Health and Social Care (Control of Data) EFM - As Amended at Further Consideration Stage
HEALTH AND SOCIAL CARE (CONTROL OF DATA PROCESSING) BILL
EXPLANATORY AND FINANCIAL MEMORANDUM
1. This Explanatory and Financial Memorandum has been prepared by the Department of Health, Social Services and Public Safety in order to assist the reader of the Bill and to help inform debate on it. It does not form part of the Bill and has not been endorsed by the Assembly.
2. The Memorandum needs to be read in conjunction with the Bill. It is not, and is not meant to be, a comprehensive description of the Bill. So where a clause or part of a clause or schedule does not seem to require an explanation or comment, none is given.
3. Providing a clear statutory framework, and robust and stringent safeguards, which will enable the use of health and social care information which identifies individuals to be used for health care or social care purposes which are in the public interest, without the consent of the individuals whose information may be used.
4. The provisions of the Bill will only be utilised where it is impossible or impracticable to gain the consent of individuals, anonymised or pseudonymised information would not achieve the desired outcome and the committee established under the provisions authorises the processing.
5. The policy objective underlying this Bill is to minimise the legal challenge risk which the Department and the Health and Social Care sector could potentially face as a consequence of using service user information, which identifies individuals, for purposes other than the direct care of the individual.
6. Every individual in Northern Ireland will use the services of the Health and Social Care sector at some point in their lives. In presenting for care from their GP, hospital consultant or other health or social care professional these individuals will provide information about themselves, in confidence, to help with the identification and treatment of their health condition or social care need. The information is provided under the common law duty of confidence to help resolve the individual’s difficulties and improve their health and/or social care. This is called “primary use”. Any further use of this information beyond the direct care of the individual is called “secondary use”.
7. The risk of not having robust provisions is that the benefits to be derived from secondary use are not realised or that service information could be used or disclosed in an inappropriate manner. Inappropriate use would have implications for the service user whose information has been compromised, the health and social care sector organisations as the guardians with responsibility for safeguarding the information, as well as those who are using the information.
8. This Bill will enable regulations to be made that establish a process which will ensure that information is only shared in very limited circumstances which are proven to be for health care or social care purposes and which are in the public interest.
9. The process will be robust, open and transparent. It will impose conditions on the use of the information and include penalties for those who fail to comply with these. This will protect the service user, the holder of the information and the individual or organisation applying to use it by establishing a clear, unambiguous framework to govern the secondary use of information.
COMMON LAW DUTY OF CONFIDENTIALITY
10. Sharing information which identifies individual service users for purposes other than the provision of direct care could lead to a potential breach of confidentiality.
11. The common law duty of confidentiality is not codified; it is based on previous judgements in court. Whilst various interpretations of the common law may be possible it is widely accepted that, where information which identifies individual service users is provided and held in confidence, disclosure may only be justified in one of three ways:
the service user has given consent for their information to be used;
the balance of public and private interest favours public interest disclosure; or
a statutory basis exists which permits or requires disclosure.
12. Evidencing service user consent or a statutory basis under the common law is straightforward. Consent is obtained or there is a statutory basis under which the sharing can happen. Satisfying the public interest under the common law is considerably more complex. It is about assessing the benefits and risks of sharing the information and basing a decision on that analysis. Currently, when using service user identifiable information for secondary purposes, where it is impossible or impracticable to gain the consent of individuals and the use of anonymised or pseudonymised information would not achieve the desired outcome, there is a reliance on the public interest and an increased legal challenge risk.
13. This Bill will allow the setting aside of the common law duty of confidentiality where gaining individuals consent is impossible or impracticable and the use of anonymised or pseudonymised information would not achieve the desired outcome. It will not set aside the Data Protection Act 1998 or the Human Rights Act 1998. Any secondary use of information must continue to comply with the requirements of these two pieces of legislation.
14. The Department has considered the implications of continuing with the current secondary use sharing arrangements and, whilst steps have been taken to reduce the risk of a loss of personal information, the provisions in the Bill provide for a much more robust process.
15. A formal consultation on the policy proposals to inform the Bill was carried out from 7 July 2014 to 10 October 2014. The consultation attracted 59 responses from a variety of sources including: the general public; local councils, health and social care organisations; and the voluntary and community sector. A summary report of the consultation responses can be found at http://www.dhsspsni.gov.uk/microsoft_word_-_secondary_uses_legislation_-_consultation_response_document.pdf
16. The Bill has 6 clauses and comprises 6 headings:-
Control of information of a relevant person – places an obligation on the Department to make regulations to make provision for the processing of Health and Social Care information.
Establishment of committee to authorise processing of confidential information and the dissemination of information - places an obligation on the Department to make regulations to establish a committee to authorise the processing of confidential information as defined in the Bill and to disseminate information to the public about the operation of the Act and any other relevant matter, and in particular about the rights of relevant persons regarding the processing of confidential information of those persons. This clause also allows the Department to set out in regulations the make up of the committee and its procedures.
Code of Practice - places an obligation on the Department to publish a Code of Practice in respect of the processing of information to which health and social care bodies, and any other person providing health and social care, must have due regard in exercising their functions in relation to the provision of health and social care.
Regulations - relates to control of regulations made under the Bill.
Interpretation - sets out the definitions of specific terms used within the Bill.
Short title and commencement - sets out the title and commencement dates.
COMMENTARY ON CLAUSES
17. A commentary on the provisions follows below. Comments are not given where the wording is self-explanatory.
Clause 1: Control of information of a relevant person
Imposes a duty on the Department of Health, Social Services and Public Safety to make regulations in connection with the processing of information held within the Health and Social Care sectors, where this is in the public interest.
Regulations made under this clause may make provision for:-
Authorising or requiring the disclosure of prescribed health care information; Authorising the disclosure of prescribed social care information; and Creating offences punishable on summary conviction by a fine not exceeding level 5 on the standard scale.
Regulations made under this clause must make provision requiring that the processing of confidential information may only be undertaken when it is approved by a committee.
The clause further sets out definitions of terms used within the Bill.
Clause 2: Establishment of committee to authorise processing of confidential information
Imposes a duty on the Department of Health, Social Services and Public Safety to make regulations establishing a new committee to authorise the processing of confidential information under the Bill and to disseminate information to the public about the operation of the Act and any other relevant matter, and in particular about the rights of relevant persons regarding the processing of confidential information of those persons.. This clause also enables the Department to set out in regulations the make up of the committee, and its procedures.
Clause 3: Code of Practice
Provides that the Department must prepare and publish a code of practice on the processing of information, and sets out how this may be reviewed. This clause also places an obligation on Health and Social Care bodies, and any other person providing health and social care, to have due regard to this code of practice and provides that the code of practice is admissible in evidence in criminal and civil proceedings and may be taken into account by a court or tribunal in any case in which it appears to the court or tribunal to be relevant.
Clause 4: Regulations
Enables the Department to make any further provisions under the Bill, and provides that regulations under the Bill will be subject draft affirmative procedure in the Assembly.
Clause 5: Interpretation
This clause sets out the definitions of terms specific to the Bill.
Clause 6: Short title and commencement
Sets out how the Bill should be titled, and when it shall come into effect.
FINANCIAL EFFECTS OF THE BILL
18. The Bill would not impose any significant additional costs on the Department or on the Health and Social Care sector.
HUMAN RIGHTS ISSUES
19. The provisions of the Bill are compatible with the European Convention on Human Rights.
EQUALITY IMPACT ASSESSMENT
20. The aim of the measures within the Bill is to allow information to be shared to better inform a range of health and social care services and to enhance the collaborative, professional approach to the management and commissioning of these services. Any application to access information which identifies individual service users will be required to meet prescribed conditions and will be subject to the approval of the committee. The Department carried out a preliminary screening of the policy proposals and, as part of the screening process, concluded that an Equality Impact Assessment was not necessary. This screening was revisited following public consultation and the Department remains content that there will be no adverse impact on any of the groups listed under Section 75.
21. Specific questions on section 75 issues were included in the consultation document. None of the responses received indicated that any of the proposed measures would have an adverse impact on any of the nine section 75 groups of people.
REGULATORY IMPACT ASSESSMENT
22. The Department did not complete a full Regulatory Impact Assessment as the measures contained in the Bill do not impact on businesses, charities, social economy enterprises or the voluntary sector locally.
23. The Minister of Health, Social Services and Public Safety has made the following statement under section 9 of the Northern Ireland Act 1998:
“In my view the Health and Social Care (Control of Data Processing) Bill would be within the legislative competence of the Northern Ireland Assembly.”