Trinity College Dublin: Legal experts raise data-protection red flags around key COVID-19 decisions taken in Ireland

Experts from the COVID-19 Law and Human Rights Observatory at Trinity have raised numerous concerns about the compliance of COVID-19 data-driven measures adopted in Ireland with data protection legislation.

They outline these concerns and offer a series of recommendations in a comprehensive report, DATA PROTECTION AND THE COVID-19 PANDEMIC, which can be read here.

In common with previous reports from the Observatory is the concern that there is a general lack of transparency in Ireland’s response to the pandemic and, as a result, it isn’t easy to ensure important decisions satisfy various legal requirements.

Among the key recommendations emerging from the current report – of which there are 13 in all – are that government should: adopt an overarching instrument that contains the blueprint for data processing for pandemics (current and future); map how health data are shared between public bodies to be clear about who has access and control; and clarify if personal data on vaccination are being transferred to third countries and what the related data protection arrangements are.

Other important recommendations involve policymakers making greater effort in: discussing due diligence concerning the uptake of technologies for continued tele-working, both from a health and safety and cybersecurity perspective; and promoting transparency, public consultation and engagement when developing projects that involve large scale processing of personal data (such as the COVID Tracker App).

Maria Grazia Porcedda, Assistant Professor in Trinity’s School of Law, said:

“Since the beginning of the pandemic policymakers have adopted several data-driven measures to contain the spread of COVID-19. With the exception of the Covid Tracker App, which received great publicity, other mandatory, and therefore commonplace data-driven measures such as the Covid-19 Contact Management Programme and the Vaccine Information System have largely gone under the radar, and consequently eschewed much public scrutiny.

“While we find that the rationale of most data-related decisions made during the COVID-19 pandemic in Ireland is fully justifiable, the delivery does not always appear to have been sound. A systematic reading of the applicable law in light of fundamental rights suggests that data-driven measures that process data without necessary safeguards could amount to undue restrictions and could be challenged on rule of law grounds.”

Róisín Costello, Assistant Professor at Dublin City University, added:

“The ongoing public health context generated by COVID-19 has drawn particular attention to the issue of data sharing as both State departments as well as public bodies like the HSE seek to co-ordinate data collection and to map vectors for disease transmission and service need.

“In the context of the existing legal landscape, however, the extent to which data has been shared among public bodies, and which public bodies shared such data during the COVID-19 pandemic is difficult to gauge for those not actively involved in the system. We hope moving forwards that there will be far greater transparency in this regard.”