Last night, RTÉ’s Investigations Unit aired a story about the Department of Health and data gathering practices in respect of vulnerable persons (autistic children and young adults) on whose behalf litigation was initiated historically to get access to necessary services, but where those cases have fallen dormant. I participated in this programme as an expert on data protection law and practice. As RTÉ describe it, the Department has built “secret dossiers on children with autism“. This information has come to light as a result of protected disclosures by a whistleblower within the Department.
From the broadcast story it is clear that this sharing and pooling of data has continued at least into 2019 and one must assume, given the stout defence of the practices by the Department that the practices continue today.
Having watched the broadcast I thought I’d put together some blog posts to make some additional comments. Some of these are points that I made to Conor Ryan in my interview but which didn’t make the package. Others are points in respect of claims made by the Department that there is no data protection compliance issue. This first one will look at the question of Fair and Transparent processing and the potentially problematic consequences of continuing this practice after May 2018.
Nothing to See Here, Move Along!
The Department is apparently in possession of a report by a Senior Counsel which concludes that no breach of the Data Protection Acts was idetified by their review. This review was completed in November 2020. There are a few small problems with this finding in my view.
- It is wrong
- If the Department Press Office has taken their reference to legislation from this report it was done against repealed legislation (“Data Protection Acts” suggests the repealed Data Protecton Acts 1988 and 2003), and even then it is still wrong.
- Irrespective of whether the review was carried out against the repealed Data Protection Acts or the currently operative Data Protection Act 2018, it’s still wrong.
Now, the eagle eyed among you will have noticed that this is in fact but one problem repeated with variations, a bit like Chopin fiddling around with a catchy tune. However, when the bald assertion on which the Department rests its defence is wrong to the extent that I believe it is then I think it’s worth mentioning a few times.
Of course, it could be me that is wrong. I’d welcome the opportunity to review the erudite analysis which has reached a conclusion that I consider to be wrong at least three ways from Thursday. But the Department wouldn’t even release the review to the person who made the protected disclosure. Personally, I think a little transparency about the reasoning that has determined so definitively that “no breach of the Data Protection Acts was identified” would be good.
But transparency (or rather the lack of it) is the first reason that this finding is wrong.
Beause this processing has been going on for a number of years, and because it is not clear whether the Senior Counsel’s review in 2020 was carried out against the Data Protection Acts 1988 and 2003 which were almost entirely repealed on the 25th May 2018 when the GDPR and the Data Protection Act 2018 came into force, or if they looked at the actual law as it stands today, I’ll examine the question of transparency under both regimes.
The Data Protection Acts 1988 and 2003
One of the fundamental principles of data protection law going back decades is that personal data must be processed fairly, lawfully, and transparently. Section 2D of the Data Protection Acts 1988 and 2003, it sets out the conditions and considerations for “fair processing”, which includes the provision of certain information about how data will be processed, including where information is obtained from a third party rather than directly from the Data Subject (see Section 2D(1)(b)). In such cases there is an explicit duty on the Data Controller who receives personal data from a third party to make information about the processing of that data by the Controller available to the Data Subject ” not later than the time when the data controller first processes the data“.
The General Data Protection Regulation (Regulation 2016/679/EU)
The transparency principle is expanded on in the GDPR, which explicitly sets out in Article 5(1)(a) that personal data shall be
processed lawfully, fairly and in a transparent manner in relation to the data subject
Article 12 of GDPR is even entitled “Transparent information, communication and modalities for the exercise of the rights of the data subject“, just in case anyone missed the memo.. Article 12 sets out some basic provisions for the communication of information about what is going to happen with peoples data in a “a concise, transparent, intelligible and easily accessible form, using clear and plain language”.
Article 13 and Article 14 of GDPR set out the detail of what information must be provided to data subjects, similar to the provisions of Section 2D(1) of the old legislation, but with a richer and more detailed set of information to be shared with the Data Subject. Article 14(2) makes interesting reading in this context as it beefs up the requirement that existed under the old legislation to tell the Data Subject when you have gotten data about them from a third party. Article 14 of GDPR requires disclosure of information about the processing of personal data:
(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
The Bara Ruling
Of course, parts of the Civil Service still have not adjusted to the fact that the CJEU ruled in 2015 that these pesky transparency requirements also apply to the sharing of personal data between public bodies. The case that decided this is the Bara case and it related to sharing of data between the Romanian tax and social security authorities. Simon McGarr has an excellent write up of it over half a decade ago. The TL;DR of this case is simple:
Articles 10, 11 and 13 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, must be interpreted as precluding national measures, such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing.
This case predates GDPR and applied to processing under the Data Protection Acts 1988 and 2003. And it applies to processing post 25th May 2018 as well.
Given that, in the case of these dodgy dossiers data subjects or their familes were not informed, and indeed there was an direct request from the Department that the data subjects would not be informed I struggle to see how anyone could say that no data protection issues arise in respect of this processing.
Indeed, in Bara the lack of transparency was essentially a result of an oversight. Nobody thought about whether the data subjects should be informed so they simply weren’t. Here, we have an clear policy of deliberate opacity in breach of EU law.
Assessing the level of wrong.
Where does one start? Whether we apply the legislation that was in force before May 25th 2018 or the revised standard set by the GDPR, there is an obligation for personal data to be processed transparently. This has been confirmed by the CJEU. Repeatedly.
In circumstances where information about your processing activities is not provided to data subjects when you receive data from others (as required by law) and you effectively sign off your emails with an instruction that the data subject or the people who care for them or represent them legally shouldn’t be told about the request, you are acting in a manner that can only be described as the polar opposite to anything that any frequent traveller on the Clapham Omnibus might regard as “transparent”.
Another key requirement of the most fundamental data protection principle is that data must be processed fairly.
Governments are often fond of telling us that if we have nothing to fear we have nothing to hide (this is usually right before they install a CCTV camera up our right nostril for our own protection). But the corollary is also true. If Governments have nothing to fear they too have nothing to hide. The concept of “fair processing” finds its root in the early days of Data Protection, back in Convention 108 of the Council of Europe. But, as with many things of import it is not formally defined in legislation as it would be a subjective test in context.
The UK ICO (and good grief I’m having to say something nice about the ICO here) has a passable definition of what would make something unfair, which is as close to a definition of fair as we will get. Processing is unfair if it is “unduly detrimental, unexpected or misleading to the individuals concerned“.
In this case, the processing is clearly unexpected. It is arguably also unduly detrimental as the purpose for processing was to manage case strategy for dormant cases to identify an optimum time to offer a settlement, ideally, lump the family with their costs. It created an imbalance and bypassed the checks and balances of discovery in litigation.
Ultimately, the “scratch and sniff test” for whether processing is fair is really whether or not you are comfortable with someone knowing you are doing something to get data about them without them knowing, chances are it may be unfair.
If you find yourself writing in your template email that the person providing you with the information shouldn’t tell the data subject, their family, or their legal representatives you need to consider why. And then consider if that is fair.
The Fresh Can of Worms
I’m quoted in the Irish Times commenting that this debacle has actually opened up an entirely new can of worms for the Department. The reason for this is quite simple. These cases were dormant. There was no active litigation. These cases may have, in the fullness of time, simply faded away. Certainly, if a more transparent approach that actually complied with data protection law had been taken, it might even have been possible to resolve the cases in time cleanly.
However, the Department became aware that there might be problem with this process back in 2017. But they kept ploughing on with it. In the process, they hoovered up the data of family members of the children, their physical and mental health, and other senstive information. They hoovered it up in a manner that clearly infringes on fundamental data protection rights. They continued to hoover it up after the 25th of May 2018. This is a significant date. This the date that Article 79 and Article 82 of GDPR came into force.
Article 79 of GDPR allows that “each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.” – in other words any data subject whose data has been hoovered up in this process can now sue the Department, irrespective of any administrative inquiry or sanction that might arise from the Data Protection Commission.
Article 82 allows affected Data Subjects to recover for both material and immaterial loss. And any Controller or Processor involved can be held liable. So the Department of Education and the HSE, and any other Data Controller or contractor acting as a Data Processor who provided data could also be sued and held liable.
And the potential population of litigants has just mushroomed from the one plaintiff (who may have been suing through a parent or guardian) to every single person whose data was hoovered up. So, if an autistic child is one of three siblings and they have two parents who are separated but are in new relationships, we could potentially have EIGHT individuals with a right of action against the Department and others.
Nice work on the case management to minimise costs to the State folks.
An Independent Inquiry
In the Dáil (the Irish parliament) yesterday, there were calls for an independent inquiry similar to the Scally Inquiry to be established to investigate the legality and ethics of this sharing of data. The Scally Inquiry cost the State €1.13 million. If Deputy Pearse Doherty is adamant that the State should invest that much money in an independent inquiry into the legality of this and he is insistent that it should be done quickly, I have a suggestion.
- Vote to increase the budget of the Data Protection Commission IMMEDIATELY by that amount. It would be a 6% increase in their total budget but would finally given them a higher budget than the Greyhound Board.
- Get out of their way and let them execute their statutory independent regulatory function as set out in the Treaty for the Functioning of the European Union (Article 16), the EU Charter of Fundamental Rights (Article 8.3), and the GDPR (Article 52).
There is no time or need for pointless political soundbite bullshit. Let the Regulator regulate.
I will have other thoughts on this over the coming days so expect a further analysis of the 50 shades of wrong in the assertions made by the Department, including an analysis of whether the processing, though not fair and not transparent was also not lawful, and the problems that appear to arise from the organisational and technical controls that existed(or didn’t exist) in respect to the processing of personal data and special category data in this case.
To anyone in the Data Protection Commission who is reading this blog, please feel free to contact me directly if you disagree with any of my analysis.