Back to Top

 Skip navigation

Scope Of Processing

Open in Excel:

The scope of processing means what datasets are concerned, what variables they contain, whose data is concerned, how is it processed and for how long it will be retained.

What Data is Being Received?

The relevant data sets currently being processed are set out at Appendix 1, while the relevant variable listing is contained at Appendix 2. The datasets contain a combination of personal and non-personal data, some of which is already anonymised on receipt by the CSO.

The selection of appropriate data sources to be processed for the present purpose was guided by recommendations from NPHET and DoH, while in line with law, the final decision resides with the Director General of the CSO.

Within the personal data received, some variables are deemed “special category” under the General Data Protection Regulation (GDPR), Article 9. Special category data is personal data, including health-related data, that attracts additional protection under GDPR because of its sensitive nature.

The primary legal basis for the processing of personal but non special category data derives from Article 6 GDPR, specifically Article 6(1)(c) and 6(1)(e) – the former addressing processing carried out in compliance with a legal obligation to which the controller is subject (production of Official Statistics) and processing being necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.

The special category health data affected by this DPIA is being processed using legal provisions permitted under the General Data Protection Regulation Article 9(2)(i) – public interest in the area of public health and Article 9(2) (j) – processing is necessary for statistical purposes in accordance with Art 89(1) GDPR. Processing of personal health data as contained in the COVID-19 Data Flows is also permitted under Sections 53 and 54(c) of the Data Protection Act 2018. 

Whose data is it?

Records received or to be received by the CSO include data relating to those assessed for COVID-19 testing, referred for testing; confirmed positive for COVID-19; identified as close contacts of COVID-19 confirmed cases; admitted to hospital for COVID-19 related treatment, associated ICU cases and related care tracking, plus vaccinations records.

Note: as at August 2021, no Vaccinations data has been received by the CSO and no agreement is yet in place for
these transmissions to commence.

The flow of records to the CSO was disrupted by the Cyber Security Incident in May 2021 and has yet to be reinstated in full. The data covers the population within the geographical area of the Republic of Ireland. 

How is it processed?

Section A (below) covers internal use in CSO
The health data is received by the CSO’s Administrative Data Centre (ADC), using secure and encrypted transmission methods. The ADC team then decrypt, process, pseudonymise and store the data in a format suitable for statistical analysis – see page 4 for a detailed description of the pseudonymisation process. The resultant pseudonymised statistical datasets are catalogued on the CSO ADC portal and made available for analysis purposes, subject to case by case validation of requests for access.

Section B (below) covers use by researchers of RMF datasets
Data is made available to approved external researchers working on COVID-related outputs by the RCU via the RDP. External researchers from approved organisations are appointed Officers of Statistics by the CSO under Section 20(c) of the Statistics Act, 1993 for the duration of their research.

All research applications are reviewed by RDGB and require REC approval and a consent declaration from the HRCDC before, if approved, being forwarded to CSO for consideration. The RGDB, HRCDC and REC applications are independent and separate processes, reviewing the research from different perspectives.

Only researchers who are employed by, or formally related to, a registered research organisation are eligible to apply for access to RMFs. Research organisation registration establishes two roles:

  • Senior Representative, i.e. someone with the authority to make commitments on behalf of the organisation, e.g. managing director, president, university chancellor or similar; and
  • RMF Contact, i.e. a person designated by the Senior Representative, who will be in charge of coordinating RMF project applications.

When registered, a researcher can then apply for access to an RMF. The RMF Application Form is completed by a project’s lead researcher and captures information used for administrative purposes, information on the research project being applied for, information on the researcher’s experience and competency in relation to the application of statistical disclosure control (SDC) as well as information on the physical security measures in place at the location from where the researcher will carry out their research. SDC refers to methods that allow the dissemination of statistical information while ensuring that an individual’s personal data are protected against disclosure. Should a researcher’s application be approved, the researcher would, on completion of further steps detailed in the RMF
process flowchart (linked earlier in this DPIA on page 5), gain access to pseudonymised data only.

The outputs resulting from analysis of the microdata can only be exported from the RDP with CSO approval which is granted in accordance with CSO Statistical Disclosure Control (SDC) policy. The RDP is locked-down (no import or export possible without approval) and no internet access is possible within the RDP.

What is the Data Retention policy?

By agreement between the CSO, DoH and the HSE, the CSO will conduct a post-pandemic review which may make certain recommendations regarding the duration of the data storage of COVID-19 related data sources. In light of the pandemic-related exigencies of this data processing exercise, the over-riding priority will be to ensure that no data is kept for longer than is necessary for the purposes for which it was collected. This is in line with the European Data Protection Board guidance 03/2020 (section 5.3, page 10), which is that data in this category shall only be processed as long as it is both necessary and proportionate to do so.

1The term “Research Organisation” refers to organisations whose primary focus is on research and also to organisations which have
research units but where the organisation’s principal activity is not research.

Go to: Context Of Processing