Tag Archives: Data Protection Commissioner

This afternoon.

Via the Data Protection Commissioner:

As the economy and society continue to open up with the lessening of COVID-19 restrictions, many employers are seeking to understand what information they can process in relation to their employees return to the workplace. In particular, as the rollout of the National Vaccination Programme progresses, the question has been raised as to whether employers can lawfully collect and process information about the COVID-19 vaccination status of their employees.

As a general position, the DPC considers that, in the absence of clear advice from public health authorities in Ireland that it is necessary for all employers and managers of workplaces to establish vaccination status of employees and workers, the processing of vaccine data is likely to represent unnecessary and excessive data collection for which no clear legal basis exists. This is particularly the case when there is no public health advice pertaining to what the purpose of such data collection would be. For example, advice as to what employers would be expected to do with knowledge of vaccination status of workers i.e. to send non-vaccinated workers home or segregate vaccinated and non-vaccinated workers in workplaces?

Specific Employment Contexts

The processing of health data in response to the COVID-19 pandemic, in all contexts, should be guided by the Government’s public health policies. The current version of the Work Safely Protocol: COVID-19 National Protocol for Employers and Workers suggests that there are a limited set of circumstances in which vaccination should be offered as a workplace health and safety measure (as provided for under the Safety, Health and Welfare at Work (Biological Agents) Regulations 2013 and 2020).

There may be further situations, such as in the provision of frontline healthcare services, where vaccination can be considered a necessary safety measure, based on relevant sector specific guidance. For example, the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners states that practitioners “should be vaccinated against common communicable diseases”. In these situations, it is likely that an employer will be in a position to lawfully process vaccine data on the basis of necessity.

Data Minimisation

The Work Safely Protocol: COVID-19 National Protocol for Employers and Workers also states that, “Irrespective of the vaccination roll-out, Public Health infection prevention and control measures (such as physical distancing, hand hygiene, face coverings, adequate ventilation), and working from home unless an employee’s physical presence in the workplace is necessary, will all need to remain in place”.

This makes it clear that there remains a full suite of measures that employers should employ to maintain workplace safety before considering whether knowledge of vaccination status is a necessary measure. In accordance with the principle of data minimisation, employers should implement all such measures that avoid processing the personal data of employees in the first place.

Voluntary Nature of Vaccination

Information about a person’s vaccination status is special category personal data for the purposes of the GDPR. It represents part of their personal health record, and is afforded additional protections under data protection law. The Work Safely Protocol: COVID-19 National Protocol for Employers and Workers states that the decision to get a vaccine is voluntary and that individuals will make their own decisions in this regard. This further suggests that COVID-19 vaccination should not in general be considered a necessary workplace safety measure and consequently, the processing of vaccine data is unlikely to be necessary or proportionate in the employment context.

Due to the nature of the National Vaccine Programme, individual workers are not in control of when they will receive a vaccine, and due to its age-based nature many younger workers will not be fully vaccinated for several months. For these reasons, it is not clear that processing vaccination status can be considered a necessary or proportionate measure in most employment situations. In addition, the long-term efficacy of vaccination in terms of immunity is not yet clear i.e. where new COVID variants may arise, or vaccine top-ups may be required. For these reasons, there does not appear to be a sufficiently evidence based justification to consider that knowledge and processing of vaccination status can be considered necessary in employment at this time.

The processing of personal data in the context of employment takes place in a situation where there is an imbalance between the data subject (employee) and data controller (employer). Therefore, employees should not be asked to consent to the processing of vaccine data as this consent is not likely to be freely given.

Medical Officer of Health

In the course of carrying out their public health duties under the Infectious Diseases Regulations 1981, as amended, a Medical Officer of Health may require access to the vaccination status of employees. This limited type of processing is specifically permissible under data protection law where carried out on a case- by-case basis, subject to the determination of necessity and at the request of the Medical Officer of Heath.

Employees and Travel

Situations may arise where employers need to be made aware of when an employee will be available for work after travelling to Ireland from abroad and undergoing any required periods of self-isolation. It should not be strictly necessary for employee’s vaccination status to be recorded in such instances, rather the employee can be asked to indicate the date on which they will be in a position to return to work.

Processing COVID-19 Vaccination Data in the context of Employment (DPC)

Earlier: Can He Get Lower?

Meanwhile…

Minister for Children Roderic O’Gorman addressing the Seanad, sitting in the Dáil this afternoon

This evening.

The Irish Examiner reports:

The Government has contravened European and Irish law with regard to the accessibility of personal data by voting to seal the records of mother and baby homes for thirty years.

The Data Protection Commission was consulted by the Department of Children ahead of the drafting of the new mother and baby homes bill regarding the Data Protection Impact Assessment it had commissioned concerning the legislation.

In passing the legislation on Thursday evening, Children’s Minister Roderic O’Gorman said that his advice from the Attorney General was that access to the records had been explicitly restricted by the Commissions of Investigation Act 2004.

However the Irish Examiner can reveal that this is entirely contrary to the observations provided to the Department by the DPC.

Meanwhile…

Meanwhile…

More as we get it.

Government breaking the law by sealing mother and baby homes records, says DPC (Cianan Brennan, Elaine Loughlin, Ciarán Sunderland, The Irish Examiner)

Earlier: “I Didn’t Want To Ask Survivors To Wait More”

Yesterday: Simon McGarr: Sealing The Archive Would Be Impermissible In EU Law

Public Services Card; Minister for Employment Affairs and Social Protection Regina Doherty

Further to the Department of Employment Affairs and Social Protection and Minister Regina Doherty publishing the Report of the Data Protection Commission on the Public Services Card last week…

And her department’s intention to challenge the DPC’s findings on the card based on “incredibly strong legal” advice

Dr Eoin O’Dell, a Fellow and Associate Professor at the School of Law, Trinity College Dublin, wrote in yesterday’s Sunday Business Post:

The government’s misguided approach has the capacity to do great damage to Ireland’s reputation as a good location for international tech companies to establish their European headquarters.

A government in such open conflict with the DPC [Data Protection Commission] can have no credibility in seeking to ensure that such companies comply with the commission’s decisions.

Worse, it risks fostering the view that a company unhappy with an unfavourable DPC decision could seek government help to resist that decision.

…This is not the first time that government departments have run afoul of data protection laws.

In 2011, the commission found that blood samples from babies’ heel-prick tests were being unlawfully retained, but in 2013 the Minister for Health ordered the HSE not to comply with the commission’s determination.

The Department of Education has continued with its controversial plans, unveiled in 2014, to collect extensive profiles of all children in education and store that data until they turn 30, notwithstanding the commission’s misgivings.

Dealing from bottom of the deck on the Public Services Card (Eoin O’Dell, The Sunday Business Post)

Previously: The Regina Monologues

Rollingnews

Dublin’s Google Docks in the Grand Canal Dock; extract from Department of Justice submission explaining why Data Protection Commission should be only ‘partially included’ in the Freedom of Information Act

Journalist Ken Foxe tweetz:

If you ever wondered why there is such incredible levels of secrecy surrounding the Data Protection Commissioner, arguably Ireland’s most important state agency. They need to be able to provide “guarantee of absolute confidentiality” to the giant tech firms based in Ireland.

The above is an extract from a Dept of Justice submission explaining why Data Protection Commissioner should be only “partially included” in the Freedom of Information Act.

Will post the full record to @Thestoryie later on.

The Story

Um.

Data Protection Commissioner’s office, Portarlington, County Laois

Louis le Fronde writes:

So according to the Irish Independent , the Irish Data Commissioner is going to investigate Facebook, have you seen their office in Portarlington (above)?  I’m sure Zuckerberg is terrified….

Irish Data Protection Commissioner to probe Facebook’s ‘oversight’ of political targeting on the platform (Independent.ie)

Earlier: A Limerick A Day

CallinSHatWall

You may recall when former Justice Minister Alan Shatter and Independent TD Mick Wallace appeared on RTÉ’s Prime Time on May 16, 2013, to talk about the penalty points report and the appearance of former Garda Commissioner Martin Callinan at a Public Accounts Committee meeting earlier that day.

During their discussion with presenter, Pat Kenny, Mr Shatter accused Mr Wallace of having been stopped while driving by the gardaí in May 2012 and claimed he benefitted from garda discretion.

The Data Protection Commissioner subsequently found Mr Shatter broke the law by disclosing personal information about Mr Wallace on the show.

This morning, RTÉ reports:

Former Minister for Justice Alan Shatter has begun an appeal against a decision of the Data Protection Commissioner that he breached the Data Protection Act.

Mr Shatter says the information about Mr Wallace was given to him orally by the then Garda Commissioner when no other person was present.

He said he did not make any written note of what he was told and retained the information solely in his head.

His lawyers said he was concerned about how the Data Protection Act could be used to regulate information retained solely in a person’s mind.

Alan Shatter begins appeal over Data Commissioner finding (RTÉ News)

Previously: Breaking The Law On Prime Time

How Did He Know?

quartz

Ah now.

The world’s tech companies are coming to Dublin, as the Irish prime minister and his various trade representatives will tell you. Yet every morning, the man in charge  [Data Protection Commissioner] of overseeing how these companies use our data cycles to Heuston station, takes a 50-minute train ride out of Dublin, and walks the last five minutes to his office next to a convenience store in Portarlington, a town of some 7,500 people in the Irish midlands…

They’re laughing at us again.

How a bureaucrat in a struggling country at the edge of Europe found himself safeguarding the world’s data (Quartz)

Public Concern About Access To Personal Data On Rise In Ireland (Elaine Edwards, irish Times)

Thanks Serv