The Health Service Executive (HSE) and other health service providers must ensure that all data is processed and controlled in line with the principles of the GDPR and relevant Irish legislation.
However, as the Data Protection Commission has highlighted, GDPR is not intended to stop or hamper the legitimate, lawful use and sharing of personal data. The GDPR is a ‘principles-based’ piece of legislation that sets out certain high-level rules, consisting of limitations and obligations, addressed to those who process personal data (data controllers). At the same time, it also gives individuals whose personal data are processed (data subjects) a range of rights to help them control how their personal data is used and ensure that these uses are both lawful and transparent.
Confusion can arise in some instances, primarily where data controllers do not fully understand the GDPR or have been given incorrect advice. In the circumstances identified by the Deputy, there is clearly a need to first analyse whether, in fact, there is a legal impediment under the GDPR to the activities in question. As this is a service matter, I have asked the HSE to respond directly to the Deputy.