Back to Top

 Skip navigation

DPO Advice

Open in Excel:

DPO Advice

This DPIA addresses the data protection issues arising in respect of the receipt by CSO of a range of health-related data flows from the Health Service Executive by consent of the Minister for Health, under section 30 (2)(b) of the Statistics Act, 1993.

The legal basis for the processing of this data is set out in the DPIA and evidences an understanding of the special category status of the data and the consequent requirement for great care in the receipt, handling and onward processing of the data. There is a particular urgency associated with this processing, in light of the impact and effects of the COVID-19 pandemic. However, early and close attention should be paid to the data minimisation/necessity and proportionality analysis proposed. Progress in this respect should be reviewed at an early stage and be ongoing.

The detailed operational measures invoked to secure data processing and access management and the risk mitigation measures identified in the Risk Assessment should be periodically reviewed and it is recommended that the result of such reviews be used to update the Risk Assessment and associated Mitigation measures.

On the matter of the fundamental rights of the data subject, the arguments made out regarding invoking Article 89(2) protections or derogations otherwise provided for within Articles 15 to 22, are noted. In respect of the Article 15 related Right of Access, the significant ADC staff resources required to process this data within a short timeframe and to make it available for statistical analysis are noted, but every effort should be invested to vindicate this right wherever possible. While it is clear that the ADC process by design makes individual’s personal data progressively more difficult to identify and thereby to extract, as a matter of good practice and in the interest of transparency, Article 15 requests should ideally be assessed on a case-by-case basis before this derogation is invoked and the mooted derogation should arise only if deemed proportionate and necessary due to the risk of rendering impossible or seriously impairing the achievement of the specific purposes.

Particular attention should be paid to the retention period applied to this data, which given its sensitive nature should be limited to that which is deemed strictly necessary having regard to the public interest ground invoked for its processing in this manner.

The DPIA should be subject to periodic review and updated to reflect the evolution of public policy related pandemic requirements. The DPIA should be shared with the DPC1.

1The CSO, DoH and HSE consulted with the Data Protection Commissioner's Office and shared the full Data Protection Impact Assessment (DPIA).

Go to: Appendix 1 - Administrative Data File Names