The Irish State loves a good database, as regular readers will know.
I was doing the washing up recently, listening to the video of a recent event in TCD’s Science Gallery, when I heard about the latest one.
A store of electronic health records for women and infants, starting in four maternity hospitals in the new year. This is a subsection of the wider eHealth project being run by the HSE, which also includes the Individual Health Identifier database system.
The Health Identifier Act 2014 provides the statutory basis for the creation of this database, which is intended to eventually take in everyone born or resident in Ireland, citizen or not. To build this (latest) national identity database, the Government has spared itself no power. The Minister for Health has been given the power to take information from every other database within the reach of any part of the Government. Section 8 of the Act reads:
A Minister of the Government may, solely for the purpose of establishing, or maintaining the accuracy of, the National Register of Individual Health Identifiers, provide the Minister with an individual’s other identifying particulars and the Minister may use any such particulars so provided for that purpose.
The Department of Social Welfare’s register of PPS numbers, the Department of Education’s Primary and Post Primary Online Database, the Department of Environment’s Local Property Tax… personal data from all of them now combined into a single database.
We know this has already happened because Richard Corbridge, the official charged with bringing in the eHealth project, has confirmed that the data transfer has already taken place and that the IHI database is populated with a full cohort of real citizens’ data.
All of which is to say that this is a plan with far-reaching consequences for the whole population, involving what most people would agree is the most sensitive of sensitive data.
All of which makes the impact of the recent judgment by the CJEU in the Bara case all the more significant.
The Irish Times has a report today arising from my questions on Twitter to Mr. Corbridge (which he admirably engaged with) on the new ruling forbidding the transfer of people’s personal data between state agencies without giving people prior notice of the intention to do so. I asked how Section 8, above, could be legal in the light of that judgment.
There were the usual reassurance statements made: the Dept of Health has legislation and, of course, the Data Protection Commissioner is happy.
Later, however, he confirmed that as a result of legal investigation the Department of Health is now ‘seeking advice’ on the impact of the Bara judgment before taking their next steps in the Health Identifier project.
Section 8 of the Health Identifiers Act is now profoundly challenged by the CJEU’s finding of what is acceptable manipulation of private data by States under the EU Charter. And, more broadly, I would question the focus on patient privacy of a project where the Privacy Impact Assessment is still only in draft form at a time when the database has already been fully compiled and filled with our personal data.
The recent example of the UK’s Care.data project should give pause to the Department of Health in treating the question of patient privacy and consent as an afterthought. There, a multi-million pound project simply came off the rails as it became clear the patients did not trust officials to respect the privacy of their medical history.
Dr. Ben Goldacre, writing in the Guardian, set out the stakes if patient trust is lost in dealing with their medical data.
This breaks my heart. I love big medical datasets, I work on them in my day job, and I can think of a hundred life-saving uses for better ones. But patients’ medical records contain secrets, and we owe them our highest protection.
Castlebridge has compiled the only independent Information Governance review of the Health Identifiers Act and the relevant HIQA standards. We started when the HIQA standards were in draft, with the 2nd edition looking at the impact of the final standards (which were significantly dented), and we have just published a 3rd edition that includes a section by section impact assessment of Bara and Schrems on the day to day operations of the health identifier system.
https://castlebridge.ie/product/reports/2015/implementing-health-identifiers-strategic-information-governance-perspective
This edition also references the EDPS Opinion on Ethics and looks at the use of Privacy Impact Assessments in the context of the Information Life Cycle (gives hints at when best to do them).