Official Report: Minutes of Evidence

The Chairperson (Mr McGuigan): I welcome from the Department of Health Dr Paul Rice, chief digital information officer; Mr Tom Simpson, director, Digital Health and Care; and Dr Frances Burns, lead, Trusted Research Environment, Health and Social Care (HSC) data institute. I will hand over to you for opening remarks, and we will then take questions.

Dr Paul Rice (Department of Health): I have a wee bit of a rasp, so I will take a glass of water as I kick off. I will not say a great deal, not just because my throat is sore but because the experts on the context of the legislation are in the room.

We are here to give the Committee an update on our efforts to close a gap that was discovered when we looked at the regulatory aspect of following through on the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016. We want to keep the conversation relatively tight, if the Committee is comfortable with that, because, fundamentally, the proposed Bill has a specific purpose that relates to secondary use of data. Today is a matter of courtesy to some extent — you have invited us to brief you — but, beyond that, we will have steps to take in the process as we go forward, and you will have the opportunity to talk to us again at any point.

That is all that I will say by way of framing. I will turn to Tom to cover the next level of detail. If there are questions that go into the depths of the detail, Frances, as the colleague with the greatest knowledge of the area, will answer them.

Mr Tom Simpson (Department of Health): Chair and members of the Committee, thanks very much for the opportunity to brief you today. As Paul said, we are here to explain, on behalf of the system, why an amendment to the 2016 Act is required to enable the previously agreed safeguard-based framework to operate lawfully.

I am the director of Digital Health and Care NI (DHCNI). I am joined by Frances, who has deep subject matter expertise on the development of the Control of Data Processing Act. She will assist with specific technical questions.

The purpose of the proposed amendment Bill is straightforward: to correct legal defects in the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 that were identified during the development of the regulations required to give effect to the Act.

I will briefly set out the intention of the 2016 Act. It was designed to create a statutory framework in which, in strict and limited circumstances, the common law duty of confidentiality can be set aside so that identifiable confidential Health and Social Care information can be used without consent for a secondary purpose — not for direct care provision — only where necessary for a health or social care purpose, in the public interest and where anonymisation or de-identification, for example, of privacy-protected information would not be sufficient. The Act also placed duties on the Department of Health to make regulations, establish the statutory committee, publish a statutory code of practice, establish a public opt-out mechanism and introduce fines and penalties for breaches of the legislation. Those steps have not yet been completed because of the defects that we are describing today.

The 2016 Act followed a full public consultation, and the proposed amendment that we are discussing today does not change that original intent. It is there simply to ensure that the framework can operate lawfully, protecting the rights of everyone for whom the HSC is a data controller.

I will turn now to the issue that was identified when drafting the regulations. As part of that drafting in 2024, the Departmental Solicitor's Office (DSO) identified that the core definition in the 2016 Act restricted scope to current, living patients in receipt of care.

Under that interpretation, the Act does not lawfully cover people who have received care in the past, deceased people, retrospective analysis and longitudinal or population-level datasets and pre-existing records that were created before the regulations came into force.

Additionally, it does not provide a definition of what being "in receipt of care" means, which, therefore, leaves that open to interpretation. That undermines the statutory intent because many of our public interest secondary uses rely on looking back over time, linking historic records and, in some cases, including deceased service users.

Further to that, there are technical and definitional issues, such as outdated terminology, such as the words "relevant person", which can obstruct regulation-making. The proposed 2026 amendment Bill would address that directly. It would address the key legal barrier by inserting a definition of "recipient of health or social care", meaning any individual who has ever received such care, whether alive or deceased. It would then replace the references to "relevant person" with that updated definition and make the minor consequential adjustments across the Act.

It is equally important to be clear about what the proposed Bill does not seek to do. It does not expand the fundamental powers. It does not seek to relax safeguards for information that is held. The 2016 framework remains one in which identifiable information can only be used for secondary purpose without individual, explicit consent in strict, limited, public interest circumstances and only where consent is impossible or impractical, where privacy protection cannot meet the need and with the approval of the statutory committee. It does not set aside the wider data protection and human rights obligations. Any processing must still comply with the Data Protection Act, UK GDPR and the Human Rights Act 1998.

Why does this matter, and what will happen next? Without the amendment, the Department remains unable to fully operationalise the mechanism that the 2016 Act intended, which includes finalising our regulations, establishing a statutory committee, issuing a statutory code, establishing a public opt-out mechanism and introducing fines and penalties for breach of the legislation. That continues to restrict HSC participation in such things as UK-wide audits, research, surveillance and service improvement programmes, which, most notably, are the development of our trusted research environments that would require lawful, identifiable data linkage.

If the Bill is passed, the Department's next step is to complete a further full public consultation on the regulations and to run a structured engagement and communications approach to support transparency and public trust.

That is the essence of the Bill. It is a targeted amendment to correct defects and allow the 2016 safeguards-based framework to be implemented as originally intended. We welcome any questions.

The Chairperson (Mr McGuigan): Thank you for that. That was very useful, as was your paper.

I have raised the secondary use of data a number of times with the Minister at Question Time, because it is continually raised with me when I engage with Cancer Research or the Cancer Registry in Belfast. I therefore welcome the Bill in principle.

Your briefing note states:

across the water, in Britain. A lot of my engagement with groups is about data and research across this island: what will be the Bill's impact for all-island data-driven research?

Mr Simpson: It will bring us in line with what we see across England and Wales, particularly under section 251 of the National Health Service Act 2006. I will ask Frances to talk a bit about the proposed European Health Data Space (EHDS) and other opportunities for all-Ireland work.

Dr Frances Burns (Northern Ireland Trusted Research Environment): Thanks, Tom.

In the Republic of Ireland, with the establishment of the European Health Data Space, participants whose information is held within health systems will be subject to protection under an opt-out mechanism. There will also be the development of secure data environments to allow the secondary use of their data. By putting in place a statutory body and an opt-out mechanism, the Bill will ensure that there is compatibility with the protections of information for people who reside on either side of the island. As Tom said, it will also bring us in line with the protections that people in England and Wales have under section 251 and those that citizens in Scotland have under the public benefit and privacy panel (PBPP) approval pathway.

The legislation in Scotland is complex, but the Bill will ensure that, across these islands, for collaboration particularly on cancer, for example, we will all have public opt-out mechanisms or systems in place whereby people can have knowledge about where their data is used and not used. One of the functions of the statutory committee will be to publish all its considerations, approvals and rejections. That will bring us in line with what is to be developed in the Republic and what exists in England, Wales and Scotland.

The Chairperson (Mr McGuigan): OK. Perfect. That is useful and welcome.

What consultation has the Department had, and what views did you receive during any consultation process?

Dr Burns: The full public consultation that happened in 2015, prior to the Bill, is well documented and still exists. We can share that information, if anybody wants to see it. In addition, with the development of the regulation, as well as the required public consultation, which is a formal process that we will adhere to, we are having a programme of socialisation and engagement with stakeholders, including patient groups, public groups, professional colleagues and people who work with us, around the use of data for research. We will put that in place. Part of that schedule will be shared with any individual who wishes to see it.

We hope to point people towards the public consultation. Typically, there can be something regulatory that is in the interest of many stakeholders and the first instance that they hear of it is through a public consultation. Through the HSC data institute, where we have resource around engagement, we will put together a programme to engage people in discussion and point them towards the public consultation, hopefully to bring all our stakeholders and publics with us. We aim to be completely transparent about this, because it is a significant piece of regulation for our publics, our patients and our stakeholders to be aware of.

The Chairperson (Mr McGuigan): Thank you.

Miss McAllister: My two questions are, like Philip's, on the secondary use of data and research. We will have more questions on the Bill when it reaches Committee Stage, but, since the Assembly has been back up and running, we have held, I think, two events in Stormont with health tech leaders from companies that drive research and innovation. The use of health data has come up with all of them. We know that it is important for curing diseases, doing new research and developing new medicines. Will the Bill help with access? You mentioned UK-wide and all-island collaboration: is that outside the collaboration that the Health Department or the health service has with universities? Will the Bill allow access for companies that are trying to drive innovation and research using data?

Dr Burns: I will answer that in two stages. First, the Bill pertains only to data for which Health and Social Care is the data controller. It is the only legislative protection in place for this. One of the primary things that the Bill will do is ensure that, when we bring identifiable information into the trusted research environment, we use the statutory committee to approve our bringing in that data in the first instance. Once it comes into our secure data environment — our trusted research environment — we can put it to multiple uses. One is by creating safe spaces to engage with academic partners on our HSC infrastructure but also to engage with industry in the longer term.

It provides a way in which we can adhere to the safe hierarchical use of data. In the first instance, when somebody can consent to their data being used for a clinical trial or to take part in a project for developing health devices, they can do that. Where they wish to use data, the primary use of that data will be in a privacy-protected way, de-identified and pseudonymised through our secure data environment. The third way — this way — is a very small number and examples of ways in which one would wish to use data when it is non-consented and identifiable. It would not really speak into that purpose but in the pillar of allowing a statutory committee to give approval to bring identifiable data into a secure environment, that will certainly be an underpinning to enable us to engage with industry and academia on a safer footing.

Miss McAllister: I am sure that we will have more questions once it reaches Committee Stage.

Mrs Dodds: Thank you for the presentation. I am always concerned about how we use and protect data. There are so many potential issues. We only have to listen to the news in Northern Ireland to hear how data can be misused, released mistakenly or whatever, so I look forward to seeing the legislation and having loads more questions about it.

Just to help me to understand, can you give me a concrete example of what exactly this will help with? Also, is the legislation necessary, and is it part of the recommendation that was made in relation to Northern Ireland's participation in the King's College research into hormone replacement therapy?

Dr Burns: I cannot answer the last question on hormone replacement therapy, so I would need to hand that over to one of my colleagues.

I will answer your first question in relation to the pillars. The legislation is already in place —

Mrs Dodds: Yes, I know.

Dr Burns: — so the requirement for it to be necessary is that it is already in place, and the Department is required to put the regulations in place. The amendment is necessary because the common law duty of confidentiality extends into death. The use of data longitudinally, as Tom pointed out, is where the benefit is. The amendment will enable us to do that. Primarily, it means that the protection of the statutory committee covers all that information. As the legislation sits, the statutory committee would be there to protect only the information of people who are currently participants in the health service from 2016 until now. The statutory committee in the amendment means that all of the information assets that we hold will fall under the subjection of the statutory committee and its protections. Therefore, anybody who has ever been a service user of the HSC — past, present, alive or deceased — will be covered by that statutory body. That is the requirement for it being in place.

I always give three examples of where people will apply to the committee. The first, as I exampled to your colleague, is bringing data into a trusted research environment. That is bringing identifiable information, in the first instance, into an environment where we then make it privacy protective for any further use. At each point, the honest broker service, for example, which is our trusted research environment, will make an application to the committee. Therefore, there will be transparency, and we will set aside the common law for that purpose. That is the first example.

The second example, which, I think, is what you were referring to in relation to cancer, is that, at the minute, we are not participating in a lot of UK-wide audits. Typically, those are for rare diseases, rare cancers or anomalies where there may be small numbers of population. When those audits are set up, typically in England, they set the criteria for our sharing information with them, and they usually ask for it in an identifiable format. At the minute, there is a reluctance to share that data in that way because somebody can bring a case against the usage of that data under the common law of confidentiality. In those examples, cancer specialists in particular can make an application to the committee, which will say, "Yes, we think it is in the public interest and in the health service's interest to allow that to happen". That is the second example.

The third example of applications is what I would call "two-stage consenting" to research. Where we have research projects — the Chief Medical Officer and Chief Scientific Adviser signed off on two in the past year — they are typically UK-wide research studies that want to target particular individuals and invite them to participate. They would ask for permission for the names and addresses of those individuals to be released in order for them to be contacted directly, to say, "Dear Dr Frances Burns, we understand that you may be interested in a research study pertaining to this. Would you like to take part in this study? Please consent. If we do not hear back from you or if you say no, we will not contact you again". That is called "two-stage consent". The committee will consider whether it is in people's best interests to enable them to be engaged with directly to take part in research using their identifiable information. That would be decided on a case-by-case basis.

Those are the three typical examples that might be seen with the confidentiality advisory group or the public benefits group in Scotland, and that is what we would expect to see with this committee. It will give transparency to organisations in HSC who wish to use identifiable information, such as the honest broker service, as there will be an independent statutory body to which they can apply to give them approval that will be transparent to them and to the public and that will ensure that the common law has been set aside and that they are operating with an HSC purpose and in the public interest.

Mrs Dodds: OK.

Dr Rice: In relation to your other question, I can see no logical correlation or link between those two things. This legislation addresses an anomaly that is a consequence of a gap in the 2016 legislation. As I see it, there is no direct correlation between that research study and the grounds on which this legislation will have a positive impact.

Mrs Dodds: OK. I will be interested to see the legislation. In your view, does it offer more protection?

Dr Rice: Totemically, that is its whole point and purpose. We currently rely on the common law duty of confidentiality, and, in reality, that does not fulfil the aspirations or expectations of what the Assembly wanted to do with that move in 2016.

Mrs Dodds: We want Northern Ireland to be part of UK, European and worldwide research. We have all the issues that mean that we can be a research hub. I am sure that there will be plenty more questions about it.

The Chairperson (Mr McGuigan): When should we expect to see the Bill introduced?

Dr Burns: We expect the Bill to be introduced in this legislative timetable. It will be submitted to the Executive in the next week or two.

The Chairperson (Mr McGuigan): OK. It depends on when it gets through the Executive. I will pass no comment on that.

Thank you very much for coming before the Committee. Hopefully, it will all go well and we will see you again shortly.