In 2019, the DPC received a complaint about the disclosure of a patient’s data via Facebook messenger by a hospital porter regarding her attendance at the Early Pregnancy Unit of a hospital. Upon examination of the complaint, the HSE clarified to the DPC that the hospital porter who disclosed the personal information of the patient was in fact employed by a healthcare agency contracted by the HSE. The DPC contacted the agency and sought an update in relation to its internal investigation, details of any remedial action as well as details of any disciplinary action taken against the employee in question. At the same time, the DPC advised the HSE that, as it contracts the company concerned to provide agency staff to work in the hospital, ultimately the HSE is the data controller for the personal data in this instance.

The complaint was subsequently withdrawn by the solicitor acting on behalf of the woman following a settlement being agreed between the affected party and the hospital/ healthcare agency. Data controllers/data processors may be liable under Section 117 of the Data Protection Act 2018 to an individual for damages if they fail to observe the duty of care they owe in relation to personal data in their possession.

The DPC has no role whatsoever in dealing with compensation claims and no function in relation to the taking of any such proceedings under Section 117 of the 2018 Act or in the provision of any such legal advice.