Official Report: Minutes of Evidence

The Chairperson (Ms Maeve McLaughlin): I welcome Sharon Gallagher, director of corporate services; and Chris Matthews, former head of information management branch at the Department. I advise you that we want you to work through the table of issues that were raised in the written submissions and to provide positions on each. We will pause for questions from members after each clause. I will invite — I am not sure; Sharon, is it you? I invite Sharon to brief the Committee on the clause 1 issues, and then we will respond accordingly.

Ms Sharon Gallagher (Department of Health, Social Services and Public Safety): Thank you, Madam Chair. Would you like me to make some opening remarks before we start?

The Chairperson (Ms Maeve McLaughlin): If you want, yes, but I ask that you keep them as succinct as possible.

Ms Gallagher: OK. Thank you for the opportunity to provide further evidence on the Health and Social Care (Control of Data) Processing Bill.

The Department has listened to the very constructive evidence that has been presented to the Committee, orally and in writing, and is encouraged by the support given by stakeholders to this important legislation, which would allow the controlled use of information for important secondary uses. The level of support from those who have campaigned to have the legislation brought forward is very reassuring and mirrors the findings of our public consultation held last year, when 94% of the 59 respondents indicated their agreement with our proposals. That said, it is quite clear that there are a number of areas on which the Department will reflect. It might be helpful if I touched on some of those today, and I am conscious that we will work through the detail, as you said, Chair.

First, there exists a level of confusion about the purpose of the Bill. The oral evidence provided by Professor McClelland and Dr Colin Harper was particularly helpful, I think, in setting out the position. From the Department's perspective, I will emphasise again today that the public interest provision at clause 1(1)(b) does not stand alone. Information sharing would not be permissible solely on the basis of public interest. All uses must be connected to a medical or social care purpose, such as medical research, management of healthcare services or provision and management of social care services. It is, therefore, a rather narrower provision than some comments may have suggested. The Department is currently reflecting on the drafting of the provision with a view to ensuring that the intention is very clear. Similarly, we are reflecting on other parts of the Bill to ensure that the definitions and phrasing reflect the policy intent and that no ambiguity can arise.

The permissive nature of the Bill, in relation to the making of regulations and the establishment of a committee, has caused a level of concern also. Committee members and stakeholders have questioned why, when those elements will be an integral part of the process, they are not mandatory upon the Department. Again, the Department is reflecting on the feedback received.
In written and oral evidence, the Northern Ireland Human Rights Commission (NIHRC) raised the issue of the Bill's compliance with article 8 of the European Convention on Human Rights (ECHR). Section 6 of the Northern Ireland Act 1998 states that, if a provision is incompatible with any convention rights, it is outside the legislative competence of the Assembly. I can advise that, in May this year, in advance of Executive clearance on the Bill, the Attorney General for Northern Ireland advised that the Bill is within the legislative competence of the Northern Ireland Assembly and is, therefore, compatible with article 8 of the European Convention on Human Rights. Moving forward, the Department will work closely with key stakeholders, including the Northern Ireland Human Rights Commission, to ensure that provisions set out in regulations remain fully compliant.

Further concerns were voiced about the governance arrangements that will be put in place around the process; for example, the make-up of the committee and the right of an individual to opt out of having their information processed under the Bill. Views were expressed that those other elements should be included in the Bill.

This is primarily an enabling Bill, and the detail of the process will be set out in regulations. While it is right and proper that those concerns are expressed, the Department will consider them as part of the next stage of the process, that is, the development of the regulations. I re-emphasise that those regulations will be subject to public consultation, Committee scrutiny and draft affirmative procedure in the Assembly.

The Department will continue to consider the feedback received and the views of the Committee as the legislative process progresses.

Again, I am happy to take questions and to take the time to set out our position.

The Chairperson (Ms Maeve McLaughlin): OK. At this point, we want to move to clause 1. Do you want to outline anything on clause 1?

Ms Gallagher: I want only to say that, as I advised in my opening remarks, we have taken on board the comments thus far about it being open to a level of confusion. We are considering the drafting at this point.

The Chairperson (Ms Maeve McLaughlin): Thank you, Sharon. A number of members have indicated they want to ask a question on the clause, so I request specific responses to what I think are fairly direct questions on the detail that we are looking for.

During the evidence session in June with the Department, in relation to the Fire and Rescue Service, you said:

What is the rationale for viewing that as a medical or social care issue, rather than as a public health issue? Are you then saying that education is one of the areas that would fall under "public interest"?

Ms Gallagher: We are saying that the medical and social care purposes are defined and that the public interest has to be grounded in the medical and social care purposes. So, whilst we had talked about NIFRS as an example of an organisation that may go down this route, there is no expectation that, if it did make an application, it would succeed. Obviously, it would need to look at other options, such as consent and anonymised and pseudonymised information, and it would need to be proven that it was in the interests of medical or social care.

The Chairperson (Ms Maeve McLaughlin): Do you think that medical and social care purposes are currently defined?

Ms Gallagher: I think that medical and social care purposes — certainly, social care purposes — are defined in clause 1(14)(a) and clause 1(14)(b), and medical is defined in clause 1(13).

The Chairperson (Ms Maeve McLaughlin): Are you honestly saying that you believe that medical and social care purposes are defined in the Bill?

Ms Gallagher: I believe they are, Chair.

The Chairperson (Ms Maeve McLaughlin): Why then are you considering the public interest issue being developed more?

Ms Gallagher: We are saying that the clause is crafted in such a way as to potentially cause confusion with the use of the word "or". The intention of clause 1 is to process prescribed information of a relevant person for medical or social care purposes in the interests of improving health and social care or, equally, for prescribed information for medical or social care purposes in the public interest. There was a level of confusion that the public interest was not grounded in medical and public care interests. That is where we talked about the use for education, benefits and other things. That could not happen.

The Chairperson (Ms Maeve McLaughlin): It was the way it is crafted.

Ms Gallagher: I believe that it is the way that it is crafted that has caused confusion. I think the intention is very clear. We are looking at the way it is crafted to make sure —

The Chairperson (Ms Maeve McLaughlin): Is there a better way to craft it?

Ms Gallagher: We are currently considering that, because it has caused a level of confusion, but we have not come to a conclusion on that yet.

The Chairperson (Ms Maeve McLaughlin): You also said that the requirement provision would be used to address only unforeseen emergency circumstances and would be done by regulation. Why can it not say that clearly in the Bill and that the final decision in other cases rests with the data controller?

Mr Chris Matthews (Department of Health, Social Services and Public Safety): Compelling the sharing of information would be done through a regulatory process. Regulations would be made, brought to the Committee and then brought through the Assembly. In those instances, the Committee and the Assembly would decide that that information should be shared. Therefore, it would be setting aside, for medical purposes only, the ability of the data controller to not share the information, but you and the Assembly would have the authority on that.

The Chairperson (Ms Maeve McLaughlin): Why would it not state that clearly in the Bill? We have just had a conversation about how the Bill has been crafted and is creating some confusion, so, if we are talking about requirement and saying that it is to be used only for unforeseen emergency circumstances and by regulation, why we would not have that in the Bill?

Ms Gallagher: We are suggesting that, this being an enabling Bill, the detail will be in the regulations and we would consult on that. We have set out in clause 1(2)(a) the provision for requiring, but the detail on that would be set out in regulations about what circumstances that would prevail in.

The Chairperson (Ms Maeve McLaughlin): In your view, is it not better to have it in the Bill?

Ms Gallagher: I think that the Bill sets out the position, in that it allows for the sharing of information. Our intention is that the detail will come in the regulations, because there are lots of specifics in this that we need to tease out and consult on at the next stage.

The Chairperson (Ms Maeve McLaughlin): Can I ask whether you are considering bringing forward something that may put this into the Bill, or are you satisfied with it as it stands?

Ms Gallagher: To date, we have been satisfied that clause 1(2) sets out the provision for requiring or authorising the disclosure of prescribed information. The prescription would come in the regulations. It is not just for the requiring; it is also for the authorising. We would need to set out what type of information we are talking about for the authorisation of information as well. There is more detail to follow. This provides the enabling provision.

The Chairperson (Ms Maeve McLaughlin): OK. In relation to consent, what does "cannot practically ask" mean? Does it mean that you cannot ask for consent because of the number of persons affected, or does it also include where someone has refused consent or the data subject is deceased?

Mr Matthews: It could include a number of situations, including where the data subject is deceased, obviously. If you are talking, potentially, about large numbers, perhaps tens of thousands of people, it might be impractical or extremely difficult to be able to gain their consent. In most of those situations in England, what is provided is the basic information that enables the person to be contacted to seek their consent. It does not necessarily mean that all that information would be shared without consent; it is just sufficient information to contact the individual to ask whether they would consent to their information being used for whatever the purpose may be.

The Chairperson (Ms Maeve McLaughlin): Could it mean the numbers of people affected?

Ms Gallagher: It could. The Cancer Registry's evidence is a good example of that, where it was set out that it was impractical to ask people for consent at that point in their life when they are going through a very difficult time.

The Chairperson (Ms Maeve McLaughlin): The opt-out has come up and has certainly been raised by a number of members. Why is something as critical and as fundamental as opt-out not in the Bill?

Mr Matthews: The opt-out provision already exists in health and social care. Under section 10 of the Data Protection Act, somebody can opt out of having their information shared. It also exists for the provision of care, either for direct or secondary uses, for example, in the electronic care record (ECR), where people have opted out of having their information shared. The process is already there, and all the Bill will seek to do is educate the public and organisations better on the use of the existing provisions.

The Chairperson (Ms Maeve McLaughlin): How many people honestly would know that it is already there in section 10 of that Act?

Mr Matthews: They can already opt out, because there are provisions in the health and social care sector to opt out. Leaflets and posters are provided, and the Cancer Registry is one organisation that provides the opt-out information in its leaflets. The information is already out there. Every home in Northern Ireland received a leaflet advising of the electronic care record and how people can go about opting out of that process.

Ms Gallagher: We have heard, with interest, the level of concern about the opt-out. Chris is absolutely right; there is legal provision in section 10 of the Data Protection Act. However, as we move into implementation, there is an issue about how we raise awareness internally in the health and social care arena and externally to service users. That is being done at the minute in England with care.data and its roll-out. We would absolutely need to consider that in Northern Ireland to raise awareness once again of the ability to opt out. Is that fair to say, Chris?

Mr Matthews: Yes, we have already put processes in place to educate staff within health and social care on the provisions and the processing of service user information. We have been doing that work over the past three years. There is some mandatory training, and there are also requirements under data protection for fair processing, so staff need to know how to process information fairly. Otherwise, the Information Commissioner's Office (ICO) can come in and fine them up to, as you are probably aware, £500,000.

The Chairperson (Ms Maeve McLaughlin): Given the issues created in public confidence, particularly in England, on data sharing and the fundamental nature of opt-out, I remain to be convinced of the rationale for not including it in the Bill and having a very clear definition.

Ms Gallagher: The situation in GB was very different from the provision that we are trying to bring through at the minute. That is the first thing that I would say. This is an enabling Bill. Where the regulations and the consultation are concerned, we will of course take stakeholders' views to get the temperature for opt-out and what needs to happen at that point, but there is legislative provision at the minute under the Data Protection Act, and our Bill is fully compliant with that. So, the issue is, I think, raising awareness and the actual practical solutions and practical interventions to make the public aware of their ability to opt out, should they wish to do so.

The Chairperson (Ms Maeve McLaughlin): OK, there are a number of members who want to ask questions on clause 1.

Mr McKinney: This is the first question, as I have two points to raise. What does "medical" mean in juxtaposition with "social care purposes"?

Ms Gallagher: "Medical" is set out at clause 1(13)(a) and (b), while "social care" is at clause 1(14)(a) and (b), on page 3.

Mr McKinney: When I think of all the issues, I know that clause 1 is the one that has caused us the most concern. You have heard that. I know you are looking at it, so, just to short-circuit it, can you give us a flavour of what would emerge as a potential clause 1 that would address these issues? You have heard all that we said, and that means what we have said and what others have said to us. You know that issues of definition and generalities have caused us some concern. What would it look like if it was right?

Ms Gallagher: What it would look like is that everyone would be quite clear of the intention, and that is certainly not the case at the minute. We believe that it is as a result of the phrasing, rather than the intent. It is the Department's absolute intent that clause 1(1)(a) and (b) are linked with medical and social care purposes, which are set out very clearly in the Bill. Public interest is not a stand-alone matter; it is considered only in the context of medical purposes set out at clause 1(13)(a) and (b) and social care purposes set out at clause 1(14)(a) and (b). That has created a level of confusion about leaving this very broad.

Mr McKinney: Yes, but we are probably in danger of rehearsing the arguments again, which I am not keen to do, because I think we should be advancing on ground here. That is why I ask the question. Yes, there is public interest, and there are questions on all those vague issues. We are looking for greater definition or greater clarity around the thing. Have you got a draft amendment?

Ms Gallagher: We are certainly working with the Office of the Legislative Counsel (OLC) on the options. The social care and medical purposes are not new definitions, though. Social care purposes are grounded in the enabling Act for the Department, and the medical purposes —

Mr Matthews: They are both in the Health and Social Care (Reform) Act (Northern Ireland) 2009. We have taken the general responsibilities of the Department and, as it states, the "medical" and "social care purposes". We have just reflected what are already defined as being the responsibilities of the Department for medical and social care purposes.

If those are its responsibilities, we just reiterated that to ensure there is consistency in people's views of those responsibilities.

Mr McKinney: Yes, but the issues are also on "medical research" and what that means. I am not hearing what I am asking for. I think that you know what I am asking for, but I am not hearing back what that definition would look like if it was changed in clause 1.

Mr Matthews: I think that is where the challenge lies. It is in fully understanding everybody's viewpoints on what the definition would say.

Mr McKinney: Do you accept that there is confusion?

Mr Matthews: We have heard, through evidence sessions, that people are not understanding the intention of it. It is medical research; it is not research into numbers of people for an insurance company, which is an example that has been given to the Committee on occasions. It is certainly not the intention that it would be used for that. It is medical research that obviously also needs ethical approval from the Office of Research Ethics Committees (OREC).

Mr McKinney: I do not know quite how to phrase this, but, if you are hearing and accept all these concerns, how will this be shaped to ameliorate them?

Mr Matthews: That is what we are working on with the OLC. We are trying to come up with something on the purposes for which the information is being shared that will be acceptable and clear to everybody.

Ms Gallagher: I think that the terms "medical purposes" and "social care purposes" are set out as they were in the 2009 Act.

Mr McKinney: Are you minded to change that?

Ms Gallagher: That is not our focus at the minute, but we are clearly reflecting on all the feedback. We have heard clearly that public interest is wide and about how it sits against the rest of the —

Mr McKinney: Public interest is part of it, but our concern is clause 1 in its entirety, because it is not clear.

Ms Gallagher: We are very keen to take on board the Committee's views on how we could make that clearer. We will take on board any comments that you or any other stakeholders might have about the clarity of it. The Department has tried to stay with the definitions of medical purposes and social care purposes as set out in existing provisions so that we do not stray away from them. If we can, we will rephrase or recraft the clause so that the intention is absolutely clear. That is our direction of travel at the minute, but we are clearly very happy to take any comments on board.

Mr McKinney: I am conscious that we have all heard of these concerns and you have heard of them. I would be looking for another point to rest on, if you like, in how you define it so that we can further interrogate it, rather than reinterrogate the same issues.

The Chairperson (Ms Maeve McLaughlin): We have put this in writing to you as well, but we have not had any response back. We presented these issues as we saw them.

Mr McKinney: We are going round in circles here.

Ms Gallagher: It is absolutely not our intention to go round in circles. We have been very clear in the drafting of the Bill to consider the OLC's guidance and to look at the provision in England about the use of the terms "medical purposes" and "social care purposes" because they are grounded in the 2009 Act. The services that the Department has are set out in the provision. We believe that that is relatively clearly defined. The conjunctive nature of "public interest" was causing confusion about that.

I am not sure how much clearer we can be or what action that we could take at this point, albeit that we are happy to hear feedback about how we can further define medical purposes and social care purposes. This is an enabling Bill, and when we move into regulations and into the operation, the Committee will consider each set of circumstances and look at what other methods can be achieved. There will be a process to go through, so there is a provision that I think is sufficient for those two terms in the Bill.

The Chairperson (Ms Maeve McLaughlin): This is a bit like struggling in the dark. When are we likely to see your amendments?

Ms Gallagher: We are working with the OLC and others at the minute.

The Chairperson (Ms Maeve McLaughlin): Obviously, we are working through our process as well. Do you have any timescale for that?

Ms Gallagher: As I said, we are working through with stakeholders, such as the OLC and others, to try to understand the best approach on this. We are pretty well advanced in that work, but I do not want to put forward any suppositions today that have not been properly considered in the Department. I think we need to reflect again on the evidence given today.

However, our focus has been on the phrasing and crafting of the clause, particularly the use of the term "public interest", to try to make sure that it is clearly linked to the medical and social care purposes. We believe that medical purposes and social care purposes are clearly defined in the Bill at this point, but we are happy for the Committee to give us any pointers.

The Chairperson (Ms Maeve McLaughlin): With respect, we have done that and are awaiting the response. Given our scrutiny role, we find ourselves in the difficult position of not knowing what you are coming forward with or when we are likely to see it.

Ms Gallagher: As I said, for the purposes of the Department, the medical purposes and social care purposes are set out in the 2009 Act. That is where we are taking that from.

Ms McCorley: I am still looking at clause 1, and there is a bit of confusion about clause 1(1), which says:

We had views of our own, and the private advisory committee in the Law Centre felt that "and" might have been more appropriate. Maybe your intent was to use "or" instead of "and", so could you comment on that?

Ms Gallagher: We are certainly looking at that at the moment in the recrafting of the clause. We are considering the offerings thus far to see if they better align with the policy intent.

Ms McCorley: The Royal College of Psychiatrists recommended an amendment referring to the sharing of information and said:

You have not responded to that. We would like to hear your views on that.

Ms Gallagher: Sorry, what suggestion?

Ms McCorley: It is to do with sharing of information. The quote is:

The Chairperson (Ms Maeve McLaughlin): It is from the College of Psychiatrists.

Mr Matthews: In circumstances where there would be small numbers of people, a consent model would be required, as opposed to sharing their information without their consent in many cases. The application for the information would go through the scrutiny of whatever committee is established, and one of its determinations would be on what purpose the information is being used for, how it is being stored and obviously the consideration of any impact on the individuals. This legislation is still Human Rights Act-compliant as well as Data Protection Act-compliant. That committee will look at that through the Human Rights Act to make sure that there is no detriment. It would up to the requester to prove that that is the case.

Ms McCorley: Do you agree that that would be a suitable amendment?

Mr Matthews: Given that the Bill is enabling legislation, that level of detail would not be appropriate at the Bill stage. It may be considered in the detail of the regulations, but, given that it is human rights-compliant and data protection-compliant, that already exists and, therefore, that requirement is already in statute.

Therefore, it would replicate something that I think already exists, but we could certainly look at it in the regulations when we do the detail.

Ms McCorley: As it was raised by the Royal College of Psychiatrists, from its perspective, it is obviously a safeguard that it would like.

Mr Matthews: We will consider that in the overall drafting, but, at this point, the view is that it is probably more likely to come under regulations.

Ms Gallagher: As Chris said, the Data Protection Act covers the potential risk and harm in releasing information, so there is provision there. However, as far as recrafting or looking again at clause 1 is concerned, we are taking on board and reflecting on all feedback.

Mrs Cameron: The Data Protection Act requires all processing to be lawful. To process confidential information lawfully, you must have the consent of the data subject or have a statutory basis for doing so. For clarity, can the committee authorise the release of information when there is no statutory basis and the data subject has refused to consent?

Mr Matthews: The statutory basis is the legislation. That will provide the statutory basis on which the release of information can be permitted. The committee's role will be to scrutinise requests for access to that information and then recommend whether it can be shared, but it will be the data controller's decision. The committee will decide whether it is legally within the gift of the Bill to be able to share that information, but the data controller will have the ultimate decision.

The Chairperson (Ms Maeve McLaughlin): Can the committee authorise that?

Mr Matthews: The committee considers —

The Chairperson (Ms Maeve McLaughlin): It is just yes or no, I would have thought.

Mr Matthews: It is not just as straightforward as that. The committee can give you the authority to share the information, if you choose to do so as the data controller.

The Chairperson (Ms Maeve McLaughlin): I think that Pam was asking whether the committee can authorise the release of information if there is no statutory basis and the data subject has refused to consent. Can the committee authorise that?

Mr Matthews: No.

Mrs Cameron: Thank you for that clarity. Concern has been expressed about the open-ended definition of processing. Of particular concern was that it could include selling. How could that definition be tightened up in the Bill?

Mr Matthews: The processing of information goes back to our discussion on the definition of medical and social care purposes in clause 1. The committee will scrutinise the request to ensure that it meets those requirements. There has never been an intention that information could be sold. In fact, with the current process for anonymised information in the health and social care sector, information cannot be sold even if it is anonymised. It would have to be proven that it was for medical and social care purposes, and it would have to be for improving health and social care or — as we have talked about — in a related public interest. The selling of information will not be allowed through the Bill or the regulations. The regulations will probably make that clearer.

Ms Gallagher: I think that we followed the GB approach: an enabling Bill, with regulations setting out the provision in more detail. GB further extended the definition of processing. We will look at the GB regulations, the Data Protection Act and the terms of processing, and we will consider what is relevant and right for the legislation in Northern Ireland when we come to the regulation stage. We will consult on that. We will go through a process: it will go through the Health Committee and affirmative resolution. We were trying to pre-empt putting something in the Bill that we needed to tease out a little more and give the appropriate consideration.

The Chairperson (Ms Maeve McLaughlin): Is there a way that that definition could be tightened up in the Bill itself?

Ms Gallagher: Certainly, in the regulation, it will be clear what is —

The Chairperson (Ms Maeve McLaughlin): No, in the Bill.

Ms Gallagher: We can look at that, Chair. It is not the model followed in GB, and we have tried to follow that extensively. However, we could certainly look at what it says in the GB regulations and see whether it is feasible to put it in the Bill. We will take it away and look at it.

Mr Easton: Data protection is identified in clause 1(8) as the overarching protection. Clause 1(10)(c) mentions information derived "directly" and "indirectly". Does the Data Protection Act cover data derived directly and indirectly?

Ms Gallagher: Yes. That was the first single-word answer today.

Mr Easton: Keep it going. That is good.

Could the references in the Bill to "social well-being" be substituted for "social care"?

Ms Gallagher: We have listened carefully to the concerns about the use of "social well-being" and the breadth of that term. We are looking at that carefully to see whether we can ground it totally in the 2009 Act in terms of the enabling authority for the Department.

Mr Easton: It is not a no.

Ms Gallagher: It is not a no; it is more long-winded.

Mr Easton: OK.

A level 5 offence is low-level. Is that fitting for an issue of such importance?

Ms Gallagher: The level 5 offence should be seen in the context of its sitting alongside the sanctions from the Information Commissioner's Office. The sanctions that the Information Commissioner's Office can apply for a data breach are much more severe: up to £500,000 and even imprisonment if it is very serious. Those are the key sanctions, but we wanted to make some provision for that in the Bill as well.

Mr Matthews: In the Bill, it is a deterrent, whereas the ICO fine of £500,000 is significant. However, other legislation, such as the Fraud Act, the Bribery Act, the Regulation of Investigatory Powers Act and the Computer Misuse Act, can lead to two years in prison. Situations could arise in which someone who takes data and misuses it or does not protect it adequately could end up in prison for up to two years under the Computer Misuse Act.

Mr Easton: You could be hit in a number of ways.

Mr Matthews: Yes.

Mr G Robinson: Why does a Bill about facilitating the lawful secondary use of information include the possibility of:

Mr Matthews: The purpose of informing individuals is that the outcome of the work undertaken following the request for information can — in research, for example— lead to improvements in service provision. You would expect that the people who have that condition would then be able to avail themselves of those improvements in service. That is what that means. It does not mean that you look at an individual to decide on his or her care. You look at the issue, come up with an improvement, hopefully, and then all the people who suffer from that condition, whatever it is, benefit as a result of the research or work undertaken.

The Chairperson (Ms Maeve McLaughlin): Moving on to clause 2, I open up the floor to questions.

Mr McKinney: If it is the intention that all applications for access to identifiable information will be made to the proposed committee and that is supposed to be a stringent safeguard, why is that not in the Bill?

Ms Gallagher: We have heard that loud and clear through the feedback process. We are looking at that

Mr McKinney: I will test you on this again: does "looking at" mean that we will see movement on it?

Ms Gallagher: Absolutely. However, we have some further drafting considerations in the Department and with OLC colleagues. Clearly, we want to get it right for when we come back to the Committee. We are looking closely at it. It is our absolute intent that the committee will be set up. We hear that loud and clear.

Mr McKinney: Sufficiently so for it to be in the Bill?

Ms Gallagher: It is certainly something that would merit consideration for being in the Bill.

Mr McCarthy: Given that the Bill deals with patient information, what are your views on a statutory guarantee that the committee will include people who represent patients' interests?

Mr Matthews: It has always been the intention that the committee will be made up of a broad representation because, ultimately, it has a responsibility to ensure that the information is protected and shared. At this stage, our intention is that it will have a representative from clients, probably a legal representative, a medical representative and others.

Mr McCarthy: Is there a statutory guarantee that that will happen?

Mr Matthews: It is our intention.

Ms Gallagher: As part of the process for developing the regulations, we will consider the make-up of the committee and the best skills for it.

Mr McCarthy: Absolutely. In the Department's consultation document, the defined purpose of the committee, or "advisory group", as it was referred to then, was to protect the security and interests of the service user from the unauthorised use of personal data. The Bill states that the purpose of the committee lies in "the processing of confidential information" in "prescribed circumstances" and subject to "compliance with prescribed conditions". Has there been a shift in emphasis from protecting the interests and security of the service user to compliance with the legislation?

Mr Matthews: No, one is a subset of the other. The intention is that the committee will protect the information. In making sure that the information is protected when it is used, it will ensure that it is used lawfully and in line with the Bill and that the adequate protections are put in place: for example, IT security, data protection compliance, human rights compliance. The two go hand in hand. One is not a weakened version of the other.

Mr McCarthy: There has not been a shift. It is as it was.

Mr Matthews: It is.

The Chairperson (Ms Maeve McLaughlin): Kieran asked about a statutory guarantee, and you said that that was the intention: will that be in the regulations?

Mr Matthews: It is our intention that the regulations will —

Ms Gallagher: We do not know what will be in the regulations at this point. We will consult, draft the policy and come to the Health Committee to take its views. We will certainly look at it as part of the regulation process.

The Chairperson (Ms Maeve McLaughlin): Thank you for that.

We move on to clause 3.

Mr McCarthy: Your rationale for not making the code of practice a compliance code is that it would restrict consideration of that code only. That implies that a compliance code has to be a stand-alone document. Is that your view?

Mr Matthews: No, the code of practice provides advice and guidance to professionals on how to share and protect information, but that has to be considered in line with the detailed Data Protection Act and other legislation. It is a guide to help and assist. That is what it is seen as, and that is what the legal advice would be.

Mr McCarthy: Do you believe that a court or tribunal should have the option of taking into account a breach of the code in any proceedings?

Mr Matthews: There has already been a case where the court took into consideration a code and said that, whilst it did not have a statutory basis, it had a lot of weight. Therefore, it was considered in the evidence against the case being heard by the judge, and he put a lot of weight behind the fact that the code was there.

Mr McCarthy: That is fair enough.

The Chairperson (Ms Maeve McLaughlin): Do members have any questions on clauses 4, 5 and 6? I take it from the silence you do not.

Fearghal has one of a number of general questions.

Mr McKinney: My question springs out of evidence that we had, I think, last week, and it is about how robustly you have consulted, particularly the general public. Clearly, professionals have an interest in the Bill, but, when it became clear that only a small number of members of the public had contributed to the consultation, did the Department make any effort specifically to target the wider public?

Ms Gallagher: You will be aware from my opening remarks that we had 59 respondents. You are absolutely right in saying that most were organisationally based. However, quite a few were representative groups, and Chris and his team at the time engaged quite closely with them on a personal basis as well as through the formal consultation process. Maybe Chris will talk you through one or two examples.

Mr Matthews: I visited a number of key stakeholders and representative groups to discuss the Bill and the Department's three-year strategy for information governance. The purpose of the visits was to explain the Bill to them, give them clarity and encourage them to provide feedback. I offered to attend any forums that they had with their stakeholders and the clients whom they represent. The consultation period was also slightly extended: we made it 14 weeks instead of the standard 12.

Mr McKinney: We heard that, in England, some 700,000 people opted out of the process.

Mr Matthews: Is that figure from the care.data programme?

Mr McKinney: Yes. They opted out, and we reflected on that. The scale of opt-out potential reflects a general concern. Even though the figure was 700,000 of x million, it reflects general public concern. In light of that, have you considered the option of consulting more widely, up to and including advertising or whatever, to tell people directly what you propose and find out what their views are?

Mr Matthews: I recognise that care.data shows that 700,000 were affected, and, obviously, there was a bit of scaremongering around that at the time. From our perspective — I think that this point was made by one of the people who gave evidence last week — the intention is to have a robust handling strategy in the implementation. An opt-out provision exists at present, and the intention is to strengthen the existing provisions for making citizens and staff aware of the process and giving them information about opting out at that time in the process.

Mr McKinney: Sorry, is that at the earliest stage — the care record that you talked about earlier — or does it relate to specific secondary use?

Mr Matthews: Specific secondary use.

Mr McKay: How does that happen?

Ms Gallagher: Earlier, we talked about the provision in the Data Protection Act, and the Bill is fully compliant with that Act. We talked about the need for engagement with the public to raise awareness and make them clearly aware that they can opt out and that that provision is there. I think that some members said that even though the provision exists at the minute, there is not the level of awareness that is needed. That needs to happen as part of the implementation process: there has to be proactive engagement with health and social care professionals and with citizens so that they understand their right of opt-out should they wish to invoke it.

Mr Matthews: From a regulatory perspective and from the ICO's perspective, that is particularly important, given the need for fair processing. I think that Dr Macdonald mentioned that his consideration was the point at which we share the information, and he is looking for that to be fair. Unless we put the process before that in place, he will find that it is not fair, and the data controller will potentially be in breach of the Data Protection Act.

Mr McKinney: Are you listening to that point?

Mr Matthews: Yes, very clearly.

Mr McKinney: Will action follow on that point?

Mr Matthews: We have already taken action within the organisations to raise understanding of the issue of using and sharing people's information. That is part of what we have doing for the past few years.

Mr McKinney: This might be outside your remit because it is about a mechanical issue within the system: if people opt out, and a tick on a piece of paper does not get transferred to a computer to show that that data is active, will there be a system whereby their opt-out is guaranteed?

Mr Matthews: Yes, their opt-out has to be respected by the data controller. The data controller has a responsibility to honour someone's opt-out when that is what they have chosen. I think that one of the evidence-givers last week mentioned the system and talked about privacy impact assessments. There will not be an individual system because you would end up creating another system full of people's information. In the existing process, there is a range of systems, so opt-outs will have to be honoured at GP level, secondary care level or wherever that opt-out happens to take place. It will be the data controller's responsibility to respect that opt-out.

Mr McKinney: You have followed — I know that these are two different things — the legislation in England fairly closely, but it has failed at some level. You might say that it was not the legislation but the process. However, can we be guaranteed that, when we end up with this refined legislation and the process married alongside it, people's opt-out will be fundamentally honoured?

Mr Matthews: Yes. The system in England is fundamentally different. There, an IT system was created to suck information from secondary and primary care without considering the implications of people choosing to opt out. My understanding is that that system does not or did not have the functionality. This is a process, not a system, so it works completely differently.

Mr McKinney: Thanks for that.

In response to the concerns about the time that needs to be dedicated to processing information, you said that the process across the water strongly suggests that there is no significant impact on individual data controllers. What evidence have you seen that that is the case?

Ms Gallagher: Chris and his team worked very closely with colleagues in England — the committee that makes the decisions there.

Mr Matthews: There is a back room process that takes a lot of the responsibilities for the understanding of and questions about the process, so, when it comes to the committee, a lot of the issues have been considered. A lot of requests are very quickly weeded out of the system. People are told that this is not an option that would be considered and that they should go for anonymised or pseudonymised information, or get consent. The point that we always try to reinforce is that this is only a possibility of getting access to patient-identifiable information. The chances of getting access to it, given the processes that are already in place and given what we expect the stringent considerations by the committee to be, should be quite remote. When we look at the number of applications in GB over the past 12 or 13 years, we do not expect, pro rata, the number of applications here to be significant. In England, only 700 applications have been approved in that whole time.

Ms Gallagher: It is important to say that this happens at the moment, but there is no statutory authority for it. In some instances, data controllers release the information, but, as Chris quite rightly says, the funnel effect of consent, and then anonymised and pseudonymised information moving into this process, means that we expect very few applications to get that far and even fewer affirmative applications. We do not expect the floodgates to open.

Mr McKinney: You just want to make sure that there are locks on it.

Ms Gallagher: Yes.

Ms McCorley: Go raibh maith agat, a Cathaoirleach. Paragraph 3 of the explanatory and financial memorandum (EFM) includes the phrase:

We had a lot of commentary on that being a very loose statement to use when referring to a Bill that is supposed to provide a clear statutory framework to enable the use of identifiable information. What are your thoughts?

Ms Gallagher: We would probably accept that we need to look at that area. The phrase "public good" is quite broad. In working through any redrafting of the Bill and consulting with the Committee, we will look at the EFM to ensure that the language is as tight as it can be and absolutely reflects the policy intention.

Ms McCorley: Do you agree that that is a loose statement?

Ms Gallagher: It certainly needs to be looked at, yes.

The Chairperson (Ms Maeve McLaughlin): The policy objective in the EFM was to minimise the legal risk. We have discussed at length the fact that public interest is not defined at present, and it is not defined in the Bill. Therefore, the Bill will not mitigate the risk of legal challenge. It may minimise some of it because of the establishment of the committee. What is your assessment of by how much, in percentage terms, it will reduce risk or challenge?

Ms Gallagher: It is very difficult to say. You heard the evidence of Cancer Registry, which was that it operates in a very robust regime but could still be liable to legal challenge. For our purposes, the Bill and the underpinning regulations will set out very clear and robust mechanisms that are absolutely compliant with the Data Protection Act and the Human Rights Act. That means that, by the end of this process, a very clear and codified decision will have been made. While that cannot prevent a legal challenge, a successful legal challenge, I suggest, would be much less likely.

The Chairperson (Ms Maeve McLaughlin): We asked for clarification on how the Bill is compliant with the Human Rights Act, but we have not received that yet either. It has been suggested here that it is compliant. I am not suggesting that it is not, but, equally, we have not had any memorandum to give us a sense that it is compliant. A lot has been said today in asserting that it is compliant, but we have not received that information.

Mr Matthews: Prior to the Bill moving to the Executive, we get the Attorney General's agreement on it. One of the considerations at Attorney General level is whether it is compliant with the Human Rights Act. The Attorney General gave the Department the view that it was within the legislative framework and therefore compliant with the Human Rights Act.

The Chairperson (Ms Maeve McLaughlin): I suggest that that be shared with the Committee, as requested.

Ms Gallagher: My apologies, Chair. I advised the Committee of that in my opening remarks. If that was not clear, I apologise, but I said that, in May this year, we received assurance from the Attorney General on that. We can, of course, share that with you.

The Chairperson (Ms Maeve McLaughlin): By way of conclusion, there are a number of points. Thank you for your evidence today. I stress the need for us, as a Committee, to see the information. You put a lot of emphasis on the fact that this is enabling legislation. We need to get a sense from you directly of the amendments that are being considered or proposed. We are hearing today that the drafting of the Bill has created confusion. I want to raise one point so that we have clarity. I initially raised it in relation to the Fire and Rescue Service. You said:

Has that changed or does it still stand?

Mr Matthews: No, it has always been for health and social purposes.

The Chairperson (Ms Maeve McLaughlin): So that quote does not stand.

Mr Matthews: They can make an application, but it does not mean that they will get the committee approval needed to give them access to the identifiable information.

The Chairperson (Ms Maeve McLaughlin): I am sorry, but I do not understand what you are saying at all. Does that quote stand or not? It states clearly in black and white:

Does that no longer stand?

Ms Gallagher: My language was probably clumsy, to be honest. That is all I can comment on, because it absolutely is about medical and social care purposes. I want to be totally clear on that.

The Chairperson (Ms Maeve McLaughlin): That is clear.

Thank you for your time. You have heard from us and reflected on the evidence. We will reflect on what we have heard today. Thank you for that.

I have one last point before you leave. It relates to Fearghal's question earlier. You put great emphasis on education and awareness, particularly in relation to the opt-out, but clause 6 says:

Where does that leave the period for educating people about and raising awareness of the opt-out?

Mr Matthews: The Bill provides the enabling power to make the regulations. As the regulations are consulted on and taken forward, the engagement and open consultation on those will start to educate the public.

The Chairperson (Ms Maeve McLaughlin): OK. Thank you for your time today.