Oh well, an internal review. https://twitter.com/sociuscriminis/status/1384963152350167041
FWIW, that “internal review” confirms circumstances which constitute serious data breach.
Furthermore, as a measure of how much weight you should give to this internal review, here are two examples from it, on adjacent pages.

Firstly, we’re told that clinicians weren’t directly contacted by the Dept of Health and asked for private data.

Except...
It isn’t really better if you contact clinicians’ managers to get the records. That’s the same data transfer problem, with an added implied pressure for the clinician.
But the report tries to create a distinction between sensitive medical data and “service updates”.

Except, given the nature of the services being provided, these cannot but be sensitive personal data under Art 9 GDPR.

The denial rests on a distinction without a difference.
But don’t just take my word for it. Let’s look at how the Department understood its request, as laid out on the very next page, in an account of an exchange with a clinician who asked if the parents had consented to the release of this data.
The Department of Health wrote to the clinician and said that the Department was “happy to withdraw our request for information for the moment and to revert in about a years’ time”.

The Dept knew it had made a request for information which was going to come from the clinician.
Their defence rests on the suggestion that getting clinician records *via the HSE* makes it OK.

It does not.
Surely one of the most darkly telling examples of how seriously the Department takes its legal Data Protection obligations comes in the description they wrote, directly to the clinician they say they were not directly looking for personal data from.
Here, they write to a clinician and assert that the request for private medical data to be passed in secret to the Dept of Health is “legally supported”.
Ooh, but look: a footnote.
I loves a footnote I do.

It turns out that they only actually sought legal advice on the legitimacy of this practice *after* they had written making this assertion to the clinician.
Now this legal advice, from August 2017, is one of the great mysteries of the Dept’s report.

Because it was so super helpful to them that they didn’t show it to the Senior Counsel they hired to review this whole project after the whistleblower made his protected disclosure.
Now, what is very strange about this is that, as our friend Footnote 3 quoted above acknowledges, that mysterious legal advice dates from pre-GDPR, Aug 2017.

Which means it did not address the current Data Protection law when the SC was doing his review of the protected disclosures.
The SC’s report does, however, detail what the Dept official who was in correspondence said was their understanding of the legal basis permitting the transmission of clinical data explicitly without parents knowledge or consent.
The Dept official (before getting legal advice) cites Section 8(f) of the pre-GDPR Data Protection Act 1998-2003:

“Any restrictions in this Act on the disclosure of personal data do not apply if the disclosure is—“
Problem: this clinician, and all the clinicians whose records on autistic children the Department obtained through invoking this section, are neither parties nor witnesses in the legal proceedings.
I know, I know.
Oh, and as to the headline: the Department acknowledges they were collecting information on autistic children, and telling their sources not to tell the parents about it.

But they conclude they weren’t secret dossiers.

How does that work?
Here’s the Department of Health’s standing order to the HSE on the question of secrecy.

Here’s what they tell the HSE if it ever feels that parents would have to be told about a request for information.
Here’s the Department telling a clinician it is “standard practise to ‘*confidentially* update the Department’ on service provision and family satisfaction” (emphasis added, Page 19 of the Review conducted to establish the facts etc)

https://assets.gov.ie/133017/10988c1f-3fe7-4ffb-8238-27d61cb9331e.pdf
Let me give you a tip when reading internal Civil Service documents. Start with the statement of terms: this will be where you get the first inkling as to the line of defence they will be advancing.

Here, the Dept seeks to distinguish between processing data and “seeking” it.
This line of argument sees absurdities such as this admission that the Department is, right now, today, processing (by obtaining and storing) medical reports not obtained from the children’s parents being immediately preceded by a denial of something else entirely.
It is irrelevant in assessing processing of medical reports of children obtained without the knowledge of their parents whether the reports come directly from the clinicians or via their HSE managers.

The word “directly” here is carrying too much weight to hold up.
The medical reports and the sensitive personal data within them are acknowledged to come from the clinicians.

Whether they’ve passed through an intermediary before they reach the Department of Health has no relevance in assessing the Department of Health’s legitimacy of processing.
It does raise questions for the intermediary, in this case the HSE, as to what legal basis it thinks it had to obtain clinical medical reports from *treating doctors* without the patient’s knowledge and then pass them on to a third party.

But that doesn’t absolve the 3rd party.
The same question stands for the Department of Education, which the Department of Health says used to just cc it data on autistic children, unasked.

Did the two bodies have a DPA to cover this processing? Were they now joint processors?

That particular fact raised a lot of Qs.
You can follow @Tupp_Ed.