In recent days, the Department of Health has published two reports it commissioned to examine allegations made in protected disclosures by Shane Corr, one of its senior civil servants.

In March, RTÉ Investigates revealed that Mr Corr had raised concerns that the Department was secretly using private clinical and education information to build and maintain dossiers on children with autism who were involved in legal actions against the State.

This was done without the knowledge or consent of parents.

Each of the recently published reports appear to indicate that there are no significant causes for concern. But, together, the external report, produced by a senior counsel, and an internal review that was ordered following the RTÉ Investigates report leave a lot of questions unanswered.

Conor Ryan, who broke the story, has been piecing together the evidence from the two reports.

Did the reports confirm claims the Department of Health was gathering sensitive information on children involved in dormant legal cases without informing their parents or legal advisors?

Central to Shane Corr's concerns was the fact that the Department was approaching the Health Service Executive to obtain updates on historic legal cases taken by vulnerable people and their families, without their knowledge, and that they were doing so in a systematic way through the use of template letters and spreadsheets. Some of the cases had lain dormant for more than a decade.

Both the internal review by the Department of Health and the review by Senior Counsel Conleth Bradley confirm the use of spreadsheets to process and store information on children and the use of a template letter sent by the department to the HSE repeatedly requesting updated information on children and their families.

The letters specifically state that "this is not a request to contact any of the plaintiffs involved in the litigation or their families or their legal advisors and indeed we would request you do not do so in relation to this request".

The reports confirm updated sensitive personal information was repeatedly received, processed, and stored by the Department in response to these requests.

Read more on the Department of Health dossiers

The Department’s internal review said there is no evidence it sought clinical reports "directly from clinicians". What does this mean?

The internal review places a particular emphasis on the word "directly". In fact, the word is used more than 20 times.

The review stresses no information was "directly sought from clinicians".

However, Mr Corr’s primary allegation was not that the Department sought sensitive information directly from clinicians, but rather that it built and maintained dossiers using information that had been gleaned from consultations with clinicians (such as doctors, psychiatrists, therapists, counsellors, or other health professionals). It did this to inform its own litigation strategy in relation to dormant cases.

The internal review confirms that, in six instances, medical reports from clinicians were found in the Department of Health’s files.

Further, Conleth Bradley said that he had reviewed a large sample of the spreadsheets retained by the Department and agreed with Mr Corr that "some of the information contained in the spreadsheets is sensitive and in some cases refers to what are distressing circumstances".

Shane Corr is a senior civil servant within the Department of Health

If this information was not sought directly from clinicians, how did the Department obtain it?

The two reports from the Department do help explain how its processes worked. The internal review spells out that, in practice, "service updates were sought from service managers in the HSE" – as opposed to directly from clinicians. And this is supported by the senior counsel report, which said contact had been between the Department and "HSE management". So, in most cases the department didn’t need to source the information "directly" because it was able to get it indirectly.

One of the case studies, where a detailed medical report from a clinician was sent to the Department, gives further indication how individual service updates were gathered. In June 2017, the Department of Health emailed the HSE’s relevant Community Healthcare Organisation (CHO), looking for an update on a particular case. Community Healthcare Organisations are geographic zones that break up the HSE to coordinate services like mental health teams and social workers.

In this case, the Department received a reply directly from the CHO with a service update – but it also got an email from the clinician. In the email, seen by RTÉ Investigates, the clinician said: "I have been asked by my managers to provide you with clinical information about a patient [name removed], is he and his parents aware of this and has consent to release details been given?"

Watch on RTÉ Player:
RTÉ Investigates: The Department, The Data & The Disclosure

The chain of communication was supposed to involve the Department contacting the CHO service manager, who in turn contacted the clinician. The update was to be fed back up to the CHO and then relayed to the Department for its files. As such, there was not supposed to be a "direct" request from the Department to the clinician.

In the case highlighted in the internal review, the clinician initiated direct contact with the Department to raise legal concerns. A Departmental official confirmed consent had not been sought or given; however, the clinician subsequently went ahead and sent a detailed report on a child and its family.

While the Department’s internal review said that, if such direct communication happens again, it should be sent back and not kept on file, the senior counsel’s report gives further insight into the eagerness of the Department to get the updates from the HSE. The report cited one email from 2017 in which Departmental colleagues discussed the effort to collect service updates on people.

In this, a senior civil servant who wrote the email said "we are still chasing up HSE on some details", and went on to thank a staff member "who sought out, followed up, hunted down, chased up, followed up again and obtained the required updates from HSE units around the country, did all the inputting at our end and assisted… closely in analysing each case and developing [Department of Health] strategy proposals".

The internal review says there is no evidence the Department of Health sought updates directly from schools or the Department of Education. How did it obtain class reports on children?

In March, RTÉ Investigates revealed that school reports on some children were retained and were accessible in the Department of Health files. The internal review concludes that "there is no evidence that the Department of Health sought updates or reports on plaintiffs directly from Schools or the Department of Education."

The words "sought" and, again, "directly" are operative words used in the context of the reports’ findings. The Department has confirmed that its files contained information gleaned from children’s school reports. But it says it had not "sought" this data. Rather, it just received it "in the normal way".

The Department of Health was copied in on communications sent by the Department of Education to the Chief State Solicitors’ Office, which was a co-defendant in some of the legal cases. This information was then retained by the Department.

As such, the Department of Health contends that it did not receive this information "directly".

Further, Mr Bradley’s report details a memo and correspondence from September 2016 and January 2017 involving both the Department of Health and Education.

This devised the strategy for closing off cases and the development of spreadsheets to retain details on the cases, including columns such as "personal information regarding the plaintiff".

While the internal review maintains that the Department of Education was merely copying in the Department of Health, this indicates that the Department of Education was involved at the outset in devising the strategy.

Both reports confirm the use of spreadsheets to process and store information on children

Separately, documents reviewed by RTÉ Investigates show that, as part of the co-operation between the Department of Health and the Department of Education, a file of all updates on the children involved was prepared by the Department of Education in May 2017.

As part of an agreed strategy, the Department of Health was responsible for "amassing" this material and sharing it back with the Department of Education.

This means that, while information was not "sought", there was an arrangement in place to share the information without any request needing to be made.

Last month, the Department of Health said the expert review found "the information sharing to be entirely lawful".

The senior counsel’s report said that, in terms of an update in the context of litigation in dormant cases from November 2015, the information was " broadly typical" of the kind of information kept on files, and the "sort of information" that is canvassed in proceedings. Some of these cases had lain dormant for more than a decade with no activity during that time.

Mr Bradley’s report refers to the fact that in the summer of 2017 legal advice was sought by the Department on the sharing of sensitive personal information by State bodies without the knowledge or consent of the people involved, but he had not been given sight of this advice.

The senior counsel recommended the Department make its legal advices available.

The Department’s subsequent internal review does not make the advices available either, but it includes a footnote that says "legal advice was sought and received August 2017 which confirmed that the Department was entitled to rely on the relevant sections of the Data Protection Acts 1988-2003".

It is RTÉ’s understanding that advice was sought in January 2018 as to whether or not it was lawful for the Department to obtain information in this informal manner, in a context where the Department of Health was not managing the litigation, but appeared to play a peripheral role, and in situations where the primary defendant appeared to be the Department of Education or the HSE.

In a separate section of the internal review, it refers to advice that was received "following the entry into force of the GDPR" in May 2018.

This advice says the Department should "check with the HSE in the first instance" and, where the HSE was of the view that it was "not lawful or appropriate" to share information, this fact should be logged on the spreadsheet.

As such, it appears that the Department of Health put the onus of determining the lawfulness of the information sharing on the HSE.

What did the reports say about the practice of information sharing in litigation?

The Senior Counsel’s review states that a significant reason for sharing the information was to assist the Department in deciding whether it was advisable to contact the parents against the backdrop of long dormant cases.

Does this objective justify the informal, regular, and updated access to and sharing of information, in such cases, where presumably to seek this information through formal channels would have re-activated an otherwise dormant case?

The Department’s own internal review states that "as a matter of proper administration of legal proceedings, it is incumbent on the State to ensure that cases do not remain dormant".

However, the Senior Counsel’s review refers to a draft discussion document from March 2009, on possible alternative legal strategies, that seems to contradict the Department’s stated position of cases not remaining dormant.

The text of the document is redacted in Mr Bradley’s report. However, RTÉ Investigates has seen the unredacted version. It states: "Standing advice on most inactive cases is not to reactive them. However, cases inactive over 2 years might be subjected to an annual strategy review to make positive decisions on letting the matter lie or seeking to have the cases struck out for lack of proceedings."

An ongoing statutory inquiry by the Data Protection Commission may resolve some questions

Does a common interest justify or excuse the informal sharing of information between state bodies who are separate defendants in litigation involving dormant cases?

The internal review states that the HSE is under the "aegis" of the Department of Health. However, the HSE appears to manage its own litigation itself and, in some cases, through external solicitors.

Both reports note that the nature of the information itself is "consistent with" and "typical" of the sort of information that arises in litigation. This may be correct. However, one can legitimately ask whether the sharing of such information in an informal manner between state bodies is appropriate, transparent, and consistent with GDPR/data protection principles?

Would those who legally represent an individual/plaintiff reasonably know or expect that the Department of Health would have informal and updated access to HSE information concerning that individual, or indeed information from the Department of Education?

It was clear that the information updates from the likes of the HSE gave the Department of Health a unique advantage when deciding how it would deal with its own litigation in each case. For example, the Department of Health would know as to whether an individual plaintiff was satisfied with a service provision or not. If the person was, then presumably the Department could approach the plaintiff’s solicitor to settle or to have proceedings discontinued.

The Department has not published the legal advice that it received in 2017 or the advice it received in response to its subsequent request in January 2018.

If the Department of Health obtained the information unlawfully, then all subsequent processing of the data – which would include storage of the data in spreadsheets – after GDPR came into force would also be unlawful.

Ultimately, this is likely to be resolved by the ongoing statutory inquiry set up by the Data Protection Commission, which has already sent authorised officers with powers to review the files to the Department of Health.

What did the Department's internal review say about the "secret dossiers" on children with autism?

The internal review says there is "there is no evidence that the Department of Health was secretly compiling dossiers on children with autism involved in Special Education Needs litigation as alleged". There are a couple of key words to deal with here – and they paint a different picture.

The first is the word "secret". This is not dealt with in the internal review or the senior counsel report. In terms of seeking consent from the parties, the internal review clarifies that, if the HSE felt consent was needed, then the information would not be requested. Template letters seeking case information from the HSE, which are set out in the internal review, detail the terms by which data on children was gathered. These end with the line "this is not a request to contact any of the plaintiffs involved in the litigation or their families or legal advisors and indeed we would request you not to do so in connection with this request".

The second important word in the review’s finding is "dossiers". This is a case where it helps to read both reports together and reflect on the definition of the word "dossier" (which, in its ordinary meaning, is "a collection of documents about a particular person, event, or subject"). The senior counsel’s report is clear about what is kept: these are files and spreadsheets with "sensitive" and in some cases "distressing" information. The internal review gave further clarification that "the documents retained by the Department in relation to these cases comprise of the individual case files which may be both electronic and paper versions and the case management spreadsheets".

Watch RTÉ Investigates: The Department, The Data & The Disclosure on RTÉ Player.