The Department of Health believed they were lucky to escape with a €22,500 fine for a major data breach that involved "excessive and disproportionate" gathering of sensitive personal information about people who had taken legal action against the state.
In internal submissions, officials said the department could have been hit with a fine of up to €1 million and that the actual fine "fell far below the maximum that could be levelled".
A submission to Department Secretary General, Robert Watt, from senior officials said the level of the fine "should as a result be welcomed" and suggested the department could, despite "some reservation", accept the sanction proposed by the Data Protection Commission (DPC).
The investigation followed an RTÉ programme in March 2021 based on information provided by the whistleblower, Shane Corr, who said the department had a practice of collecting sensitive and personal information about vulnerable children and their families when they were involved in litigation against the state.
The Department of Health submission said the DPC had sent them an initial draft decision in December of that year, with the department responding with submissions in March of 2022.
A draft revised decision was sent in May of this year, with the department given a final opportunity to respond to its contents during the summer.
The submission said: "In the revised draft decision received, the DPC has taken on board the submission made by the Department and also acknowledged the points raised, correcting misleading elements of the decision and acknowledging the mitigation the department has put in place since the issues concerned in the investigation first arose."
It said the department would now face a ban on processing the data they had collected, a reprimand for collecting it in the first place, and a fine of between €15,000 and €30,000.
The submission recommended: "Having reviewed the revised draft decision and following consultation with the Department's DPO [data protection officer] and our Legal Unit, I’ve determined the appropriate response to the DPC, is … with some reservation, [to] welcome and accept the proposed sanction of the DPC as it now stands."
It said the department needed to recognise that any fine was a "punitive measure" and would have to be funded from the Exchequer but that the amount involved was lower than it could have been.
In an email responding to the submission, Robert Watt wrote: "Very important to note that this relates to historical issues. Also we should stress that we have taken steps etc."
A second submission said the department had acknowledged there had been "issues around retention and data minimisation, transparency and security controls" in a further vindication of Shane Corr, the whistleblower who brought it to public attention.
In a review of the decision, it said the department had not ensured that the personal data involved was processed properly or deleted within an appropriate timeframe.
It said the people involved did not know how their personal information was being used and that there were insufficient controls over who had access to data.
A statement from the Department of Health said: "[We] accepted the corrective measure imposed by the Data Protection Commission (DPC) following their investigation into the Department's handling of data related to Special Educational Needs Litigation Cases."
"The Department of Health would like to reassure all parents, families and interested parties that the Department has never actively obtained or unlawfully held sensitive medical and educational information of children involved in historical special educational needs court cases as outlined."
- reporting Ken Foxe