Irish Departement of Health: Non-compliance with general data processing principles

The Irish DPA (DPC) has fined the Irish Department of Health EUR 22,500. The DPA launched an investigation into the department following public allegations that the department unlawfully processed personal data from claimants and their families in the context of litigation over special educational needs. The DPC found that the departement had obtained information from the Health Service Executive (HSE) about services that the plaintiffs and their families had received. They had also been asked broad questions that led to the disclosure of sensitive private information. The data was collected to determine whether a settlement could be pursued with the plaintiff. The DPC concluded that the collection of information about the social services provided was lawful. However, the questions that led to the disclosure of the sensitive information were excessive and, according to the DPC, not necessary for the purposes of the litigation. According to the DPC, this violated the principle of data minimization.

GDPR Articles: Art. 5 (1) c) GDPR, Art. 6 (1), (4) GDPR, Art. 9 (1) GDPR
Industry: Health Care