Joint Committee on Health debate -
Wednesday, 14 Dec 2016

The purpose of this afternoon's meeting is to engage with officials from the Department of Health, representatives of the Health Information and Quality Authority, HIQA, and the Office of the Data Protection Commissioner on pre-legislative scrutiny of the general scheme of the health information and patient safety Bill. Parts 6 and 7 were addressed by the then Joint Committee on Health and Children in the Thirty-first Dáil.

On behalf of the committee, I welcome Mr. Muiris O'Connor, assistant secretary, Dr. Kathleen MacLellan, Mr. Kieran Smyth, Ms Bernadette Ryan, Mr. Peter Lennon and Ms Louise Kenny from the Department of Health.

By virtue of section 17(2)(l) of the Defamation Act 2009, witnesses are protected by absolute privilege in respect of their evidence to the committee. However, if they are directed by it to cease giving evidence on a particular matter and continue to do so, they are entitled thereafter only to qualified privilege in respect of their evidence. They are directed that only evidence connected with the subject matter of these proceedings is to be given and are asked to respect the parliamentary practice to the effect that, where possible, they should not criticise or make charges against any person or an entity by name or in such a way as to make him, her or it identifiable. I advise that any opening statement or other material submitted to the committee may be published on its website after the meeting.

Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses or an official, either by name or in such a way as to make him or her identifiable.

I now invite Mr. Muiris O'Connor to make his opening statement.

I begin by thanking the committee for inviting us here today to talk about the health information and patient safety Bill. This Bill aims to facilitate efficient and effective health information systems in the interests of enhancing our capacity to utilise data and information to plan and deliver safe quality health services.

I would like to introduce myself and my colleagues. I am Muiris O’Connor, assistant secretary in charge of the research and development and health analytics division in the Department. It is a new division, which was established in 2015, and reflects the importance that the Department attaches to information, research and eHealth. I am joined by Mr. Kieran Smyth and Ms Louise Kenny from my division's research policy unit. Ms Bernie Ryan and Mr. Peter Lennon are from our corporate legislation unit, which has put the various elements of the general scheme together.

Dr. Kathleen MacLellan is the director of the newly established National Patient Safety Office in the Department. Specific patient safety policy objectives in Parts 6 and 7 are intended to promote a culture in health care where there is open acknowledgement, reporting and learning from adverse incidents when they occur and where health care activity is regularly clinically audited to ensure that areas of poor practice are identified in order to support quality improvement. These parts were dealt with previously by the then Joint Committee on Health and Children and the points made are being considered in the Department. Part 9, which forms parts of today’s proceedings, has the specific patient safety policy objectives to extend HIQA’s remit to the private health service.

Given the range and size of the health information and patient safety Bill, I do not intend to go into details on all its provisions in my opening statement but will set out the key principles and also use the statement as an opportunity to briefly outline the broader context of what we have in mind in terms of health information policy generally. My colleagues and I are, of course, very happy to answer any questions that the members have on the Bill. I hope that this approach is agreeable to the committee.

The key objectives of the Bill are to support a number of health service goals by providing an enabling legal basis in the following areas. The first objective is to support the development of better information systems, information capacity, data quality and the eHealth agenda. This will be done mainly through the provisions on prescribed national data matching programmes and prescribed national health information resources and by the provisions on setting standards to support the electronic exchange of information and best practice in the management of health data. Data matching is where personal information collected for one purpose by one organisation is subsequently matched with data collected for another purpose by the same or another organisation. Health information resources in the general scheme are defined as registries, databases, indexes, etc., that contain personal data.

The general scheme provides for the Minister to prescribe a health information resource or a data matching programme where he or she is satisfied that the purpose is of significant health importance. A person who operates a prescribed health information resource or data matching programme will be able to require the provision of relevant personal information. The provisions on prescribed data matching programmes and health information resources are very detailed in the general scheme, reflecting the intention to carefully regulate these areas, and the Minister must consult with both HIQA and the Data Protection Commissioner before prescribing a programme or resource. The resources and or programmes will operate under HIQA standards. The aim is to ensure a clear and certain governance structure for the operation of the prescribed programmes and resources in a way that balances the needs of a modern integrated health service for relevant information, which benefits everyone, with the need to have regard to the privacy considerations of individual data subjects.

Another objective of the Bill is to encourage health research in Ireland. Health research is extremely important for innovations in health care that can directly benefit the patient and the health system and there are also benefits for the economy in terms of jobs. EU law already governs research ethics approval for clinical trials of medicinal products for human use and medical devices and the Bill will not apply to that research. What the Bill will do is to provide for a new voluntary research ethics structure for other health research. The purpose is to have a more streamlined system and to avoid fragmentation which can happen at present. This more streamlined system for research ethics approval will be through HIQA-approved research ethics committees.

There is also a separate tightly controlled data protection consent exemption for certain health research in limited and specified situations. Only a researcher using the new research ethics approval structure will be able to apply for a data protection consent exemption. The general scheme provides that the decision on the consent exemption will be for the Data Protection Commissioner.

The third objective is to strengthen patients' rights in relation to their health information in specific areas. Measures include ensuring that a patient's health record at the patient's request can follow the patient from one health care provider to another, which is essential for effective continuous clinical care; requiring that the patient is made aware of arrangements for his or her health records when a health services provider is closing down or retiring; and creating an offence in relation to the buying and selling of personal health information by those who obtained it in the course of employment or business or in a professional capacity.

The final key objective is to enhance patient safety measures. Patient safety and quality are at the heart of our health services and it is important to keep patients and service users at the centre of everything we do. Delivery of health care is, however, inherently risky and while it is inevitable that things go wrong, there is much that can be done to prevent harm or error, identify and act when that occurs and to learn from it to improve services.

I referred earlier to Parts 6 and 7, which are intended to build a positive patient safety culture where reporting and clinical audit are part of the clinical governance agenda and can provide the evidence for assuring the quality of clinical care, drive improvements where required and inform health service planning. In addition, health professional regulatory bodies and other regulatory bodies will be enabled to share information with each other for the better performance of their statutory functions.

As the members of the committee will be aware, HIQA has played a major role in recent years in driving improvements in patient safety and quality across a number of areas of the health system, in relation to the provision of services for older people, for people with disabilities and in many facets of our public hospitals. However, at present HIQA has no role in relation to the regulation of private hospitals. The Bill being considered today will rectify that situation, bringing the private sector within the scope of the Health Act 2007, allowing HIQA to set standards and monitor performance against them, as well as undertaking investigations in the same way that it does for the public system. This development is part of the Department's phased approach to regulation in health care, and in particular the introduction of a legislative framework on hospital licensing. This will involve the creation of a system whereby both public and private hospitals, as well as certain designated high-risk activities, will require a licence from HIQA in order to operate.

These provisions form part of a number of initiatives to improve the governance and management of patient safety and quality in general. The national patient safety office, which was established two weeks ago in the Department of Health, will provide required patient safety policy leadership and will lead the programme of major patient safety reforms agreed by the Government last November.

Before turning to the broader health information policy context, I should say that in its development the general scheme was the subject of considerable engagement with HIQA and the Office of the Data Protection Commissioner and we will, of course, continue that engagement. I mentioned the broader context. As the committee is aware, the health system is necessarily information intensive. The right information needs to be in the right place at the right time for both patient care and health service management. If we cannot achieve that outcome, we will not succeed in achieving a health service fit for purpose. The health information and patient safety Bill is, therefore, part of a bigger information project in the Department. We have already begun work on a framework for a new health information policy. The last time that was done was in 2004 with the national health information strategy and much has changed since then. One of the key issues is about how we protect and safeguard people's health information which is fundamental to building public confidence. A core part of our information policy development process is, therefore, to examine the different perspectives that exist in relation to greater information sharing in our health system.

In all of that, we are very aware of the new EU data protection regulation, which becomes effective in May 2018. Unlike most EU regulations, which are self-implementing, this regulation has scope for member states to introduce their own legislative rules on processing of personal data. It is worth making the point that the inclusion of that flexibility in the regulation is most likely a reflection of the differences that exist in the health systems of EU member states and their information cultures. The nature of that diversity and the historical, cultural and legal reasons for it are something to be borne in mind when looking at information systems and data protection regimes in other countries, even other EU countries.

In relation to the health information and patient safety Bill and the EU data protection regulation, it is important to point out that the general scheme was being prepared at the same time as the regulation initiated by the EU Commission in January 2012 was being considered and amended by the EU Council and EU Parliament. While careful attention was paid to developments on the regulation in the preparation of the general scheme, the latter was finalised before the former and we are mindful of the need to ensure that there is no inconsistency between the two as we progress the Bill. In that context, the Office of the Data Protection Commissioner has raised a concern about its role in making the decision on the health research data protection consent exemption. We acknowledge and understand the point made and we are examining it.

I hope my opening statement has been helpful and I look forward to the committee’s questions. I have outlined a clear set of health information and patient safety requirements for a framework which will provide for a health system built on a solid foundation of data and information. The Bill will ultimately allow our health system to utilise data and information to plan for the future and to monitor its performance in the achievement of clinical outcomes and population health. This health information approach will lead to a health system which is more person centred, planned in line with population need and informed by trusted data ensuring that it has the capacity to benchmark and evaluate itself in real time.

I thank Mr. O'Connor very much. I have one question for him before I open up the meeting to questions from Deputies and Senators. It is about the concerns raised by the Office of the Data Protection Commissioner. The phrase used was "insurmountable conflict". The question is whether those concerns warrant an extensive redesign of the Bill. I invite Mr. O'Connor to comment on that please and then I will take questions from other members.

We actually have prepared briefing material that covers the rationale for our inclusion of the role for the Data Protection Commissioner in the various aspects of the Bill, which I could supply in written form. We are aware of the reservations expressed about section 3 and the data protection consent exemption. We will work with the Office of the Data Protection Commissioner to explore other opportunities. We are also digesting the implications of the EU data protection regulation in areas 4 and 5 in terms of its role in giving advice on the prescribing of data sources and matching programmes. It is our understanding that the powers ascribed in our legislation to the Data Protection Commissioner are statutory powers the office has in any event. The concerns are about the perception that the office would be complicit in some sort of consent exemptions or data matching programmes of which it would ultimately have to be an independent arbiter. We are satisfied that we could remove the role as specified in the Bill and still retain the functionality that is available.

The health information and patient safety Bill has been developed over a number of years. When I referred to extensive consultation, it was extensive at an earlier point in the formulation of the general scheme. In recent months each party has been respectively digesting and studying the implications of the EU data protection regulation. From today, we commit to a series of intensive engagements with the Data Protection Commissioner to work through the issues, which we do not believe are insurmountable. We respect the views of the commission in respect of the role it should appropriately play in the schemes.

My first question relates to page 3 and the reference to creating an offence in relation to the buying and selling of personal health information by those who obtain it in the course of employment, business or professional capacity.

I will outline my experience of a GMS doctor with a medical card list, even though the list system has been deregulated in recent years. Let us say that a GP has built up a practice over 40 years and then retires. When they sell on their practice my experience is that the price is usually calculated on turnover, how many patients are on the list and what sort of money the practice is taking in, which is only normal. The same also applies to community pharmacies to some extent whereby the turnover is worked out based on how much the business will be sold for. How will that fit with what I just read out? How will we let that sort of thing continue, which is just normal market practice, in light of the statement here? It could be said that one is selling personal data because there are 100 patients who each spend €60 per month. Data are essentially being sold there, so how does the statement sit with existing private businesses within the health service?

The second thing concerns consent and the sharing of information within the health service. Going back to my own experience, a community pharmacy will have patient records but there is absolutely no correlation to the records in a hospital. There are always difficulties in clarifying what happens at the GP practice, hospital, primary care setting or community pharmacy, and how that information is collated. There is a broader issue of consent. If a patient is discharged from hospital on a Saturday night I would have serious concerns about practitioners, be they community pharmacists or GPs, being able to access information on a patient when the patient has not turned up on that practitioner's doorstep. People have sensitivities and may not want to visit such and such a surgery because the receptionist is their next door neighbour. They may not want to visit a particular pharmacy because the girl behind the counter was a student of theirs at school, or for whatever reason.

A couple of patients may be seen at the HIV services in St. James's Hospital but that would have nothing to do with the community setting. They do not want people in the community setting to know anything about their HIV status. With stigma, how do we protect the patient's right to keep that as their own private business and limit the number of people who can access such data? Sharing data is one thing, but when one starts putting limitations in does it not all fall asunder because one is not getting good data in and out?

The first question related to the transfer of a GP practice and how the records might naturally be available. Clients of the practice would be alerted to the fact that it is closing down and would be offered an opportunity to indicate where they wanted their information transferred to. The money that has changed hands in acquiring the practice, with the records that remain which have not been indicated to go elsewhere, would not be considered as buying or selling patient information. It would be considered as a continuity of service, I would imagine, in relation to the practice. The penalties for buying and selling are to bring a lot of rigour and to show our determination to ensure that data collected for one reason are not used or abused for other reasons. It would not interfere with the transition of ownership of medical practices.

Head 7 provides for the nullification or cessation of the provision of health services. It is designed to address the situation where, if a GP practice is closing down, there is a requirement to inform patients that that is happening. As members of the committee can understand, it is a long-term relationship with GPs and there is a considerable amount of information built up concerning the patient. Head 7 is there to address the situation that we feel is relevant. If a person's general practice is closing down they should be advised of that fact. Such patients should be afforded an opportunity to make alternative arrangements concerning another GP and what happens to their records.

Deputy O'Connell raised a number of issues which are really relevant. At the outset she pointed to the disconnect between information sources and the inability to recognise that the same individual is being referred to. The individual health identifier which was originally part of this legislation, was taken out and enacted separately in 2014. We are now commencing the establishment of a base register for the individual health identifier. That will be a key building block in moving towards electronic health records and in creating the necessary connections. In that way, the pharmacist will recognise that a client is the same individual the GP or hospital is treating.

The issue of data privacy and consent in the context of electronic health records is one that will require considerable further engagement. It will be part of broader health information policy as we move towards electronic health records. A group of European data protection experts believe that in the context of electronic health records, consent is a democratic imperative. We are minded to ensure that as electronic health records progress, consent will be allowed for.

Deputy O'Connell asked a specific question on how a person's HIV status would be protected. It may be known in one area but not in another. Is Mr. O'Connor saying it will require further consultation to ensure that does not happen? A patient also has the right not to share information, even though it is handy to share it. They must have the right to share it only with certain people. There is a genuine concern about where that information will go.

In real life I have had an experience of a patient who attends the HIV services in St. James's Hospital. They were supplied with their drugs there and I had no idea the man was HIV positive. He deals with me for other aspects of his life. It is none of my business, it just came up one day. My point, however, is that he genuinely set about not wanting anyone in the community setting to know that. How do we preserve that and protect it in future? That is his right. It is his belief that there is still a stigma there and it is his choice. How are we going to protect that sort of situation? Are we going to block the St. James's Hospital record from the community care person? Has the Department of Health thought this out?

The issue raised by the Deputy relates to a person's self-determination of his or her own record and the choice or control they can exercise over it. With the UK model, a patient is basically in full control of what goes into their summary care record. The patient can also determine who gets access to that and what parts of the record others may get access to. That concept of self-determination lies at the heart of developing summary care records as well as national electronic health record systems. It is a recognised key element of that.

I will just add to that. Everybody recognises there is some health information that we do not really mind being disclosed, such as allergies or a person's blood type. That is at one level, but there are certain things about which there must be major privacy considerations and everybody is aware of that.

I thank Mr. O'Connor for his presentation. I would raise two issues, those of clinical governance and accountability. The general scheme of the Bill states that "The Commission on Patient Safety and Quality Assurance creates a framework for better patient safety and quality in Irish health service". It also states, "However, the Commission recognises that fear of litigation and damage to professional reputation presents a significant challenge for professional bodies in engaging with incident reporting, open disclosure and audit process. This is supported by international experience". The reason I ask about this is that we in this committee are also having a discussion, in the context of another item or piece of legislation, on the issue of open disclosure and duty of candour. The more I read this legislation the more I think it is very unlikely to be compatible with what we are trying to do in the context of other legislation. When those in the Department were drafting this legislation did they just take into account the Commission on Patient Safety and Quality Assurance's recommendations or did they take account of the broader picture of what we are trying to do in terms of open disclosure and duty of candour? From a first glance at the Bill some days ago it did not appear to be anywhere near where we would like to be in terms of open disclosure and duty of candour in the context of the pre-legislative discussions we are having on the other Bill.

That leads me to another issue. When we talk about improving the quality of health care here we have an uncanny knack of putting the clinicians front and centre and we always absolve the administration from having any accountable standards whatsoever in terms of an obligation to ensure safe quality health care. I would instance the Portlaoise report, which was explicit and unearthed some poor practices, to say the very least, in the administration of health. Are we consistently putting the onus on front-line clinicians, nurses, doctors, consultants and other allied health professionals and yet absolving senior management from having any accountability in the context of potential risks to patient safety? In this legislation again I believe we are using the professional bodies to ensure clinical governance and accountability. Is that an area we need to examine if we are to have genuine meaningful accountability?

It is fine for us as parliamentarians to bring the Minister into a committee and criticise him for an hour or two over something that has happened or blame some doctor or nurse when it is quite evident that it may have been because of administrative inability or lack of ability, or heavy-handedness or short-handedness. Mr. O'Connor might give his observations on that.

I also wish to raise the issue of the licensing of hospitals. There is a great pretence in our health system, as we well know. The Health Information and Quality Authority, HIQA, visits hospitals, observes some our theatres and requests that the hospitals do their best to improve them and bring them up to standards but, let us be honest, if there was a full detailed audit of our health system, we would be under huge pressure in the morning. What preparatory work is done in the licensing of our public hospital system in advance of there being a full licensing system in place in terms of an audit? What assessment has been done of the need to get from where we are to where we must be when a licensing system is in place? The reason I ask about this is on foot of discussion we have had in another committee on the capacity of our public health system to deal with what comes through the emergency departments and through appointments from outpatient and inpatient departments and the fact that we do not have necessary capacity. I have concerns about the areas covered under heads 71 and 72 of the Bill regarding the issue of open disclosure and duty of candour.

I thank the Deputy for those questions. I will pass the questions on open disclosure and the licensing of hospitals to Dr. Kathleen MacLellan but, first, I acknowledge that the Deputy has raised good points on the responsibility of administrators and managers in health care settings to make better use of information. I would say that is the key motivation for the health information aspects of the current Bill.

The current situation is one of fragmented data sources, different computer systems with little interoperability and awful lot of paper that goes missing. These deficiencies raise direct patient safety challenges and they do not service the needs of our clinicians, as the Deputy said, in their administration of care in a professional way to citizens and to patients. I refer to the provisions around ensuring best practice, as overseen by HIQA in the management of data, in the electronic exchange of data, and the Minister's facilities to prescribe data-matching programmes and health information resources which would operate to very high standards. These would be a small number of key national programmes that would underpin a much more robust and much more accurate and available information base that would be the responsibility of administrators and managers to maintain and to execute. That is a key motivation here, that the clinicians and the health and social care professional be supported.

Yes, but Muiris, or Mr. O'Connor - I was addressing Mr. O'Connor by his first name, like the Taoiseach and Deputy Adams did yesterday - the clinicians have professional bodies that hold them to account. If an administrator who is obliged to do all that is required on HIQA's recommendations does not do that, what accounting procedure for that purpose is provided for in the Bill? Is there any onus being placed on the individual to do this and, furthermore, if he or she does not do that and it results in an adverse outcome for a patient, who is culpable?

I take the Deputy's point that when something goes wrong in health care it is rarely one person's fault and it may be due to a combination of factors and a system failure. Dr. Kathleen MacLellan would probably have further thoughts on this. We are moving to a situation where it is incremental and we will get there, but it is taking longer than anybody would want.

To return to the Deputy's first point on open disclosure and consistency, I know he made another point about open disclosure but on the element of consistency in the context of what is in the health information and patient safety Bill, originally it was part of that Bill and it was taken out to progress it faster. As he will have noted, this Bill is quite a large one dealing with a range of issues. We were aware that we needed to keep things consistent as far as possible because open disclosure was part of the same package as the external notifications to authorities of an incident.

On the Deputy's point regarding accountability, as we are moving forward towards licensing, clearly, a worst-case scenario for a health care provider would be that the licence would be jeopardised. That probably brings people's attention very quickly and closely to the need to react and put in place proper practices. Dr. MacLellan might wish to respond to the Deputy's other questions.

I will pick up on a number of the other patient safety issues that have emerged. We would view that the health information and patient safety Bill is complementary to the other legislation. Within Parts 6 and 7, it particularly allows for the mandatory reporting of serious reportable events to an external agency, and that will be the first time that this will be done. Similar to systems we have, in the UK - this is part of the legislation there - and in Scotland, Australia and New Zealand, a particular set of, what we would call, serious reportable events or sentinel events would be reported externally to an external agency. The health information and patient safety Bill provides for that external reporting to HIQA or the Mental Health Commission, as appropriate. It will be the first time that we will have created such mandate in that manner and that will create a flow of information that we have not have had previously to allow for examination of analysis and learning to the system. From the establishment of the patient safety surveillance system, which we will work on through the National Patient Safety Office of the Department, this will one will allow a flow of information that will start to help inform us in terms of patient safety issues and trends happening across the system. That is one element within the health information and patient safety Bill. In terms of the front-line clinicians and the management, it is important to remember that we have an accountability framework within the HSE and one of the core components of that is around quality and safety, so there is an accountability process within the HSE.

I would like to refer to the licensing of hospitals. We would see Part 9, which is around extending HIQA's remit to the private health care sector, as part of a phased approach to regulation across our hospital system.

The licensing legislation we are working on is at an advanced stage and we plan to submit it in a memorandum to government in early 2017. This legislation will provide for licensing of public and private hospitals and designated high-risk activities in the community. We established a licensing working group, which has met five times in 2016 and includes representatives of the Health Service Executive at a senior level, private hospitals, HIQA, the chief executive officers of the hospital groups and the forum of regulators. The group has been discussing the capacity of the public and private health care systems to take on the programme of licensing. This will provide an opportunity to make an assessment against a core set of regulations that will be based on the standards for safer better health care. In itself, this should move forward regulation within the health care systems. For the first time, they will be required to have a licence to operate as a private or public hospital. HIQA will be given explicit powers in the legislation to revoke or retain a licence or impose on health service providers improvement requirements and so forth. This is a significant step forward for the health system. The HSE and private health care providers are examining the stage of preparedness they have reached for the introduction of licensing.

The HSE is examining what stage it is at in comparison with the implementation of the national standards for safer better health care. The core regulations pertaining to the licensing regime will be based on those systems. Work is under way in the HSE to assess what stage it is at and its readiness and preparedness for licensing.

I thank the witnesses for their presentation and replies to questions. To return to Deputy O’Connell's first question on information being exchanged on the sale of a practice, due diligence applies nowadays to all commercial transactions. Does a due diligence process apply when a medical practice is being taken over? Does the legislation provide for this? I am not convinced by the answers provided thus far that this matter has been addressed adequately. Due diligence would involve a careful examination of all the records of a practice before a decision is taken to pay out €100,000, €200,000 or €1 million to take over the practice. I do not believe the matter is either covered or excluded from this process. I ask for a response.

Were the processes in place in other countries considered before the plans were made? In Denmark, for example, patient records have been entirely digitised since 1996 and I understand the number of information technology systems in use there has been reduced to 25, with a view to reducing it further to five. The health service here uses approximately 1,700 information technology systems.

I am a little sceptical about the approach to be taken to this process. In November 2013, I submitted a question to the Health Service Executive seeking details of the number of consultants working in the HSE and the number of consultant vacancies. I received a detailed response in January 2014, which provided a template setting out the number of consultants in each hospital in each area, the number of vacancies and locums, etc. It was clear that records were being kept and had been digitised. When I submitted the same question in November 2016, however, I was informed that this system no longer exists and the HSE was developing a new system module to bring its records up to date. Why was the system in place in January 2014 abandoned at some point before November 2016? Information on the number of vacancies for hospital consultants and the number of locums operating in the HSE is crucial for forward planning purposes, for example, to ensure a recruitment process commences before a member of staff retires. This basic information, which is of fundamental importance to the HSE, was abandoned at some point between January 2014 and November 2016. While everyone is talking about paperwork, legislation and so forth, I am concerned about how the process will be implemented given the inability of the HSE to maintain such basic information. I ask the witnesses to address that issue.

I am not aware of the particular workplace planning information technology system to which the Senator refers. I have been in the Department for one year. The issue of the multiplicity of different information technology systems throughout the health and social care sector is of major concern. As I indicated previously, it is highly fragmented and the systems do not even speak to each other. Since the adoption by the Government in 2013 of the national e-health strategy, serious and significant steps have been taken to ensure a much more co-ordinated, sensible and mainframed approach to investments in information and communications technologies, ICT. We have the appointment of a chief information officer in the HSE, Richard Corbridge, who addressed the joint committee recently. E-health Ireland has been established with an independent advisory group and includes key experts from jurisdictions that are far ahead of Ireland in terms of investments in information technology. A knowledge and information plan has also been developed.

Increasingly, what is happening under the office of the chief information officer in the HSE is that national systems are being rolled out instead of local, fragmented individual investment in technology. For example, we have seen a national system that allows general practitioners to make electronic referrals to hospitals. We have seen a national system being rolled out across hospitals that allows them to get back to general practitioners with notes, test results and notifications. There is a national approach to digitisation of medical issues. It makes no sense to do these types of things independently because they are extremely expensive and the systems frequently do not communicate with each other.

We share the Senator's concerns about the inadequacy of the technology base. It suffered from under-investment over the past decade. We have much to learn from other countries, including Denmark and Belgium. The United Kingdom has chopped and changed in this area and we can learn a great deal both from its mistakes and what has worked. We are paying attention to all of that.

We cannot expect to replicate in multiple sites the type of technological security that is required of any of these systems in terms of data protection and legislative and legal security, and the governance around that. It is necessary to achieve a standardisation of the governance arrangements and this is provided for in the health information and patient safety legislation with the HIQA standards that will be imposed on prescribed resources. The Bill also progresses the e-health agenda through its specifications in respect of interoperability and data management standards.

We can look into the specific workforce planning tool that fell off the radar and revert to the Senator on the matter. However, the case he raises is illustrative of a broader concern of fragmentation that we are genuinely trying to address. The establishment of the division I head up reflects the Department's appreciation of the need to pull together the different functions relating to information, analytics, research and, crucially, information technology. I also have responsibility for international engagement, academic engagement and enterprise engagement. This reflects the need to learn from outside the public health system with regard to how best to implement some of these systems.

Mr. Lennon will address the issue of due diligence in practice.

I will follow up on Mr. O'Connor's comments. If one looks back to 2005, 2006 and 2007, one would be forgiven for believing we were standing at the dawn of a new digital age where everybody would have a cradle to grave national electronic health record. Some countries spent a great deal of money trying to make that happen.

In 2009-10 there was a subtle change as people realised it was not as feasible as they might have wanted it to be. We now have systems that talk to each other such that rather than a big bang what we have is an evolving system.

Reference was made to the number of legacy systems in the HSE. As stated by Mr. O'Connor, it is important we learn from the mistakes of others. Often, it is good not to be first to do something because one then gets an opportunity to see what does not work. We have looked at the landscape not only in Europe but in North America, Canada, Australia and so on. The evolutionary approach is the one that has been adopted in the Bill. Mr. O'Connor referenced inoperability in relation to head 11 of the Bill. This is about computers communicating with each other. In this regard, we are suggesting a standard based system such that there will be clarity for everybody going forward as to how the bits of the puzzle will fit together. One of the advantages of being where we are now is that other people rather than us have spent billions of euro and made the mistakes which, hopefully, we will learn from. I hope my response on this matter has been helpful.

On the due diligence issue, everybody here probably attends a general practitioner, GP. When we visit our GP we tell him or her things we would not tell anybody else because that relationship is governed by confidentiality. The information in the records about which we are speaking is personal information. Under the data protection Acts, the directive or the forthcoming regulation that information is regarded as sensitive, personal information that deserves the highest degree of protection. The sale of a business which holds information on people's personal health is rather different to the sale of most other types of businesses. To say to somebody who is interested in buying that business that he or she would have a right to examine the records in order to establish whether the client base in those records was such as to justify a particular price is inconsistent with the principle of data protection. What we are doing in terms of this Bill is building on data protection concepts. I do not think it is possible to allow a situation whereby a person who is thinking of buying a business could be permitted to examine records in order to establish a monetary value on what those records suggest the business is worth.

I am speaking about access to information such as where the population that attends the practice is drawn from. The due diligence could be around review of addresses and so on. A person considering the purchase of a practice will want to try to work out the likely future of a practice based on information on patient age profile and so on, which information will also help in reaching a determination as to what the practice is worth.

I apologise for having misunderstood the Senator's point. So long as the information is not personal data relating to individual patients what he suggests would not be problematic. As I understand it, the Senator is talking about access to more generic information that would give a profile of the practice.

The first objective of the Bill is to support the development of better information systems, information capacity, data quality and the e-health agenda. To what extent do we compare with other jurisdictions under each of the aforementioned headings? What information has been requested from other jurisdictions in terms of how they have progressed in this area? Are we up to speed? Have we identified the precise areas where we need to improve and do we have the capacity to improve? Are there any issues arising that have yet to be determined?

The second objective of the Bill is to encourage health research in Ireland. Health research is an important element of the development and evolution of a health service. What are the weaknesses in health research in this country compared with other jurisdictions? For example, to what extent do we allow modern technology such as e-systems to be incorporated into the research that takes place here? Do we have access to what prevails in other jurisdictions, not only in Europe but globally, and how do we aspire to achieve their levels of efficiency, capacity and response?

The third objective of the Bill is to strengthen patients' rights in relation to health information in specific areas. In regard to patients' rights and given the experiences of the past number of years in terms of incidents that have occurred, the conditions prevailing at the time and whether or not adequate information was made available, subsequently, to the patient, will all information be made available to patients in future? Patient rights are applicable prior to and after an event has taken place particularly if the outcome of that event was not as satisfactory as it could or should have been from the point of view of the patient.

Reference was made to the Data Protection Commissioner and to the lengthy engagements between the Health Information and Quality Authority, HIQA, and the Data Protection Commissioner. Presumably, the role of the Data Protection Commissioner is to ensure the information is provided to the patient or an authorised person or association.

On the enhancement of safety measures, is Mr. Lennon satisfied that patient experience, in terms of the procedures to be followed in the course of their treatment, whether in or outside a hospital or in or outside of primary care centres, is adequately provided in this legislation? I suspect that we will not be revisiting this legislation for a long time. To what extent is Mr. Lennon satisfied that what is provided for in this Bill is adequate?

Deputy Durkan asked a range of interesting and pertinent questions. In regard to where Ireland stands in the international context in terms of e-health and the use of health information, as alluded to, most EU countries are quite a bit ahead of Ireland in terms of their investments in information technology and how co-ordinated those investments have been. The UK and Denmark have been cited in this regard. Belgium also has a very sophisticated system. The Scandinavian countries more generally operate population registers, which are so comprehensive they do not need to undertake census of population, as we do every five years. The population registers provide information on citizens' basic characteristics and their interactions with all kinds of State services. The richness and comprehensiveness of the evidence base available to other health systems is considerably superior to ours. I am confident that we can catch up on other countries.

We have a very focused ambition to do so. Basic but fundamental building blocks such as the individual health identifier are critical differentiators that other countries have had ahead of us. The UK has an NHS number which is like a bank account number and allows service providers to recognise individuals. The health information we get includes an enormous amount of metrics generated from service provision. The individual health identifier will allow us to anchor all that noise against a frame of reference that looks at the impact of all of this service provision on the health and well-being of people in Ireland. That is a critical move.

In terms of capacity, I have mentioned the more concerted investments in ICT leadership through the establishment of the CIO's office in the HSE and of my own division in the Department as well as through HIQA and other bodies. There was sanction in 2016 to expand by an extra 49 people to build capability into that. This is to move from a situation of fragmented localised investments in often disconnected technologies to national programmes of investment. There is an electronic health record business case with the Department from the HSE that looks at a multi-annual plan to ensure the development of a comprehensive electronic health record for all citizens based on investments in acute and primary. That shared view for people with a legitimate professional relationship with a citizen for his or her health or social care is critical to better integrated care and the greater integration between primary and secondary care that has been in each programme for Government for the last number of Governments. We are getting there. We are making big progress and I am confident that we can catch up with other countries.

It is similarly the case in health research. We have some very strong performers in health research in the medical and academic worlds in Ireland but some of the provisions in section 3 will allow us to move into research of greater scale and significance in terms of analysing the impacts of various health and social care interventions on population health outcomes and utilising anonymised data to look at scale. A great deal of energy goes into doing sample surveys at a small level and that generally does not get us to the global standard we need to get to. The provisions in section 3 and the streamlined research ethics committees will, we hope, facilitate greater research projects of scale where Irish medics and academics can collaborate domestically and internationally to improve things.

Patient rights and their awareness of data protection are things we seriously prioritise as can be seen from the provisions of the HIPS Bill. We prioritise the rights of patients to privacy and to have their data used in appropriate ways only and are very aware that further reflection and, potentially, further legislation will be required as we move to the implementation of electronic health records. One of the main things that is found in other countries is that even with a great deal of consultation, patients can have little awareness of what happens to their data and of the value of their consent to have data used for health or research. The CIO in the HSE will develop over the immediate months ahead an approach to public engagement and devising a more practical consultation strategy. In that regard, a number of hypothetical personas are being devised. It might be an elderly lady of 75 with certain conditions or it might be a middle-aged person or a young person. These hypothetical personas are being developed with hypothetical electronic health records so that issues around privacy can be discussed in a much more practical way. These things are often deliberated in very abstract terms that do not mean a whole lot to the citizen. We want citizens to know about their privacy rights and to know, in particular, about the value that attaches to them and the public more generally when data can be used appropriately for health research and understanding the outcomes of clinical interventions.

We were asked about patient safety and Dr. MacLellan will speak more on its enhancement.

Broadly enhancing patient safety at scale across our health system is going to require a comprehensive set of patient safety interventions. We know that from our international patient safety experts and our research. To pursue this, we are tackling the issue in a number of different ways. Within the health information and patient safety Bill we have included provisions to support and promulgate clinical audit, the reporting of the serious reportable events and also the extension of HIQA's remit to the private sector. This is part of an overall programme of work. For example, we have already discussed in the committee the proposals around open disclosure and, recently, the planned introduction of licensing for our public and private hospitals and high-risk designated activities. The Deputy may be interested to know that HIQA and the mental health commission are finalising standards for patient safety instant management which will be very helpful for the system. They will be published early in 2017.

In terms of the Department's policy commitment and leadership, the Minister launched the national patient safety office last week and it has three programmes of work. These include extending the national clinical effectiveness agenda and developing the patient safety surveillance system, both of which are highly dependent on good data and good information sets to help build our system going forward. The patient safety office will further develop and deliver a programme of policy and legislation. Just today at the announcement of the national service plan, the HSE committed to a changed approach to its management around patient safety to a patient safety programme of work. We are confident that within that comprehensive set of patient safety measures we will really start to move forward our patient safety agenda.

I thank Mr. Muiris O'Connor and his team for the introduction to and work on the Bill. It is worth reflecting on the fact that the research, development and health analytics division, which Mr. O'Connor manages, was only established last year. It is great that it has been set up and it is important that its work gets moved on rapidly.

Believe it or not, I am going to come at this from the angle of people with chronic conditions, disabilities and mental health needs. While they may constitute a minority of those who use the health service, they may make up the majority of the use of its services because they are repeat customers and their conditions bring them back more intensely over time. Mr. O'Connor referred to hypothetical personas. Is it possible to put in instead of a persona some particular conditions? This is just my own anecdotal experience over nearly 40 years of being involved with people with disabilities. It was the case 40 years ago that a family that had a baby born with Down syndrome were told they would get 30 or 35 years out of that little fellow or girl. While those children are now men and women of 35 who still have 20 or 30 years left to live, we know there are things coming down the track with certain other co-morbidities, etc.

In terms of building up a trajectory or a profile of how conditions and people's experience of those conditions move, we have a sense from more developed societies with better health services that one gets a five or ten year window where one can see what is happening.

I know this from my engagements with organisations in Ireland whose work relates to specific conditions such as muscular dystrophy and Down syndrome and their counterparts in Europe, North America and elsewhere. They see what is happening. It is very important to try to build up these pictures. There is a tension in this legislation which is mirrored in its Title, the health information and patient safety Bill, which also includes the idea of confidentiality and people's confidence. We must get this tension or, to use another word, "balance" right. The health information side of it must not be sacrificed to the other side. The other side must be properly looked after. This is where we will make the gains. I read this morning that the CSO has stated that three out of every five people over the age of 60 in Ireland has a chronic condition and that 13% of people have disabilities of some kind. This figure can be taken as conservative. We need to plan on the basis that it is conservative. People are living longer and surviving more illnesses that would previously have taken them out of this world, albeit with other morbidities and so on.

The Department has set out four objectives. The second is to encourage health research in Ireland. I want to juxtapose this with the third and fourth, which concern the strengthening of patients' rights and the enhancement of patient safety. This is what I am suggesting in my comments on the Title of the Bill, that this is the tension we need to get right on both accounts. If we do not get it right on the patient confidence side, we will achieve nothing on the other side. I will put it this way. I have polio. There are people with other neurological conditions. If one were to pull the files together on the desks of the handful of consultants in this country and put those files into a great machine, one could learn an awful lot - if given patients' gender, age, life circumstance and so on - about the profile of a certain condition and how people's expectations of it and what they can do has expanded over the years. In one way, therefore, we are close to being able to do something yet we get caught. Every time anyone talks about doing something about this, data protection is offered as an excuse. I do not know about data protection in detail. However, the cancer registry has real information about real people. Why is it only used for cancer patients? I am not saying we should not have it at all, but why is this or some similar model not available to help us with all these other conditions?

We also know that as one problem is solved, we get over the crest of a challenge only to find the next peak ahead. We should start planning for these things. We should help organisations and communities that support people with disabilities to self-manage better to have better understandings and work more in partnership with clinicians. Many organisations we call service providers, that is, organisations for people with specific conditions, are on the cusp of having a very powerful role because they have the confidence of the people and the families, they know their situations quite intimately and they can be major advocates at local and regional level.

I greatly appreciate Senator Dolan's observations and contributions. I assure him that I will pass on to the HSE his recommendation that, in the context of developing these personas, we will cover the diversity of the population and include disabilities and particular conditions in order to understand how health information might be assembled and shared in respect of those disabilities and conditions. He is correct about the demographics and many of the challenges arising from the success of modern health systems over recent decades here and elsewhere in ensuring longer life but that many co-morbidities are associated with this.

The issue of the balance between privacy and the benefits of information is absolutely critical and lies at the core of the Bill, and I note the Senator's advice to get this right. He is correct in what he says. I am new enough to the health arena but I observe a great deal of caution in the health research community surrounding the use of health information and a kind of intense awareness of everything people believe they cannot do, much of which is unfounded. There is an onus on us in the Department and on the health service providers to be perhaps more intentional and more assertive in communicating the public value of health information and the fact that information to which personal details are associated, when anonymised, can generate data sets that are of enormous value in understanding particular conditions. We can aggregate this data at national level. The Bill before us takes great steps forward in allowing the cancer registry model to be applied to other areas. Were the Minister to prescribe particular conditions or a disability data set, it would be possible under certain circumstances to develop that information and derive the value from it.

The Senator also touched on patient involvement in the framing of research or research questions and in the contribution to greater collective awareness even of what lifestyles, habits, support, longevity and comfort are involved in the context of particular conditions and which new drugs are impacting in what ways. This is about the value of health information. We would like to see this encouraged and expanded for the greater good while of course protecting privacy.

I thank the Senator for his observations.

Yes. It is amazing - I think Senator Dolan has powers of mental telepathy because his comments went along the direction in which I was about to head. I compliment him on that.

My comments relate to a question Senator Colm Burke raised earlier and which I raised previously as well. I refer to the questions that should be readily available to those interested in the health sector - for example, Members of the national Parliament - and access to this information at the touch of a button. It is hugely important that this information is collated quickly and drawn together in such a way as to make it valuable in the context of a vision of a health service, particularly when incidents take place. We will not learn anything from an incident unless people are alerted right throughout the system and all the details are made available. As a result of that, we would be able to provide a better quality service.

Going back a number of years, regarding the cancer registry, I repeatedly raised those questions, which it was obvious to me needed to be dealt with, regarding the various forms of cancers, the incidents and the profiles. Eventually the registry was set up. I do not claim responsibility for it. Nowadays politicians claim responsibility for anything and even wish to be associated with minor policy details. The important aspect of the registry is that at the touch of a button the information is readily available, although not yet to the extent I would like.

I came from the background of membership of a health board at that time and could instantly see the necessity for it.

To what extent does the Department monitor everything that takes place at clinical trials? There were controversies years ago about the way they were managed and the regard for the safety of those involved in the trials. Is the Department satisfied that this proposed legislation makes adequate provision? Will we gain some further benefit from it? There is an urgent necessity, as the witnesses have said, for continued medical research in this jurisdiction in order that benefits accrue to the general population. There is always a tendency to forgo information that might be available because there might be ethical questions about it. That is where the Data Protection Commissioner and HIQA will have to lock horns in the future. I would appreciate the witnesses' comments.

The legislation before us does not extend to clinical trials which are already encompassed within EU law. The Bill does, however, provide an equivalent set of arrangements for research ethics for research outside the clinical trial environment.

I was not sure if there was a question in the Deputy's initial contribution but he talked about the value of-----

There is a national incident management system, managed by the State Claims Agency. It is in its second phase of roll out across the whole system. The intent is to capture all incidents, be they near misses, minor incidents or serious incidents, and to feed all that information back to local services, but also that at national level the State Claims Agency can create and collate national reports about incidents. It is critical that this information comes back into the system very quickly and that we examine patterns and trends and act on them very fast. We cannot do that without the data and information being available in a usable format for us and for the system.

No, but it is something we would certainly consider and discuss. The UK is setting up a new body to examine serious incidents and we have had some discussions about that with our counterparts in the English Government. We have not really considered it but I think we should consider and think about it.

Yes, absolutely.

In response to the question about the cancer registry, the cancer strategy steering group is meeting this afternoon to finalise the cancer strategy. That is based on, and driven by, the information that has come from the cancer registry which is critically important. Earlier this year we published the maternity strategy and were able to pull from several data sets so that we could get a sense of the demand for the system, its capacity and the areas where we needed to focus the key objectives of the maternity strategy. The sense of being able to create data sets around various diseases and conditions is critically important for the planning and development of our system. From a patient safety and planning point of view we very much support and see that the provisions of the Health Information and Patient Safety Bill will support the growth of those types of information systems.

In response to the Vice Chairman's opening question about the roles of the Data Protection Commissioner, I understand it may have reservations about some or all of the roles. I could send the committee a short note tomorrow on the rationale that underpinned the inclusion of the Data Protection Commissioner in the various roles. It might be helpful. The committee can share it with the Data Protection Commissioner also.

That would be welcome and we will circulate it to the members.

On behalf of the committee I thank Mr. Muiris O'Connor, Ms Kathleen MacLellan, Mr. Kieran Smyth, Ms Bernadette Ryan, Mr. Peter Lennon and Ms Louise Kenny for their valuable contributions and insights. Following this engagement and our upcoming engagement with the Health Information and Quality Authority and the Office of the Data Protection Commissioner the committee will present its views on the draft legislation, which will be informed by these engagements, to the Minister.

We will now suspend for a couple of minutes to allow the witnesses leave and the representatives of HIQA and the Office of the Data Protection Commissioner to take their seats. Is that agreed? Agreed.

We are now meeting representatives from the Health Information and Quality Authority and the Office of the Data Protection Commissioner for pre-legislative scrutiny of the general scheme of the health information and patient safety Bill. On behalf of the committee, I welcome Mr. Phelim Quinn, chief executive; Ms Mary Dunnion, director of regulation; Ms Rachel Flynn, director of health information at HIQA; Ms Helen Dixon, commissioner; and Mr. Dale Sunderland of the Office of the Data Protection Commissioner.

I draw the witnesses' attention to the fact that by virtue of section 17(2)(l) of the Defamation Act 2009, witnesses are protected by absolute privilege in respect of their evidence to the committee. However, if they are directed by the committee to cease giving evidence on a particular matter and they continue to do so, they are entitled thereafter only to a qualified privilege in respect of their evidence. Witnesses are directed that only evidence connected with the subject matter of these proceedings is to be given and are asked to respect the parliamentary practice to the effect that, where possible, they should not criticise or make charges against any person, persons or entity by name or in such a way as to make him, her or it identifiable.

I also advise the witnesses that any submission or opening statements they make to the committee may be published on the committee website after this meeting. I remind members of the longstanding parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside of the Houses or an official, either by name or in such a way as to make him or her identifiable.

I now ask Mr. Phelim Quinn to make his opening statement.

On behalf of the Health Information and Quality Authority, I thank the committee for the opportunity to address the Joint Committee on Health this afternoon. I am joined by my colleagues, Mary Dunnion, who is director of regulation and chief inspector of social services, and Rachel Flynn, who is our director of health information. We are pleased to be here today with the Data Protection Commissioner to discuss the health information and patient safety Bill 2016. I will keep my statement short to allow as much time as possible for questions at the end.

HIQA was established almost ten years ago to regulate Ireland's health and social care sector and to promote quality and safety in services. Our remit has grown substantially since then. However, our core activities remain the same, that is to monitor and regulate health and social care services, develop standards, carry out health technology assessments and advise on the collection and sharing of information across our health care services. All of these functions are focused on making services safer and better, providing assurance to the public as to the quality of these services and ensuring that the findings of our work are reflected in decision-making at local and national level. Putting the needs and the voices of the people who use these services to the fore is the essence of everything we do. The health information and patient safety Bill is broad legislation that sets out a legislative framework for the better governance of health information and the mandatory reporting of patient safety incidents. The Bill also includes measures to support clinical audit and provides for the extension of HIQA's remit to private health service providers, including private hospitals and cosmetic surgery clinics. In this instance, HIQA will be required to set standards, monitor compliance with those standards and undertake investigations. It is important legislation and we welcome the fact that it was made a priority issue in A Programme for a Partnership Government.

Today, I will discuss the main provisions of the Bill as they relate to HIQA. At the request of the committee, I will not refer specifically to Parts 6 and 7, which underwent pre-legislative scrutiny by the Joint Committee on Health and Children in the thirty-first Dáil. Health information plays a vital role in improving patient safety. Better information means better decisions and better, safer care. While information plays a vital role in improving patient safety, it is important that information is governed correctly and personal health information is protected. Unlike other European countries, Ireland does not have a legal framework around electronic health records or a national information governance framework for the sharing of information across the public and private sector. Personal health information is currently governed by Irish data protection legislation, but from 2018 it will come under the general data protection regulations, which provides for a harmonisation of data protection regulations across the EU. Notably, health care data under the general data protection regulations will be subject to a higher standard of protection than personal data in general. Many EU member states will have national provisions that apply directly to the health care sector. HIQA’s health information directorate is currently responsible for developing a coherent and integrated approach to health information.

We set standards for all aspects of health information based on international best practice. In 2017, we will commence a programme to monitor compliance with health information standards in order to drive improvements in the governance, quality and use of data held by national data collections. In addition, we evaluate the quality of the information available on health and social care and make recommendations on how to address gaps where information is needed but not currently available. The health information and patient safety Bill sets out the legislative remit for a number of important health information initiatives and, in a number of cases, assigns additional functions to HIQA, including to the private sector as regards the management of health data. As required, HIQA will be asked by the Minister to set standards in several areas including for the electronic exchange of health information, the management of health data held by health services, for data matching programmes and for health information repositories such as national registries. Furthermore, HIQA will be tasked with monitoring compliance with a number of these standards and will advise the Minister and the commissioner on any breaches in this regard.

However, in respect of the standards on the electronic exchange of health information in Part 2, the HSE will be required not only to follow the standards, once approved, but to report to the Minister on the extent to which they have been implemented and observed.

Enforcement is covered in Part 10. Most breaches of the provisions dealing with personal data and personal health data will be dealt with by the commissioner. However, summary proceedings for offences relating to false or misleading statements may be brought and prosecuted by HIQA. The proposed health information and patient safety Bill contains many positive initiatives. However, while it makes advances in providing an information governance framework for the management of health data, it does not address the sharing and collection of data within the private sector. Moreover, further legislation is required to enable the sharing of electronic health records and advance the eHealth agenda in Ireland as set out in the eHealth Ireland Strategy document. While there are many benefits to implementing eHealth solutions, there are also challenges, especially in terms of information governance and upholding the privacy and rights of individuals. Other EU member states address this through legislation to achieve semantic, technical, organisational and legal interoperability.

Research ethics is covered under Part 3 of the proposed Bill. A new framework for research ethics governance for research other than clinical trials is proposed. The intention is to improve the approval process and create a voluntary national streamlined structure. HIQA is to become the single point of contact for health researchers in its role as the supervisory body for approved research ethics committees. Proposed national legislation will confer a similar supervisory function on HIQA with regard to research ethics approval for clinical trials. To enable the efficient operation of research ethics committees it is important that the requirements of the systems of research ethics approval and governance are harmonised as much as possible.

Under Part 9, amendments are proposed to the Health Act 2007 to extend the powers of HIQA to private hospitals and certain private services with regard to setting standards, monitoring compliance and undertaking investigations. High-risk services, where general anaesthetic is administered in the treatment of patients, are included. Based on our research on health care regulation internationally and our experience of regulating services provided and funded by the HSE, HIQA strongly supports the proposal to introduce a system of regulation in the private health sector. However, it should be noted that the regulatory system in Ireland varies significantly from those in place in other countries with regard to regulatory reach, monitoring and enforcement. The current programme funded by the Department of Health merely allows for targeted monitoring in high-risk areas. To date, our programmes have focused on inspecting nutrition and hydration care in hospitals, reviewing how public acute hospitals are tackling antimicrobial stewardship and monitoring the compliance of acute hospitals with the national standards for the prevention and control of health care associated infections. We have also conducted a review of pre-hospital emergency care services, including ambulances, and an inspection of the child protection and welfare services provided to children living in direct provision accommodation.

While we believe the proposed Bill potentially provides for greater oversight of private sector compliance with nationally mandated standards, it is important that Members and the public realise the limitations to the legal powers of HIQA. The proposed Bill does not confer HIQA with the same powers of registration, inspection and enforcement that we have for the social care sector, for example, those relating to nursing homes and disability centres. For this reason we have worked with the Department of Health over many years to progress the patient safety licensing Bill, which will provide for the introduction of a more formal programme of regulation to private health care service providers. Furthermore, it should be noted and understood that the conclusions and recommendations HIQA issues on completion of an investigation are not and will not be legally binding under this Bill. The extension of HIQA's remit in several areas and amendments to the way in which we work under the 2007 Act will have considerable resource implications. HIQA will be required to take on a number of additional staff with specialist expertise. Much preparatory work is required in advance of the commencement of new functions. For this reason, sufficient staff must be in place at least six months prior to the commencement of any relevant legislation.

HIQA is generally supportive of the proposed health information and patient safety Bill with a view to improving the quality and safety of care, notwithstanding the reservations I have outlined. Indeed, it is paramount that this legislation focuses on the patient rather than the institution. HIQA will work closely with the Department of Health and the Oireachtas to prepare for the enactment of the Bill. I thank members of the committee for inviting us to appear before the committee. We are happy to answer any questions.

Thank you, Vice Chairman. I thank the members of the committee for the invitation to discuss the provisions of the general scheme for the health information and patient safety Bill, in particular those provisions relating to a proposed role for the Data Protection Commissioner, which is Ireland's national data protection supervisory authority.

I am joined by my colleague, Dale Sunderland, deputy commissioner. He leads the function of consultation for the data protection authority. Public and private entities consult and seek guidance from the office in respect of the planned implementation of measures that may interfere with the data privacy rights of individuals.

The 1995 EU data protection directive requires each member state to have a national supervisory authority which must "exercise their functions with complete independence". This is recognised in the text of the directive as an essential component of the protection of individuals with regard to the processing of personal data. In the course of infringement proceedings issued against Germany, Austria and Hungary in 2010, 2012 and 2014 by the EU Commission, the Court of Justice of the European Union further underlined the requirement for complete independence from government of data protection authorities. Equally, Article 8 of the EU Charter of Fundamental Rights came into legal force in 2009 and provides for the right of every individual to have personal data protected. It also stipulates that compliance with these rules shall be subject to control of an independent authority.

The independence of data protection authorities is a necessity in terms of performance of their obligations to hear complaints from individuals who consider their data protection rights may have been contravened. Where a data protection authority is prescribed a role in making executive decisions of government in relation to specific projects that concern the processing of personal data, it becomes unable to fulfil its primary obligation of supervising the public authorities engaged in personal data processing and of independently examining the complaint of any individual who brings forward evidence that his or her rights have been contravened.

It is precisely this scenario that would arise under heads 33, 34, 35 and 54 of the health information and patient safety Bill as the Data Protection Commissioner would be required to take on the role of the organisations to which the obligations under data protection law apply. While recognising the important safeguards the Bill introduces in respect of health-related personal data and fully respecting the prerogative of the Oireachtas to enact legislation as it deems appropriate, we respectfully request that the committee give due consideration to the concerns we have raised in our written statement in light of our view that the roles prescribed for the Data Protection Commissioner conflict with EU legislation. We are pleased to note that the Department of Health, with which we have engaged in recent months on these issues, has acknowledged and is committed to examining the concerns we have highlighted. Further, the committee may wish to consider if it would be useful to hear from the Department of Justice and Equality on these matters as it has policy oversight for data protection legislation. The Data Protection Commissioner is aware of the determination of the Department of Justice and Equality to ensure that the commissioner is not only completely and concretely independent in the performance of tasks and exercise of powers as required by law, but is equally determined to ensure that the perception of independence is not compromised or undermined in any way.

Finally, I wish to highlight to the committee - we are aware the Department of Health has also made reference to this point - that a new legal framework in the form of a general data protection regulation will govern personal data processing in the EU from May 2018. Provisions of this new regulation, which deals with public health research as a subset of scientific research, now set out new potential legal bases for health research without obtaining the consent of a data subject, but subject to appropriate safeguards to be set out in national legislation.

We would be very happy to take questions from members of the committee.

I thank Ms Dixon. Before I call Deputy Kelleher, I wish to ask Mr. Quinn a question on HIQA. In his opening statement, Mr. Quinn mentioned the potential resource implications and the need for additional expertise. I would like to know whether that expertise would be available in the health service, or will we have to go further afield to obtain it?

Second, has he the detail of the number of personnel he would require?

I will deal with the matter of the resources available within the health and social care services. I will defer to my colleagues on some of the more specialist areas.

In regard to the proposal for extending the functions of standard setting, monitoring and enforcement, I imagine we would be able to access the requisite knowledge, skills and expertise in the Irish context, without necessarily having to go further afield. We have been able to meet our current remit in respect of services provided by the public sector and publicly funded services, with small incursions into other states for some of that expertise. I will ask Ms Flynn to outline the availability of specialist expertise.

This legislation makes provisions that HIQA will be setting standards in the area of data matching, information resources, data management and data sharing, in effect setting the standards for interoperability. We currently do this under our own Health Act, so the expertise would be within the Authority, but because we will be doing it across both the public and private sectors, not just for the HSE but for those outside the executive, we would need additional resources to do that. The expertise would be within the country and in HIQA currently.

Ms Dixon referred to an insurmountable conflict and I would be interested to learn the extent to which there has been consultation and if further consultation would resolve the conflict. Describing the conflict as "insurmountable", does not sound to me as resolvable. Is there scope for a resolution or could another agency provide the means to get around this "insurmountable conflict"?

The Department of Health referred to the engagement that it has had with the Office of the Data Protection Commissioner. Was that a comprehensive engagement? How have we managed to arrive at a situation where there is seemingly "insurmountable conflict"? The Department of Health created the impression that this can be fairly easily resolved, but Ms Dixon takes a somewhat contrary view. It would be of benefit to the committee to know whether this is resolvable. I am particularly interested to learn the level of engagement that has taken place so far to get us to where we are.

In regard to consultation between the Department of Health and the Data Protection Commissioner, I think Mr. Muiris O'Connor referenced earlier that it had in fact taken place some years prior to the publication of the Bill. In fact, that was the case, the consultation took placer a number of years ago. It was prior to the general data protection regulation being enacted and I think it was also prior to some of the clarifications that have come out in the Court of Justice of the European Union in recent years that have underlined both the importance of and the independence of data protection authorities and precisely how that independence has to play out. That is the position in respect of consultation. It took place some years prior.

In regard to recent engagement, post the publication of the Bill, we immediately set about engaging with the Department of Health and pointing out the concerns we have had in regard to the role prescribed for the data protection authority which, as the Vice Chairman said, conflicts with our views on the requirements for independence of the authority under EU law. As the Department of Health outlined earlier, the Department is committed now to listening to those concerns. They have acknowledged why we have raised those concerns.

On the question of whether there can be a resolution - Mr. Muiris O'Connor referenced a resolution - I think there can be a resolution to what is required under the Bill, which is that health research can take place with an appropriate legal basis and with the appropriate safeguards. What he may have been referencing and what we referenced in our written statement to the committee is that the general data protection regulation is now opening up new legal bases for the conduct of health research as a subset of scientific research. In our written statement, we referenced Article 9 of the general Data Protection Regulation, which sets out the conditions under which member state law could prescribe health research to be conducted in the absence of consent of individuals. The resolution to the issue is the conduct of appropriate health research in the public interest with appropriate legal bases underpinning it.

In regard to the issue the Vice Chairman raised as to whether there was another agency that could substitute in place of the Data Protection Commissioner, that goes to the point of how this issue could be resolved. Either in certain instances, alternate legal bases could be used in respect of the conduct of health research that does not require consent or if consent remains the basis upon which the Department of Health views research as relying upon. In that case potentially the health research ethics committees, which are in any case examining all of the provisions in relation to any health research project, could take on the role of examining whether the requirement for consent is met or not.

I welcome the witnesses and thank them for their presentations. I am getting a little more confused. Am I talking about two different Bills, the Bill as we discussed an hour and a half ago as opposed to the Bill now?

At the outset I wish to raise the role of HIQA as set out in this Bill. I asked questions on the licensing of hospitals and there was discussion around the issue of public and private hospitals. In the presentation it seems to be the case, that section 9 is primarily allowing for inspections and oversight in the private hospitals system. I also questioned the previous witnesses in terms of whether there had been an audit done or discussions with HIQA in terms of public hospital and the public hospital system about what they will need to do in terms of capacity requirements and investment to get to a stage whereby they will be licensed by HIQA. I am not sure whether there are proposals in the Bill before us, having listened to Ms Dixon on the issue of the public hospitals system. I would like to have that clarified because the purpose of today's meeting is to get information but there seems to be slight differences of opinions from the various witnesses on the governance and oversight of the public hospital system, when it will come into play, whether there are detailed discussions. Mr. O'Brien came before a health committee some time ago, where he effectively said that if there were no further enhanced capacity investment or if we do not change how we deliver health care, that effectively we will not be able to deliver any elective surgery within seven years. The reason I ask this question of Mr. Quinn, is that if there is to be an inspection process, we will have to have planned in advance to ensure that a health facility will comply with the standards of a HIQA inspection as opposed to having difficulties in trying to deliver health care in unsafe conditions.

I wish to raise issues with regard to the patient safety and pre-hospital emergency care.

HIQA oversees nursing homes and the disability sector. The role of HIQA has dramatically expanded since its inception some years ago, which is welcome. HIQA's work is appreciated by all involved as well as its independence and authority.

I will reference the question asked by the Chairman. At what stage does HIQA decide it needs enhanced capacity and additional resourcing to meet its original aim and ensure its expanded role is fully implemented?

In previous times we have raised the issue of decongregating the disability sector and for congregated settings to be inspected. We have received some complaints that not enough discussion has taken place between service providers and HIQA to ensure service providers enhance or comply with the standards. There have also been calls for flexibility to be shown without compromising patient safety. My query refers to the public hospital system in general.

My question on the processing of personal data without consent is for the Data Protection Commissioner, Ms Dixon. It must be acknowledged that a state should be able to conduct detailed health analyses and research with the information that it has at its disposal to ensure that it can establish the best health practices, promote health and well-being, observe the impact of vaccination plans, etc. If there is a big body of information available then it surely is not beyond our capacity, as a State, to protect the rights of an individual and the individual's information while at the same time use that information in an anonymised way for the purpose of a State conducting research into health outcomes and identifying whether health promotion policies have benefitted the general health of the population.

Sections 33(4) and 33(5) go into some detail about the processing of personal data. Then the Data Protection Commissioner referenced that the provision is in conflict with rulings by the Court of Justice of the European Union. I refer to the role that was requested in this legislation. Then she told us that her office has had little discussion with the Department of Health in recent times and that since then the Court of Justice of the European Union has since clarified the role and independence of the data protection held by a State on behalf of its citizens. Who discussed the matter with the Office of the Data Protection Commissioner? The Department of Justice and Equality established the Data Protection Commission. I assume the heads of a Bill are still circulated in the normal process to the various Departments. Did the Department of Justice and Equality express an opinion on this issue? Was the matter referred directly to the Data Protection Commissioner?

In terms of the Deputy's question about whether it is within the purview of States to conduct health research in the public's interests, it absolutely is. As I mentioned, the general data protection regulation, which will become law in 2018, specially sets out in Article 9 that health research can, subject to member state law, be conducted in certain cases without the consent of individuals. Subject to appropriate legal bases being put in place and safeguards, this is entirely possible.

The Deputy mentioned anonymised data. Such data does not come within the remit of the Data Protection Acts. Once data is anonymised to that level then it is no longer personal data. What is at issue in many of the health research projects that are considered in the Bill is the use of personal data that is not in an anonymised format where it is necessary to use it in a format where an individual could still be identified.

In terms of circulating the heads of the Bill, they were not copied on any observations that the Department of Justice and Equality would make in response to memos to Government. I cannot confirm what, if any, position it took when the memo was circulated.

Typically, Departments engage directly with the data protection authority when considering preparation of legislative measures that may constitute an interference with data privacy rights. In this case my understanding is that there was a series of meetings in 2012 and 2013 directly between the Department of Health and the data protection authority. There was no formal sign-off in terms of a designation of a role for the data protection authority at that point.

I will address some of the issues raised before handing over to Ms Dunnion who is the director of regulation and chief inspector of social services.

Possibly what we are dealing with, both in consideration of the health information and patient safety Bill, we are also dealing with elements of what exists currently within the Health Act 2007 and the proposed patient safety (licensing of healthcare facilities) Bill. There are a range of issues that are at play and they were referenced in our opening presentation, which Ms Dunnion will talk about.

Critically, there is a clear differentiation even within the current Health Act 2007 about what HIQA's role is, under section 8 of that Act, and HIQA's formal role under the Office of Chief Inspector of Social Services. I ask Ms Dunnion to go into some detail on both roles.

In terms of the workforce planning issue and keeping pace with HIQA's expanded role, function and diversity, we have continually tried to take a step back on this matter. It is not always just about getting additional staff into the health information department or additional inspectors. HIQA is an independent authority that is required to support itself in terms of ICT functions, human resources, finance, etc. Let us remember that within our functions we must generate income through fees from registrations, etc. Despite the fact that we are a small organisation that is comprised of 222 people at present, we carry out a wide range of functions. It is essential that the Department of Health recognises that fact when it resources new and additional functions that we may undertake in the future.

I ask Ms Dunnion to address the issues related to the three pieces of legislation.

As Mr. Quinn has outlined, one can draw a line down the 2007 Health Act. One can consider it in the context of registry services, which is disability and older persons, and with that there is a registration cycle and enforcement powers. There are regulations which define what a service must have in place. HIQA does not develop the regulations because they are developed by the Department of Health. That is designated centres.

In terms of the public health service, we are talking about the acute general hospitals. HIQA has no powers in that context bar the power to monitor and report. What determines what we monitor are the national standards for safety and better health care. While HIQA develops those standards they are handed to Government and mandated by the Minister as the direction of travel for the health service.

If we begin to take a look at the health information and patient safety Bill in the context of the private health service, as we are currently legislated to, what we would do and all that we could do, and the latter is the important bit, is continue the programme similar to the public service. The resource requirement to continue to do that equates to eight wholetime equivalents. The important piece here is that we do not regulate the health service. We regulate the social services at present. As Mr. Quinn outlined in his introductory paper, we conduct quality initiatives across the acute service.

The Health Act also gives us the power to investigate. We can investigate at the behest of the Minister or the board of HIQA and at that time we will make recommendations. Again, HIQA has no role in monitoring or ensuring that those recommendations are implemented.

That is the differential. The HIPS Bill will allow us to go into private health care but we will only be able to do what we currently do.

In the context of the licensing Bill, HIQA is working in a multi-sectoral committee which is led by the Department of Health and has private health care representation and HSE representation also. In its preparations in the context of the development of that legislation and, hopefully, to influence its design, HIQA conducted an international review of what happens in health care across all jurisdictions. In essence, all health care has some form of regulation. That may be called "licensing". It can have different names but it is much the same type of thing. Where it becomes different from Ireland is that it does not have a registration cycle. Currently, we register an older person's home or a disability centre on a three-year cycle albeit it was extended in respect of disability to five years. This cyclical approach does not happen in acute health care. There would be enforcement powers in the context of the licensing of health care but whether those powers should be similar to what is involved in the regulation of social services is a subject that must be examined carefully. By way of example, it would be untenable to suggest that one would close a hospital.

We will be looking at the potential licensing of services, which we would very much advocate. A key thing members should consider is that many licensing agencies internationally have a commissioning service for health care. That means the national provider will commission a hospital to provide orthopaedic surgery for example. However, when the provider engages with the hospital, it addresses security around the quality and safety of services. Currently, that system does not exist in Ireland. What would enhance any licensing regime but more importantly the quality and safety of services would be if something like that was aligned to the licensing model in Hackney. In that context, it is impossible for us to describe at this moment in time the resources that would be required for that. We are actively working with our colleagues on what should be included in a licensing Bill. We have drafted an expansive paper looking at other regulators and we have considered what it would look like if we were to apply the enforcement regime in designated centres across the Irish health service. It is an interesting exercise to conduct because the feasibility of doing it is daunting.

Yes. It will be impossible for us to even determine at the moment what the resources would be. However, I know HIQA has the skill to do this because over ten years we have developed that regulatory knowledge.

In the context of disability services, which Deputy Kelleher referenced, I can understand how one gets the perception that on occasions, HIQA is a hard regulator. What we need to remember is that the regulations determined and described by the Department of Health, with which we have to ensure compliance, and the legislative framework are the most basic one could have. I would be remiss if I was not doing that. When I look at the services we regulate in the disability area, I am very encouraged by their excellence. By way of example, we published 22 reports last week, of which 11 were on really good centres. Where it becomes poor, it is not always a resource issue. It is about the concepts of institutionalised care. It is about the concept that these are citizens of Ireland who deserve the same human rights as any other citizen but somewhere along the line that may have been forgotten. That is what HIQA does and in that context I do not feel it is a hard regulatory approach. It is a just one and the right one and it is based on very baseline regulations.

In the context of decongregation of services, we are talking about moving people who have been in residential care for a long time into a more homely and welcoming environment. HIQA works with providers in this regard, but what we expect of providers is to show us not only where the person may be moving but also how they are rehabilitating people to allow them to transition to the new environment safely. One of the risks that HIQA is beginning to talk about involves the concept of the regulation of home care. What can happen as an unintended consequence is that people who have had the benefit of regulation may be moved to an environment where there is none. One is taking someone from residential care into a decongregated setting, which is positive, but there may be an unintended risk in doing that of moving a person to an unregulated place. There may be no choice about that. These are some of the issues that come when one begins interregulation.

There are huge opportunities to begin to look at how we regulate. Currently, we regulate a centre and people will hear us talking about the regulation of St. X. HIQA believes we should be regulating services, which would allow us to transition with people into a regulated environment. We could work with providers and people in the service to improve quality. I hope that answers the questions.

I asked the previous witness about the following also. It is the difficulty I have in terms of the regulation and inspection programmes and all of that. We talk about clinical governance and accountability. HIQA arrives in, makes an assessment based on the regulations, but clinical governance is always the one we target in terms of holding people to account. For example, we never seem to be able to hold the policy makers behind clinical governance or the administrators implementing the policy to account. While I do not want to make individual comments, it is very often the case that things have been highlighted about hospital settings, including in HIQA reports, but there is never a system in place whereby there is accountability for senior management. It is always left up to the clinicians and, by and large, that accountability is through the professional governing bodies. I wonder where we get to a system whereby there is regulation not only of clinical governance and accountability but also accountability for senior management as opposed to clinicians.

It is to save Mr. Quinn from having to repeat himself. I may come back in afterwards. We have discussed here before exactly what Deputy Kelleher raises. The buck stops with the Irish Medical Council or the pharmaceutical regulator. The professional has to answer to his or her body. We were discussing open disclosure here last week or the week before and the same issue arose about administrative people not having the same stick to be beaten with as a professional. I do not see anything in what has been said that addresses that issue. I get the idea of the commissioning and all of that and the service, which are separate things, but how many layers of regulation are needed? If something goes wrong, does HIQA come in and identify that X, Y or Z regulation was breached and then the doctor has to go before the Irish Medical Council? Why are so many people involved in professional regulation and does HIQA consider that we are going to move from professional regulation, which has to do with continuing professional development and all of that, to a position where adverse events and issues to do with following guidelines are dealt with in some other way?

I agree that there are a number of critical issues here. I will go back to some of the points that Ms Dunnion made on the scope and limitation of HIQA's role in respect of section 8 of the Act to monitor against nationally mandated standards. We have demonstrated both through our investigative work and our review work that, in fact, we can highlight issues not only of clinical governance but in fact issues relating to the governance and leadership of the health and social care services. There is a very specific theme within the national standards that deals with leadership and governance and that has been highlighted. It was critically highlighted, for example, through the investigation by and publication of the Portlaoise report where we highlighted deficits in governance and leadership at various levels within the structure.

Ms Dunnion spoke earlier about how binding or enforceable are the recommendations. That is a matter for policy makers and, in the absence of a commissioner of care, somebody needs to hold the HSE to account for the implementation of any recommendations we make. Ms Dunnion made a point about commissioning as a parallel process to the regulation of health and social care and I genuinely believe this is becoming an increasingly obvious deficit. In the main, a regulator can only make its assessment and recommendations. It is not normally the case in other jurisdictions that the regulator manages the performance or implementation of recommendations. In other jurisdictions, we see the commissioner stepping in to ensure the quality and safety of those services. Critically, it is not just about what HIQA does or comments upon with regard to clinicians and care providers within services. We have highlighted, and will continue to highlight, the issues at leadership and governance levels, be they at local hospital or hospital group level, and at national level.

This is an area we all have an interest in because in the course of our business as public representatives we generally come across issues pertaining to HIQA and data protection on a daily basis. On HIQA, I agree entirely with the two previous speakers with regard to the decongregation model. I do not agree with it in any situation. It seems to have taken on a life of its own and, like it or not, it is going in a particular direction. I have serious doubts. Legislators should have some access to a means whereby questions can be raised and the process can be halted in certain circumstances, or that it could be amended in a way that is more amenable to the requirements of the patients, be they children or people with special needs.

I was a member of a health board during the time of the Grangegorman closure and scaling down process. I heard all the arguments that were put forward about the aftercare and the degree to which attention would be paid to the alternative provisions that were going to be made. It did not happen that way. We have seen some issues arise repeatedly, particularly in relation to homelessness. Again and again, those issues were not addressed. I am worried about what might happen in some of the circumstances we are talking about now. I do not want to name specific institutions.

When considering children with special needs such as educational, physical or sensory difficulties, I am not sure that decongregation will serve them well. I suppose I am only a passer-by but it has not yet been proven to me that it would serve them well. Similarly, we should consider hospitals that cater for older people. I run foul of HIQA on a regular basis in questioning the re-creation of private hospital wards for individuals in all cases. It does not apply in all cases. In some of those cases the patients have a collegiality that has existed for years and they rely on each other for support. From an operational point of view, the nursing staff in such places can observe ten patients at a glance without having to enter ten different private rooms to find out precisely what is happening and it can contribute to the efficacy, efficiency and delivery of a service to the required quality in such circumstances. I would like to know how we can deal with this in a way that would make us feel, in some way, in a position to influence what happens. We do not seem to be able to do so. We were not able to do so in the situations I have referred to.

I will now turn to the issue of data protection. I cannot allow the occasion to go without having a little one to one with the Data Protection Commissioner. I opposed the Data Protection Act on its introduction to this House, and that is not today or yesterday. I opposed it for the very reason and the very fears that eventfully became the issues that have caused this problem. I foresaw that public representatives would be affected by the Data Protection Act and they are, but they should not be affected by it. This issue applies to health and all aspects of life. I am not blaming the Data Protection Commissioner as this is something I pointed out at the time, but we now have a situation where one can readily obtain information by way of a freedom of information request which one cannot get through a parliamentary question. The primacy of the parliamentary question should go without saying. We are either in a parliamentary situation or we are not. There are no circumstances in which a senior, superior or primary body should have access to information that is restricted from the parliamentary system, or our whole parliamentary system is undermined. I can see all the grounds for friction between HIQA, the health services and the Data Protection Commissioner. I cannot see, for example, how the transfer or swapping of information will be done smoothly in the future for the benefit of research, patients, quality of patient care, etc., if there is a further process to be superimposed on the system where a person has to go back and forth, on a number of occasions and making a written application justifying their existence, before they get an answer to their questions. I do not think that is going to work or can work. I worry about it.

Reference has been made to care for children and direct provision. This refers again to HIQA, and rightly so. There have been instances, and like others here I have dealt with a fair number of those cases in recent years where I saw serious difficulties in the community which were far worse than cases in direct provision. People were not registered, did not have a Garda National Immigration Bureau number and were floating around in the community while vulnerable, especially small children. I have come across countless cases, as I am sure have other members, where there may be one parent doing his or her best to ensure that he or she could care for their children. They are staying downwind of the law, which would be ready to deport them at the first opportunity if they did not have the proper registration, and they are taking risks in the course of this that would not be at all advisable and that would be obvious to some third party. I am not sure the witnesses can shed any light on that now. I refer to these issues and compare them with the need for the rapid response, and there are such needs, which are regular and not occasional. I am interested in hearing the Data Protection Commissioner's comments on this issue. I could go for a lot longer as the Vice Chairman knows but-----

I agree with Mr. Quinn that decongregation will not be possible for all people living in disability centres. Decongregation is national policy. However, the 3,500 people living in designated centres have aged and have developed health care needs, so the concept of decongregation for some of them will not be possible. As it stands, HIQA would work with the people providing these services to see what is the best environment and also what is acceptable to persons in designated centres.

This emphasises the next point concerning models of care. A ward with four or five people who have high health care needs may be safer in an environment like that. Equally, there are people who do not require that level of care. They may have physical requirements such as being helped to wash or whatever it may be. Various types of services are required by people whom we are currently regulating. However, as currently legislated, we regulate what is defined as a designated centre. That is why I agree with Deputy Durkan that there is now an opportunity to begin to examine the regulation of services. It means then that design can be more appropriate to what care requirements a person needs. As it is set up, that is not possible at the moment. I agree with the Deputy's point, however.

Another issue was raised concerning vulnerability. In the opening statement we spoke about our review of child protection and welfare issues in direct provision. Childhood vulnerability, child protection and welfare issues exist in other settings. In recent times we have expressed a concern about vulnerability which also exists in circumstances where other vulnerable adults live. We have been trying to work within the legislative framework we have with Tusla by looking at governance and leadership elements of the national standards for child protection and welfare. In addition, we examine how Tusla is organising itself to address issues concerning where children in need live and how that State agency is dealing with child protection, care and welfare issues for those children. That applies to children in direct provision, in the community, children's residential services or foster care services.

Another issue was raised that Ms Flynn has picked up.

Yes. As regards the Deputy's concern about sharing information, that is a real issue, especially at the coalface in hospitals. In other jurisdictions, there is legislation covering electronic health records which not only protects patients' privacy but also deals with consent, sharing information across professionals, and the use of secondary data for researchers. We do not have such legislation in this country and we feel that is a deficit. We addressed that point in our opening statement. It should be included in the Bill and built on the principles of data protection legislation, while going into more detail to allow for the transfer and sharing of data across different professionals that provide care. We have spoken about research data, but we need data to be shared at the coalface from a patient safety perspective.

I thank Deputy Durkan for his comments. His question related to the implementation of data matching and sharing projects. He asked whether, with a system that has so many steps in it, actual implementation can occur in health research that is in the public interest. Health research concerns the processing of sensitive personal data, which means it is inevitable that there will be robust processes involved to ensure the necessary analysis is done to underpin the lawfulness of any data sharing or matching that occurs. However, I do not think that data protection needs to be an impediment to that analysis happening. The Deputy is correct to say that there could be pitfalls in the implementation in terms of these projects. However, those pitfalls could centre around data quality, interoperability assistance and other issues. A big and complex infrastructure is necessary to underpin health research, but I do not think data protection is an impediment. In fact, this set of laws will underpin carrying out this research in a way that ensures public trust is engendered and maintained as it is conducted.

When I go into an institution I am often asked whether I have the permission of those whom I represent to speak on their behalf. My response to that is that I have already got prior permission. The Data Protection Commissioner has issued a document to indicate that when the inquirer has already registered, by way of letter, informing the body to whom he or she is inquiring what they are about, it is normal that the information would be forthcoming. It does not come in all cases, however. Even some civil servants have had the temerity to question my authority from time to time. It would not be a normal thing, but it has been known to happen. I am sure the Vice Chairman is as surprised by that as I am.

It is no harm to remember, and Ms Dixon may be certain, that in some circumstances the authority of the questioner is questioned. There is a tendency to extend that along the road a little bit, like Lanna Machree's dog, and end up in a place one did not want to go. In that respect, one may end up restricting information, failing to co-operate and, as a result, some person or system is put at risk.

I am sorry about that, Madam Chairperson. You will be glad to know that is my last intervention.

I will be brief. I want to get my head straight on the licensing of services. HIQA, therefore, does not have a role in the acute hospital setting. It was said that a particular menu of services would be commissioned, such as knee replacements. The Department of Health sets a standard against which boxes must be ticked. Will it be so prescriptive that two consultants are needed on site to do ten hip operations or will it be a case of hip operations being done to a particular level of outcome without any professional input? I want to be clear on whether it is the mechanics of it rather than the professional input. Are these lines blurred or is it all together? If the Department of Health is not being prescriptive about who does the operation, does it fall down somehow? I hope I am making myself clear.

The witness was talking about regulatory cycles for nursing homes and mental health services in a social care setting. Three-year and five-year cycles were mentioned. When it comes to commissioning particular services, such as knee replacements or whatever, will there be a built-in review? In that way, it could be checked out in three years. What sort of protections are there for the operator, that is, the person providing a service, be they private or public? In that way, the goalposts cannot be changed and it would protect the provider, be it the State or somebody else.

Home care was also mentioned, including moving people - I do not want to misquote the witness - from a regulated setting to an unregulated one.

I assume what the witness was getting at is that we do not want to do any harm to anyone. We do not want to take people out of a good place and put them into a bad place. We are all okay with that. By saying that, is the witness saying that we are doing that already? My understanding is that there is very little regulation of care in the home. There is a correlation there with the idea of funding child care or any sort of care in the home in which the State is giving money to somebody to perform something in an unregulated setting. For me personally, there is an issue in that there is no governance or regulation of standards. Is the witness now saying that this is happening and that we are bringing people from regulated settings to unregulated settings? In light of the witness's comments, have there been issues there already? What are we doing about this for the future?

Data and data protection are so important. We have had so many things happen in the health service in Ireland. I am delighted that Deputy Durkan has left because I am referring to the health boards. We have moved from the health boards to where we are now. We are looking at patient identifier numbers and that sort of model. Is the Data Protection Commissioner looking at a particular hospital group in which to roll the model out or will it be a national roll out? Is it a case of seeing how it works out in fixing the mid-west and, from that, rolling it out elsewhere, or will it be a national picture straight off? Depending on which answer is given, why is that model being chosen?

I will take the issue of the regulation of home care in the first instance that the Deputy spoke about. That also relates to our articulation of what is happening around moving people out of traditional congregated settings into more community integrated types of services. In some instances, we have seen people move from those large congregated settings into smaller community-based settings that fall into the definition of a designated centre and therefore remain regulated. However, in other instances we have found that the models of care that are starting to emerge can involve things like supported housing, in which case the person becomes a tenant within a particular service. In that case, the care and support services are provided by a provider, but they do not fall in under the definition of a designated centre because it is home care that is being provided.

Our concern is that, at the minute and since November 2013, we have a regulatory framework that affords protection to the people in receipt of residential care services. We are worried that if people move out of residential care services into home care services, they might be not be afforded the same protections. In exactly the same way, people who have not been in residential care are in some instances extremely vulnerable in their own homes while in receipt of care from service providers that are providing home care. I am not saying that as a blanket negative comment on home care provision. Like any other service, the vast majority of service providers are well motivated. However, people are particularly vulnerable in receipt of care in their own home on a one-to-one basis. It is on that basis that we have been asking for the introduction of home care regulation as a policy priority. Looking at other jurisdictions, we see that home care regulation has been established since well into the early 2000s because of the recognition of the specific vulnerabilities of people. That includes conventional home care, which is people in what is termed their own home, or people in individual or group living settings who are tenants within that setting and require the receipt of care and support services. For that reason, we have expressed concern.

Deputy O'Connell also asked about licensing and HIQA's role in, for example, the acute health care setting. Ms Dunnion might be able to expand on this. What I wish to highlight from today's perspective is that we are talking about the health information and patient safety Bill and what will be contained within it. We have concerns because it is not licensing and it is really an extension of our current role and remit within publicly provided services. Our concern is that while it will provide some level of oversight within those services, the powers that we have are relatively limited. Under a licensing regime, I believe the powers can be much more clearly defined and, as a result of that form of regulatory model, we may effect greater improvements within services.

With regard to our application of standards and regulations, I repeat that regulations are developed by Government or by the Department. We apply ourselves accordingly. Yes, we develop standards within HIQA, but those standards are developed by HIQA for Government to mandate and prescribe to services. We do not change those services ad lib. They become the established framework for improvement and are disseminated into the sector. The sector is allowed some time to those standards. Another critical issue within a licensing regime is what we call a statement of purpose. A hospital clearly sets out what it proposes to provide and how it proposes to provide it safely. It is against that statement of purpose that we regulate the service. Ms Dunnion might wish to expand on that.

The only thing I will expand on is the clarity and difference between licensing and commissioning. Commissioning is not done by the regulator. It is done by the entity that is purchasing the service. In this context, that is the HSE. That contract between the party providing the service and the party purchasing the service has controls as to quality and safety within it. It may well state how many particular procedures will be conducted and have all of those elements to it. It is not something that is currently in Ireland but it is in other jurisdictions. Those kinds of safeholds such as the purchasing of a service, the funding being received based on the delivery of that quality care service and the contractual monitoring of it between both parties are parts of the arrangement made between the party purchasing and the party providing. What the licensing or the regulator does is assess compliance with the regulations which are determined by Government.

Regarding Deputy O'Connell's query about the roll-out of national systems, our role in HIQA is to set standards in the area of health information. The Deputy mentioned the individual health identifier. We set the standards around how that identifier is implemented within the HSE. We talk about how it should be governed and managed, what privacy should be in place for it and the conduct of a privacy impact assessment, which is standard procedure in privacy by design.

To answer the Deputy's question, the Department of Health published an e-health strategy in 2014. It relates to the introduction of things like the electronic health record, e-prescribing and identifiers. The office of the chief information officer within the HSE published a knowledge plan that set out the plan for implementing the e-strategy over the next seven to eight years. One of the projects it is involved in is implementing the individual health identifier. The Deputy's question is whether it will be rolled out nationally first or whether a proof of concept will be picked. The idea is that it will prove that it works in a jurisdiction before it is rolled out nationally. The second area it is hoped to get funding for is around electronic records. I referred to that earlier. We need a legal framework around that to introduce it in Ireland. That is well recognised in documentation produced by the Department. Again, that would be rolled out as a proof of concept initially and then rolled out nationally.

I thank the witnesses for their presentation. My apologies for my absence. We had votes in the Seanad. My apologies for not being present for all the presentations. To come back to the comments of my colleague, Deputy O'Connell, on the regulation of home care, I have published a Bill on that and it has been debated in the Seanad. A very comprehensive report on it was produced by the Law Reform Commission. The one problem I had when the debate took place in the Seanad was that there appears to be resistance from the Department of Health to progressing the matter. That is a concern I have. It is essential that we have that regulation.

There are now 32 different companies in the country providing home care and, while they are all very good, it is still something we need to do.

I will refer to the data protection issue and how far we have come. A number of years ago I spoke to someone who worked in a maternity unit where it was accepted practice that a person living in a particular area could telephone the maternity unit to find out the up-to-date news on Margaret who was in labour and whether the baby was delivered. It was accepted practice within the particular unit to give out information freely about the progress of someone's labour, but that has now changed and at least we have moved away from that situation.

Mr. Quinn stated that the framework for the management of health data does not address the sharing and collection of data within the private sector. Many of the organisations that are providing care for people with intellectual or physical disability are technically in the private sector. Is he saying that the legislation does not cover them or am I getting that wrong? What do we need to do if we want to cover the private sector's collection of data? Do we need to amend the proposal that is before us or is it a case of further legislation being required?

I will leave it at that because I think most of the other issues I want to raise have been raised.

The European Commission conducted a review of the legal framework or information governance frameworks on the sharing of information in European jurisdictions. We have data protection legislation in this area and general data protection regulation, GDPR, is coming down the tracks in 2018. Other jurisdictions have in place at a national level either an information governance framework that is set out in legislation or very specific legislation around the introduction of electronic health records to their system. Usually this legislation deals with matters such as consent and the sharing of information across different entities. The way we are set up in Ireland, we go from public to private. If a person attends a general practitioner, that is a private entity. If he or she then attends a hospital, that is a public entity. If he or she then goes to the pharmacy, that is another private entity. They are all seen as data controllers under data protection legislation. To enhance the protection of data for patients, other jurisdictions have implemented more detailed legislation that allows for the sharing of information based on a sound information governance framework and the principles of data protection legislation.

From our experience of working within the health and social care sector, we would welcome the efforts of members in attempting to progress the regulation of home care. Through our ten years of experience within the sector, we see it as a key or critical vulnerability. The commencement of such regulation is a policy decision and, therefore, rests with the Department of Health. However, it is very hard for us to ignore sometimes what it is that we see in our daily activities in the health and social care sector.

I will probably revert to Mr. Quinn about the matter. We are on Second Stage of the Bill in the Seanad and I want to progress it, but there seems to be resistance from the Department.

If I could be excused, a vote has been called in the Seanad. I express my apologies and thank the witnesses for their presentations.