Pic: Shutterstock
Control alt delete
Data-privacy lawyer Elaine Morrissey asks whether the GDPR is being used correctly by the State following the revelation that three Tusla files flagged by Judge Dermot Simms to the Department of Children have been destroyed
The objective of the EU’s General Data Protection Regulation is to protect the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
There are questions as to whether this objective has been achieved when data-protection statutory obligations have been cited as the reason for destroying several reports submitted to the Department of Children for the purposes of highlighting a concern for vulnerable children (see Gazette.ie, 15 September: ‘Tusla files flagged by judge deleted by department’).
While we do not have all the pieces of the jigsaw, questions arise in relation to the destruction of three reports by the department.
In May 2023, now-retired Judge Dermot Simms wrote to the Department of Children and several Government ministers and State institutions, highlighting his concern for vulnerable children.
This letter (publicly available at www.childlawproject.ie) referred to six documents (some of which are also publicly available). However, in response to questions, the Department of Children has confirmed that three reports provided with the letter have been destroyed, citing compliance with data-protection obligations as the reason for doing so.
Specifically, the department cites having no legal basis for processing the personal data within the report.
Correct use of GDPR?
It is correct that there needs to be a legal basis to process personal data. In the Department of Children’s Privacy Notice (available at www.gov.ie), it states its basis for processing personal data: “The following are the key pieces of legislation which underpin the department’s core functions, and which allow for the processing of personal data by us, or on our behalf:
• Childcare Act 1991,
• Education (Welfare) Act 2000,
• Children Act 2001,
• Youth Work Act 2001,
• Adoption Act 2010,
• Child and Family Agency Act 2013,
• Children First Act 2015,
• Childcare Support Act 2018.
“The department is also entitled to process personal data under other legislative provisions (for example, the Data Protection Act 2018) that provide the basis for all Government departments to administer the range of services, schemes and supports set out by successive Government decision.”
Content not available
While Simms J’s letter has been published, the content of the three reports is not available and, for that reason, we cannot say with certainty how the department arrived at a decision that there is no legal basis to process them.
In the letter, the parents’ consent for the disclosure of one of the reports was provided. But again, we do not know if this report was destroyed or retained.
Section 38 of the Data Protection Act 2018 specifically states that “processing for a task carried out in the public interest or in the exercise of official authority, [and in particular] (1) the processing of personal data shall be lawful to the extent that such processing is necessary and proportionate for (a) the performance of a function of a controller conferred by or under an enactment or by the Constitution…”.
In circumstances where a judge submits personal data to the Department of Children as part of a suite of documents to highlight his “utmost concern for the immediate predicament and welfare of children who are in care”, for which the department is responsible, it raises queries over the destruction of these reports.
While a lack of legal basis was cited as a reason for the destruction of the three reports, with the information currently available, it is difficult to see how there was not a legal basis when Simms J was highlighting issues that fall squarely within the department’s remit.
Personal data and the GDPR
While the GDPR relates to personal data, it is important to remember that pseudonymised personal data is also captured under the GDPR. This can cause confusion for those handling personal data.
In short, data does not have to include a name to be considered personal data. Personal data is any information relating to an individual. To reach the status of ‘anonymous’, there is quite a high benchmark.
Once data is anonymous, it falls outside the scope of the GDPR, and a legal basis is not required to process such anonymous data.
One assumes that, where the Department of Children is citing ‘legal basis’ and referring to its statutory responsibilities in relation to data protection, it has classified the data as personal data falling under the scope of the GDPR. However, without access to the reports, we cannot comment on this classification.
It is, however, important to remember that just because a child’s name is not mentioned in a report does not mean that the data is anonymous, as there may be sufficient information to identify that child.
Receipt of unwanted data
While many organisations have the difficult challenge of being in receipt of unwanted data – receiving data in error due to an email address being typed incorrectly or receiving an incorrect attachment via email (and there is very specific guidance from the Irish Data Protection Commission on this topic) – this is not the case here.
Simms J was very clear regarding to whom his letter and the attachments were being delivered. He very clearly wanted his letter and attachments in the hands of the Department of Children. This is not a case of receipt of unwanted data.
It is noted that the Department of Children was not the only recipient, so this prompts the question as to whether other recipients have taken the same view and destroyed parts of the Simms J suite of documents? There is the possibility that the three destroyed reports could end up back on the desk of the Department of Children through other avenues.
Does the Department of Children review every item of correspondence it receives to consider the appropriate legal basis? In circumstances where one assumes the correspondence relates to the functions of the department, this would be an unusual and extremely burdensome step.
Why was it that three specific reports were destroyed, when clearly the balance of the material has been deemed necessary to retain? Have the objectives of the GDPR been met?
Elaine Morrissey is a member of the Law Society’s Intellectual Property and Data Protection Committee.
Elaine Morrissey
Elaine Morrissey is a member of the Law Society’s Intellectual Property and Data Protection Law Committee and is assistant global DPO at ICON.