Data Privacy and Governance Opportunities and Challenges

Presentation transcript:

Ehealth Identifiers: Data Privacy and Governance Opportunities and Challenges

Some Background

Health Identifiers have

- Act sets out the underpinning for IHI and its use in EHR systems
- Creates a framework for governance
- Establishes a number of key registers: Patients; Healthcare workers; Healthcare service providers; Relevant Agents
- Section 15 of the Act requires inaccuracies in data to be reported within 30 days
- Relationship to Article 19 GDPR in this context…

The enabling legislation was passed in 2014. Castlebridge contributed to the prelegislative consultation and the consultation on the application of HIQA standards to the legislation. We produced a detailed whitepaper over 3 editions, reflecting the evolution of the Act and the supporting standards. At no point were we happy that a foundation for best practice was being established. Important that the legislation be reviewed in light of GDPR as this places additional wrinkles in the way in which things should be interpreted and the potential conflicts between this Act and EU law.

- Examined proposed HIQA standards (1st and 2nd editions)
- Noteworthy that a number of applicable standards proposed by HIQA subsequently dropped from Governance
- 3rd Edition provides a section by section analysis, highlighting areas of conflict with Data Protection law
- Submitted as part of PIA, but not included as judged “strategic” in nature

The report was available from 2014 in its 1st edition. This looked primarily at the HIQA standards that were being proposed for the implementation of IHI. 2nd Edition addressed the output of the HIQA/HSE head to head on the final standards to be applied. Our 3rd edition looked at a section by section analysis of the Act, particularly in light of the Bara ruling. We also looked at some of the practical issues and considerations in the implementation of the Act, including issues like the apparent intent in the legislation to codify professional disciplines into the identifiers for individual health practitioners, which would mean a surgeon switching to being an anaesthetist could have their ID recording the wrong specialism for the rest of their career.

Some issues…
- Bara ruling – impacts in relation to Section 3 of the Act (Public Interest). Bara requires that, notwithstanding any legal basis, people must be informed of the sharing of their data
- Bara ruling – technically the same problem, but a doozy so mentioning twice
- PIA undertaken only AFTER Health Identifier Registers were built
- Only a sub-set of HIQA’s Standards for Better Safer Patient Care have been applied in the governance of Health Identifiers.
- The Gender Recognition Act 2015: Need to ensure that the Identifier is not misused to reidentify previous gender of people who have changed

Some Issues
- Section 31 post GDPR: Section 31 empowers Minister to enter into Data exchange agreements; Requires DPC to be consulted; GDPR will require a PIA to be undertaken (by definition)
- Section 27 extends GDPR protections to the data of the deceased (specifically re: security)
- Section 25 of the Act creates personal liability for breaches, echoing similar provisions in Data Protection Act 2018 and its predecessor.

Section 10 of the Health Identifiers Act makes the DPC subservient to the Minister in the exercise of their function, which is counter to GDPR, Charter of Rights, and EU Treaty obligations.

A problem
- Section 8 of the Act allows for any Government Minister to be asked for data to contribute to the development and validation of the Register.
- This has happened, for a production system, despite the Bara ruling
- It is not possible for a public body to rely solely on a statutory provision to acquire data.

The Privacy Impact Assessment
- Public consultation only commenced AFTER processing had taken place and was in a “live” system.
- This is not “best practice” for a PIA
- But feedback was taken on board..

Where we are now…

- The database exists
- It is being used
- A health warning should be applied to compatibility with EU law
- The means by which data was obtained open to challenge
- Extending uses of IHI and eHealth IDs will require timely PIAs and transparency
- “Build it and they will come” not a good design philosophy

Image credit: Digital Rights Ireland
- Public Services Card report from DPC will turn spotlight on data sharing in Public Sector
- IHI database proposes to hold photographs of patients… If source is the Public Services Card data set, this will be unlawful. (Bara, GDPR etc.)
- Scepticism about Public sector data sharing and handling of personal data not helped by PSC debacle

Presented as a panacea, but DPC has been clear that an “umbrella” law to allow for Public Sector data sharing is not compatible with EU law and with the principles of transparency etc. in GDPR. Bill now passing through Report stage in the Seanad and 50+ amendments have been tabled by one Senator alone to try and bring the Bill in line with basic principles of EU law and the Charter of Fundamental Rights The Bill is not YET an Act and should not be viewed as a done deal panacea.

The Future

- Fundamental weakness in underpinning legislation remains
- Future use of data (OpenData/AI etc.) will require PIAs to be completed
- Need to ensure that long term societal and social benefit is delivered
- Requires rigorous attention to detail around basics of data privacy and governance
- Requires investment in transparency and engagement with health care stakeholders as individuals

- Increasing focus of DP regulators
- Recent conference of global regulators in Brussels had Data Ethics as its core topic
- Compliance with core legislation remains a fundamental

People Practices Policies Legislation Ethics

Conclusion

Ethical Data and Information Management: Concepts, Tools & Methods
Available from: Amazon, Book Depository, Easons.ie, Waterstones .. And more
www.Castlebridge.ie/data-ethics