The Department of Health believed it was lucky to escape with a €22,500 fine for a major data breach which involved “excessive and disproportionate” gathering of sensitive personal information about people who had taken legal action against the State.
In internal submissions, officials said the department could have been hit with a fine of up to €1 million, and that the actual fine “fell far below the maximum that could be levelled”.
A submission to the department's Secretary General Robert Watt from senior officials said the level of the fine “should, as a result, be welcomed” and suggested the department could accept the sanction proposed by the Data Protection Commission (DPC), despite “some reservation”.
The investigation followed an RTÉ programme in March 2021 based on information provided by the whistleblower, Shane Corr, who said the department had a practice of collecting sensitive and personal information about vulnerable children and their families when they were involved in litigation against the State.
The department's submission said the DPC had sent them an initial draft decision in December of that year, with the department responding with submissions in March 2022.
A draft revised decision was sent in May 2023, with the department given a final opportunity to respond to its contents over the summer.
The submission stated: “In the revised draft decision received, the DPC has taken on board the submission made by the department and also acknowledged the points raised, correcting misleading elements of the decision and acknowledging the mitigation the department has put in place since the issues concerned in the investigation first arose.”
It said the department would now face a ban on processing the data they had collected, a reprimand for collecting it in the first place, and a fine of between €15,000 and €30,000.
'Punitive measure'
The submission recommended: “Having reviewed the revised draft decision and following consultation with the department’s DPO [data protection officer] and our legal unit, I’ve determined the appropriate response to the DPC, is … with some reservation, [to] welcome and accept the proposed sanction of the DPC as it now stands.”
It said the department needed to recognise that any fine was a “punitive measure” and would have to be funded from the Exchequer, but that the amount involved was lower than it could have been.
In an email responding to the submission, Mr Watt wrote: “Very important to note that this relates to historical issues. Also, we should stress that we have taken steps etc.”
A second submission said the department had acknowledged there had been “issues around retention and data minimisation, transparency and security controls”.
In a review of the decision, it said the department had not ensured that the personal data involved was processed properly or deleted within an appropriate timeframe.
It said the people involved did not know how their personal information was being used and there were insufficient controls over who had access to data.
A statement from the department said: “[We] accepted the corrective measure imposed by the Data Protection Commission (DPC) following their investigation into the department's handling of data related to Special Educational Needs Litigation cases.
“The Department of Health would like to reassure all parents, families and interested parties that the Department has never actively obtained or unlawfully held sensitive medical and educational information of children involved in historical special educational needs court cases as outlined.”