Introduction

1. These Explanatory Notes relate to the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 which received Royal Assent on 11 April 2016. They have been prepared by the Department of Health, Social Services and Public Safety in order to assist the reader in understanding the Act. They do not form part of the Act and have not been endorsed by the Assembly.

2. The notes need to be read in conjunction with the Act. They are not, and are not meant to be, a comprehensive description of the Act. So where a section or part of a section does not seem to require an explanation or comment, none is given.

Policy Objective

3. To provide a clear statutory framework, and robust and stringent safeguards, which will enable health and social care information which identifies individuals to be used for health care or social care purposes which are in the public interest, without the consent of the individuals whose information may be used.

4. The provisions of the Act will only be utilised where it is impossible or impracticable to gain the consent of individuals, anonymised or pseudonymised information would not achieve the desired outcome and the committee established under the provisions authorises the processing.

5. The policy objective underlying this Act is to minimise the legal challenge risk which the Department and the Health and Social Care sector could potentially face as a consequence of using service user information, which identifies individuals, for purposes other than the direct care of the individual.

Background

6. Every individual in Northern Ireland will use the services of the Health and Social Care sector at some point in their lives. In presenting for care from their GP, hospital consultant or other health or social care professional these individuals will provide information about themselves, in confidence, to help with the identification and treatment of their health condition or social care need. The information is provided under the common law duty of confidence to help resolve the individual’s difficulties and improve their health and/or social care. This is called “primary use”. Any further use of this information beyond the direct care of the individual is called “secondary use”.

7. The risk of not having robust provisions is that the benefits to be derived from secondary use are not realised or that service information could be used or disclosed in an inappropriate manner. Inappropriate use would have implications for the service user whose information has been compromised, the health and social care sector organisations as the guardians with responsibility for safeguarding the information, as well as those who are using the information.

8. This Act will enable regulations to be made that establish a process which will ensure that information is only shared in very limited circumstances which are proven to be for health care or social care purposes and which are in the public interest.

9. The process will be robust, open and transparent. It will impose conditions on the use of the information and include penalties for those who fail to comply with these. This will protect the service user, the holder of the information and the individual or organisation applying to use it by establishing a clear, unambiguous framework to govern the secondary use of information.

Common Law Duty of Confidentiality

10. Sharing information which identifies individual service users for purposes other than the provision of direct care could lead to a potential breach of confidentiality.

11. The common law duty of confidentiality is not codified; it is based on previous judgements in court. Whilst various interpretations of the common law may be possible it is widely accepted that, where information which identifies individual service users is provided and held in confidence, disclosure may only be justified in one of three ways:

12. Evidencing service user consent or a statutory basis under the common law is straightforward. Consent is obtained or there is a statutory basis under which the sharing can happen. Satisfying the public interest under the common law is considerably more complex. It is about assessing the benefits and risks of sharing the information and basing a decision on that analysis. Currently, when using service user identifiable information for secondary purposes, where it is impossible or impracticable to gain the consent of individuals and the use of anonymised or pseudonymised information would not achieve the desired outcome, there is a reliance on the public interest and an increased legal challenge risk.

13. This Act will allow the setting aside of the common law duty of confidentiality where gaining individuals’ consent is impossible or impracticable and the use of anonymised or pseudonymised information would not achieve the desired outcome. It will not set aside the Data Protection Act 1998 or the Human Rights Act 1998. Any secondary use of information must continue to comply with the requirements of these two pieces of legislation.

Overview

14. The Act has 6 sections and comprises 6 headings:-

Control of information of a relevant person – places an obligation on the Department to make regulations to make provision for the processing of Health and Social Care information.

Establishment of committee to authorise processing of confidential information and the dissemination of information - places an obligation on the Department to make regulations to establish a committee to authorise the processing of confidential information as defined in the Act and to disseminate information to the public about the operation of the Act and any other relevant matter, and in particular about the rights of relevant persons regarding the processing of confidential information of those persons.  This section also allows the Department to set out in regulations the make-up of the committee and its procedures.

Code of Practice - places an obligation on the Department to publish a Code of Practice in respect of the processing of information to which health and social care bodies, and any other person providing health and social care, must have due regard in exercising their functions in relation to the provision of health and social care.

Regulations - relates to control of regulations made under the Act.

Interpretation - sets out the definitions of specific terms used within the Act.

Short title and commencement - sets out the title and commencement dates.

Commentary on Sections

15. A commentary on the provisions follows below. Comments are not given where the wording is self-explanatory.

Section 1: Control of information of a relevant person

Imposes a duty on the Department of Health, Social Services and Public Safety to make regulations in connection with the processing of information held within the Health and Social Care sectors, where this is in the public interest.

Regulations made under this section may make provision for:-

Authorising or requiring the disclosure of prescribed health care information;

Authorising the disclosure of prescribed social care information; and

Creating offences punishable on summary conviction by a fine not exceeding level 5 on the standard scale.

Regulations made under this section must make provision requiring that the processing of confidential information may only be undertaken when it is approved by a committee.

The section further sets out definitions of terms used within the Act.

Section 2: Establishment of committee to authorise processing of confidential information

Imposes a duty on the Department of Health, Social Services and Public Safety to make regulations establishing a new committee to authorise the processing of confidential information under the Act and to disseminate information to the public about the operation of the Act and any other relevant matter, and in particular about the rights of relevant persons regarding the processing of confidential information of those persons. This section also enables the Department to set out in regulations the make-up of the committee, and its procedures.

Section 3: Code of Practice

Provides that the Department must prepare and publish a code of practice on the processing of information, and sets out how this may be reviewed. This section also places an obligation on Health and Social Care bodies, and any other person providing health and social care, to have due regard to this code of practice and provides that the code of practice is admissible in evidence in criminal and civil proceedings and may be taken into account by a court or tribunal in any case in which it appears to the court or tribunal to be relevant.

Section 4: Regulations

Enables the Department to make any further provisions under the Act, and provides that regulations under the Act will be subject to draft affirmative procedure in the Assembly.

Section 5: Interpretation

This section sets out the definitions of terms specific to the Act.

Section 6: Short title and commencement

Sets out how the Act should be titled, and when it shall come into effect.

Hansard Reports

16. The following table sets out the dates of the Hansard reports for each stage of the Act’s passage through the Assembly.

STAGE | DATE
First stage | 16 June 2015
Second stage | 29 June 2015
Committee stage – briefing from the Law Centre (NI) and Privacy Advisory Committee. | 9 September 2015
Committee stage – briefing from Northern Ireland Rare Disease Partnership, Northern Ireland Fire and Rescue Service, Northern Ireland Cancer Registry and Northern Ireland Human Rights Commission. | 16 September 2015
Committee stage – briefing from Information Commissioner’s Office, Royal College of Nursing and Royal College of Physicians. | 23 September 2015
Committee stage – briefing from Departmental officials. | 30 September 2015
Committee stage – Formal clause-by-clause scrutiny. | 11 November 2015
Committee’s report on the Act – Report Number NIA 274/11-16 | 18 November 2015
Consideration stage | 18 January 2016
Further Consideration stage | 26 January 2016
Final stage | 8 February 2016
Royal Assent | 11 April 2016