This submission was made today, slightly after the deadline of 3pm.
Nonetheless, I have submitted it for the consideration of the Oireachtas Committee on Health in response to their call for submissions.
I post it here for reference. Printable version can be downloaded here:
Analysis of Part 2: PERSONAL DATA, PERSONAL HEALTH DATA AND PERSONAL HEALTH INFORMATION
By Simon McGarr, McGarr Solicitors
Section 5 (1)
“Nothing in this Act shall be construed as permitting the processing of personal data and personal health data in contravention of the Act of 1988 except to the extent provided by any provision of this Act.”
Comment: The Data Protection Acts are transposition of EU Law (Specifically, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (the Data Protection Directive)) and any national legislative provision which purports to restrict, amend or create exemptions from same are ineffective. The State must be bound by the provisions of the Data Protection Directive and its national transposition in the Data Protection Acts. The Acts permit specific and limited infractions on a citizen’s data protection rights, but only when such a provision is both provided for by law and, and it is important to note that this is an additional requirement, only when such legal provision is necessary and proportionate. (See joined cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Ors)
All of which is to say that, if there is any modification of the Data Protection Acts, which are not already in compliance with those Acts, then they are, by definition, not in compliance with Ireland’s duties to apply EU Law.
This right already exists in Section 6 of the Data Protection Acts. It is common, for example, for Plaintiffs in personal injury actions to make Data Access Requests for their Personal Data from medical providers and to nominate their solicitors to receive same on their behalf. Though it is couched in such a way as to create an additional right (the right to compel the delivery of medical records to a nominated third party), this right is already dealt with in the Data Protection Acts. This section appears to instead seek to create a parallel data access right to that already granted under Section 4* of the Data Protection Acts, but, in sub-Section (2), to purport to create additional requirements upon a data subject in making a request and in subsection (3) to create exemptions from the requirements to respond to Data Access Requests and in subsections (4) and (5) to create further exemptions from the requirement to provide records to a data subject on receipt of such a Request. It is not open to Ireland as an EU member state to create such a divergent data subject access system. Subsection (6), which states that subsections 2-5 of that heading is without prejudice to the rights under the Data Protection Acts simply recognises the legal reality while also rendering subsections 2-5 ineffective. Subsection 8 attempts to define a class of personal data records as not falling within the definition of health records. Again, it is not available to an EU member state to seek to redefine the definition of personal data or classes thereof.
It is not possible to restrict EU Law rights by national legislation, simply by asserting that such a restriction is without prejudice to the EU law rights.
This seems sensible.
No comment on this section
This section is to be welcomed. However, it is not clear that it is helpful to try to create a new category of data “personal health information”. It would be better to use the terms defined in EU law and caselaw- “Sensitive personal data” and “personal data”. Any domestic category will have to be interpreted at some point to identify which EU category it sought to embody.
This is the section most impacted by the decision in the Bara and Digital Rights Ireland cases. This section simply is not in compliance with EU Law as interpreted by the CJEU and should be redrafted to bring it in line with same. In addition, Subsection (5) of this head is an infringement on the Independence of the Data Protection Commissioner, a right derived from the Charter of Fundamental Rights of the EU and the Data Protection Directive.
This section is outside my competency to comment upon.
Subsection (5) of this head is an infringement on the Independence of the Data Protection Commissioner, a right derived from the Charter of Fundamental Rights of the EU and the Data Protection Directive.
*originally, incorrectly, this cited Section 6