Report on the Health and Social Care (Control of Data Processing) Bill NIA (274/11-16)

report-on-the-health-and-social-care-control-of-data-processing-bill-nia-274-11-16-.pdf (455.7 kb)

Executive Summary

The purpose of the Health and Social Care (Control of Data Processing) Bill is to provide a clear statutory framework with appropriate safeguards, to enable in certain circumstances the processing of health and social care information which identifies individuals.

The evidence from stakeholders on the Bill was in support of a statutory framework with robust and stringent safeguards. However, significant concerns were expressed about a number of issues including the use of the terms ‘public interest’ and ‘social well-being’; the right of an individual to opt-out of having their identifiable data shared; and the robustness of the safeguards provided for within the Bill including the Code of Practice.

 Clause 1

A number of key issues were raised in relation to Clause 1 which deals with the control of information of a relevant person:

The use of the term ‘public interest’ in Clause 1(1) attracted a considerable amount of comment. The Committee’s main concern was that, as the Bill is currently drafted, identifiable information could be shared if it was found to be in the public interest whether or not it was connected to a medical or social care purpose. Initially, the Department indicated that the drafting of Clause1(1) reflected its intent. However, it later clarified that information sharing would not be permissible solely on the basis of public interest; all uses must be connected to a medical or social care purpose. In response to the issues raised by the Committee, the Department proposed an amendment that would allow the sharing of information in the public interest only if it was connected to a health or social care purpose.

The Committee was also concerned that individuals were unaware of their right to opt-out of having their information shared. Whilst acknowledging that an opt-out provision already exists in health and social care (under section 10 of the Data Protection Act 1998), the Committee was of the view that the protection of an individual’s right to a private life and the potential for raising public awareness of the right to opt-out was of such importance that provision should be on the face of the Bill. The Committee therefore agreed its own amendment to Clause 1(2) to place an ‘opt-out’ provision on the face of the Bill.

The Committee was clear in its view that the safeguards within the Bill should be made as robust as possible to better regulate the processing of health and social care information which identified individuals. To that end, it held the view that information should only be processed if authorisation is granted by the committee established by the Bill to authorise the processing of information. In response to the Committee’s concerns, the Department proposed an amendment to Clause 1(3) to this effect.

The use of the term ‘social well-being’ in Clause 1(11) to describe ‘a relevant person’ was also criticised because of its breadth and potential for wide interpretation. The Committee felt strongly that this term should be replaced with the term ‘social care’. The Department provided the wording of an amendment to address the Committee’s concerns and replace ‘social well-being’ with ‘social care’.

The Committee considered the wording of a proposed departmental amendment to Clause 1(14), which would remove the word ‘services’ from after ‘social care’, as the definition of ‘social care’ refers to the Health and Social Care (Reform) Act (NI) 2009  and means any services designed to secure improvement in the social well-being of people in Northern Ireland, thus making the word ‘services’ superfluous.

The Committee expressed concerns in relation to the open-ended definition of processing. It was of the view that prohibiting the selling of identifiable information was of such importance for the protection of individuals and public confidence in the Bill, that a Ministerial assurance should be sought that regulations made under this legislation will not make provision for the selling of information which identifies individuals. A Ministerial assurance to that effect was provided.

The Committee agreed that it was content with Clause 1 subject to the amendments proposed by the Department and the Committee.

Clause 2

The Committee was firmly of the view that the establishment of the committee to authorise processing of confidential information should be mandatory. It felt that this safeguard was of the utmost importance in ensuring that confidential information is protected and due process is followed when applications are received and considered. To address the Committee’s concerns, the Department proposed an amendment to redraft Clause 2(1) to this effect.

The Committee agreed that it was content with Clause 2 subject to the amendment proposed by the Department.

Clause 3

The Committee felt strongly that the Code of Practice had the potential to be a more robust safeguard against the unlawful processing of information, and was of the view that it should be strengthened. In response to the Committee’s view, the Department proposed an amendment to require health and social care bodies, and any other person who provides health and social care under arrangements made with a public body who exercises functions in relation to the provision of health and social care, to ‘have due regard’ to the Code of Practice as opposed to ‘have regard’.

To further strengthen the Code of Practice, the Committee agreed its own amendment to provide that a court or tribunal may take into account a breach of the code in any proceedings where it considers relevant.

The Committee agreed that it was content with Clause 3 subject to the amendments proposed by the Department and the Committee.

 Clauses 4 to 6

The Committee agreed Clauses 4 to 6 as drafted.

Download full report here