Inquiries concerning the Health Service Executive

(IN-19-9-1 & IN-19-9-2)

Date of Decisions: 18 August 2020 & 29 September 2020

The DPC commenced inquiry IN-19-9-1 in respect of one personal data breach notified by the HSE to the DPC. The personal data breach occurred when documentation containing the personal data of 78 individuals, including special category personal data in respect of 6 of those data subjects, was disposed of in a public recycling centre. The list was created in Cork University Maternity Hospital, but was discovered by a member of the public in a public recycling area in Cork County.

  • The decision found that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data.

The DPC commenced Inquiry IN-19-9-2 in respect of a personal data breach that the HSE notified to the DPC on 1 May 2019. The personal data breach occurred when a member of the public found documentation that contained the personal data of 15 data subjects, including data relating to clinical information and treatments received. The documents were created in Our Lady of Lourdes Hospital, but were discovered by a member of the public in their front garden.

  • The decision found that the HSE infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data.

The corrective powers exercised:

  • Decision IN-19-9-1 imposed an administrative fine of €65,000 on the HSE for its infringements of Articles 5(1)(f) and 32(1) of the GDPR.
  • Decision IN-19-9-1 ordered the HSE to bring its processing operations regarding the use and disposal of hardcopy documents containing patients’ personal data into compliance with Articles 5(1)(f) and 32(1) of the GDPR.
  • Decision IN-19-9-1 issued the HSE with a reprimand in respect of its infringements of Articles 5(1)(f) and 32(1) of the GDPR.
  • Decision IN-19-9-2 did not exercise further additional corrective powers in light of how decision IN-19-9-1 addressed the circumstances of the same infringements as were subsequently also identified in decision IN-19-9-1. Both decisions also concern the same processing operations, undertaken by the same controller, and concern the same time period.

For more information, you can download a copy of the full decision at this link: Health Service Executive - August and September 2020 (PDF, 1,866 KB).