The EU General Data Protection Regulation (GDPR) is a European regulation to protect data and requires all data processing to be carried out lawfully, transparently, fairly, accurately and to high standards in other criteria such as purpose limitation and data minimisation. See Article 5 of the GDPR (pages 35-36)
Protecting health is considered a very important activity nationally and internationally, and therefore the GDPR allows essential activities to be carried out. Ireland's MOH law provides the lawful basis for investigation and control of notifiable infectious diseases including COVID-19.
Article 6 of the GDPR (pages 36-37) requires at least one of a number of provisions to apply for data processing to be lawful and the following apply to Public Health in Ireland, based on the MOH laws:
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject
- (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Article 9, 2 (i) of the GDPR (pages 39-40) provides the public health exception to the prohibition on the processing of health data:
"processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy" - the member state laws here are the Health Acts 1947 and 1953, and the Infectious Diseases Regulations 1981 as amended.