Official Report: Minutes of Evidence

The Chairperson (Ms Maeve McLaughlin): Folks, you are very welcome. Sharon Gallagher is the director of corporate services in the Department of Health, Social Services and Public Safety, and Chris Matthews is the head of the information management branch. I invite you to make your opening remarks before we open up to questions and comments from members.

Ms Sharon Gallagher (Department of Health, Social Services and Public Safety): Good afternoon, Madam Chair and members, and thank you for this further opportunity to brief the Committee on the principles of the forthcoming Health and Social Care (Control of Data Processing) Bill. You may recall that Chris and I briefed the Committee in October last year and February this year. In February, I advised that, given the overwhelming support for the proposals that manifested through the consultation process, the Department would progress to the legislative process. Yesterday, Minister Hamilton introduced the Bill to the Assembly, and the Second Stage is scheduled for 29 June.

The purpose of the Bill is primarily to put in place a legal basis, with robust checks and balances, for the sharing of information that identifies Health and Social Care (HSC) users, for reasons other than their direct care, in limited and controlled circumstances. This provision is already available in other jurisdictions, including England and Wales, where the benefits have been shown, among other things, to improve the planning and delivery of Health and Social Care services, assess the effectiveness of existing policies and provide information to inform the diagnosis and treatment of illnesses.

By way of context, and as a reminder to the Committee, the HSC may already share a patient's information for non-direct care purposes if consent has been given. When consent is not possible, new arrangements have been put in place to allow for the sharing of information when a patient's identity has been anonymised or pseudonymised. In the absence of consent and when anonymised and pseudonymised information cannot secure the required outcome, organisations can already use patient-identifiable information for purposes other than direct care.

In these cases, the requirements set out under the Human Rights Act, the Data Protection Act and the common law duty of confidentiality must be met.

The requirements of the Human Rights Act and the Data Protection Act are clearly defined. However, aspects of the common law duty of confidentiality are less clear, and that can present a challenge. Under the common law duty of confidentiality, where consent has not been given, personal information may be shared only if there is a statutory basis for doing so or if disclosure is deemed to be in the public interest. At present, because we do not have statutory authority, the use of patient identifiable information for any purpose other than direct care is predicated on the organisation's ability to satisfy the public interest test. Deciding what is or is not in the public interest is open to interpretation, and that creates a significant risk for patients and the Health and Social Care (HSC) organisations that hold the information, as well as those using the information. The ambiguity about what constitutes public interest means that decisions may be more subjective and prone to challenge. Additionally, organisations may simply decide not to pursue that option in the absence of a robust framework, and, as such, the associated benefits outlined may not be realised.

This is where the proposed legislation will come into play. The legislation would put in place a statutory framework to allow for the sharing of patient identifiable information in limited and controlled circumstances. The proposals would remove any ambiguity and safeguard the patient, the HSC and the information user. The Bill would make provision for safeguards to be put in place, including an oversight body that would critically assess and be the decision-making authority for requests for access to information. Safeguards have been a strong theme during the consultation process, and for that reason the Department has decided that the detail around the governance arrangements will be subject to a separate consultation process that will inform the regulations. Those regulations will be subject to affirmative resolution. The Department has welcomed the opportunity to brief the Committee regularly on the development of the Bill and would be very happy to continue that level of engagement in developing the regulations.

I point out that the Department envisages that approval to use patient identifiable information would be granted only in very limited circumstances and where it could be proved that the results could not be achieved without access to the data sought, that it was not possible to secure consent and that anonymised or pseudonymised information could not provide the same outcome. It is important to emphasise that, based on the experience of other jurisdictions, it is the Department's view that, in the majority of cases, information that does not identify the patient will be sufficient to deliver the required outcomes. I also stress that it remains the Department's policy that primarily an individual's consent will be obtained for the use of their information.

Thank you once again for the opportunity to brief the Committee. Chris and I are happy to address any questions you might have.

The Chairperson (Ms Maeve McLaughlin): Thank you, Sharon. Why has the Bill gone beyond health and social care?

Ms Gallagher: Into public interest? We looked at what was happening in other jurisdictions, paying particular attention to our close neighbours in England and Wales. Whilst they have not invoked that provision to any great extent, we had representations from within Northern Ireland, coming from organisations such as the Northern Ireland Fire and Rescue Service (NIFRS), on using information to advance their community development agenda and education and awareness programmes. So, it would not fall strictly under health and social care; it is more about education and developing strategies to protect the most vulnerable.

The Chairperson (Ms Maeve McLaughlin): What do you mean by "public interest"?

Ms Gallagher: There is no definition of "public interest" as such; it is based on case law. It would be a requirement for the organisation making the application to prove that access to and sharing of the information outweigh the lack of disclosure of the information. It very much puts the weight of evidence on the organisation.

The Chairperson (Ms Maeve McLaughlin): Clause 1(1) states:

Clause 1(1)(b) continues with the words "in the public interest".I will come back to some of that language, but what is necessary or expedient in the public interest?

Ms Gallagher: That will be tested in the application. As I said, there is no definition of "public interest" per se; it is based on case law. Its definition also refers to public interest as it is used and defined in the Human Rights Act. It will be very much up to the organisation. The example that I outlined is a potential example in that area.

GB has used it for some of their research requests when the information that they received could not change their approach to health and social care at that point but could be used to inform future policies or delivery approaches.

The Chairperson (Ms Maeve McLaughlin): Would you accept, then, that maybe that is very broad?

Ms Gallagher: I would accept that it is broad, Chair. The information available needs to be on medical or social care, so it is obviously grounded in that premise. It will be a key responsibility of the oversight group to critically assess each application about whether the sharing of the medical and social care information is necessary to advance the elements of the public interest that do not cover health and social care. The representation that we had from the Fire and Rescue Service is one example of education awareness of the most vulnerable.

The Chairperson (Ms Maeve McLaughlin): This is a critical point. There is reference in some of the initial memorandums about social well-being referring to the quality of life. Clause 1(10)(a) talks about "care or treatment", and clause 1(10)(b) refers to:

Clause 1(11)(b) refers to:

To me, "social well-being" can cover a plethora of social issues.

Ms Gallagher: You are absolutely right, Chair, and that was a concern that the Committee raised at a previous briefing. We took that on board. We grounded the social well-being reference in the concept that was used in the Health and Social Care (Reform) Act (Northern Ireland) 2009, which sets out the duty for the Department. It says that, although there is no formal definition of this term, it may be taken to refer to the quality of life, social inclusion and the protection of the vulnerable in respect of individuals, families or communities.

So, we have taken on board your comments about being clear about our definitions and understanding what we mean so that social well-being does not stray into other areas. Hopefully, we described the circumstances in which it could be used.

The Chairperson (Ms Maeve McLaughlin): I note that you said "medical or social care", but what about "other similar circumstances"? That is at clause 1(11)(b).

Ms Gallagher: I acknowledge the point you are making, Chair. I guess there needs to be some level of flexibility within the definitions that we set out, because the use of this could be quite broad in the protection of the vulnerable.

Clause 1(11)(b) states:

That is not an exhaustive list.

The Chairperson (Ms Maeve McLaughlin): Yes, but the point is the phrase "or ... any other similar circumstances". What other similar circumstances? You have given a list of everything from pregnancy to dependence on alcohol or drugs "or ... any other similar circumstances".

Ms Gallagher: It is an illustrative list of social well-being by qualifying what it means. I do not mean to repeat it, but it may be taken to refer to the quality of life, social inclusion and the protection of the vulnerable.

That is quite broad. It will be up to the organisation to prove how it sits within those definitions.

The Chairperson (Ms Maeve McLaughlin): If it is up to an organisation, I am asking the Department of Health specifically what its definition is of "other similar circumstances".

Mr Chris Matthews (Department of Health, Social Services and Public Safety): There is not a clear definition of "other similar circumstances".

Ms Gallagher: I think that the breadth of the term is to allow some flexibility.

The Chairperson (Ms Maeve McLaughlin): I tend to look at this in the sense of having a very clear, robust definition in place, as opposed to having flexibility.

I am interested in why we are using words like "may". Clause 1(1) states:

Why is there not a requirement? Why is it "may"? I am talking even about terms like "reasonably practicable". Why is it not "absolutely essential"?

Mr Matthews: Part of the term "may" make regulations is about the regulations requiring the processing of information that may be required. The Department may seek to make regulations that would require the sharing of information in a very serious situation that arises in Northern Ireland, such as a pandemic or something similar. It may require that information to be made available, so it may bring those regulations forward.

Ms Gallagher: In addition, the term "may" is acknowledgement that consent is our primary driver in the anonymised and pseudonymised information. There is no compulsion on the Department to make provision on it. It may make provisions where the conditions set out in the regulations are satisfied.

The Chairperson (Ms Maeve McLaughlin): Is it only for when consent has not been given?

Ms Gallagher: That is right.

The Chairperson (Ms Maeve McLaughlin): There is an issue about safeguards. In my view, the policy objective is not even apparent. We have very broad, sweeping statements around social well-being, care and treatment, and quality of life. We are talking about safeguards to protect or enhance issues that we have not properly defined.

Mr Matthews: The safeguards that will be put in place through the committee will challenge the requests that will be made by the person seeking to use the information. There are a range of safeguards. Initially, in making an application to the committee, you would have to prove why consent is impractical and why you cannot achieve the same outcome from pseudonymisation or anonymisation. In fact, of the 900 applications that England has processed since 2001, a third have been rejected. Many of the 600 that were approved have had very stringent requirements placed on them about how the data is handled and processed and the amount of information that the requester can access. They can access it only if the person who owns the information is prepared to share it. This is only an enabling Bill. It will not actually make a requirement on the person who holds the data to share it; they will make an assessment based on the risk of the relationship that they have with the service user on whether they deem it appropriate to share that service user's information.

The Chairperson (Ms Maeve McLaughlin): Is it to make right something that is not procedurally correct at the minute in sharing data?

Ms Gallagher: It is not that it is not procedurally correct; it is just that it is open to a heightened level of challenge because there is no legal basis for it. It happens at the minute. I think that is a key driver for the Department. The cancer registry and cerebral palsy registry both do it. Both share the information. They have opt-outs in place. They have information in place, but they rely on satisfying public interest under the common law duty of confidentiality. That is the risk for key organisations: that they do not have the legal basis to do it. The safeguards are primarily that any decisions need to comply with the Data Protection Act but that the committee makes the decision in the light of the regulations that we would set out. Those are the key safeguards in this. There is an element of providing additional protection to decisions that are being taken.

The Chairperson (Ms Maeve McLaughlin): There is something else that I want to refer to. The original explanatory note used the phrase "assist research", so patients' data would be used to assist research. What does that mean? What research? What type or breadth of research?

Mr Matthews: Obviously, it has to be health and social care related, but it could help research. There is no guarantee that an application by somebody wishing to carry out a piece of research would be granted. It goes back to the point about the other safeguards that are in place on seeking consent and using anonymised or pseudonymised information. There is a new process as part of the overall package that has been set up within the Business Services Organisation (BSO) to provide anonymised or pseudonymised information, but it also has to have ethical approval before you would even consider it.

The Chairperson (Ms Maeve McLaughlin): But, ultimately, as it stands now, data could be shared to assist research that would be viewed to be in the public interest or for the social well-being of an individual.

Mr Matthews: Currently, it is extremely unlikely that it would be shared for research at this point in time. We have not —

The Chairperson (Ms Maeve McLaughlin): But under the Bill.

Mr Matthews: Under the Bill, it could be shared if they are deemed that to have the necessary public interest benefits and that the committee scrutiny believes that, as well as having ethical approval, they meet the requirements of the committee for a safe and beneficial approach.

The Chairperson (Ms Maeve McLaughlin): So, data could be shared if it is deemed to be in the public interest. Again, I will go back to my point — I think, Sharon, you agreed with it — that a definition of the social well-being of an individual is very general.

Mr Matthews: That is the definition of "social well-being", but it has to have a direct impact on health and social care. The public interest is an underlying requirement. It still has to have a health and social care aspect, so you cannot just have —

The Chairperson (Ms Maeve McLaughlin): Why use "social well-being", then?

Mr Matthews: Because there are also substantial benefits of social well-being as part of health and social care, so, whilst it has to be within health and social care, there could be social care well-being. One of the issues, for example, which Sharon alluded to, was research into a particular medical condition that may or may not be taken forward in the future. There would be a public interest in perhaps understanding the issues around that particular illness at this point, so researchers may get approval by the committee for giving them access to the information.

The Chairperson (Ms Maeve McLaughlin): I just think that social well-being could be anything from access to housing to education. It is not definitive in any shape, form or fashion in the Bill.

Ms Gallagher: I think you are right. The definition is grounded in the 2009 reform Act, which sets out the duties of the Department. You are right. It is broad, Chair, and it may be used to consider some of those broader aspects. It needs to be proven that consent cannot be given. They cannot use anonymised and pseudonymised information. There is no other way of doing it, so that narrows down how and when it could be used. There will need to be an assessment and determination taken by the oversight group — the advisory group — of whether the sharing of information in that circumstance is reasonable and necessary.

The Chairperson (Ms Maeve McLaughlin): I am just going through this again. You keep referring to the oversight group, but clause 2 is on the establishment of a committee to authorise processing of confidential information. Clause 2(1) states:

There is not even a requirement to do that.

Ms Gallagher: Yes, I accept that. Certainly, that is the intention.

The Chairperson (Ms Maeve McLaughlin): I suggest that, if it is in a Bill and if that is the intention, it is a requirement, as opposed to being "may", if this is the oversight through the definition and benchmarking of issues around social well-being. It needs to be stronger than "may".

Mr Matthews: I accept that. I think the intention was not to predetermine what would happen when the regulations are brought forward for consideration by making it that we will establish a committee. The intention would be to establish it, but obviously the regulations will need to —

The Chairperson (Ms Maeve McLaughlin): I suggest that that should be reflected in the Bill in black and white and not with the use of the word "may".

Ms Gallagher: That is helpful, Chairperson. We will take that on board. Certainly, 98% of our respondees to the consultation said that they would be absolutely in favour of an oversight group in some form. That is certainly the direction of travel.

Mr McKinney: I want to revisit some of the stuff on the policy objective. I note that clause 1(1) mentions "medical or social care purposes". Already, we have contested space here, if you like, about what all that means. Clause 1(1) qualifies that by saying that it is:

That becomes an "or in the public interest". What overrides it?

Mr Matthews: It is grounded in the need for it to be for medical or social care purposes. The public interest would still have to be grounded in the need for medical or social care purposes.

Mr McKinney: Even already, health and social care extends right out. The Chair is right. Who defines that? It certainly goes beyond NIFRS requesting information, I suggest.

Mr Matthews: It goes back to the example that I used, whereby you would be looking at a particular condition at this point in time but would not be intending to move that forward under health and social care.

Mr McKinney: For us, it must be about how wide we open the gate to access information and for what purpose. The policy objective, for example, is described as "a public good". What is that? It sounds sunny and nice and fluffy and all the rest, but what does it mean?

Mr Matthews: This goes back to the position with the committee and the robustness of its scrutiny of the applications that come through to access that information and whether it deems it has a public interest in providing that information for health and social care purposes.

Mr McKinney: Yes, but I sense in your demeanour and in some of your replies that you accept that some of this opens that gate much wider than even the context that you are describing. I have forgotten the example that you gave.

Ms Gallagher: It was the Fire and Rescue Service.

Mr McKinney: No, the next one, on specific conditions. There was a specific condition where people are now giving information on —

Ms Gallagher: In the cerebral palsy and cancer registry.

Mr McKinney: Yes. This could and would extend, notwithstanding what you are saying about protections in the committee, way beyond all that. In other words, the committee could be looking at a whole raft of stuff that this provision would allow for but that is not even in the limited context of what you are describing. This is much broader, or it could, in my view, extend much broader than the narrow individual cases, treatments or areas that you described.

Ms Gallagher: One of the safeguards built in to that for the test of public interest is that the organisations need to set out in very clear terms why the outcome could not be achieved in any other way.

Mr McKinney: Do you have in your mind a vision of what types of organisations those are? Are they private companies doing —

Ms Gallagher: No, absolutely not. This is not about advancing that aim for private purposes. The consultation on engagement with the Fire and Rescue Service is the most prominent, because it was quite vocal during the consultation. The public interest is an area that it would like to invoke, because the purpose of this is not improving health and social care per se; it is about the education and awareness of vulnerable people who have presented to A&E or hospital as a result of fire.

Mr McKinney: I understand that, but it does not say that here. The definitions of "public interest" and "public good" are very broad.

Ms Gallagher: There is no definition of public interest, unfortunately. It is based on case law. It is grounded on the medical or social care purposes, and a decision would be taken by the committee on the basis of a very sound argument put forward by the organisation that it cannot get the same outcome by other means and that it will adhere to the Data Protection Act and the Human Rights Act. There are safeguards, but you are absolutely right to say that the definition is broad —

Mr McKinney: By the way, I am not attaching a motivation to that. It is just that it is a broad definition and that the vagueness would allow for it to be used elsewhere. Do you accept that?

Ms Gallagher: I accept that there is a potential for that without appropriate safeguards. England and Wales have this provision and over 10 years' experience of making and overseeing these decisions, and they have very few applications using the public interest test. Their definition is quite different, because they make some decisions under public interest where the health and social care benefits cannot be readily realised. Now, we would not necessarily see them sitting in that category. The particular example we had in mind was of the NIFRS, having looked again at public interest on foot of engagement.

Mr McKinney: Can we have a look at experience from elsewhere, by way of cost-benefit analysis etc?

Ms Gallagher: Indeed.

Mr McKinney: Thank you. I am not sure whether that was requested earlier.

The Chairperson (Ms Maeve McLaughlin): Does that exist?

Ms Gallagher: I am not sure if we have a cost-benefit analysis. There is a repository of decisions taken by the Confidential Advisory Group in England and Wales. The purpose for which information was disclosed and the types of decision are set out, and public interest is always considered, even where there is a health and social care benefit. It is accepted that public interest is a critical aspect of the decision-making process.

Mr McKinney: Is this copycat legislation? Is it word for word?

Ms Gallagher: No, we have taken account of a number of local changes and of our integrated health and social care system.

Mr McKinney: What is the legislative basis for access in England?

Ms Gallagher: The broad framework is generally the same; the structures underpinning it will have some changes —

Mr McKinney: Yes, but what is the legislation? Where are the words? What is the Act?

Ms Gallagher: Bear with me a second.

Mr Matthews: The provision is section 60 of the Health and Social Care Act 2001. It has been through a number of iterations.

Mr McKinney: If it has robust safeguards, why not do the same?

Ms Gallagher: We could copy it. The purpose of taking it stage by stage, setting out the broad provision in the Bill and then entering into further consideration and consultation on the regulations, is to make sure that the model reflects the needs of Northern Ireland.

Mr McKinney: You are accepting that this is broader than what they have in England.

Ms Gallagher: The public interest provision is the same.

Mr McKinney: Maybe it would be worthwhile seeing a legislative comparator, and it might even short-circuit some of the work. If they have the robust safeguards that you are talking about, it might be helpful to see them, especially as we are clearly puzzling over some of the broader issues — even our earlier comments reflected some anxiety over this.

Ms Gallagher: You want a comparison and a contrast.

Mr McKinney: Please, if that is acceptable, Chair.

The Chairperson (Ms Maeve McLaughlin): Absolutely. Just to clarify, has a cost-benefit analysis been done? Is there one?

Ms Gallagher: We need to check. I suspect not, because over the period of the 14 years, 600 decisions have been made. You would need to go back to the organisations to cross-check whether the outcome of the research or piece of work actually —

The Chairperson (Ms Maeve McLaughlin): For here?

Ms Gallagher: No.

The Chairperson (Ms Maeve McLaughlin): For this legislation, it is not.

Mr McKinney: Can we even have a list of the 600 organisations?

Mr Matthews: It is all published. They publish everything on the web, so we can certainly give you access to that information.

Mr McKinney: Point us to it. Thank you.

Mrs Cameron: Thank you for your presentation. For clarification: the information that is proposed to be gathered is currently being gathered.

Mr Matthews: Yes. It is the existing information within the HSC.

Mrs Cameron: And that is open to challenge by individuals, if they discover that it has been shared.

Ms Gallagher: Yes, that is right.

Mrs Cameron: Would it not be simpler just to gain consent?

Mr Matthews: The difficulty in gaining consent is that you face a situation where you are asking somebody to consent to something but they do not know what will happen, necessarily, with the information. So, if you consent overall, you are consenting to anything happening with your information. There are people who would choose not to give such consent and would opt out of their information being shared, and that can currently be the case. We need to be sure that we do not just open the doors and let the information be shared by anybody for any purpose.

Ms Gallagher: The primary driver is absolutely consent. It is the main premise. There may be situations where it is simply impractical to do that. A good example is the decision back in 2011, a cross-departmental initiative, to pay winter fuel payments to cancer sufferers. It was simply too difficult to get consent from every cancer sufferer at that point. Had we had this legislation, we could have gathered the information in a more expedient way; but, as it happened, we had to go through the GPs and to source information in a very piecemeal way. So it was about the practicalities of getting consent from every single person who was suffering that illness at that time.

Mrs Cameron: I understand that, although I cannot imagine too many cancer sufferers taking a challenge against you for making a payment to them. OK.

The Chairperson (Ms Maeve McLaughlin): Just to go back to that point: you said that this is about seeking consent in a situation where effectively somebody, in layperson-speak, had not given that consent. If somebody opts out of giving that information, this legislation, on the basis of a definition of public interest, could override that person's decision.

Ms Gallagher: The opt-out has primacy.

The Chairperson (Ms Maeve McLaughlin): What if there is a decision taken by the committee, which may be set up, that it is in the public interest or in the interest of social well-being?

Mr Matthews: In the circumstances in England and Wales, the committee does not override the individual's opt-out. The individual has made a conscious decision not to —

The Chairperson (Ms Maeve McLaughlin): Has it never done that?

Mr Matthews: It has not. It has never advised the Secretary of State that it would be content to override the opt-out, if somebody has consciously opted out or "dissented", as they refer to it.

The Chairperson (Ms Maeve McLaughlin): Ultimately, the question is this: in the Bill, as it currently stands, could the committee override a person's opt-out?

Mr Matthews: Under data protection legislation, the person can choose to opt out of having their information shared. Also, the applicant would have to prove "fair and lawful" processing and prove to the committee that there is a reason why somebody, who has opted out, cannot continue to opt out of having their information shared.

The Chairperson (Ms Maeve McLaughlin): However, as it stands, the committee, if it defined a request for the sharing of that data as being in the public interest or in the interest of social well-being, could override a person's opt-out.

Mr Matthews: Making that decision is enabling, so the choice about whether to release that information is a choice for the person who holds the information, say from a HSC organisation.

The Chairperson (Ms Maeve McLaughlin): But it is legislation. There is a proposed Bill in front us, which would give the power. I am looking for a yes or no on this. The Bill, as it stands, could allow that established committee to override a person's opt-out for data sharing because it is deemed to be in the public interest.

Mr Matthews: It could, but there are more circumstances —

The Chairperson (Ms Maeve McLaughlin): OK. That is what I was attempting to get to. Have you finished, Pam?

Mrs Cameron: I think so, Chair.

Mrs Dobson: Apologies for missing your briefing; my question may already have been covered. Paragraph 13 of your written submission talks about steps that have been taken to reduce the risk of loss of personal information. Will you outline the steps that have already been taken?

Ms Gallagher: The first stage of that was to work with the Health and Social Care organisations in order to improve their information-management processes. Chris will maybe talk a little bit more about the detail.

Mr Matthews: This piece of legislation is part of a three-year strategy that we have been engaged in to strengthen and improve information sharing whilst protecting information. We have put in place a number of structures. We have introduced senior information risk owners within all of the HSC organisations whose responsibility it is to manage the information. We have also increased the level of governance over information governance within the HSC organisations over that time.

Mrs Dobson: When was that put in place?

Mr Matthews: It started about three and a half years ago and was a developing process until we got to this stage. We have also put in place standardised processes for sharing service-user information to ensure that the systems are robust and that there are appropriate sign-offs for any information that is being shared. We have also made sure that every member of staff has received training, online or instructor-led, to ensure that they know what to do. We asked the privacy advisory committee to review the code of practice on the sharing of service-user information, which was done in 2009, initially, and reviewed in 2012. We have also introduced an honest broker service. If you need information within the HSC, you make an application to the honest broker service within the Business Services Organisation, and it will provide you with information that is anonymised or pseudonymised, if it is available. So, we have reduced the need for identifiable information within the HSC family, but improved the ability to make information available to the HSC family, in an anonymised or pseudonymised way, that they can use for planning purposes.

Mrs Dobson: That alarms me, and I know that others on the Committee feel the same. All of this is, essentially, going on below the radar of people knowing that their information is being shared. My son is a transplant patient. I have never once been aware of his details or information about him and his transplant being shared. I have certainly never been asked or approached, and neither has he. The things that have been happening, and what is proposed to happen further, concern me a lot. You describe provisions in the Bill as "much more robust". Why do you feel that they are? You have just outlined what you have been doing in the last three and a half years. Why do you feel that they are more robust than the steps you have already taken? What is different from what has gone before, given the fact that the public is, largely, unaware of what has gone before? I certainly have been unaware of it, and I know my son has.

Mr Matthews: I can reassure you that the majority of sharing of information within the health and social care sector is for direct care purposes. This is about information that is shared for purposes other than direct care. In terms of assessing the level of sharing, most of the sharing is done in an anonymised or pseudonymised way, as it was prior to the set-up of the honest broker service, but we took additional steps because we wanted to look at this legislation position. The legislation will put a robust process in place for identifiable information. Not only will it provide the legal cover for information being shared for the likes of the cancer registry and the cerebral palsy registry; it will enable information to be shared for purposes that we currently do not share it for. There have been a number of national audits and pieces of work that Northern Ireland has not been involved in and has not obtained the benefits from.

Mrs Dobson: Does that not, in a sense, open the floodgates for where the information goes? You talked about sharing for direct care only and being anonymous. You said that you are going to make this much more robust, but, essentially, you are making it easier to access people's —

Mr Matthews: Easier to access in limited and controlled circumstances. Since 2001, England and Wales have had 900 applications for the information, of which about 600 have been successful. In many instances, the information accessed will be the information to enable you to contact the service user to ask them whether they would consent to being involved in whatever piece of analysis or research is being carried out.

Mrs Dobson: Up to now, they have not known.

Mr Matthews: Up to now, we have not done it in a lot of instances. In the example of the cancer payment, we were not able to give the information for the cancer patient to be contacted to be asked whether they wanted a payment. The vast majority of the information will be used to contact the individual without being specific about what the issue is and ask them to contact the organisation to ascertain whether they are happy to be involved in whatever the piece of work may actually be.

Mrs Dobson: You talked about limited and controlled circumstances. My concern is about how limited and controlled those circumstances will be.

Mr Matthews: That, again, is back to the committee; you need to, first of all, show it why consent is not possible or practical, why you cannot obtain the information through pseudonymisation or anonymisation, and why the only practical solution to obtain the outcome required for health and social care benefit is to have access to identifiable information. Again, that will be, in the main, to contact the individual to seek their consent to be involved in whatever the piece of work may happen to be.

Ms Gallagher: It grounds it back to the medical and social care purposes, where the interests of improving health and social care are in the public interest and in full adherence to the Data Protection Act and the Human Rights Act.

Mrs Dobson: That takes it back to Fearghal's point about the safeguards and what lessons can be learned from other jurisdictions that have safeguards in place. That is something that we certainly need to explore in greater detail.

The Chairperson (Ms Maeve McLaughlin): Just on that, what if the person is deceased?

Mr Matthews: If the person is deceased at this time, you technically cannot access the information.

Ms Gallagher: The Data Protection Act refers only to living individuals.

The Chairperson (Ms Maeve McLaughlin): So, you cannot override the original opt-out if a person said that they did not want their information to be shared.

Mr Matthews: To go back to the point that you made about the committee overriding the decision, I do not know in how many cases you would have an individual who is deceased and who had opted out, but, in cases where individuals are deceased, it is impossible to gain consent. Depending on the course of whatever the research is, the committee could give the authorisation to access that information because there is no other means of doing so.

The Chairperson (Ms Maeve McLaughlin): So, the committee could override that. It goes back to the previous —

Mr Matthews: It could potentially, but the data holder, under data protection or human rights, may decide not to release that information.

The Chairperson (Ms Maeve McLaughlin): But there is still, ultimately, a power there, and so that could happen.

Mr Matthews: The power is to make the decision; it is not to ensure that the information is released. It is enabling legislation.

Ms McCorley: Go raibh maith agat, a Chathaoirligh. Thanks for the presentation. My question is about the code of practice. This, obviously, is going to dictate how everything should be carried out. The Bill states:

That will be what guides it, if that were the case. It also says:

in a couple of places. Is that robust enough? Should it not be "must adhere"? The phrase "must have regard" is like you can take it or leave it.

Mr Matthews: Maybe it is just the way in which it is worded. The code of practice actually sets out detailed practical guidance on the sharing of information and the things that you need to consider. At this time, the code of practice does not have any legal standing apart from, obviously, the link to data protection and human rights. We have a code of practice, but in light of the legislation, it will be revised and made more robust, if the Bill makes its way through and we have the regulations in place. It is expected that the organisations give due regard because the code of practice reflects data protection. That is a legal requirement. There would be a requirement that people take that into consideration. Other factors may influence the decision as to whether the information is shared or not. There may be legal or child-protection reasons why the information should or should not be shared. Obviously, they have to look at the process in practice.

Ms McCorley: It just strikes me that, when you have a choice of words and it is something that must be followed, why would you not use the most stringent form of words?

Mr Matthews: I think that "due regard" means that it is one of the pieces of governance and advice that you consider in the overall picture of deciding whether to share. It does not stand by itself. Data protection, human rights and other issues need to be considered. That is obviously the tone that it is used for.

Mr Easton: Thank you for your presentation. Some of these questions might sound stupid, so I apologise. Is this already in place in other parts of the United Kingdom?

Ms Gallagher: It has been in place in England and Wales since 2001.

Mr Easton: What about Scotland?

Ms Gallagher: Scotland currently does not have the legal basis for it. They are keeping it under review. They do have a privacy advisory committee that gives advice and guidance on the sharing of information.

Mr Easton: My next question is about people who refer to the committee to get information. Theoretically, could anybody refer to the committee, or is it just health-related people?

Mr Matthews: Anybody could make an application to the committee.

Mr Easton: So, I could.

Mr Matthews: You could potentially, but obviously your case would be scrutinised as to why you want the information. If it were research related, you would have to have ethical approval before you approached the committee.

Mr Easton: Why would anyone want access to medical notes if it were not for information on a medical condition?

Ms Gallagher: That is probably the debate that we had earlier about the public interest and what scenarios might play out. I think that I said earlier that, in the experiences of England and Wales, they have not invoked that provision very often. Given our consultation in Northern Ireland, particularly in relation to the Fire and Rescue Service, we see at this point that there is an opportunity to use the public interest test for the information for that particular set of circumstances, as long as there is a robust case, the checks and balances are in place and it is compliant with data protection and the Human Rights Act.

Mr Easton: This obviously has not been in place, so will its being in place cover any information that has been shared in the past?

Ms Gallagher: No.

The Chairperson (Ms Maeve McLaughlin): Who gives ethical approval or not?

Mr Matthews: It is the ethics committee, which is established across the UK with a UK-based structure. There are offices in Northern Ireland, but they work collaboratively to assess applications.

Mr McKinney: Who, typically, would apply to that organisation for ethics approval?

Mr Matthews: It would usually be a researcher. Most often, at this time, it would be university researchers. For example, in the honest broker service, that process involves the ethics committee, where people would apply to access anonymised or pseudonymised information for a piece of research that they are doing, but it has to have health and social care benefit. There are robust governance processes built in around the access to that information, but it is for only anonymised or pseudonymised information.

Ms Gallagher: I would like to go back to one point, Chair, that Fearghal and you raised earlier on the cost-benefit analysis of the Bill. I apologise if I picked you up incorrectly. Whilst we have no robust cost-benefit analysis, we envisage that the cost of introducing this Bill will be nominal. We have a number of committees already extant in Northern Ireland that we envisage, without predetermining the outcome of the consultation, could execute this role, so any additional cost would be nominal. We envisage that the cost would be outweighed by the benefits in terms of the protection of the organisation and safeguarding of client information and the benefits that could be realised by accessing the information, particularly in relation to the experience in Wales and England.

The Chairperson (Ms Maeve McLaughlin): OK. Thank you both for your time and detail today.