The GDPR and Section 117 of the Data Protection Act 2018 consider that a person can bring a claim in their own right, use legal representation, or by a non-profit association.

In many countries a “class action” would be the normal means by which people’s claims would be processed. While Irish Law does not at present recognise the existence of a class action, this is due to change with the EU Directive on Representative Actions. Ireland has until 25 December 2022 to transpose the Directive, with a further six months to apply it, meaning that widespread collective redress procedures should be available no later than 25 June 2023. Irish Legislation will be needed to implement this directive, and we would suggest that such legislation should be considered by the Government as a set of broad actions to make good the events from the HSE data breach.

At O’Dowd Solicitors we are passionate about privacy and data protection. Our litigation department has taken an active interest in the fallout from the HSE Data Breach. For a month subsequent to the data breach we held our hand with regard to actively advising people they should consider issuing proceedings against the HSE. In that space of time we have written numerous letters to the Minister for Heath, and many other stakeholders. We have not got any response. At this point we strongly feel that the HSE will not assist those affected by the data breach unless it is proactively demanded.

At this point we see four distinct classes of people who may be in a position to bring an action against the HSE

  1. People who may have a “personal injury” type action. These people may have suffered from delayed treatment, misdiagnosis, or other deleterious consequences as a result of the non availability of a functioning healthcare system
  2. Other medical professionals and HSE employees. We know GP’s ability to treat patients in an efficient and businesslike manner has been severely curtailed, while some HSE employees are having difficulty access Pension payments
  3. Individuals who have suffered definite and material loss as a result of the breach (e.g. having to spend additional money to access services, deal with the condequences of fraud etc)
  4. individuals who have suffered a non material loss