Whistleblower claims raise serious issues in areas of privacy and data protection

It would be ‘remarkable’ for patient’s report to be handed over without consent of patient

People are entitled to sue if their data protection rights are not upheld. Photograph: iStock
People are entitled to sue if their data protection rights are not upheld. Photograph: iStock

The claims made by Department of Health whistleblower Shane Corr raise very serious legal and ethical issues in the areas of privacy, data protection, and medical and professional ethics, according to experts in these areas.

Barristers asked about the claims on Thursday said they would like to hear more detail before expressing definitive views on the matter, but were surprised by the suggestion that medical reports might be sought from professionals without the patient’s knowledge or consent.

Even if a service was being provided by the State to a person who had initiated legal action to procure that service, it would be hard to think of a situation where, for instance, a psychologist’s report would be given to the department without the patient’s knowledge or consent, said one senior counsel.

“The only thing the State would be entitled to would be the bill,” said the lawyer, who has been involved in such cases.

READ MORE

If a party is sued and then the case goes dormant, the party being sued is entitled to keep the situation under review, in case the action is revised, and fresh allegations made, another senior counsel said.

“But if they are surreptitiously getting reports because they are the State, then that would raise issues of data protection law, patient confidentiality, and breach of contract.”

The State, when being sued, should not be in a different position to anyone else, he said.

If the State wanted a new psychologist’s report in a case, for example, it should go to the person’s solicitor and have it arranged though the proper channels.

“If the report is prepared for the benefit of the child, then it is not for the State to get a copy from the provider.”

Another senior counsel said it could be the case in litigation that a court order might exist that would make the type of breach of confidentiality being suggested legal, “but intuitively it doesn’t feel right.”

It would be “remarkable” that a medical professional would be asked to hand over a patient report and to not tell the patient.

Initiated litigation

Mr Corr has told RTÉ Investigates that he raised concerns with the department about the continuing collection of confidential data in relation to children with special needs who had initiated litigation which was now dormant.

It is claimed that in one instance at least, a HSE doctor who was asked for a report on a patient raised a query about the legality of the request, and was told consent was not sought and that this was “standard practice” in litigation cases.

Mr Corr said he was told that a senior counsel had looked into his complaint and reported what was being done was “lawful, proper and appropriate”. The department did not give him a copy of the report.

The department, in a statement on Thursday, said it “has never unlawfully held sensitive medical and educational information of children involved in dormant court cases.”

It said it was “normal practice” for defendants to gather and maintain appropriate information in order to obtain legal advice or defend the proceedings, and that the review it had commissioned from a senior counsel had not identified any breaches of the data protection laws.

It did not respond to the claim that medical professionals had been asked to hand over patient reports and to not tell the patient.

Data law expert, Daragh O’Brien, of Castlebridge Associates, said the department asking HSE doctors to hand over information about patients and to not tell the patients, would be a clear breach of transparency principles that apply in relation to data handling.

“If it happened before May 2018, it would be a scandal,” said the consultant, referring to the date of introduction of the EU’s general data protection regulation (GDPR). “It happening after May 2018 means the State has created a whole new line of liability.”

People are entitled to sue if their data protection rights are not upheld. They do not have to show they have suffered harm as a result of the breach.

“This is a very serious issue,” said O’Brien, who often advises public bodies on data rights. “They’ve managed to open a whole new can of worms.”

The department may have been trying to ensure that it was in a position to protect itself against litigation but it has done “all the wrong things for the right reasons”.

He was of the view that it was “inevitable” that if the department was acting as alleged in relation to litigation involving people with special needs, then similar practices would have occurred in relation to other types of litigants.

A senior counsel suggested that if the department commissioned a review that said what was being alleged was lawful, then it should publish that review.