Data Protection and GDPR Update


The 25th May 2019 marked the first anniversary of the implementation of the General Data Protection Regulation (“the GDPR”). A review of how GDPR has been implemented and operated in individual member states demonstrates proactive engagement of data subjects with the GDPR complaints framework. It also shows that national data protection authorities have been very active role. In the case of Ireland for example, between the 25th May 2018 and 31st December 2018, there were 2,864 complaints made to the Data Protection Commissioner (DPC) regarding alleged data breaches. Overall, 3,542 data security breaches were identified.

Under the GDPR, data controllers are obliged to notify the DPC of data breaches and 3,687 such notifications were received by the Data Protection Commissioner’s office, 84% of which related to unauthorised disclosure of data.

While it is too early at this stage to assess the development of a pattern of case studies or litigation arising from the rights and obligations under the GDPR, there have some decisions by national data protection authorities which are of interest for healthcare professionals and healthcare institutions.


GDPR breach and complaints case studies

In July 2018, the Portuguese data protection supervisory authority imposed a fine of €400,000 on the Barreiro Hospital for three breaches of the GDPR. A reported GDPR breach was made by the national Medical Council.

Firstly, the Portuguese data protection supervisory authority found there to be a breach for the wide extent to which patient data could be accessed by a wide-ranging number of hospital employees. Secondly, hospital management did not apply organisational measures to prevent unlawful access to personal data. At the root of the investigation was the apparent extent to which non-medical staff could access medical data on the hospital system particularly as 985 system users were categorised on the system as “medical” user, notwithstanding the fact there were only 296 physicians working at the hospital. There were a number of significant factual findings giving rise to this decision, including that:

  • There was no organisational safeguard for the creation of system users for certain categories of data;
  • There was no limitation on clinicians in one medical speciality having access to patient data held in another speciality department;
  • There were active system access profiles still in existence for clinicians who no longer worked at the hospital, and;
  • Up to 9 members of the technical staff had access to all medical data across the hospital.

The authority found that there were breaches, including under Article 5 of the GDPR, of the requirement of “data minimisation” – which provides that personal data should only be processed to the extent that is necessary. In addition, the authority found that there was a breach of the “data security” principle – the requirement that data be processed securely and that the data controller implement appropriate technical and organisational measures to ensure a level of security adequate to the risk.

The decision highlights that compliance with data protection obligations must be reviewed on an ongoing basis. Procedures must be adopted, and adhered to, in order to ensure that there is ongoing and active review of the necessity for the processing of data and also of the need for certain categories of staff members to have access to such data.   

This decision is one of which healthcare professionals and healthcare institutions across the EU/EEA should take notice. Healthcare institutions will already be aware of the Irish Data Protection Commissioner’s Report released just prior to implementation of GDPR on 21st May 2018 on “Data Protection Investigation in the Hospitals Sector” which highlighted a number of concerns, some of which are not dissimilar to those in the Barreiro Hospital case.


GDPR and Health Research regulation in Ireland

Another area of relevance for healthcare institutions is the implementation of the Data Protection Act 2018 (Section 36(2))(Health Research) Regulations 2018 (“the Health Research Regulations”) on the 7th of August, 2018, which introduced a framework to regulate the processing of personal data, specifically sensitive and health data, for medical research purposes in the context of the GDPR. The Health Research Regulations provide for a number of significant preconditions and developments for the lawful processing of data for health research purposes, including:

  • a definition of “health research” which includes research in the categories of medical treatment and diagnostics, health care systems and health products;
  • an obligation to comply with “suitable and specific measures” in processing personal data including obligations regarding governance of research, the necessity of the processing to the achieve the aim of research, control of, and access to data;
  • the requirement to obtain informed and explicit consent from the data subject to the use of personal data for specified health research projects and uses;
  • the establishment of the Health Research Consent Declaration Committee (“HRCDC”), the functions of which include the power to provide a declaration permitting the processing of personal data for health research in the absence of express consent of the data subject where the public interest in undertaking the research “significantly outweighs” the public interest in requiring the consent of the data subject.

It is noteworthy that the necessity for express consent of the data subject is not required by the GDPR Regulation but has been introduced by national regulation in Ireland.

The HRCDC has attached conditions to such declarations to process data for health research and an assurance that anonymisation of data be completed by destroying the original documents and records containing the original personal data. This has been a key factor and condition in at least two applications in 2019.



Whilst some data controllers, including healthcare providers, may still be coming to terms with the extent of their obligations under GDPR and national data protection legislation, it seems that individuals are more cognisant of their personal data rights under GPDR and are not shy about submitting a complaint where they consider a breach of GDPR has taken place. It is likely that the Data Protection Commissioner will take a proactive approach to enforcement of data protection law. Healthcare institutions need to ensure that robust processes and appropriate measures are in place to ensure the highest standards of compliance with the law.

For more information on GDPR and Data Protection, contact Emily Sexton, Partner, or Barry Murphy, Solicitor at Comyn Kelleher Tobin.