Ireland
Irish Departement of Health
GDPR enforcement action by Data Protection Authority of Ireland on 2023-06-16.
Case details
- Authority
- Data Protection Authority of Ireland
- Date
- 2023-06-16
- Controller / Processor
- Irish Departement of Health
- Sector
- Health Care
- Quoted Articles
- Art. 5 (1) c) GDPR, Art. 6 (1), (4) GDPR, Art. 9 (1) GDPR
- Type of violation
- Non-compliance with general data processing principles
Summary
The Irish DPA (DPC) has fined the Irish Department of Health EUR 22,500.
The DPA launched an investigation into the department following public allegations that the department unlawfully processed personal data from claimants and their families in the context of litigation over special educational needs.
The DPC found that the departement had obtained information from the Health Service Executive (HSE) about services that the plaintiffs and their families had received. They had also been asked broad questions that led to the disclosure of sensitive private information. The data was collected to determine whether a settlement could be pursued with the plaintiff.
The DPC concluded that the collection of information about the social services provided was lawful. However, the questions that led to the disclosure of the sensitive information were excessive and, according to the DPC, not necessary for the purposes of the litigation. According to the DPC, this violated the principle of data minimization.
Related fines