Health and Social Care (Control of Data Processing) Bill

Health and Social Care (Control of Data Processing) Bill - As Introduced.pdf (92.05 kb)

[AS INTRODUCED]

CONTENTS

1. Control of information of a relevant person

2. Establishment of committee to authorise processing of confidential information

3. Code of Practice

4. Regulations

5. Interpretation

6. Short title and commencement

 

A

B i l l

to

Make provision about control of data processing in relation to health and social care.

BE IT ENACTED by being passed by the Northern Ireland Assembly and assented to by Her Majesty as follows:

Control of information of a relevant person

1.—(1) The Department may by regulations make such provision for and in connection with requiring or regulating the processing of prescribed information of a relevant person for medical or social care purposes as it considers necessary or expedient⁠—

(a) in the interests of improving health and social care, or

(b) in the public interest.

(2) Regulations under subsection (1) may, in particular, make provision⁠—

(a) for requiring or authorising the disclosure or other processing of prescribed information of a relevant person who is a recipient of services referred to in subsection (11)(a) to or by persons of any prescribed description subject to compliance with any prescribed conditions (including conditions requiring prescribed undertakings to be obtained from such persons as to the processing of such information),

(b) for authorising the disclosure or other processing of prescribed information of a relevant person who is a recipient of services referred to in subsection (11)(b) to or by persons of any prescribed description subject to compliance with any prescribed conditions (including conditions requiring prescribed undertakings to be obtained from such persons as to the processing of such information),

(c) for securing that, where prescribed information of a relevant person is processed by a person in accordance with the regulations, anything done by that person in so processing the information must be taken to be lawfully done despite any obligation of confidence owed by that person in respect of it,

(d) for creating offences punishable on summary conviction by a fine not exceeding level 5 on the standard scale or such other level as is prescribed or for creating other procedures for enforcing any provision of the regulations.

(3) Regulations under subsection (1) which make provision in relation to the authorisation of the processing of confidential information of a relevant person may provide that such information may only be processed if authorisation is granted by the committee established under section 2(1).

(4) Subsections (1) and (2) are subject to subsections (5) to (8).

(5) Regulations under subsection (1) may not make provision requiring the processing of confidential information of a relevant person who is a recipient of services referred to in subsection (11)(a) for any purpose if it would be reasonably practicable to achieve that purpose otherwise than pursuant to such regulations, having regard to the cost of and the technology available for achieving that purpose.

(6) Where regulations under subsection (1) make provision requiring the processing of confidential information of a relevant person who is a recipient of services referred to in subsection (11)(a), the Department⁠—

(a) must, at any time within the period of one month beginning on each anniversary of the making of such regulations, consider whether any such provision could be included in regulations made at that time without contravening subsection (5), and

(b) if the Department determines that any such provision could not be so included, must make further regulations varying or revoking the regulations made under subsection (1) to such an extent as the Department considers necessary in order for the regulations to comply with that subsection.

(7) Regulations under subsection (1) may not make provision for requiring the processing of confidential information of a relevant person who is a recipient of services referred to in subsection (11)(a) solely or principally for the purpose of determining the care and treatment to be given to particular individuals.

(8) Regulations under this section may not make provision for or in connection with the processing of prescribed information of a relevant person in a manner inconsistent with any provision made by or under the Data Protection Act 1998.

(9) Subsection (8) does not affect the operation of provisions made under subsection (2)(c).

(10) For the purposes of this Act, “information” means⁠—

(a) information (however recorded) which relates to the physical or mental health or condition of an individual, to the diagnosis of an individual’s condition or to the care or treatment of an individual,

(b) information (however recorded) which relates to the social well-being of an individual or to the care of, or assistance to, an individual, and

(c) information (however recorded) which is to any extent derived, directly or indirectly, from such information,

whether or not the identity of the individual in question is ascertainable from the information.

(11) For the purposes of this Act, “a relevant person” means an individual who is a recipient of⁠—

(a) services designed to secure improvement⁠—

(i) in the physical or mental health of people in Northern Ireland, or

(ii) in the prevention, diagnosis or treatment of illness, or

(b) services designed to secure improvement in the social well-being of people in Northern Ireland, (including all forms of personal care and other practical assistance provided for individuals who, by reason of age, illness, disability, pregnancy, childbirth, dependence on alcohol or drugs, or any other similar circumstances, are in need of such care or other assistance).

(12) For the purposes of this Act, the information of a relevant person is “confidential information” where⁠—

(a) the identity of the individual in question is ascertainable⁠—

(i) from that information, or

(ii) from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information, and

(b) that information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual.

(13) In this section “medical purposes” means the purposes of any of⁠—

(a) preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health services, and

(b) informing individuals about their physical or mental health or condition, the diagnosis of their condition or their care and treatment.

(14) In this section “social care purposes” means the purposes of any of⁠—

(a) assessment of social care needs, research into social care or social well-being, and the provision and management of social care services, and

(b) informing individuals about their social care needs or the provision of social care services in relation to them.

(15) In this Act “processing”, in relation to information, means the use, disclosure or obtaining of the information or the doing of such other things in relation to it as may be prescribed for the purposes of this definition.

Establishment of committee to authorise processing of confidential information

2.—(1) For the purposes of subsection (2), the Department may by regulations establish a committee.

(2) Where regulations under section 1 make provision by virtue of subsection (3) of that section, the committee may authorise the processing of confidential information of a relevant person in prescribed circumstances and subject to compliance with prescribed conditions (including conditions requiring prescribed undertakings to be obtained as to the processing of such information).

(3) Regulations under subsection (1) may, in particular, make provision as to⁠—

(a) the persons or bodies who are to be represented by members of the committee,

(b) the appointment, tenure and vacation of office of a Chair and of other members of the committee,

(c) the procedure of the committee,

(d) the payment by the Department of⁠—

(i) such expenses incurred by the committee, and

(ii) such allowances in respect of expenses incurred by members of the committee,

as the Department may determine,

(e) the publication of any authorisations granted by the committee.

Code of Practice

3.—(1) The Department must, as soon as reasonably practicable, prepare and publish a Code of Practice on the processing of information.

(2) The Department must review the Code of Practice at least once in every two year period starting with the date of publication of the first Code of Practice.

(3) The Department may revise the Code of Practice whenever it considers it appropriate to do so.

(4) Health and social care bodies must have regard to the Code of Practice in exercising their functions in relation to the provision of health and social care.

(5) Any other person who provides health and social care under arrangements made with a public body who exercises functions in relation to the provision of health and social care, must, in providing such care, have regard to the Code of Practice.

(6) In this section⁠—

“health care” has the meaning given by section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009;

“health and social care bodies” means the Department and any of the bodies established by section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009;

“social care” has the meaning given by section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009.

Regulations

4.—(1) Regulations under this Act may contain incidental, supplementary, consequential, transitional, transitory or saving provision.

(2) Regulations under this Act may not be made unless a draft of the regulations has been laid before, and approved by a resolution of, the Assembly.

Interpretation

5. In this Act⁠—

“confidential information” has the meaning given by section 1(12);

“the Department” means the Department of Health, Social Services and Public Safety;

“information” has the meaning given by section 1(10);

“prescribed” means prescribed in regulations made by the Department;

“processing” has the meaning given by section 1(15);

“relevant person” has the meaning given by section 1(11).

Short title and commencement

6.—(1) This Act may be cited as the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2015.

(2) This Act comes into operation on the day after Royal Assent.

Find MLAs

tools-map.png

Locate MLAs

Search

News and Media Centre

tools-media.png

Read press releases, watch live and archived video

Find out more

Follow the Assembly

tools-social.png

Keep up-to-date with the Assembly

Find out more