Back to Top

 Skip navigation

Scope Of Processing

Open in Excel:

The scope of processing means what datasets are concerned, what variables they contain, whose data is concerned, how is it processed and for how long it will be retained.

What Data is Being Received?

The relevant data sets currently being processed are set out at Appendix 1, while the relevant variable listing is contained at Appendix 2. The datasets contain a combination of personal and non-personal data, some of which is already anonymised on receipt by the CSO.

The selection of appropriate data sources to be processed for the present purpose, was guided by recommendations from NPHET and DoH, while in line with law, the final decision resides with the Director General of the CSO.

Within the personal data received, some variables are deemed “special category” under the GDPR, Article 9. Special category data is personal data, including health-related data, that attracts additional protection under GDPR because of its sensitive nature.

The primary legal basis for the processing of personal but non-special category data derives from Article 6 GDPR, specifically Article 6(1)(c) and 6(1)(e) – the former addressing processing carried out in compliance with a legal obligation to which the controller is subject (production of Official Statistics) and processing being necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.

The special category health data affected by this DPIA is being processed using legal provisions permitted under the GDPR Article 9(2)(i) – public interest in the area of public health and Article 9(2)(j) – processing is necessary for statistical purposes in accordance with Article 89(1) GDPR.

Whose data is it?

Records received or to be received, by the CSO, include data relating to those assessed for COVID-19 testing, referred for testing; confirmed positive for COVID-19; identified as close contacts of COVID-19 confirmed cases; admitted to hospital for COVID-19 related treatment, associated ICU cases and related care tracking, plus vaccinations records.

Note: as at August 2021, no Vaccinations data has been received by the CSO and no agreement is yet in place for these transmissions to commence.

The flow of records to the CSO was disrupted by the Cyber Security Incident in May 2021 and has yet to be reinstated in full.

The data covers the population within the geographical area of the Republic of Ireland.

How is it processed?

The health data is received by the CSO’s Administrative Data Centre (ADC), using secure and encrypted transmission methods. The ADC team then decrypt, process, pseudonymise and store the data in a format suitable for statistical analysis – see page 4 for a detailed description of the pseudonymisation process. The resultant pseudonymised statistical datasets are catalogued on the CSO ADC portal and made available for analysis purposes, subject to case by case validation of requests for access. Access is limited strictly to approved applicants, that is, either CSO staff or approved researchers operating under the Section 11 agreement in place between the HSE, DoH and the CSO.

What is the Data Retention policy?

By agreement between the CSO, DoH and the HSE, the CSO will conduct a post-pandemic review which may make certain recommendations regarding the duration of the data storage of COVID-19 related data sources. In light of the pandemic-related exigencies of this data processing exercise, the over-riding priority will be to ensure that no data is kept for longer than is necessary for the purposes for which it was collected. This is in line with the European Data Protection Board guidance 03/2020 (section 5.3, page 10), which is that data in this category shall only be processed as long as it is both necessary and proportionate to do so.

Go to: Context Of Processing