13th November 2020
DRAFT: NOT FOR UNIVERSAL CIRCULATION
This document contains some recommendations for individuals contacted by the Mother and Baby Homes Commission of Investigation in relation to redaction of personal data from its archive, some background information on how the Commission appears to be failing to meet its data protection obligations, and actions which should be taken by the Commission to remedy this.
The Commission of Investigation is beginning to contact individuals in line with its obligation under Section 6 of the Commission of Investigation (Mother and Baby Homes and certain related Matters) Records, and another Matter Act 2020 to allow individuals who gave evidence or any document to the confidential committee of the Commission to “make a request in writing of the Commission to redact from that evidence or document all personal data relating to that person before that evidence or document is deposited with the specified Minister”.
It has come to our attention that the Commission of Investigation is contacting individuals by telephone and inquiring whether they wish to have their personal data redacted from the archive. This is an inappropriate way to go about this and does not meet the transparency standards of the GDPR.
It is also a rather inauspicious start to what we were led to believe would be a new approach to data subject rights by the state, one which is compliant with the Charter of Fundamental Rights of the European Union and the General Data Protection Regulation.
In its statement of the 28th October [1] the government said it “acknowledges and regrets the genuine hurt felt by many people across Irish society.”
[1] Department of the Taoiseach: ‘Government Statement on Mother and Baby Homes’ (published 28th October, last updated 5th November 2020)
The Taoiseach added to this on the 4th November in the Dáil, stating that the government “is determined to take the necessary actions to ensure those concerns are dealt with in a manner that is timely, appropriate and focused on the needs of victims and survivors.”
While the focus in the government statement and subsequent answers to parliamentary questions has been on the Department of Children, Equality, Disability, Integration & Youth Affairs and Túsla, the Commission of Investigation remains in being and is carrying out processing operations on the archive in advance of its transfer to the Minister of Children, Equality, Disability, Integration & Youth Affairs.
The definition of processing in the GDPR includes a wide range of activities including storage and redaction. [2]
[2] GDPR, Article 4 (2): “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
All personal data must be processed in accordance with the principles in Article 5 of the GDPR. Of particular relevance here are the principles of fairness, transparency [3] and accountability. [4]
[3] GDPR, Article 5.1 (a): “Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);”
[4] GDPR, Article 5.2: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
This is a new processing operation which should be accompanied by information about the consequences of the processing and all the other conditions for transparency. Data subjects have a right to be fully informed.
Information in plain English [5] which makes it easy “to determine in advance what the scope and consequences of the processing entails and that they should not be taken by surprise at a later point about the ways in which their personal data has been used.” [6] must be provided.
[5] GDPR, Recital 39: “The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.”
[6] European Data Protection Board: ‘Article 29 Working Party Guidelines on transparency under Regulation 2016/679’, as last revised and adopted 11 April 2018, paragraph 10
This information must be easily accessible. “The ‘easily accessible’ element means that the data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it …” [7]
[7] European Data Protection Board: ‘Article 29 Working Party Guidelines on transparency under Regulation 2016/679’, as last revised and adopted 11 April 2018, paragraph 11
If sufficient information had been provided by the Commission before it began to contact individuals this situation could have been avoided.
“The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing. This is clear from Article 12 which provides that transparency applies at the following stages of the data processing cycle:
before or at the start of the data processing cycle, i.e. when the personal data is being collected either from the data subject or otherwise obtained;
throughout the whole processing period, i.e. when communicating with data subjects about their rights; and
at specific points while processing is ongoing, for example when data breaches occur or in the case of material changes to the processing.” [8]
[8] European Data Protection Board: ‘Article 29 Working Party Guidelines on transparency under Regulation 2016/679’, as last revised and adopted 11 April 2018, paragraph 5
Immediately publish comprehensive information on its website about the proposed redaction activity as required by Articles 12 and 13 of the GDPR. This information should be informed by the European Data Protection Board’s Guidelines on Transparency and Guidelines on Data Protection by Design and Default. This should be done before any process to identify personal data to be redacted under Section 6 is started.
As the Commission will remain in being until the end of February 2021, clarify its position in regard to Article 15 Subject Access Requests made between now and the date at which it will be dissolved. In the past the Commission has operated a policy of blanket refusal of Subject Access Requests. Given the government’s new approach and acknowledgement that state data controllers have to meet their obligations to allow data subjects to exercise their data protection rights, it is important that the Commission make it clear to those whose personal data it is processing what its position is.
If the Commission is continuing to operate this policy of blanket refusal to give individuals a copy of the personal data relating to them which is held by the Commission then it is difficult to see how any individual can make an informed decision about whether or not they would like this information redacted.
In order to comply with principles of lawfulness, fairness and transparency, data subjects have to understand what it is they are agreeing to have redacted.
Publish a copy of the consent form being used. While consent may not be the lawful basis under GDPR which is being relied upon for this processing operation, the GDPR provides conditions for consent which could be used in this case. [9] Most importantly in this situation, any consent given must be informed. This is also an element of transparent processing.
[9] GDPR, Recital 32: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her”
Describe the envisaged scope of redactions. Hypothetical examples may be a good way of doing this.
As part of this description, resolve the differences between what is stated on the Commission’s website – “If you want to have your name removed, you need to tell the Commission this in writing.” – and what is in Section 6 of the Act – “all personal data relating to that person”. The Commission is fully aware that personal data means far more than simply names.
If special categories of personal data are being redacted then explicit consent is required.
To meet its accountability obligations, describe the technical and organisational measures implemented for this new processing activity, as required by Article 25 GDPR, Data Protection by Design and Default. [10]
[10] Recital 78, GDPR: “The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of … transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing”
This should include clarification of the Commission’s position on how redactions will be applied to records containing the personal data of more than one person, and how the Commission will respond to Article 18 Requests for Restriction of Processing.
Provide the same transparency information as on its website in hard copy along with the consent form to any data subjects who have expressed an interest in having personal data redacted.
Commission of Investigation (Mother and Baby Homes and certain related Matters) Records, and another Matter, Act 2020
Regulation (EU) 2016/679 (General Data Protection Regulation)
European Data Protection Board: ‘Article 29 Working Party Guidelines on transparency under Regulation 2016/679’, as last revised and adopted 11 April 2018
European Data Protection Board: ‘Guidelines 4/2019 on Article 25 Data Protection by Design and by Default’, adopted October 2020
European Data Protection Board: ‘Guidelines 05/2020 on consent under Regulation 2016/679’, adopted May 2020
Department of the Taoiseach: ‘Government Statement on Mother and Baby Homes’ (published 28th October, last updated 5th November 2020)