The Gist: Ireland under Investigation

A bit of a Gist exclusive story this week; the European Commission opened an investigation into the Government’s refusal to give Mother and Baby Home survivors GDPR rights of access to their health records. It wrote to the Government, raising the issue on foot of a complaint by one survivor. The complaint and investigation were triggered when the Minister for Children refused to set aside a piece of 1989 domestic law in order to give effect to the GDPR, as he is obliged to do.

Furthermore, the new Heads of Bill for the Government’s much heralded Birth Information and Tracing Bill have also been submitted for investigation, as they provide for a fresh statement of the same restriction as the 1989 law.

That’s the headline. Now let’s explain how we got here.

When the Final Report of the Commission of Investigation (Mother and Baby Homes and certain related matters) was published the Government was mindful of the firestorm it had met in November 2020. Back then, the Minister for Children et al, had whipped the three government parties TDs to support his proposal to seal the Commission’s records for thirty years, in the teeth of public outrage.

Then, the following week the AG told Cabinet that he hadn’t given the advice the Minister had relied on in his arguments against the application of the GDPR, and the whole effort fell apart to the great unhappiness to those same TDs who found they’d been sent out defending the indefensible.

So, on the report’s publication in January 2021, access to records was a hot topic.

As part of their statement greeting the report, the Government promised;

“We will ensure that people can access personal information contained within the Commission’s records in line with GDPR.”

You will be unsurprised to hear that this has not, to date, happened.

In fact, the Government completely refused to provide survivors with direct access to their medical records, in particular, citing a Statutory Instrument from 1989.

Wearing my solicitor hat I wrote in June 2021, representing a Mother and Baby Home survivor, to the Minister to explain why the GDPR, a later and superior law, meant that he had a legal obligation to simply ignore, or disapply, that blocking legislation and provide survivors with their records.

You can read the detail of that argument here. It was pretty comprehensive (for this you may read; long) and the Department didn’t try to engage with it, other than simply repeating its previous position.

Here’s the Court of Justice of the EU setting out the principles that apply when domestic law contradicts EU law in a recent decision of WRC v The Minister for Justice;

“bodies called upon, within the exercise of their respective powers, to apply EU law are obliged to adopt all the measures necessary to ensure that EU law is fully effective, disapplying if need be any national provisions or national case-law that are contrary to EU law. This means that those bodies, in order to ensure that EU law is fully effective, must neither request nor await the prior setting aside of such a provision or such case-law by legislative or other constitutional means.”

In June 2021, the Minister for Children wrote to the Minister for Justice.

He acknowledged “the broad reach of the Regulations imposes a significant restriction on the fundamental right of access of data subjects to personal information about themselves”.

He then continued, seeking to do the very thing the CJEU has said a data controller must not do. He made a request and awaited ‘the prior setting aside of such a provision… by legislative or other constitutional means’.

I would be most grateful for an urgent review of the Regulations and Section 68 of the 2018 [Data Protection] Act

When the Minister for Justice wrote back to him, she declined to solve his problem, pointing out that all Ministers of Government have the power to pass Regulations.

It then became clear that, unlike the Little Red Hen, the Minister for Children is not a man given to deciding to ‘do it all myself’.

In response, he again decided that Somebody Else should do this, and contacted the Minister for Health about drafting new laws. Because, just now, what else might the Department of Health have to do with itself?

Meanwhile, also in June 2021, the Data Protection Commission wrote to the Minister’s officials, joining the chorus pointing out that his Department wasn’t following the GDPR.

“Concerning SI 82/1989, I have had reason to re‐examine the Department’s approach to dealing with SARs pertaining to health data and I am of the view that the manner in which the Department is handling such requests is not appropriate to the circumstances. While section 68 of the Data Protection Act saved SI 82/89, it did so in the expectation that new regulations would be made under section 60 of the Act which would take account of the requirements of Article 23 GDPR. Furthermore, it cannot be the case that the considerations in play in 1989 would have foreseen the specifics of the current situation or that the SI was intended to apply to a scenario such as the Department is now dealing with”

(emphasis added)

But, by September, there had still been no action by the Minister for Children or his Department to actually apply the GDPR and give survivors direct access to their medical records.

So, on behalf of a client, on the 17th September my office reported Ireland for this ongoing breach of EU law to the European Commission.

On the 10th November 2021 the Commission wrote back, confirming it had opened an investigation on foot of that complaint and that it had written to the Department;

“We wrote to the Department of Children, Equality, Disability, Integration and Youth as part of the investigation of this complaint. They informed us that the Minister for Health is progressing new Regulations concerning access to health data as a matter of priority and that officials from the Department of Children are also liaising with the Department of Health on this issue. The Department have informed us that the new Regulations intend to take into account of the requirements of the GDPR, and the issue of mandatory consultation with a health practitioner will be given further consideration. They stated that it is anticipated that the new Regulations will be in place by the end of the year.”

In response, I pointed out that the Minister had not accepted that the requirement for a mandatory consultation with a health practitioner would be changed, but merely that it would be given ‘further consideration’.

I then supplied the Commission with a copy of the new Legislative Heads for the same Minister’s proposed Birth Information and Tracing Bill, drawing their attention to Section 10(2), which repeats and continues the same block on direct access, and maintains the same requirement from the 1989 SI, that survivors’ medical records would be sent to doctors, not to them directly.

We’re awaiting their reply, but it appears as though Ireland remains under investigation.

And, for survivors, a right that everyone seems to acknowledge they have—to access their medical data under the GDPR—continues to be blocked.

The Gist is a reader-supported publication. To receive new posts and cheer me up no end, consider becoming subscriber.