The notification chimed at 9am on Friday morning. “Department of Health built secret dossiers on children with autism”
And with that began the latest, worstest sorry tale yet of our scofflaw state’s abuse of citizens’ data.
The children’s families had sued in their name to get the state to follow its statutory duty to give them an education. The Department has since spent the last ten years looking for something- going on ‘fishing expedition’ after ‘fishing expedition’- to use against them. The problem was, it didn’t follow the normal, lawful means of accessing medical records under a court order for discovery.
It just exerted the raw power of a government department to take what it wanted. It reached into the Department of Education, to get copies of the children’s school reports.
Then it went further. It wrote to medical professionals, clinical caregivers who were attended by the children and their families seeking treatment and help, and it told them to hand over their infant enemy’s medical details. It told them to keep this data raid secret from the families. And, it seems, the medicos complied.
The Department has been screaming that this is all totally normal since the story broke. Whenever it issues one of these borderline hysterical statements, it focusses on the nature of the data stored. It never addresses the means by which it has obtained that data.
That’s because it may be normal for me to hold your bank records if I receive them on foot of a court-ordered discovery process. But if I break into your house in the night and steal them from your desk then it is generally considered very Not Normal when I am found with them.
And this is the problem with the Department’s legal defence to the obvious charge that it (amongst others) has breached the Data Protection rights of these children and their families. Here’s what it told RTÉ;
The department said that, under data protection legislation, it was entitled to share and store information for the purposes of getting legal advice or to defend court proceedings.
This is a reference to Section 8(f) of the 1988 Data Protection Act.
- That’s not what the section allows and;
- That Act was repealed when the GDPR replaced it and';
- It doesn’t matter what’s in our national laws if it breaks the EU law above it.
Let’s look at those three in order.
- Section 8, 1998 Act allowed for sharing data when
(f) required for the purposes of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness
And these doctors, and School Boards of Managment who made the disclosures weren’t parties or witnesses.
- The GDPR came into force in May 2018. The RTÉ report said this dossier processing continued after that, and today’s statements from the Minister for Health confirmed it. By then, a new Data Protection Act has been passed. It had to abandon the subjective wording that allowed sharing when someone thought it was ‘required’ and replace it with Section 47 DPA 2018 where sharing was only permitted if ‘necessary’.
47- The processing of special categories of personal data shall be lawful where the processing—
(a) is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings
That’s an important change, because the High Court of Ireland has already confirmed that accessing a litigant’s entire medical history generally, going back years and years will not generally be considered necessary, and so will not be allowed, even in court Discovery applications. (See Paragraphs 11 and 12 of Power v Tesco Ireland, 2016)
“It offers the proposition that general discovery of a plaintiff's entire pre-medical history ought to be allowable. However, this is but a starting-point: discovery, were it always or even widely to be ordered on this basis, would almost invariably be disproportionate (oppressive).”
- And finally, even if there was a provision in Irish law allowing for the sharing of data about citizens between state bodies in secret, that provision would be a nullity, since the CJEU has already determined, in the Bara case, that EU data protection principles overrule and outlaw any
“national measures, such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing.”
The Data Protection Commissioner has announced they’d like some questions answered. That body will need to go further than just asking questions, if it is to ensure that these children’s rights have been upheld and this sort of snooping isn’t repeated.