Data Protection in the Department of Health
The Data Protection Acts 1988 and 2003 are designed to protect people’s privacy. They give effect to the Council of Europe Data Protection Convention. The Acts confer rights on individuals in relation to the privacy of their personal data as well as responsibilities on those persons holding and processing such data.
Personal data means data relating to a person who is or can be identified either from the data itself or in conjunction with other information that is in, or is likely to come into, the possession of the Department. It covers any information that relates to an identifiable, living individual. This data can be held on computers or in manual files.
The Department’s Obligations
The Department’s obligations under the Act are that:
- Data must be obtained and processed fairly;
- Data must be accurate, complete and, where necessary, kept up to date;
- Data must have been obtained only for one or more specified, explicit and legitimate purposes;
- Data must not be further processed in a manner incompatible with that purpose;
- Data must be adequate, relevant and not excessive in relation to the purpose for which they were collected or are further processed;
- Data must not be kept for longer than is necessary for that purpose;
- Appropriate security measures must be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing;
- All personal data held by the Department must be registered with the Data Protection Commissioner.
The Department owes a duty of care to the data subjects concerned, i.e. it must take care not to cause damage or distress to any of its customers by, for example, maintaining inaccurate information on file or disclosing personal data to someone who is not entitled to this data.
The Department takes its obligations very seriously and adopts the strongest line in relation to the misuse of customer information by any of its staff. Any breach of trust with regard to the confidentiality of information is treated as serious misconduct and may result in disciplinary action up to and including dismissal in accordance with the terms of the Disciplinary Code.
A Data Protection Code of Practice was drawn up by the Department and approved by the Data Protection Commissioner during 2014. The Code of Practice reflects best practice in protecting personal data held in the Department. Read the Data Protection Code here.
Access to Personal Data
An individual can make a data protection access request by writing to The Data Protection Officer, Department of Health, Hawkins House, Dublin 2. A request should be as specific as possible, to quickly identify where the particular data is held. A response to an access request will issue as soon as is possible and in any event within forty days. It should be noted that individuals who seek access to their personal records under the Data Protection Acts must pay a minimum fee of €6.35.
Additionally, the Freedom of Information Acts grant every person a right, subject to certain restrictions, to access information held by Government Departments, agencies and other designated bodies in receipt of State funding. The Acts also allow for persons to seek access to their own personal data held by such bodies. There is no fee for this access to personal information. An individual can make a Freedom of Information request by writing to the Freedom of Information Section, Department of Health, Hawkins House, Dublin 2. A request should be as specific as possible to quickly identify where the particular data is held.
Exceptions to the right of access
Sections 4 & 5 of the Data Protection Acts set out a small number of circumstances in which the right to access personal records can be limited. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand. For example, the right of access to medical data is restricted in some very limited circumstances, where the health and mental well-being of the individual might be affected by obtaining access to the data. The right to obtain access to examination results and to see information relating to other people is also curtailed.
Further information about an Individual’s Rights under the Data Protection Act
The Data Protection Commissioner’s website (www.dataprotection.ie) offers an explanation of the rights and responsibilities under the Data Protection Acts, and information is also available from the Data Protection Commissioner’s Office.
You can contact the Data Protection Commissioner’s Office by email or by phone 1890 252231.