Earlier this year the Mental Health Commission & Decision Support Service (DSS) moved a longstanding legal instrument known as an enduring power of attorney (EPA) into an online format. Previously EPAs were a document created by solicitor and were for all intents and purposes a paper documents. The new EPA is one created online using a new DSS portal. Unsurprisingly it was necessary to commission an Data Protection Impact Assessment, but somewhat surprising is that the DPIA commissioned highlights a number of serious flaws, which may well open the DSS and Mental Health Commission to future litigation as well as fines from the Data Protection Commission.
In June 2023 O’Dowd Solicitors made an FOI request for the DPIA prepared by the Decision Support Service (DSS). The DSS as it is now known was established by the Assisted Decision-Making (Capacity) Act 2015 (as amended) (“the 2015 Act”). The DSS is not a statutory body, but is one that operates within the aegis of the Mental Health Commission. The Full DPIA together with our conclusions can be downloaded here.
The main data protection issues with the DSS EPA framework including the following:
The legal basis for the operation of the EPA framework is flawed
The DPIA notes that the legal basis for the Collection and Processing of Personal data come from the 2015 Act . While the functions of the DSS and the operation of the procedures are governed by the 2015, it is not immediately obvious what legal basis the 2015 Act gives to the DSS for processing data in the granular manner it does. In some cases it may rely on consent, but this is far from clear, and most unsatisfactory.
The DPIA proposes that the legal basis for the collection and processing of personal data is the 2015 Act. As noted above this is only partially correct, and this error has led the DSS to assume they have a certain omnipotence in what data is collected and how it is processed when there is little to support this.
While Section 79A permits the director to specify certain forms the 2015 Act does not permit the director to determine what data should or should not be collected, nor is there any scope for regulations to be made by the relevant Minister to do so. We have set out our views on the legal basis above.
The DSS system collects more data than it needs
The DPIA notes the following
- The data collected is largely limited to the purposes of the DSS. However, two data items were noted that are not necessary for the processing:
PPSN – this is captured but not validated of used.
- Ethnicity dropdown — this captured so that the DSS can meet their obligations under IHREC public sector duty. Such use includes monitoring the source of applications, and Targeting particular groups if they are underrepresented
One must question whether the PPSN should be furnished to the DSS at all in the first instance given the explicit provisions of Section 262(6) of the Social Welfare Consolidation Act 2005 which provides:
Where a specified body has a transaction with a person, the Minister may share the person’s public service identity with the specified body to the extent necessary in respect of that transaction for authentication by the specified body of the person’s public service identity
It would seem that even if the PPSN is required at the outset to validate identity, once this is done there is no legitimate reason to hold that identifier, particularly where the DPIA (correctly) observes as follows:
the PPSN is used as an identifier by many public sector bodies and increasing its use can lead to combining of data from multiple datasets, in a fraudulent or an unexpected way.
The collection of ethnicity data (even in relation to “supporters”) is deeply problematic. The reason given for the collection is so at to comply with (we assume Section 42) of the Irish Human Rights and Equality Commission Act 2014, and the reason given is that it includes “monitoring the source of applications, and Targeting particular groups if they are underrepresented”. The DSS does not however seem to contemplate the other categories of discrimination in Section 13 of that act, (and for instance does not collect data concerning religious beliefs), but more importantly for this discussion gives no rationale whatsoever for the collection of ethnic data pertaining to those who are not donors. The ethnic background of any attorney, or medical professional, or person even occasionally connected with the creation of an EPA is utterly irrelevant as regards the IRHEC Act, and is a clear breach of Article 5(1)(c) of the GDPR.
The DSS IT System is currently unable to comply with the GDPR
The DPIA discloses that at present the IT system developed by the DSS is not fit for purpose as it cannot:
- Delete Data in Accordance with the data retention policies in place or process Subject Access Requests. It appears the agency is having difficulties in developing an IT Solution with an external contractor to manage its retention policies, Subject Access Requests and Deletion requests, and this issue is accepted, but explained away in the DPIA.
- Show what employees of the DSS/Mental Heath Commission accessed the personal data it processes. The system developed does not have an audit trail to show what DSS users accessed an individuals personal information, but can only report on changes made. This is somewhat difficult to comprehend in 2023, particularly given the comments of the European Court of Human Rights 15 years ago in I v. Finland , and is a clear breach of Article 5(2) as the DSS is unable to demonstrate compliance with the GDPR if an issue arises.