The Department of Health believed they were lucky to escape with a €22,500 fine for a major data breach that involved “excessive and disproportionate” gathering of sensitive personal information about people who had taken legal action against the state.
In internal submissions, officials said the department could have been hit with a fine of up to €1 million and that the actual fine “fell far below the maximum that could be levelled”.
A submission to Department Secretary General Robert Watt from senior officials said the level of the fine “should as a result be welcomed” and suggested the department could despite “some reservation” accept the sanction proposed by the Data Protection Commission (DPC).
The investigation followed an RTÉ programme in March 2021 based on information provided by the whistleblower Shane Corr who said the department had a practice of collecting sensitive and personal information about vulnerable children and their families when they were involved in litigation against the state.