Call McGarr Solicitors on: 01 6351580

HSE has no record of legal advice re Health Identifier scheme

I have previously written about why I think the CJEU’s Bara Judgment makes Section 8 of the underlying Health Identifier Act illegal. (This is the Section that allows the state to try to pool the info they hold on citizens in other databases to populate this new one.)

An FOI reply has now been sent on to me about the Individual Health Identifier scheme. I am surprised to see an acknowledgement that, despite the extreme sensitivity in creating a new database of the population for medical use, the HSE has no record of any legal advice on the scheme, no assessment by their Data Protection officer of the scheme and, perhaps most perplexingly given the HSE’s repeated assurances that they have been engaged with the Data Protection Commissioner’s office, they have no records of any Data Protection Commissioner Office engagement on this project.

The reasons for refusing the release of the only category of document that actually exists are unsupportable, but that is almost becoming too common to bother remarking on.

Full reply below.

FOI Refusal for IHI Redacted

What’s the prognosis for Health Identifiers after the Bara Judgment?

The Irish State loves a good database, as regular readers will know.

I was doing the washing up recently, listening to the video of a recent event in TCD’s Science Gallery when I heard about the latest one.

A store of electronic health records for women and infants, starting in four maternity hospitals in the new year. This is a subsection of the wider eHealth project being run by the HSE, which also includes the Individual Health Identifier database system.

There was a problem connecting to Twitter.

The Health Identifier Act 2014 provides the statutory basis for the creation of this database which is intended to eventually take in everyone born or resident in Ireland, citizen or not. To build this (latest) national identity database, the Government has spared itself no power. The Minister for Health has been given the power to take information from every other database within the reach of any part of the Government. Section 8 of the Act reads;

A Minister of the Government may, solely for the purpose of establishing, or maintaining the accuracy of, the National Register of Individual Health Identifiers, provide the Minister with an individual’s other identifying particulars and the Minister may use any such particulars so provided for that purpose.

The Department of Social Welfare’s register of PPS numbers, the Department of Education’s Primary and Post Primary Online Database, the Department of Environment’s Local Property Tax… personal data from all of them now combined into a single database.

We know this has already happened because Richard Corbridge, the official charged with bringing in the eHealth project, has confirmed that the data transfer has already taken place and that the IHI database is populated with a full cohort of real citizens’ data.

All of which is to say that this is a plan with far reaching consequences for the whole population, involving what most people would agree is the most sensitive of sensitive data.

All of which makes the impact of the recent judgment by the CJEU in the Bara case all the more significant.

The Irish Times has a report today arising from my questions on Twitter to Mr. Corbridge (which he admirably engaged with) on the new ruling forbidding the transfer of people’s personal data between state agencies without giving people prior notice of the intention to do so. I asked how Section 8, above, could be legal in the light of that judgment.

There were the usual reassurance statements made- The Dept of Health has legislation and, of course, the Data Protection Commissioner is happy.

Later, however, he confirmed that as a result of legal investigation the Department of Health is now ‘seeking advice’ on the impact of the Bara judgement before taking their next steps in the Health Indentifer project.

Section 8 of the Health Identifiers Act is now profoundly challenged by the CJEU’s finding of what is acceptable manipulation of private data by States under the EU Charter. And, more broadly, I would question the focus on patient privacy of a project where the Privacy Impact Accessment is still only in draft form at a time when the database has already been fully compiled and filled with our personal data.

The recent example of the UK’s Care.data project should give pause to the Department of Health in treating the question of patient privacy and consent as an afterthought. There, a multi-million pound project simply came off the rails as it became clear the patients did not trust officials to respect the privacy of their medical history.

Dr. Ben Goldacre, writing in the Guardian, set out the stakes if patient trust is lost in dealing with their medical data.

This breaks my heart. I love big medical datasets, I work on them in my day job, and I can think of a hundred life-saving uses for better ones. But patients’ medical records contain secrets, and we owe them our highest protection.

Time to Remember

Jean Claude Juncker has cited previous refugee crises in proposing the settlement of Syrian and other refugees in the EU.

He needed to look no further back in time than to 1945, and to look at Europe itself.
In preparation for administering Nazi-dominated Europe, the Allies estimated that 11.469 million people were “refugees” in Europe, with 7.738 million of them being in Germany itself. (Many were slave labourers in the Reich). The European nationalities were represented in the following proportions:

2.3 million French;
1.840 million Russians;
1.403 million Poles;
500,000 Belgians;
402,000 Dutch;
350,000 Czechs;
328,000 Yugoslavs;
195,000 Italians;
100,000 from the Baltic states;

(From “The Long Road Home” – Ben Shephard; The Bodley Head 2010, p. 59)

Why does my Conveyancing take so long?

The reply to the question is, to some degree found in a quip; how long is a piece of string? Another reply is found by looking at my solicitor’s reference bookshelf. The title of one book – “Contract and Conveyance” jumps to my eye. Making the contract precedes the conveyancing.

What has a contract got to do with, ultimately, the registration of land ownership? A lot, is the answer. For starters, a contract for the sale of land (and buildings or structures like them) is an exception in
the law of contract. Such a contract cannot be enforced unless it is in writing signed by the relevant person or his/her agent. You could buy and sell a jumbo jet without such a restriction.

So, what does the written contract look like? It could take almost any form, as long as it is in writing and says the necessary minimum of things. It could fit on a sticky note.

Would you be happy to sign a contract embodied on a sticky note? You would not, and neither would your solicitor be happy if you did so. Your solicitor would like to add quite a lot to the contract. Well, she would if she were qualified to do so. To reach that level of qualification requires many, many years of experience, more than the average solicitor will ever get.

Luckily, all the necessary years of experience have been culled from the past; they are found in the Law Society’s form of contract for the sale of land. That form of contract is revised from time to time to take
account of changing conditions. Sometimes, the conditions change before the next edition issues. That’s where your solicitor starts to earn her fee. She has to ensure that the contract as signed by you reflects such a change.

The Law Society contract expresses the basis for asking questions about the title of the vendor. Even a contract on a sticky note will lead to such questions, known as “requisitions”. However, the requisitions on the sticky note contract will be inadequate because most appropriate queries
will be precluded from being asked, or, if asked, the sticky note contract will not oblige the vendor to answer them. (It would be a good test of the skill and knowledge of a solicitor to see how many requisitions she could justify, in law, under a sticky note contract).

Identifying the basis for a requisition is important. If that cannot be done, the reply “declined”, may shut the issue down. Or, the vendor’s solicitor may have drafted the contract to allow such a reply to be validly given. Which is another way of saying that the purchaser’s solicitor should ensure, before the purchaser signs, that such a reply cannot be validly given under the terms of the contract.

Wow! Who are these solicitors?

Nobody special. They work in offices just down the road from where their clients live. Nevertheless, they have to pay attention to the ordinary mundane task of getting the clients from the agreement to sell and buy to the point where the property changes hands without a destructive expensive
row in between. To do that requires the solicitors to pay attention to the process. (A very expensive High court lawsuit, and Supreme court appeal, arose from a failure to appreciate the significance of “Vendor says no” when given in reply to a requisition). Excessive speed could damage the process. The process involves the exchange of documents between solicitors and the documents must
first be created. That takes a minimum amount of time. The process is intended to uncover problems, if they exist. If they exist it will take yet more time to remedy them (if they can be remedied).

As a rule of thumb, the process of completing the sale and purchase of a standard suburban house should be complete in six weeks from the signing of the contract by the purchaser. (Only when the process ends satisfactorily do we know what “a standard suburban house” is).

Safe Harbour Decision ruled invalid by CJEU

16340819563_2544706777_o.jpgMax Schrems took his case when the Irish Data Protection Commissioner refused to accept his complaint that Facebook was transferring his data to the US, where he did not believe it was being treated in accordance with EU data protection law.

The Commissioner rejected the complaint on the basis that it was “frivolous and vexatious” as they had no power to second-guess a EU commission decision that the Safe Harbour scheme between the EU and US provided ‘adequate’ protection.

Today, the Europe’s top court, the Court of Justice of the European Union (CJEU) has ruled that Decision invalid and, in a strong statement on the paramount need for Independent data protection authorities, is reported

“the Irish supervisory authority is required to examine Mr. Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the [Data Protection] directive, transfer of the data of Facebook’s European subscribers to the United states should be suspended”

McGarr Solicitors represented Digital Rights Ireland who were a party to these proceedings in the Irish High Court and before the Court Justice of European Union. We argued at both court levels that the Commission’s Safe Harbour Decision should be assessed in the light of the Charter of Fundemental Rights. Today, the CJEU took the same position.

Judgment below

CJEU Judgment Schrems Case on Safe Harbour

After Bara: All your (Data)base are belong to us

“The Government has announced a database to…”

My heart now sinks when I see these words. IT solutionism has a mesmerising power over governments everywhere but seems to exercise particular power over the Irish State. It allows them to announce a crisp remedy for a (frequently mis-defined) problem. All they need do is spend public money and through the magic of computers and surveillance tech they can assert they can actually get rid of that problem.

However, a very significant decision this week from the Court of Justice of the European Union (the EU’s top court, whose decisions are binding on member states) may force a change in government behaviour.

Asked to rule on the legitimacy of the Romanian government’s laws allowing for citizens’ data to be shared by the government between institutions without the knowledge of the person whose data it is, the Court delivered an emphatic decision.

Articles 10, 11 and 13 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, must be interpreted as precluding national measures, such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing.

In the life of this one government alone we’ve seen announced a series of database building initiatives. Not all of them will survive this ruling. The Irish Water database, for example, was assembled from disparate sources on foot of legislative provisions analogous to the Romanian law found illegitimate by the Court.

It will be for the Data Protection Commissioner’s office to take the next move.

***

Let’s build a data base!

The government hasn’t been slow to announce databases as solutions for all sorts of problems. Implementation has frequently proved more complicated.

Rural crime panic? Build a database of car movements through CCTV cameras on motorway exits that read and record number plates.

Want to charge people for their houses?
Build a database of addresses by sequestering info from other state, semi-state and private bodies.

Want to number the population but use it in ways not permitted by the existing PPS numbering system?
Build an entirely new parallel numbering system.

Want to create a new water utility and make everyone pay for it?
Build a database of every man woman and child in the state and try to track where they live from all the other databases you can think of.

Want to have a database of all the children in the state, linked to their PPS number and their mother’s ID for some unexplained reason?
Build a database of all the schoolchildren in the state by threatening to cut off the education funding of any children whose parents refuse.

Do even Intelligence Reports have to pass into history eventually?

Sometimes looking at these files, you can understand that it would be a bad decision to release them.

In particular, the files from An Garda Síochána are going to contain sensitive material. And, files containing Criminal Intelligence Reports (presumably, though I’m no expert, including data from informers) must surely be some of the most sensitive.

And yet.. and yet.

The National Archives Act allows that a file can hold both sensitive and non-sensitive historical records and, for a S8(4) certificate to issue, the certifying officers affirm that file can’t be made public “in whole or in part”.

What can we make of a series of Certificates granted in respect of Criminal Intelligence Reports files which all run from 1922 to the mid-1980s?

Should information and records which were created 92 years earlier- about people who would all now be into their second century if still alive- really be treated the same as records created a scant 30 years ago?

Perhaps they should. I don’t have access to the records. And perhaps there is an argument that such records ought not be captured by the National Archives Act at all. Perhaps no amount of time can pass before revealing the content would not be “contrary to the public interest”, a “breach of good faith” and “might cause distress or danger to living persons”.

If so, there is an argument for an amendment to the Act to exempt them. But, on the other hand, is it right that historians should never know the contents of those files?

The Oireachtas included the files within the ambit of its legislation. Presumably, it was intended that some day they should pass into history.

The question is, how long is long enough?

These are all secret ditches. Stop looking at them.

Part of the reason I asked for these files was because I was curious as to how reflexively the state would want to keep things secret. The thirty year rule was set so that we could understand our own recent history and historians could, in future, make sense of the broader narrative of the State’s development.

In a way, from my small 4-year sample, there’s an indication that, at least when it comes to historical documents, most departments aren’t trying to avoid their duties to history under the National Archives Act.

But, I was surprised to find one department had decided it simply couldn’t allow a range of files to be released- files that were, not thirty, but frequently over fifty years old.

The Department of Transport’s Airport division, for whatever reason, doesn’t think that details of (lots and lots of) contracts going back to the 1940s for the digging of ditches & the laying of wires are ready for the public gaze.

The Department of Foreign Affairs has a secret file on Shergar

I’m not sure I really need to say much more than that here.

Seriously, a secret Shergar file, from the Irish Embassy in London. Who could resist?

The info in file 3/175 runs from 1983 to 1984.

I guess, seeing as Iveagh House isn’t going to tell us, we’ll have to rely on Tesco to spill the beans.

I’m sorry, I can’t tell you about the weather. It’s a secret.

Dealing with these files sometimes throws up questions of balance. After all, you can see why personal data relating to job inquiries or sometimes even sensitive family matters such as adoptions shouldn’t be released heedlessly into the public domain.

But in 2013 the Department of Foreign Affairs decided that file 250/1048, containing “Meteorological Data” covering the years 1953-1981 should be kept secret. The Certificate cites Section 8(4)(a) which requires that the file being withheld shouldn’t be released because it

(a) would be contrary to the public interest,

How this relates to the weather reports from the middle of the last century, and why the Dept of Foreign Affairs kept such a file remains, of course, a mystery.