Mr William Beausang,
Asst. Secretary and Head of Government Reform Unit,
Department of Public Expenditure and Reform,
79 Merrion Row,
Dublin 2
15 September 2014
Mr Beausang,
The Health Information and Quality Authority, HIQA, welcomes the opportunity to make a
submission to your Department’s consultation about the planned Data-Sharing and
Governance Bill.
HIQA exists to promote sustainable improvements, safeguard people who use health and
social care services and support informed decisions on how services are delivered. Our
approach to regulation is aligned with government policy and with national and international
principles of good regulation. The Authority identifies and advises on health information
deficiencies in Irish public services, sets standards for health information and health
information systems, and evaluates and provides information on the provision of health and
social services.
HIQA welcomes the Government’s intention to enact legislation for data-sharing and
governance, and the Authority endorses the principles that underpin the Department of
Public Expenditure and Reform’s relevant policy proposals. The commitment to reducing
costs, reducing manual document-checking, facilitating evidence based policy making,
creating incentives for appropriate cross-cutting, and supporting the elimination of fraud and
error, are all aligned with HIQA’s corporate objectives.
The Authority encourages your Department to consider a number of important matters
when developing the Bill. These are set out on subsequent pages of this letter. This paper
also sets out HIQA’s responses to the 22 questions that your Department’s consultation
paper poses.
I would like to compliment your Department for taking the time to consult with interested
parties about the structure of the Data-Sharing and Governance Bill. HIQA would welcome
an opportunity to make a further submission to your Department at a later stage in the
legislative process.
Yours sincerely
Professor Jane Grimson
Acting Chief Executive,
Health Information and Quality Authority
Matters which should be considered when developing the
Data-Sharing and Governance Bill
 Sharing of data, including aggregated data, should be transparent to pertinent
individuals.
 Sharing of data should be based on consent.
 The Data-Sharing and Governance Bill should complement the Health Act 2007,
including section 10 and section 12 of the Act.
 It would be beneficial to review HIQA’s Guiding Principles for National Health and Social
Care Data Collections which sets out what all data collections should have in place (e.g.
governance arrangements, data quality aspects, information governance, etc.
 New legislation should address sharing of data for purposes other than the purposes to
which pertinent individuals consented when the relevant data was first shared. This
should observe unenumerated rights to privacy, and should also deal with practical
encumbrances that arise for users and sharers of data.
 Will the Bill specifically address sharing of data in health and social care settings and, if
so, what is the relationship between this Bill and the proposed Health Information Bill?
 HIQA, in undertaking economic evaluations and health technology assessments,
conducts secondary and tertiary data analyses. The Authority uses data that is not
patient-identifiable and is not individual-level data, and relevant data is typically
published in our studies. HIQA notes that there is an ethos of minimising duplication of
effort across the health technology assessment discipline.
 Will the Bill complement the draft Health Information Bill 2014, specifically in relation to
proposed data matching programmes?
 Under the purposes for which data sharing will be permitted outlined on Page 9, the
Authority has concerns about (g) and (h). Would these provisions create mistrust and
thereby potentially lead to general reluctance to share data with any public body?
 Will the Bill legislate for what may happen after data is received by a data processor?
Will the Bill deal with appropriate storing of data.
 Will the Bill nominate the person or organisation with ultimate responsibility for data at
a governance level? Who is to be the data custodian?
 Clarity about ‘requirements for unambiguously identify oneself’ [page 17] would be
helpful.
 The Data-Sharing and Governance Bill should provide clarity about the role of
Memoranda of Understanding between regulatory authorities.
 FOI CPU Circular 20 (informal consultation between public bodies on foot of FOI
requests, December 2003) obliges an organisation’s FOI Officer to inform other public
organisations when the FOI Officer receives an FOI request that may have an impact on
the other organisation(s). Consideration should be given to establishing this obligation
in law.
 The Data-Sharing and Governance Bill should address limitations that arise for
organisations which seek data from another organisation which does not directly benefit
from the sharing of data. This should be an important consideration.
____________________________
HIQA responses to 20 questions posed in the
Consultation Paper
1: Do you agree with the definition of data-sharing as “Two public bodies sharing
structured data about an entity such as a person, business, property or event”?
The definition should be further refined and terms used within the definition should be
clearly defined. Should consent in some way be included? Will it be confined to two
government bodies? There should be scope for multi-party agreements. What is
‘unstructured data’? Also, there need for further detail and explanation about what qualifies
as ‘an event’.
2: If you do not agree, how do you believe the definition could be improved?
One or more public bodies consent to share quality-assured data about an entity such as a
person, business, property or event.
3: What do you believe are the priority areas for data-sharing to contribute to
improved public services?
Data-sharing including sharing of national health and social care data collections within the
remit of HIQA should be considered.
4: Do you agree that more effective data-sharing can help drive public service
reform?
Yes. HIQA in principle is committed to sharing data with other organisations in line with
legislation and appropriate safeguards when it serves the public interest.
5: What are the main areas where you believe that this can be achieved?
There is scope for achievement of more effective data-sharing between public service
providers and organisations in healthcare. HIQA promotes a ‘collect once, use often’
approach. Improvement can be achieved through elimination of unnecessary duplication of
effort.
6: Do you share the assessment that a new legislative framework for datasharing is required?
Yes. The existing legislative framework is disjointed and upcoming legislation may not
accommodate data-sharing within the health and social care sector. Data-sharing will enable
organisations in the health and social care sector to implement government policy and will
enable the development of e-health initiatives. Legislation will also ensure clarity in relation
to what data can be shared and under what conditions.
7: In terms of the interoperability framework set out in the DPER paper, what do
you see as the main obstacles to data-sharing, and how should they be
addressed?
Consistent data architecture, standards and information systems need to be developed for
public sector organisations. Criteria for data-sharing should be clear, transparent and
achievable. Progress will rely on the presence in such organisations of professionals with
skills in managing data quality, information governance and information systems.
Assurances about quality of data will be necessary. The Bill should also provide for creation
of awareness across organisations about accessible data that is actually available. The Bill
should provide for appropriate training and guidance for individuals and organisations which
are charged with data custody.
8: Do you have suggestions for how best to embed these data protection
principles in the Data-Sharing and Governance Bill?
Active engagement with the Office of the Data Protection Commissioner would help to
ensure that the Data-Sharing and Governance Bill would be compatible with the Data
Protection Acts (1988 and 2003). It would be worthwhile to include set criteria for sharing of
data in the Data-Sharing and Governance Bill. The scale of security and data protection
considerations should be a foremost consideration when the Bill is being developed. Public
organisations should only share data on a legislative basis.
9: Do you have any ideas or proposals to ensure that consideration of these
proposals benefit from wide public consideration, analysis and debate?
HIQA, when creating or updating standards that relate to the Authority’s remit for promoting
sustainable improvements and safeguarding people who use health and social care services,
uses a range of hardcopy, online and interactive tools to engage with the public and with
individuals and organisations to whom standards may relate. Communications is an
important element of policy development.
10: How far can the Bill go in providing the necessary powers to share data while
at the same time ensuring clarity around what exactly is permitted?
The legislation will need to be fully in accordance with the Data Protection Acts (1988 and
2003). It will probably also be helpful to provide guidance for those who wish to share data
and for those using the shared data.
11: Should both personal and sensitive personal data (within the means of the
Data Protection Acts) be covered by these provisions? If so, what extra
protections are required around sensitive personal data?
Personal and sensitive data (within the means of the Data Protection Acts) should be
covered by these provisions. Strict and clear information should be put in place that sets out
the individuals/organisations to which access is permitted. This should also address
purposes for which data can be accessed, and should deal with relevant auditing and
recording of accesses. The system will rely for credibility on private individuals and
organisations being assured about confidentiality.
12: Should the Oireachtas have a role in overseeing or approving some types of
data-sharing arrangements? If so, how extensive should this role be?
There may not be direct value in Oireachtas oversight in this regard. It would be sensible to
have an independent third party that would oversee or approve all data-sharing
arrangements. The draft Health Information Bill provides for a role for the Minister for
Health in data matching.
13: What specific data-sharing arrangements should be considered? Should a
general provision be added to enable widespread access to information on births,
marriages and civil partnerships?
Data should be made accessible on the basis of consent and in a manner that complies with
the Data Protection Acts. The Bill should address issues relating to access to information
which is publicly available but is not easily accessible, where it is to be used on a needs
basis and with permission from an independent third party.
14 & 15: Some jurisdictions are examining the concept of an ‘honest broker’ or
‘trusted third party’ – this would have the power to accept any data and process
it on behalf of public bodies, while preventing the public body from accessing the
raw data. Is this a concept that could usefully be included in the Bill?
This concept could usefully be included in the Bill. Such a party would give credibility to data
sharing. It would relieve the concerns of the public, as it would limit access and use of data,
and potentially reduce data breaches.
16: Should specific provisions relating to the sharing of anonymised data be
included?
Yes, it should be included in the Bill because it would encourage and promote data sharing
and it would create trust and public confidence. The datasets outlined on pages 10-12 incl.
have potential for identity theft. Stringent role-based access control should be in place, and
information security and encryption must be maintained at the highest evidence-based level.
Strict provision relating to the sharing of anonymised data should be included in the
legislation.
17: Is the problem of data governance primarily one of better implementation,
rather than an absence of legislation?
Yes, implementation must come from senior management to provide the impetus and drive
to embed good data governance.
18: Should the Data Protection Commissioner have a role in monitoring and
reporting on compliance with these governance provisions?
Yes, given the amount of personal data involved.
19: In what circumstances should a Department be able to opt out of the
transparency requirement for a particular data-sharing arrangement?
It should be a matter for the independent trusted third party and also perhaps the Office of
the Data Protection Commissioner, to decide if it were appropriate or otherwise to opt out of
a data-sharing agreement where it is in the public interest..
20: Is it practicable for arrangements to apply to all existing data-sharing
arrangements, and not just to new arrangements?
It is a good opportunity to standardise data sharing to align and ensure consistency
regarding same.
21 & 22: Is the base register concept a useful one? What other base registers
could usefully be defined?
The Health Identifiers Act 2014 is relevant to this base register concept. The scale and
purpose of health identifiers should be considered when drafting the Data-Sharing and
Governance legislation.
_____________________________