CSO COVID-19 Data Research Hub Summary Data Protection Impact Assessment (1204)

Extensive legal protections exist to govern access to, and use of, personal data, defined at Article 4(1) GDPR, data concerning health set out under Article 4(15) GDPR, and special categories of personal data as addressed by Article 9 GDPR. Data controllers and data processors are required to comply with their legal obligations, both under the GDPR and as set out in applicable national legislation. The Office of the Data Protection Commissioner exercises oversight and regulatory authority for compliance with these data protection requirements and has been consulted in the preparation of this DPIA.

At this time, no applicable approved Codes of Conduct, as provided for under Section 5 GDPR apply, however, the European Statistics Code of Practice is a possible code of practice that may be approved in the future by the Data Protection Commission, European Data Protection Board (EDPB) and European Commission (as the code is EU wide). The CSO adheres both to the European Statistics Code of Practice (Regulation 223/2009 on European statistics)
https://ec.europa.eu/eurostat/web/quality/european-statistics-code-of-practice and the Irish Statistical System Code of Practice. https://www.isscop.ie/.  The CSO also adhere to the United Nations Fundamental Principles of Official Statistics - see https://unstats.un.org/unsd/dnss/gp/fundprinciples.aspx

In addition to the foregoing, all ADC and RCU staff sign up to, and abide by, the CSO Data Management Policy as approved by the Office’s Confidentiality and Data Security Committee (CDSC). Stringent confidentiality rules apply under the Statistics Act to all staff of the CSO, who are designated as Officers of Statistics under Section 20(a) of the Statistics Act, 1993. All RMF researchers are designated as Officers of Statistics as per Section 20(c) of the Statistics Act, 1993 and abide by the rules and protocols with respect to researcher access to data.

All RMF researchers agree to carry out research in accordance with the RMF Policy:
https://www.cso.ie/en/aboutus/lgdp/csodatapolicies/dataforresearchers/policies/ The COVID-19 Data Transparency Notice, linked below, provides information on the nature of the collaboration between the CSO, HSE and DoH and is available on the CSO website. This Notice outlines the COVID-19 related data being processed and analysed on behalf of the HSE and DoH in response to the pandemic. The Notice also states that this data processing and analysis is taking place in accordance with the Statistics Act, 1993, with the written permission of the Minister for Health and consistent with the provisions of the GDPR and the Data Protection Act 2018.

The CSO will be the Data Controller for this COVID-19 data as long as it is stored in the CSO. The organisation that employs the researcher is the data controller of the research study for which the COVID-19 RMFs are being used. Researchers are deemed to be data processors in respect of their individual projects.

COVID-19 Data Research Hub Landing Page:
https://www.cso.ie/en/aboutus/lgdp/csodatapolicies/dataforresearchers/covid-19dataresearchhub/ 
COVID-19 FAQs:
https://www.cso.ie/en/aboutus/lgdp/csodatapolicies/dataforresearchers/covid-19dataresearchhub/faqs/ 
COVID-19 Data Transparency Notice:
https://www.cso.ie/en/methods/tn/covid-19data/ 
COVID-19 Data Research Hub Transparency Notice:
https://www.cso.ie/en/methods/tn/covid-19dataresearchhub/

Rights of the Data Subject
Articles 15 to 22 GDPR provide for specific Data Subject rights. Certain derogations may apply, for example where data is processed for scientific research or statistical purposes, but these derogations are subject to strict conditions. These rights and any related derogations as they apply to the present data processing are set out here:

Article 15 – Right of Access by the Data Subject
All data on the COVID-19 Data Research Hub are pseudonymised and therefore personal data cannot be identified in this location. A right of access to the COVID-19 data flows, relevant to the COVID-19 Data Research Hub and containing personal data is possible.

Article 15 of the GDPR provides a right of access by the data subject. Article 89 (2) GDPR provides that where personal data are processed for scientific or historical research purposes or for statistical purposes, this right of access may be derogated from in so far as such a right is likely to render impossible or seriously impair the achievement of the specific purposes for processing, where the derogation is necessary for the fulfilment of this purpose.

This COVID-19 data is being processed and analysed to assist in the development of the official Government response to the pandemic and to provide timely public insight into the evolution of the pandemic. Significant ADC staff resources are required to process this data within a short timeframe and to make it available for statistical analysis. Acceding to access requests could result in a delay in processing and impact on the effectiveness of the Government’s response to the pandemic. Applications for access will be assessed on a case-by-case basis, however it is the intention of the Office to vindicate this right wherever possible.

Article 16 - Right to Rectification
The data analysis in response to this pandemic requires records of the affected population as documented at HSE level to be included, to achieve the best quality analysis. Using the best available evidence and data to guide public health and health systems decisions is integral to an effective and efficient response in public health emergencies. Due to the statistical and research purposes of the COVID-19 data being processed, and the risk that the exercise of this right could render impossible or seriously impair the achievement of the specific purposes, the CSO proposes to invoke the permissible derogation to Article 16 provided for under Article 89(2) GDPR.

Article 17 – Right to Erasure
The data analysis in response to this pandemic requires all records of the affected population to be included to achieve the best quality analysis. Using the best available evidence and data to guide public health and health systems decisions is integral to an effective and efficient response in public health emergencies. Due to the statistical and research purposes of the COVID-19 data being processed and the risk that the right to erasure could render impossible or seriously impair the achievement of the specific purposes, the CSO proposes to invoke the permissible derogation to this right under Article 17(3)(d) of GDPR.

Article 18 - Right to Restriction of Processing
The data analysis in response to this pandemic requires all records of the affected population to be included to achieve the best quality analysis. Using the best available evidence and data to guide public health and health systems decisions is integral to an effective and efficient response in public health emergencies. Due to the statistical and research purposes of the COVID-19 data being processed and the risk that the exercise of this right could render impossible or seriously impair the achievement of the specific purposes, the CSO proposes to invoke the Article 89(2) derogations to this right. The right of restriction of processing is further invoked under Section 61(2) of the Data Protection Act, 2018.

Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
In light of the CSO’s proposal to invoke derogations permissible where processing is for statistical or scientific research purposes in relation to Article 16, 17(1) and 18 rights, this Article does not apply.

Article 20 – Right to Data Portability
The right to portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, as is the case here, per Articles 17(3)(c) and 20(3) GDPR.

Article 21 – Right to Object
The data analysis in response to this pandemic requires all records of the affected population to be included to achieve the best quality analysis. Using the best available evidence and data to guide public health and health systems decisions is integral to an effective and efficient response in public health emergencies. Due to the statistical and research purposes of the COVID-19 data being processed and the risk that the right to object could render impossible or seriously impair the achievement of the specific purposes, the CSO proposes to invoke the derogation to this right provided for under Article 21 (6).

Article 22 – Automated individual decision making, including profiling
As the operation of the Statistics Act, 1993 provides that the present data may be processed for statistical purposes only, no automated individual decision making or profiling is permissible, by law.