Case Studies Disclosure / Unauthorised Disclosure


Disclosure of health and financial data to a third party

An individual submitted a Freedom of Information (‘FOI’) request to their former employer, a State Agency. Once in receipt of the response to the FOI request, the individual became aware that the State Agency had disclosed their financial data and special category personal data, namely health data, to a connected third party. The individual subsequently submitted a complaint to the DPC in relation to this disclosure.

The DPC was tasked with examining whether the State Agency had lawfully processed, in a non-excessive manner, the individual’s personal data when a staff member of the State Agency disclosed the individual’s health and financial data to a connected third party.

In the circumstances of this case, the individual had communicated with a member of the Human Resources (‘HR’) department, acting in their official capacity, about issues connected with the individual’s health, financial status and personal life. Because of issues connected to the individual’s health, they were regularly in contact with the HR staff member in that official capacity.

Following a meeting between the individual and the HR staff member, the HR staff member emailed a summary of what was discussed to a connected third party, namely a member of the Civil Service Employee Assistance Service (‘CSEAS’). The CSEAS provides an internal Employee Assistance Programme to civil service staff, to which employees can refer themselves by contacting the service. It is a shared service utilised by all State Agencies for the benefit of all employees, promoting employee wellness and organisational effectiveness.

During the examination of this complaint, the State Agency stated that the processing of the personal data (the sharing of the individual’s personal data by the HR staff member with the CSEAS member) was lawful for the following reasons:

  • the individual had shared the personal data freely with the HR staff member and had accordingly consented to the processing;
  • overlapping services and consultation between the HR staff member and the CSEAS in relation to an employee would be normal;
  • both the HR staff member and the CSEAS member operate under strict confidentiality in the performance of their duties; and
  • what the individual shared with the HR staff member was so concerning that the HR staff member had to urgently disclose it to the CSEAS member in order to seek appropriate guidance and support to assist the individual.

Accordingly, the State Agency’s position was that there were no prohibitions on the disclosure.

Notwithstanding that the HR staff member had a genuine concern for the health and welfare of the individual, the DPC found that the circumstances did not meet the level of urgency associated with protecting life; rather, the processing occurred because the HR staff member sought direction and guidance from the CSEAS member in order to deal urgently with the issues raised by the individual.

The DPC also found that the State Agency could not rely on having obtained the consent of the individual to process their personal data in this manner, as although the individual shared the personal data freely with the HR staff member, they did not consent to the HR staff member disclosing this personal data to the CSEAS member.

The State Agency did not put forward any other lawful basis for the processing. The DPC found that the State Agency did not have a lawful basis for the processing and, accordingly, that the processing was unlawful.

In considering the principles relating to the processing of personal data, the DPC found that the State Agency obtained the personal data for a specified, explicit and legitimate purpose, namely to provide the individual with HR assistance with the issues they had raised with HR. Similarly, given the connected relationship between the HR staff member, in their official capacity, and the CSEAS member, the individual’s personal data was not further processed in a manner incompatible with the purpose for which it was obtained, as it was disclosed in order to provide the individual with assistance regarding the issues raised, which included employee wellness.

However, the DPC found that the State Agency disclosed more personal data than was required in order to seek, and provide, assistance to the individual. Accordingly, the State Agency did not adhere to the principle of data minimisation; this was identified by the DPC and accepted by the State Agency.

Key Takeaway

  • In an employment context, the need to share employees’ personal data with third parties frequently arises. This case illustrates that, to ensure such sharing occurs in compliance with data protection requirements, ongoing training is necessary for all staff in relation to their obligations under data protection law. Furthermore, controllers must conduct due diligence to satisfy themselves that all data processing activities comply with data protection law.
  • The DPC expects accountability on the part of controllers. When handling a complaint, it will scrutinise the explanations and reasons given by a controller in order to ensure that the position put forward is verifiable and defensible.