What Rights do Individuals have?
The data protection framework is designed to regulate the collection and processing of personal information. In Ireland we have had Data Protection legislation since the 1980s in some guise or another. As computers have become more advanced in their capabilities, the legislation has followed suit. The more recent “upgrade” to the Data Protection Framework was in 2018 with the coming into force of the European Union General Data Protection Regulation, or EU GDPR. Despite the hype surrounding the introduction of the GDPR much of the basic obligations on organisations who collect and process are fundamentally the same since 1988.
Separately, the Law of Tort continues to apply in situations whereby a person is injured directly or indirectly as a consequence of negligence. In this case it would fall on the individual to show negligence on the part of the HSE, and damage caused as a result of the negligence.
Can individuals sue the HSE for damages because of the Data breach?
In a nutshell the answer to this is “Yes”. While we cannot guarantee the success of any litigant, Article 79 of the GDPR requires the existence of an “effective judicial remedy” where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance the regulation. In Ireland this “effective judicial remedy” can be found in section 117 of the Data Protection Act 2018. This provides as follows:
(1) Subject to subsection (9), and without prejudice to any other remedy available to him or her, including his or her right to lodge a complaint, a data subject may, where he or she considers that his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment, bring an action (in this section referred to as a “data protection action”) against the controller or processor concerned.
This means that as well as being able to make a complaint to the Data Protection Commission, an individual may bring an action against a Data Controller or Processor. In this case the Defendant would most likely be the HSE . This action should be distinguished from a “personal injury” type action. It is an action for a breach of the rights provided guaranteed by the GDPR. The Courts are entitled to give both relief in the form an injunction which is an order that something should be done or not done, or compensation. Section 117 also provides that an action may be for material or “non-material” damage.