The Information Regulator ('the Regulator') announced, on 20 February 2023, that it has decided to refer the National Department of Health ('NDoH') to the Enforcement Committee over the issue of certain personal information that the NDoH had collected as part of the management of the spread of COVID-19 during the pandemic, following numerous unsuccessful requests for information to the NDoH made by the Regulator. In particular, the Regulator explained that, in 2022, it had requested a report from the NDoH indicating how the latter is complying with the lawful processing of personal information collected during the pandemic.

Specifically, the Regulator detailed that it had asked the NDoH to advise whether it had destroyed and/or de-identified the information that had been transferred to it during the national state of disaster in accordance with the procedure set out in the Disaster Management Regulations, and to provide the Regulator with evidence of such action. Furthermore, the Regulator stated that, despite acknowledging receipt of the Regulator's letters, the NDoH had failed to accede to the Regulator's requests or explicitly refused to comply; therefore, the matter has now been referred to the Enforcement Committee.

Lastly, the Regulator highlighted that the referral to the Enforcement Committee can culminate in an enforcement notice which has the same effect as a court order.

You can read the announcement here.