State’s right to collect data on children with autism far from clear

Families reported not being informed that data would be passed to other State departments

Under EU and Irish law, personal data can be collected and processed only where the individual who the data directly (or indirectly) identifies has consented to that collection (where a child is involved, a parent is required to consent on their behalf). File photograph: iStock
Under EU and Irish law, personal data can be collected and processed only where the individual who the data directly (or indirectly) identifies has consented to that collection (where a child is involved, a parent is required to consent on their behalf). File photograph: iStock

In the wake of claims that the Department of Health has been maintaining extensive files on children with autism, questions must be asked about the legal basis for the collection of such data, best practice in data sharing within Government and the consequences of the disclosures for public trust in the State's protection of fundamental rights.

The information broadcast by RTÉ detailed the collection of personal data, including medical data and confidential information about children who were involved in court cases against the State. The data which was collected appears to have come from various medical practitioners from whom the children were receiving treatment or support as well as from other Government departments with whom the children and their families had interacted.

Shane Corr, a senior civil servant with the department of health made a protected disclosure as a whistleblower. Photograph: Screen grab from RTÉ
Shane Corr, a senior civil servant with the department of health made a protected disclosure as a whistleblower. Photograph: Screen grab from RTÉ

In one case, it was reported that school reports were shared via the Department of Education and information from them added to the centralised file held by the HSE.

In addition to this, it appears that data collected included information about the wellbeing and mindset of the children’s parents, including information about marital breakdowns and addiction and information about the children’s siblings.

READ MORE

The Department of Health has stated that it secured legal advice on the arrangement under which data was collected from various State departments and that nothing arising from those advices caused it to change its approach as it was entitled to share and store information for the purposes of securing legal advice or defending court proceedings. This, however, does not address all of the concerns raised by the disclosures. State departments may, of course, share data in order to perform their functions and make services available where this is done in accordance with the relevant laws. However, the lawful basis on which that data can enter the control of State departments to begin with is a more basic question and one whose answer is not clear on the basis of the information released so far.

Under EU and Irish law, personal data can be collected and processed only where the individual who the data directly (or indirectly) identifies has consented to that collection (where a child is involved a parent is required to consent on their behalf). Where no consent has been secured, an alternative basis for processing is needed.

Alternative bases that would allow data to be processed include where it is necessary for a contract between the parties, for compliance with a legal obligation, where it serves the vital interests of the person to whom the data belongs or where it serves a legitimate interest. Some of the data which RTÉ reports was involved – such as school reports – may fall into this category though it is not clear which of the legal bases listed above was relied on. Whether siblings, and parents, of the children involved could be considered to have consented to the collection of data about them is an entirely separate, but also serious, matter.

This case raises broader concerns about the public's trust in the ability of State institutions to uphold the requirements of transparency

More stringent requirements, however, apply to the health data which was collected. Health data is a “special category” of data and under the GDPR can only be processed where a person gives their explicit consent to their data being processed for a specific purpose (a higher threshold than exists for “normal” data). As in the case of non-special data there are also alternative bases for processing without consent. These alternative bases include provisions that allow processing where it is necessary to establish, exercise or defend legal claims. However, to rely on this ground (and therefore avoid the need to secure explicit consent) there would need to be an ongoing legal case. This does not appear to be the case based on the information made public thus far.

Lack of clarity

The result is a lack of clarity as to what the legal basis for this data being collected, shared and processed was. Aside from this concern, there is a more general worry that the State failed to uphold the basic principles of data protection which legally require data to be processed in a manner which is transparent.

This case raises broader concerns about the public’s trust in the ability of State institutions to uphold the requirements of transparency required by data protection laws. Photograph: Andrew Matthews/PA Wire
This case raises broader concerns about the public’s trust in the ability of State institutions to uphold the requirements of transparency required by data protection laws. Photograph: Andrew Matthews/PA Wire

In this case such transparency is apparently notable for its absence with families reporting they were never informed that information disclosed to medical staff would be passed to other State departments and letters seen by RTÉ specifically emphasising that families and their legal advisers should not be made aware that information was being sought or compiled in this manner. The data may also have been retained for an unnecessarily long period, and have been used for purposes other than those for which it was initially collected (ie, medical treatment) in breach of data-protection principles.

Ultimately, this case raises broader concerns about the public’s trust in the ability of State institutions to uphold the requirements of transparency required by data protection laws and to respect the fundamental right to privacy required by constitutional and European law. Separately, it should be noted that the matter also raises significant concerns in respect of the precise boundaries of doctor-patient confidentiality – a confidential relationship which the Irish courts have emphasised as having significant importance in the context of the right to privacy.