Dear Sirs,
I write further to your letter of the [insert date of reply to SAR letter].
I note that, in response to a Data Subject Access Request made under Article 15 of the GDPR, the Department has acknowledged it holds a number of records relating to my health but has refused to provide them to me.
Your letter, referred to above, cites SI 82/1989 as the basis for this refusal. You state;
These 1989 Regulations mean that the Department is required to consult with “the appropriate health practitioner” before supplying health data to you. The purpose of this is to ensure that a medical practitioner provides an expert opinion on whether or not releasing the health data would be likely to cause serious harm to the physical or mental health of the data subject.
The Department is not entitled to release health data without first consulting with the appropriate medical practitioner.
I write to inform you that the Minister and the Department have misadvised themselves as to the applicable law. You do not cite which regulation the Minister relies upon in making the above refusal to supply data. However, the wording cited partially echoes that of Regulation 5 SI 82/1989.
This Regulation 5 reads;
A data controller who is not a health professional shall not—
( a ) supply information constituting health data in response to a request under the said section 4 (1) (a), or
( b ) withhold any such information on the grounds specified in Regulation 4 (1) of these Regulations, unless he has first consulted the person who appears to him to be the appropriate health professional.
This regulation was amended by Section 68(2)(b)(iii)(III) of Data Protection Act 2018 by ;
the substitution, in paragraph (1)(a), of “a request under the said Article 15 of the Data Protection Regulation” for “a request under the said section 4(1)(a)”,
This Regulation contains no provision in relation to the necessity or proportionality of this interference with to the right of access conferred under EU Law (Art 15 GDPR) and derived from the EU Charter of Fundamental Rights. In addition, it represents a restriction of the essence of the right of access under the Charter.
Regulation 5 of SI 82/1989 is incompatible with EU law, on its face.
Article 8.2 of the EU Charter of Fundamental Rights states:
Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
Article 15.1 of the General Data Protection Regulation states;
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data
Article 15.3 of the General Data Protection Regulation states
The controller shall provide a copy of the personal data undergoing processing.
The European Data Protection Board, in their Guidelines 10/2020 on restrictions to Article 15 rights amongst other rights have stated, at paragraph 38:
Restrictions are only lawful when they are a necessary and proportionate measure in a democratic society, as stated in Article 23(1) GDPR. This means that restrictions need to pass a necessity and proportionality test in order to be compliant with the GDPR
The Court of Justice of the European Union, in case C-73/07, Tietosuojavaltuutettu v. Satakunnan Markkinaprssi Oy and Satamedia Oy, ECLI:EU:C:2008:727, paragraph 56 has stated;
derogations and limitations in relation to the protection of personal data (…) must apply only insofar as is strictly necessary
The CJEU has also confirmed (in Case La Quadrature du net and others joined cases C-511/18, C-512/18 and C-520/18, ECLI:EU:C:2020:791, paragraph 210) that even if there is an objective test in the legislation which demonstrates the necessity of a restriction to a legal right, there is also a requirement for the legislative restriction to address the question of proportionality;
In particular, as is the case for Article 15(1) of Directive 2002/58, the power conferred on Member States by Article 23(1) of Regulation 2016/679 may be exercised only in accordance with the requirement of proportionality, according to which derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (see, by analogy, with regard to Directive 95/46, judgment of 7 November 2013, IPI, C‑473/12, EU:C:2013:715, paragraph 39 and the case-law cited).
The European Data Protection Board’s Guidelines 10/2020 summarises the requirements for a legislative restriction to Article 15 rights to be compatible with Article 23 GDPR and CJEU caselaw.
A proposed restriction measure should be supported by evidence describing the problem to be addressed by that measure, how it will be addressed by it, and why existing or less intrusive measures cannot sufficiently address it. There is also a requirement to demonstrate how any proposed interference or restriction genuinely meet objectives of general interest of the State and EU or the need to protect the rights and freedoms of others. The restriction of data protection rights will need to focus on specific risks.
Furthermore, at Paragraph 14 of those same Guidelines the EDPB confirms that
a general limitation of the rights mentioned in Article 23 GDPR of all data subjects for specific data processing operations or with regard to specific controllers would not respect the essence of the fundamental right to the protection of personal data, as enshrined in the Charter.
If the essence of the right is compromised, the restriction shall be considered unlawful, without the need to further assess whether it serves an objective of general interest or satisfies the necessity and proportionality criteria.
Regulation 5 of SI 82/1989 represents a restriction to the essence of the right of access as described above. In addition, in restricting the right of access it doesn’t address the question of necessity or proportionality at all, nor does it meet the above test which could allow one to be lawfully implied.
Where a state body encounters a disagreement between a national law and an EU law, it is the duty of the state body to directly disapply the national law.
The CJEU has addressed this longstanding duty of all organs of the State in Case C‑378/17 Minister for Justice and Equality, Commissioner of An Garda Síochána v Workplace Relations Commission, Paragraph 38;
As the Court has repeatedly held, that duty to disapply national legislation that is contrary to EU law is owed not only by national courts, but also by all organs of the State — including administrative authorities — called upon, within the exercise of their respective powers, to apply EU law (see, to that effect, judgments of 22 June 1989, Costanzo, 103/88, EU:C:1989:256, paragraph 31; of 9 September 2003, CIF, C‑198/01, EU:C:2003:430, paragraph 49; of 12 January 2010, Petersen, C‑341/08, EU:C:2010:4, paragraph 80; and of 14 September 2017, The Trustees of the BT Pension Scheme, C‑628/15, EU:C:2017:687, paragraph 54).
Paragraph 50 of the same judgement sets out the nature and basis of that duty.
It follows from the principle of primacy of EU law, as interpreted by the Court in the case-law referred to in paragraphs 35 to 38 of the present judgment, that bodies called upon, within the exercise of their respective powers, to apply EU law are obliged to adopt all the measures necessary to ensure that EU law is fully effective, disapplying if need be any national provisions or national case-law that are contrary to EU law. This means that those bodies, in order to ensure that EU law is fully effective, must neither request nor await the prior setting aside of such a provision or such case-law by legislative or other constitutional means.
As shown above, contrary to the statement in your letter of the [Insert date of letter] that “The Department is not entitled to release health data without first consulting with the appropriate medical practitioner”, the opposite is the case.
Under EU and national law the Department and the Minister as the data controller of my data is obliged to directly disapply the restriction to my right to access as unlawful and to provide me with my sensitive personal health data directly.
We are sending a complimentary copy of this letter to the Department’s DPO for his information also.
Please note that in the event that I have not received my data- which has been unlawfully withheld- within 5 working days of the date of this letter I intend to formally lodge a complaint with the Data Protection Commission and, if needs be, to issue proceedings directly against the Minister without further notice to you. This correspondence and the earlier exchange between me and your office will be brought to the attention of the Court in the application for my costs.
Yours faithfully,
_______________
[your name]
Cc: Data Protection Officer, Department of Children, Equality, Disability, Integration and Youth