Official Report (Hansard)
Date: 01 October 2014
Committee for Health, Social Services and Public Safety
PDF version of this report (116.75 kb)
The Chairperson: I welcome the officials and Professor Roy McClelland, who is chairman of the Privacy Advisory Committee. We have with us Ms Sharon Gallagher, the Department's director of corporate services, and Mr Chris Matthews, who is from the Department's information management branch.
Ms Sharon Gallagher (Department of Health, Social Services and Public Safety): Good afternoon, Madam Chair and members. Thank you for the opportunity to set out the Department's proposal to bring forward legislation to enable the personal information of Health and Social Care (HSC) patients to be used for purposes other than their direct care in limited and controlled circumstances.
You will be aware that the Department's proposals are out for consultation. Members were provided with a copy of the consultation when it launched on 7 July. A further copy has been enclosed in your briefing pack for today. Currently, Health and Social Care may share a patient's information for non-direct care purposes if consent has been given. Where consent is not possible, new arrangements have been put in place to allow for the sharing of information where the patient's identity has been anonymised or pseudonymised. These arrangements will enable an improvement in the planning and delivery of services and will support ethically approved Health and Social Care-related research.
Even with these developments, there are instances where access to identifiable patient information is needed to secure the required outcome. Under current arrangements, patient-identifiable information may already be used for purposes other than direct care as long as the requirements set out under the Human Rights Act 1998, the Data Protection Act 1998 and the common law duty of confidentiality are met. The requirements of the Human Rights Act and the Data Protection Act are clearly defined, but aspects of the common law duty of confidentiality are less clear.
Under the common law duty of confidentiality, where consent has not been given, personal information may be shared only if there is a statutory basis for doing so or if disclosure is deemed to be in the public interest. At present, because we do not have statutory authority, the use of patient-identifiable information for any purpose other than direct care is predicated on the organisation's ability to satisfy the public interest test. Deciding what is or is not in the public interest is open to interpretation, which creates a significant risk for patients and the Health and Social Care organisations that hold the information as well as those who are using the information. The ambiguity about what constitutes public interest means that decisions may be more subjective and prone to legal challenge and this is where the proposed legislation will come into play.
To mitigate the risks outlined, the proposed legislation would put in place a statutory framework that would clearly define the circumstances under which patient-identifiable information could be shared for secondary uses. The proposals would remove any ambiguity and safeguard the patient, the HSC and the information user. Safeguards will be a key element of any changes, with robust controls and protections in place. For example, the proposed legislation would confer upon the Department the authority to establish an oversight body that would critically assess any requests for access to information. Given the importance of the safeguards, the detail of the governance arrangements will be subject to a separate consultation process that will inform regulations.
That said, as a general point, the Department envisages that approval to use patient-identifiable information would be granted only where it can be proved that results could not be achieved without access to the data sought, that it is not possible to secure consent and that anonymised or pseudonymised information could not provide the same outcome. It is important to emphasise to the Committee that, in the majority of cases, information that does not identify the patient will be sufficient to deliver the required outcomes. I would also stress that it will remain the Department's policy that, primarily, an individual's consent should be obtained for the use of their information.
In conclusion, there is just over one week of the consultation left to run. So far, 13 responses have been received, all of which have been supportive. In addition to the normal public consultation process, the Department has engaged directly with a number of key stakeholders, including Disability Action, the Northern Ireland Human Rights Commission, the Northern Ireland Law Centre, the Patient and Client Council, the British Medical Association and the Information Commissioner's Office.
We appreciate the opportunity to address the Committee today, and I am very happy to take questions.
The Chairperson: Thank you for that, Sharon. You talked about a separate consultation process. Is that to say that it will take place alongside the standard consultation? You said that you engaged with the Law Centre and the Human Rights Commission. Is there a separate process?
Ms Gallagher: No. We are running a second consultation process pending the approval of the Bill to inform the regulations, which would set out the safeguards and governance arrangements. We feel that the safeguards and the governance arrangements around the protection of confidentiality of patient information are so important that we want to run a separate consultation on that.
The Chairperson: There is a week left of this consultation.
Ms Gallagher: Yes, and it will inform the Bill.
The Chairperson: And alongside that, you had a separate consultation process.
Ms Gallagher: It is purely to engage informally with key stakeholders to make them aware of our proposals and take their views as we develop the proposals.
The Chairperson: Do you then propose to have an additional consultation?
Ms Gallagher: There will be an additional consultation to inform the regulations, pending approval of these proposals for the Bill.
The Chairperson: What timeline or timescale is on that?
Ms Gallagher: Pending approval of the Bill, we hope that that process will finalise in October 2015. Only after that would we launch the second consultation on the proposals for the safeguards.
Mr McCarthy: Is the information for use within Northern Ireland or is it shared with other jurisdictions?
Ms Gallagher: Primarily, it will be used in Northern Ireland.
Mr McCarthy: That is fair enough.
Mrs Dobson: Thank you for your briefing. Can you tell us when arrangements to enable specific sharing came in in England and Wales? What benefits has it brought there?
Mr Chris Matthews (Department of Health, Social Services and Public Safety): In England, legislation passed in 2001, and they have had it in place since then. They have been able to make use of it for planning and a range for the purposes. For instance, with asthma and some other diseases, they have used the identifiable information to look at how they can deliver and improve their services. They have a process in England and, up to now, they would come to us to ask whether they could look at it on a UK-wide basis. They would approach Roy, as the chair of the Privacy Advisory Committee. Unfortunately, because we do not have the legislation, our answer has had to be that we could give them anonymised information or that they can get consent. However, you can be talking about thousands of people, so we have not been able to be linked in with other UK-wide initiatives in that area.
Mrs Dobson: How do your proposals for legislation differ from those of England?
Mr Matthews: They are very similar, and the same robust governance arrangements would be put around that process.
Mrs Dobson: In your briefing, you state that the administration of winter fuel payments to cancer patients, for example, is complex under the current system. How do you see that changing under your proposals?
Mr Matthews: The difficulty was that the Department could not access the identifiable information of those people, and you could be receiving treatment in a range of locations. So, one of the issues is about identifying where there is duplication of a patient's record in a number of areas. We were not able to get the identifiable information because we could not apply to the body, so we ran into difficulties about what options we had for identifying who the people were. Obviously, we came to the conclusion that, in such instances, the only way is to go through the GPs who, obviously, have up-to-date information. There would be small numbers, hopefully, within each practice, so the GPs probably personally know who the people were. We sent a process through the GPs whereby the person would give consent, they send that back in and the payment is then made to them.
Mrs Dobson: So, things could be processed so much more quickly.
Mr Matthews: It would have saved us quite a bit of time to be able to make the application, obviously meet the criteria and get the advisory group to approve that to enable the Department to move the process forward.
Mrs Dobson: How do your proposals sit with the Data Protection Act or other legislation?
Ms Gallagher: They would be fully compliant with the Data Protection Act. That is one of the provisos for sharing the information.
Mrs Dobson: Are you aware of concerns about data protection that were raised in England when it was introduced?
Mr Matthews: No, there have not been any significant concerns about this process. In fact, some of the initial respondees, who would be very aware of the process in England, are very supportive of it. Obviously, that will come out when we review the consultation responses.
Ms P Bradley: I would like to follow on from what Jo-Anne was saying about the model in GB. I gather from my reading that there were criticisms made about the care data over there. How are we going to be different from that? Will we not face the same criticisms?
Mr Matthews: The issue that they had recently is around care.data, which is the information centre that they have in England for the processing of information. That is a different process from this. That is where they take identifiable information from GPs, pseudonymise it and then provide it to other bodies. This is about a specific structure that would sit beside that structure. It would say, "If you want identifiable information, we will consider it", but, primarily, as Sharon set out, we would put it to an honest broker service, which we have put in place, and say, "Get the information anonymised. You should not need identifiable information. If you do, you have to answer the three questions, and stipulate why consent is impossible, anonymisation is impossible and, obviously, what benefits will be achieved from getting the identifiable information".
Ms P Bradley: We currently have the Cancer Registry. Is that not correct?
Mr Matthews: Yes.
Ms P Bradley: What will be the main differences between this and the Cancer Registry?
Ms Gallagher: That is a really good example of why we are looking to get this legislation in place.
Ms P Bradley: It is an excellent example, yes.
Ms Gallagher: The Cancer Registry operates on the test of public interest. It has robust mechanisms in place to protect the data, but there is still the risk of challenge because there is no statutory basis for it to operate. The register for cerebral palsy is another example. This legislation will enable those organisations to have greater protection in what they do.
Ms P Bradley: I am very much behind this, as someone who worked in the health service for years and knows that information went astray. Had there been one database that had lots of information, it would ultimately have saved lives.
With the Cancer Registry, there is the possibility of opting out. Will that be the same in this process?
Mr Matthews: We have not gone into the detail of the opting out process. That is for the next phase. We will consider it as part of the regulations.
Ms P Bradley: OK. We will watch and wait.
Ms Gallagher: The questions raised are very much around governance and safeguards. That is why we want to break this into two parts and not lump everything together. We are hugely aware that people are very interested in how this will operate and how we create protections and safeguards in the right way for Northern Ireland. So, at this stage, we are dealing with the principle of sharing information. The second stage, which will be set out in regulations and will be subject to the Committee's scrutiny and public consultation, will deal with all those aspects: opt outs; how we share the data of the oversight board; and how it operates. It is very important to us to get right.
Mr Beggs: You indicated the potential benefits and illustrated them by reference to the Cancer Registry, yet this was introduced in England in 2001. Why has it taken us so long to move on this issue?
Ms Gallagher: Roy might like to comment on that.
Professor Roy McClelland (Department of Health, Social Services and Public Safety): I will answer this; I have longevity behind me. [Laughter.] The Privacy Advisory Committee was established in 2006, and we were asked to implement a number of recommendations by the then Minister, one of which was to look into the feasibility and desirability of legislation. We reported to the Department in 2008 that there was a strong case for introducing legislation along the lines that we have now. We have been keen, and we are delighted to be at this point in its development. I expect that we would have preferred to have seen it happening much earlier, but I think, as the Department can explain, it has been setting in place a number of other bits of the jigsaw puzzle. Reference has been made to the fact that anonymised information is a much better option if you can maximise that, and processes have been moving to provide better anonymised services to allow the health service information flows to happen. There are now better governance arrangements within the health service generally. Chris can join up the dots around this. It is not for me to defend why the Department has taken six years or more to get to this point but to support the position that it has got to.
Mr Matthews: From my perspective, when I came to the Department, we looked at what the issues were around governance in the health and social care sector, and there had been a number of audit reports and recommendations. We then set out to put together a three-year strategy. The first year looked at how the health and social care sector managed its information, at personal information asset registers and senior information risk owners, and put all those protections and robust governance arrangements in place. That was not to limit access to information but to help them to share it. Subsequent to that, we put in some additional controls in the health and social care sector to assure the Department that we had robust governance in place. Then we introduced the anonymisation and pseudonymisation processes, which was just last year. It is called an honest broker service, and it looks to develop the use of anonymised and pseudonymised information. So, only when you had good governance and other processes in place, could you then bring in the legislation. The vast majority of cases, as Roy said, should be using anonymised information, so we needed to have a process within the organisation that could do that. That is now in place, and is starting to develop and build its capacity. Now is the time to start to move forward with the legislation process, which is really the final piece of the jigsaw, as I see it.
Mr Beggs: How do you reassure the public that, where you use patient-identifiable information, it will be secure and only available to the professionals who need it?
Ms Gallagher: That is the next part of the process that I referred to earlier. We will be very clear about the purposes for which the information can be used. They will be clearly defined, controlled and limited. The oversight group will assess all applications to make sure that they are in line with the agreed set of criteria. That part still needs to be fully defined, thought through and consulted on, but there will certainly be a very robust regime around that process.
Mr Matthews: In addition, they will need to adhere to the Data Protection Act and the Human Rights Act and, if it is for research, they will need to have ethical approval for the information to be shared, but, ultimately, it is looking to pseudonymise and anonymise as far as is reasonably possible.
The Chairperson: Finally, can I just get clarity on the timelines for the legislation? I know you talked about the consultation, but do you have a projected timeline?
Ms Gallagher: It is October 2015 for this legislation. Pending approval for the legislation, we will begin to consult on the governance arrangements and the safeguards.
The Chairperson: But that is the timeline for the process. What about it being introduced?
Mr Matthews: The Royal Assent to the Bill will be in October 2015, and then the regulations will follow.
The Chairperson: Have you a timeline for when it will be introduced to the Assembly?
Mr Matthews: I think it will start in February/March 2015.
Ms Gallagher: We are looking for Royal Assent in October 2015, and we have not fully defined the timeline for the regulations because we want to make sure that we pass the Bill first of all.
The Chairperson: But for the introduction to the Assembly, I think, you are indicating February/March.
Mr Matthews: Yes, we have it as March/April 2015. That is our planning assumption.
The Chairperson: So, February/March 2015. Obviously, that will be our Committee Stage starting, so it would be useful to share those exact timelines with us.
Thank you for that information and presentation. At this point, I will just ask members if they are content to note as it proceeds.
Members indicated assent.