Department fined for unlawful use of personal data about plaintiffs

Department fined for unlawful use of personal data about plaintiffs

The Department of Health has been fined after unlawfully using private information about plaintiffs and their families in special educational needs litigation to decide whether to propose settlements.

The Data Protection Commission (DPC) this week imposed a €22,500 fine on the Department after concluding that it unlawfully collected and processed personal data in relation to 29 litigation files.

The DPC, which commenced an inquiry into the matter in 2021, said it found evidence that the Department sought information from the HSE about services that were provided to plaintiffs and their families, as well as “any other issues HSE feels worth mentioning”.

“This broad question resulted in the provision of private information about the lives of plaintiffs and their families,” the DPC said. This included “details about plaintiffs’ jobs and living circumstances, information about their parents’ marital difficulties and in one case, information received directly from a doctor about the services that were being provided to the plaintiff”.

The Department told the DPC that they processed this personal data for the purposes of determining whether an approach should be made to the plaintiff to seek to settle the case.

However, the DPC found that the processing of information obtained in response to broad scoping questions sent to the HSE for the purposes of seeking to settle a case was excessive and disproportionate to the aims pursued by the Department and that the processing for this reason was not necessary for the purposes of litigation.

Therefore the DPC found that there was no lawful basis for this processing in the files examined, and that the Department had infringed the principle of data minimisation by processing this personal data.

Having regard to the relevant factors under the GDPR and the fining cap for public authorities under the Data Protection Act 2018, the DPC decided to impose a fine of €22,500 for these infringements. The DPC also imposed a ban on further processing the sensitive data in the files examined for the purposes of determining an appropriate time to settle a case.

The Department was also reprimanded on a number of other grounds, including failing to convey in its privacy notice the extent of information sharing between the Department and the HSE.

Share icon
Share this article: