I propose to take Questions Nos. 1176 and 1247 together.
The Government approved and published a strategy in 2013 for developing eHealth capability in the Irish health system called the eHealth strategy for Ireland, 2013. This strategy sets out a number of objectives and a road map for the delivery and implementation of eHealth for the benefit of patients. One of the recommendations in the strategy was the development of a system of unique identifiers for patients to underpin patient safety and efficiency. A similar recommendation was made by the Health Information and Quality Authority and the Commission on Patient Safety and Quality Assurance in 2008.
The Health Identifiers Act 2014 provides a basis, in primary legislation, for the development and deployment of health identifiers for individual patients and also for health services providers and health professionals. The initial phase of the health identifier implementation project is concerned with individual health identifiers (IHIs). Each patient is being assigned a unique identifier when they engage with the health system for the purposes of better patient care and safety both of which are of paramount importance. The 2014 Act includes express provisions for the efficient seeding of the National IHI Register from identified sources that are tied directly to establishing and maintaining the accuracy of the Register.
In that regard, section 8 of the Act provides that a Minister of the Government may, solely for the purpose of establishing, or maintaining the accuracy of, the National Register of Individual Health Identifiers, provide the Minister for Health with an individual’s other identifying particulars and the Minister may use any such particulars so provided for that purpose. This explicit legislative basis for the sharing of specified data and the strict parameters on what data may be shared, and in what circumstances, distinguish section 8 critically from the circumstances of the Bara case where the data were transferred under an internal legal protocol, which was not a legislative measure, and was not the subject of an official publication like an Act of the Oireachtas.
The data held in the Register of Individual Health Identifiers, as specified in section 2 of the 2014 Act, is composed only of data to identify a patient using the (PSI) public service identify dataset and the health identifier number itself. Only demographic data is stored on the Register and, under the Act, it is expressly provided that no clinical information on an individual can be held as part of the IHI dataset. The individual elements of that dataset are those required for unique identification and like the rest of the Health Identifiers Act were the subject of engagement with the Office of the Data Protection Commissioner. Accordingly, I do not feel that the data being collected is excessive in view of the patient’s safety aims of the legislation which are greatly enhanced and supported by unique identification. It is important to note that the IHI is only a number and is, of itself, not a medical record of any type. It is also important to point out that the roll out of a system of health identifiers for patients has no linkage with any eligibility for any type of health service or benefit. It is primarily a patient safety initiative and a fundamental building block for eHealth and ICT developments into the future.
As part of the work to establish the IHI Register, a privacy impact assessment (PIA) was conducted. A public consultation exercise was also undertaken as part of the preparation for the implementation of the IHI. There has also been engagement with the Office of the Data Protection Commissioner in relation to the deployment of the IHI. It is most important to bear in mind that the Health Identifiers Act 2014 did not change in any way the law, including data protection law, in relation to the statutory rights of patients regarding their medical records or the obligations that data controllers have for protecting patients' personal health data.