privacy impact assessment for individual health identifier · final version for publication page |...

FinalVersionforPublication P a g e |1

28January2016

A Privacy Impact Assessment for the Individual Health Identifier (IHI)

28January2016

TableofContents

1 PurposeoftheDocument..............................................................................................................4

2 PIAMethodologyandApproach....................................................................................................5

2.1 WhatisaPrivacyImpactAssessment?..................................................................................5

2.2 Stage1–ThresholdAssessment...........................................................................................8

2.3 Stage2–IdentificationofPrivacyRisks.................................................................................9

2.3.1 EvaluationofPrivacyRisks...........................................................................................10

2.4 Stage3–IdentificationofArrangementsandControlstoMitigateRisks...........................10

2.5 Stage4–DocumentationofthePrivacyImpactAssessment..............................................11

3 EstablishmentofaNationalRegisterofIndividualHealthIdentifiers.........................................12

3.1 Background..........................................................................................................................12

3.2 TheBenefitofImplementinganIndividualHealthIdentifier..............................................12

3.3 LegalBasisfortheestablishmentoftheIndividualHealthIdentifierRegister....................14

3.3.1 AssignmentofaUniqueIdentifier...............................................................................14

3.3.2 EstablishmentandMaintenanceofaNationalRegister..............................................15

3.3.3 UseandProvisionoftheIdentifyingInformation........................................................15

3.3.4 AccesstotheNationalRegisterofIndividualHealthIdentifiers..................................16

3.3.5 OffencesRelatingtoIndividualHealthIdentifiers.......................................................16

3.4 LegalBasisforUsingtheDepartmentofSocialProtectiondatabasetopopulatetheNationalRegister.............................................................................................................................17

3.4.1 DataHeldbytheDepartmentofSocialProtection.....................................................17

3.4.2 ProvisionundertheIndividualHealthIdentifiersAct..................................................17

3.4.3 ProvisionundertheSocialWelfareConsolidationAct................................................17

4 SpecificationfortheIndividualHealthIdentifierandtheNationalRegister...............................19

4.1 FormatoftheIndividualHealthIdentifier...........................................................................19

4.2 ContentoftheNationalRegister.........................................................................................20

4.3 CreationoftheIndividualHealthIdentifierRegister...........................................................21

4.3.1 ImplementationoftheIndividualHealthIdentifierRegister.......................................21

4.3.2 MaintenanceoftheNationalRegister.........................................................................24

4.3.3 BusinessOperationsUnit.............................................................................................24

4.3.4 AccesstotheNationalRegister...................................................................................25

28January2016

4.3.5 IHIProofofConceptRegister......................................................................................27

5 PrivacyIssuesassociatedwiththeIndividualHealthIdentifier...................................................29

5.1 HIQAInformationGovernanceandManagementStandardsfortheHealthIdentifiersOperatorinIreland..........................................................................................................................29

5.2 SummaryofPrivacyIssues,RiskScoresandMitigations.....................................................30

5.2.1 PrivacyIssuesassociatedwiththeestablishmentofaNationalRegisterofIndividualHealthIdentifiers.........................................................................................................................31

5.2.2 PrivacyIssuesassociatedwiththeongoingtransferofdatafortheupdateandmaintenanceoftheNationalRegisterofIndividualHealthIdentifiers.......................................32

5.2.3 PrivacyIssuesassociatedwithmanagementoftheregisterbyHSEPrimaryCareReimbursementService(HSEPCRS)............................................................................................33

5.2.4 PrivacyIssuesassociatedwiththeproposeddataset..................................................35

5.2.5 PrivacyIssuesassociatedwithprovisionofIndividualHealthIdentifierstoEpilepsyElectronicPatientRecord(EPR),selectedGPpracticesystems,aHospiceElectronicMedicalRecord(EMR)system)andschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme).........................................................................................................37

5.2.6 PrivacyIssuesassociatedwiththeongoinginclusionanduseoftheIndividualHealthIdentifierinEpilepsyElectronicPatientRecord(EPR),selectedGPpracticesystems,aHospiceElectronicMedicalRecord(EMR)systemandschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme)..................................................................40

5.2.7 IndividualHealthIdentifierPrivacyIssuesassociatedwiththefutureusesoftheIndividualHealthIdentifier..........................................................................................................42

5.3 GovernanceFramework......................................................................................................43

5.4 AssignmentofResponsibilityforPrivacyMitigationSafeguardsorControls......................43

5.5 MitigationImplementationResponsibilityandTimescales.................................................43

5.6 AppendixA–HIQAproposalsforInformationGovernanceandManagementStandardsfortheHealthIdentifiersOperatorinIreland.......................................................................................50

5.7 APPENDIXB:OrganisationsWeHaveConsultedtoDate....................................................52

28January2016

1 PURPOSE OF THE DOCUMENT ThepurposeofthisdocumentistoprovidethefindingsofthePrivacyImpactAssessmentfortheestablishmentofaNationalRegisterofIndividualHealthIdentifiersthathasbeenconductedbytheHealthServiceExecutiveinIreland.

TheNationalRegisterofIndividualHealthIdentifierswillholdanIndividualHealthIdentifierforeverypersonwhohasused,isusingormayuseahealthandsocialcareserviceinIreland.

ThePrivacyImpactAssessmentalsoconsiderstheprivacyimplicationsofaccesstoandadoptionoftheIndividualHealthIdentifierbythefirstsystemsthatwillaccesstheregisterandusetheIHI:

• EpilepsyElectronicPatientRecord(EPR)

• selectedGPpracticesystemsand

• aHospiceElectronicMedicalRecord(EMR)system

• schemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme)

EachfuturechangeintheuseoftheIndividualHealthIdentifier,adoptioninothersystemsoraccesstotheNationalRegisterbyotherbodieswillarenotwithinthescopeofthisPrivacyImpactAssessment.TheimpactofsuchchangeswillbereviewedagainstthisPrivacyImpactAssessmenttoensurethatanyadditionalprivacyissuesarisingareconsideredandadditionalsafeguardsputinplaceifrequired.

WewillmakesurethatasothersystemsstarttousetheIndividualHealthIdentifierandaccesstheIHIRegisterwewillcheckthattherearenonewprivacyimplicationsthatwehaven’tconsideredinthisdocumentandiftherearewewilladdtothePrivacyImpactAssessmentdocumenttocoverthemtoo.

28January2016

2 PIA METHODOLOGY AND APPROACH

2.1 WHAT IS A PRIVACY IMPACT ASSESSMENT?

Privacycanbedefinedastherightofanindividualtokeepinformationaboutthemselvesfrombeingdisclosed.Provisionofeffective,safehealthandsocialcarerequirespersonalhealthinformationtobeprocessedwhichcanpresentsignificantriskstoprivacywhichmustbeappropriatelymanaged.

Anindividual’srighttoprivacyisprotectedunderIrishlegislationbytheDataProtectionActs1988and2003

andwithinArticle8oftheEuropeanHumanRightsAct.

TheIrishlegislationoutlinestherightsofindividualsundereightkeyprinciplesofdataprotectionandtheresponsibilitiesofthosewhoholdandprocesspersonalinformation.CompliancewithdataprotectionlegislationisregulatedbytheDataProtectionCommissionerwhoisresponsibleforupholdingtherightsofindividualsassetoutintheDataProtectionActsandforenforcingtheobligationsonthoseholdingandprocessingpersonalinformation.

Theneedtoprotectandrespectpatients’andserviceusers’dignity,privacyandautonomyhasalsobeenreflectedinkeyhealthinformationstrategiessuchastheeHealthStrategyforIreland,2013andtheKnowledgeandInformationPlan,2015.

Promotionofpatientandserviceusers’privacyisembeddedwithintherolesandresponsibilitiesoftheHealthInformationandQualityAuthority(HiQA)1.InrespectoftheirroleinthisregardHiQAhavepublishedGuidanceonPrivacyImpactAssessmentinHealthandSocialCarewhichhasbeenfollowedinthedevelopmentofthisPrivacyImpactAssessment.TheprocessofconductingaPrivacyImpactAssessmenthasissummarisedinFigure1below.

APrivacyImpactAssessmentinvolvesevaluationoftheprivacyimplicationsofprojectsandassessmentoftheircompliancewithrelevantlegislation.Wherepotentialprivacyrisksareidentifieditshouldbepossible,inconsultationwithstakeholders,toidentifysafeguardsorcontrolstomitigateorreducetheseriskswithoutimpactingontheobjectivesorrealisationofthebenefitsoftheinitiative.Anappropriateseniormanagershouldbeidentifiedtobeaccountableandresponsiblefordeliveryoftheagreedsafeguardsorcontrols.

PrivacyImpactAssessmentsshouldbeusedwhereverpersonalinformationisprocessedbutareparticularlyimportantinthehealthandsocialcaresectorwheretheinformationisconsideredtobesensitiveinformation.CompletionofaPrivacyImpactAssessmentforaprojectsuchastheimplementationoftheIndividualHealthIdentifierensuresthatthattheproposedprocessesandproceduresforhandlingpersonalhealthinformationarereviewedtoensurethattheycomplywithlegislationandbestpractice.Further,stakeholderinvolvementinthePIAprocessincreasesawarenessamongprofessionalsandcreatesaculturewheremaintainingpersonalhealthinformationprivacyisapriority.

1MoredetailsaboutTheHealthInformationandQualityAuthoritycanbefoundathttp://www.hiqa.ie/

28January2016

AlthoughaPrivacyImpactAssessmentisnotalegalrequirement,itisaneffectivewaytodemonstratehowtheprocessingofpersonaldatacomplieswithdataprotectionlegislation.

PatientsandServiceUserscanbereassuredthattheHealthServiceExecutivehasfollowedbestpractice.ThePrivacyImpactAssessmentshouldensurethattheimplementationoftheIndividualHealthIdentifierislessprivacyintrusiveandthereforelesslikelytoaffecttheminanegativeway.Inaddition,publicconsultationonthefindingsofthePrivacyImpactAssessmentwillimprovetransparencyandshouldmakeiteasierforthepublictounderstandhowandwhytheirinformationisbeingused.

ByconductingaPrivacyImpactAssessmentontheimplementationoftheIndividualHealthIdentifier,theHealthServiceExecutivewillbeinformedofpotentialimpactsonindividualprivacyandactionsthatshouldbetakentomitigateanyimpact.Thisshouldinturnreducethelikelihoodoftheorganisationfailingtomeetitslegaldataprotectionobligations.Further,consistentuseofPrivacyImpactAssessmentsforallrelevantprojectswillincreasetheawarenessofprivacyanddataprotectionissueswithintheHealthServiceExecutiveandwillensurethatstaffinvolvedindesignconsiderprivacyissuesintheearlystagesofaproject.

28January2016

2.2 STAGE 1 – THRESHOLD ASSESSMENT

ThefirststageoftheprocessistheThresholdAssessment.ThisinvolvesidentificationofwhethertheimplementationoftheIndividualHealthIdentifierpresentsanypotentialprivacyissues.Thisrequiresresponsestoaseriesof11questionsinrelationtotheproject.AYESresponsetoanyoneofthesequestionsindicatestheneedforaPrivacyImpactAssessmenttobeconducted.

TheIndividualHealthIdentifierandassociateddatasetcanbeconsideredtobePersonalHealthInformation.Itconsistsofpersonaldemographicinformationthathasbeencollectedandusedforthepurposeofdeliveringhealthandsocialcare.However,itdoesnotincludeanySENSITIVEPersonalHealthInformationwhichrelatestothecondition,careandtreatmentofanindividual.

Doestheprojectinvolveanyofthefollowing?

• Thecollection,useordisclosureofpersonalhealthinformation?

YES:Itinvolvestheallocation,processinganddistributionofanIndividualHealthIdentifierandassociateddemographicdata

• AnewuseforpersonalInformationthatisalreadyheld?

YES:PersonaldemographicinformationfromtheDepartmentofSocialProtectionandthePCRSwillbeusedtocreateandmaintaintheNationalRegister.

• Thelinking,matchingcrossreferencingofpersonalhealthinformationalreadyheld?

YES:TheIHIRegisterwilllinkdatafromDSPwithdatafromthePCRSwhereappropriate

• Establishingoramendingaregisterordatabasecontainingpersonalhealthinformation?

YES:TheIHIRegisterwillbeestablishedusingdatacurrentlyheldbyPCRS.Thiswillonlyholddemographicinformationandwillnotincludesensitivehealthinformation.

• Thecollectionuseordisclosureofadditionalpersonalhealthinformationheldbyanexistingsystemorsourceofhealthinformation?

YES:PopulationoftheIndividualHealthIdentifiersintotheEpilepsyElectronicPatientRecord(EPR),selectedGPpracticesystems,aHospiceElectronicMedicalRecord(EMR)systemandschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme)willrequiredisclosureoftheirmasterpatientindex(personaldataonly,notsensitivepersonaldata)formatching.

• Sharingofpersonalhealthinformationbetweenorganisations?

YES:IndividualHealthIdentifiersandassociatedpersonalinformationwillbesharedacrossconsumersystemswithinotherorganisations

• Thecreationofanewortheadoptionofanexistingidentifierforserviceusers:for

YES:Theprojectwillcreateanewuniquepersonalidentifier(theIndividualHealth

28January2016

exampleusinganumberorbiometric? Identifier)forpatientandserviceusers

• ExchangingortransferringpersonalhealthInformationoutsidetherepublicofIreland?

NO:NotwithinthescopeofthisPIA,however,subjecttorelevantnationalauthority,futureusesoftheIHImayincludesharingwiththeUKforIrishpatientstreatedwithintheirjurisdictionandmaybesharedwithotherEUcountriesaspertheEUDirectiveontheapplicationofpatients'rightsincross-borderhealthcareDirective2011/24/EU,Article14.SuchuseswillbethesubjectofamendmenttothisPIA.

• Theuseofpersonaldataforresearchorstatisticswhetherde-identifiedornot?

NO:AlthoughtheHealthIdentifierActallowsfortheIndividualHealthIdentifiertobeusedforthedefinedsecondarypurposesincludingresearchandanalysisanyfutureuseoftheIndividualHealthIdentifierforsecondarypurposeswillbesubjectofanamendmenttothisPrivacyImpactAssessment.

• Anyothermeasurethatmayaffectprivacyorthatcouldraiseprivacyconcerns?

• Aneworchangedsystemofdatahandling;forexamplepoliciesorpracticesaroundaccess,security,disclosureorretentionofpersonalhealthinformation?

YES:ForExample-rulesrelatingtotheprovisionofinformationwhentracinganindividual’sIndividualHealthIdentifierontheNationalRegister

AsaresultoftheresponsestothesethresholdquestionstheneedforaPrivacyImpactAssessmentwasclearlyestablished.

ToensurethatallprivacyimplicationsandpossibleprivacyenhancementopportunitieswereconsideredduringthefollowingStages2and3ofthePrivacyImpactAssessmentwidespreadconsultationhasbeenconductedwithstakeholdersintheHealthServiceExecutive,VoluntaryHospitals,apatientrepresentativebody,theDepartmentofHealth,theDepartmentofSocialProtection,theOfficeoftheDataProtectionCommissionerandHiQA.AlistofthosethathavebeenconsultedhasbeenincludedasAppendixB.

2.3 STAGE 2 – IDENTIFICATION OF PRIVACY RISKS

Thesecondstageoftheprocessinvolvesidentifyingtheprivacyrisksbyexploringthescope,informationflowsandsecurityarrangementsoftheproject.ThisstageinvolvedestablishinghowtheinformationwillbeusedtocreatetheIHIRegister,howitwillbemaintainedthroughupdatesfromotherdatasources,thefunctionalitythatwillbeavailabletotheBusinessOperationsUnitandhow

28January2016

itwillinteractwiththe‘consumersystems’includedwithinthePrivacyImpactAssessment,EpilepsyElectronicPatientRecord,selectGPpracticesystems,aHospiceElectronicMedicalRecordandschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme)

AninitialcheckwasconductedtoensurethattheplannedimplementationcompliedwiththerelevantlegislationsuchastheHealthIdentifiersActandtheDataProtectionActs.

TheriskstotheprivacyofindividualshavealsobeenconsideredincludingthecorporateimpactsthatmightarisesuchasactionbytheDataProtectionCommissioner,reputationaldamageandlossofpublictrustweretheriskstomaterialise.TheseriskshavethenbeenscoredandcategorisedasHigh,MediumorLow.

2.3.1 Evaluation of Pr ivacy Risks

Eachprivacyriskwillbeevaluatedtoassesstheprobabilityoftheriskoccurring(likelihood)andtheconsequence(impact)ifitweretooccur.Thecorrespondingriskscorewillidentifywhethertheriskishigh,mediumorlowassetoutinthefollowingtable.

Likelihood

Impact Rare1

Unlikely2

Possible3

Likely4

Highly Likely5

Negligible - 1 1 2 3 4 5Minor - 2 2 4 6 8 10Moderate - 3 3 6 9 12 15Major - 4 4 8 12 16 20Critical - 5 5 10 15 20 25

LOW (1-7) MEDIUM (8-14) HIGH (15-25)

2.4 STAGE 3 – IDENTIFICATION OF ARRANGEMENTS AND CONTROLS TO MITIGATE

Stage3addressestheprivacyrisksidentifiedinStage2.Theaimofthisstageistoseeksafeguardswhichwilleliminatetheprivacyriskswhereverpossibleorreducethembyimplementingmeasuresthatproviderobustcontrolsinthehandlingofthepersonaldataandreducetherisktoprivacy.NotallprivacyriskscanbeeliminatedbutitisimportanttoensurethattheriskcanbereducedasfaraspossiblewhilestillachievingtheaimsandobjectivesoftheimplementationoftheIndividualHealthIdentifier.

Thisstagecreatesaseriesofactionsthatmustbeincorporatedwithintheprojectplan.Eachaction(whichmayaddressoneormoreoftheprivacyrisks)willbeassignedtoabusinessownerandwillbegivenatargetdeliverydate.

28January2016

Theseactionswillbeincorporatedintotheprojectdeliveryplanandimplementationmonitoredaspartoftheoverallmanagementoftheproject.

2.5 STAGE 4 – DOCUMENTATION OF THE PRIVACY IMPACT ASSESSMENT

Thefinalstage,Stage4,istheproductionofaPrivacyImpactAssessmentReportwhichdetailsthefindingsoftheassessment.ThereportmusthaveappropriatesignofffromwithintheHealthServicesExecutiveandwillbemadepublic.

28January2016

3 ESTABLISHMENT OF A NATIONAL REGISTER OF INDIVIDUAL

HEALTH IDENTIFIERS

3.1 BACKGROUND

TheeHealthStrategyforIrelandDecember2013identifiedtheprovisionofhealthidentifiersforindividualsandhealthserviceprovidersasakeyenablertothesuccessofthestrategy.

TheHealthIdentifiersAct,enactedinJuly2014,allowedforthe“establishmentandmaintenanceof”

• ANationalRegisterofIndividualHealthIdentifiers

• ANationalRegisterofHealthServiceProvidersIdentifiers

TheimplementationandoperationofHealthIdentifiersmustbeinlinewiththeprovisionsoftheActinaccordancewithcommencementorders,delegationordersandregulationstobemadebytheMinisterforHealth.TheMinisterforHealthsignedaninitialcommencementorderinSeptember2015fortheprovisionsintheactrelatingtotheassignmentoftheIndividualHealthIdentifier,theestablishmentoftheIHIRegisterandadelegationorderprovidingtheHSEwiththeauthorityforthesefunctions.

TheMinistermay,afterconsultationwiththeDataProtectionCommissioner,establishregulationsundertheAct.AllregulationsrelatingtotheprovisionsoftheActmustnotbemadeunlesstheMinisterissatisfiedtheyareinthepublicinterestwithdueregardtotheprivacyandtheeffectiveachievementofoneormorepurpose.

RegulationsmadeundertheActaretobelaidbeforeeachhouseoftheOireachtasassoonastheyaremade.Ifaresolutionannullingtheregulationsispassedbyeitherhousewithin21daystheregulationwillbeannulled.

ThisPIAisconcernedsolelywithIndividualHealthIdentifiers.APIAfortheNationalRegisterofHealthServiceProviderIdentifierswillfollowatalaterdate.

3.2 THE BENEFIT OF IMPLEMENTING AN INDIVIDUAL HEALTH IDENTIFIER

ThemainbenefitofhavinganIndividualHealthIdentifieristoensurepatientsafety.Beingabletouniquelyidentifyeachuserwillimprovepatientsafetybyreducingthenumberofadverseeventsthatmayhappen,suchasgivingthepatientthewrongmedicationorvaccinationoradmittingthewrongpersonforsurgery.TheIndividualHealthIdentifierhasthefollowingbenefits:

• PatientSafety

– Reducedlikelihoodofprovidingtreatmenttowrongpatient

– Enhancedabilitytoreliablyassociateallrecordsforthesamepatienttherebyprovidingamorecompletepictureavailabletoprofessionals

• Efficiency

28January2016

– Reducedeffortincollectingthesameinformationmultipletimes

– Obviatingtheneedforsomerepeateddiagnostics

– Enhancedabilitytoreliablyassociateallrecordsforthesamepatienttherebyprovidingamorecompleteprofileavailableforadministrationpurposes

• EnablingeHealthapplications

– Akeyenablerintheimplementationofelectronichealthrecords

– Akeyenablerinoverallinformationsharingrequiredacrossthehealthsystem

• Privacy

– Reducestheneedforidentifyinginformationtobeincludedwithelectronicpatientorserviceuserinformation

Thebenefitsforserviceusersare:

• Improvedaccuracyinidentifyingtheserviceuserandtheirmedicalrecordswillleadtosaferandbettercarebeingprovided.

• ServiceUser’srecordsindifferenthealthcareorganisationsmaybeaccuratelyassociatedwiththecorrectserviceuser

• Healthinformationcanbesharedsafelyandseamlesslybetweenpublicandprivatehealthserviceproviders,forexamplereferralletterssentfromapublichospitaltoaprivatesectorGP

• IndividualHealthIdentifiersenableelectronictransferofserviceuserhealthinformation,whichresultsinfastercare.

ThebenefitsforhealthcarepractitionersarethatIndividualHealthIdentifiers:

• Accuratelylinkserviceuserstotheirrecords

• Identifypatientsinallcommunicationswithotherhealthandsocialcareproviders

• Enablesafetransferofpatientrecordselectronically

• Enableelectronicreferrals,dischargesummariesandelectronicprescriptionstobesentwhichresultsinamoretimelyexchangeofinformation.

ThebenefitsforhealthcareprovidersarethatIndividualHealthIdentifiers

• Helptocreateandmaintainacompleterecordforeachpatient

• Enablepatientinformationtobesharedsafelywithinandacrossorganisationalboundaries

• Improveefficiencyinadministrativetasks

ThebenefitsforsocialcareprovidersarethatIndividualHealthIdentifiers

• Accuratelyandsafelyidentifypeoplewhousesocialcareservices

28January2016

• Helptocreateacompleterecordofaperson’scarebyinclusionofrecordsthatmayspandifferenthealthandsocialcareorganisations

• Facilitatesafeandefficientcoordinationofsocialcarewithhealthcare.

3.3 LEGAL BASIS FOR THE ESTABLISHMENT OF THE INDIVIDUAL HEALTH IDENTIFIER

REGISTER

ThelegislationtoallowthecreationoftheIndividualHealthIdentifierRegisterandthedatafieldstobecontainedthereinissetoutintheHealthIdentifiersAct2014:

TheelementsofHealthIdentifiersActthatrelatetotheuniquenumbersforapersonororganisationthatprovidesahealthservicearenotincludedwithinthisPrivacyImpactAssessment.

InrelationtotheuniquehealthidentifierthereforetheActprovidesthelegalbasisfor:

• Theassignmentofauniquenumbertoeveryindividualtowhomahealthserviceisbeing,hasbeen,ormaybeprovided.

• TheestablishmentandmaintenanceofaNationalRegisterofindividualhealthidentifiersandinformationrelatingtotheindividualstowhomthenumbersareassigned.

• ThebasisonwhichtheNationalRegistermaybeaccessedandthepersonaldatawithinitmaybeprocessed.

• ThedelegationofcertainfunctionsconferredontheMinisterofHealthtotheHealthServiceExecutive.

• AmendmenttootherActsrequiredasaconsequenceoftheHealthIdentifiersAct.

3.3.1 Assignment of a Unique Identif ier

TheActallowstheMinistertoassignanIndividualHealthIdentifierto:

• anylivingindividual,whetherornottheyareresidentinIreland,towhomahealthserviceisbeing,hasbeenormayhavebeenprovided

• anindividualwhohasdiedbeforetheActcomesintooperation.

28January2016

TheActrequiresthattheIndividualHealthIdentifiershouldnotcontainanypersonaldataforexampleitmustnotcontaintheindividualsdateofbirthandidentifiesthatpossessionofauniqueidentifierisnotofitselfanindicationofentitlementtohealthservices.

TheActalsomakesprovisionfortheIndividualHealthIdentifiertobemadeavailabletotheindividualorwherethepersonisdeceasedorlackscapacity,theirpersonalrepresentative,iftheMinisterwishestodoso.

3.3.2 Establ ishment and Maintenance of a National Register

TheActmakesprovisionforaNationalRegisterofIndividualHeathIdentifierstobeestablishedwhichwillholdtheIndividualHealthidentifierandotheridentifyingparticularswheretheyareknown.TheNationalRegistercancontinuetoholdinformationrelatingtodeceasedpersonsandcanannotatetheirrecordstoindicatethattheyaredeceasedandthedateoftheirdeath.

Theregistermustonlycontainthefollowingpersonaldata:

• surname

• forename

• dateofbirth

• placeofbirth

• sex

• allformersurnames

• mother‘ssurnameandallformersurnamesofhisorhermother(includingmotherssurnameatmother’sbirth)

• address

• nationality

• personalpublicservicenumber

• dateofdeathinthecaseofadeceasedindividual

• signature

• photograph

• andanyotherparticularsasdeterminedbytheMinistertoberelevanttoidentifyingtheindividual

3.3.3 Use and Provis ion of the Identify ing Information

TheActmakesprovisionsforthecollectionofhistoricaldatarelatingtoanindividualwithaUniqueHealthIdentifier.

TheActalsomakesprovisionfororganisationsthatareprovidingorhaveprovidedhealthservicestoanindividualtorequestthattheindividualorwhereappropriatetheirpersonalrepresentativeshouldprovideinformationtoallowthemtobeidentified.ThiswillbeprovidedtotheMinister

28January2016

within30daysandiftheserviceproviderfindsthemtobeinaccuratewillbecorrectedwithin30daystoallowcorrectionstobemade.

TheActenablesanyotherMinisteroftheGovernmenttoprovideidentifyinginformationtotheMinisterandenablesatARD-Chlaraitheoir(aregistrarofbirthsdeathsandmarriages)toprovideinformationrelatingtoanindividual’sbirthordeathinorderthattheministercanestablishormaintaintheaccuracyoftheNationalRegister

Therearealso,withintheAct,clearrestrictionsinrelationtohowconsumerssystems(inthefirstinstancethisreferstoEpilepsyElectronicPatientRecord(EPR),selectedGPpracticesystems,aHospiceElectronicMedicalRecord(EMR)system)andschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme)caninterfacewiththeNationalRegistertoobtainIndividualHealthIdentifiersforinclusionwithintheirsystems.Theconsumersystemswillprovideacopyoftheirlocalmasterpatientindex(MPI)totheNationalRegisterandwillbeprovidedwithanIndividualHealthIdentifierforallpatients.Atnostagewillacopyoftheregisterbeprovidedtoanythirdparty.IndividualHealthIdentifierdatawillonlybeprovidedbythesubmissionofknownindividualpatient\clientdetailsbyanauthorisedHealthserviceprovidertotheHSEfortheprovisionofanIndividualHealthIdentifierandtheotherIndividualHealthIdentifierdataasoutlinedinthelegislation.

3.3.4 Access to the National Register of Indiv idual Health Identif iers

TheActrequirestheMinistertoputarrangementsinplacefortheNationalRegistertobeaccessedbyrelevantpersonsforarangeofrelevantpurposesandtobeprotectedfrombeingaccessedinappropriately.

TheActalsomakesaseriesofprovisionsforhealthserviceproviderstorequestinformationfrompersonstheyareprovidingservicestothatwillenabletheirIndividualHealthIdentifiertoberecordedortracedforandtoberecordedintheindividual’srecordsandusedinappropriatecommunications.

3.3.5 Offences Relat ing to Indiv idual Health Identif iers

TheActmakesitanoffenceforanindividualtoprovidefalseinformationinordertobeassignedanIndividualHealthIdentifier.AnyonefoundguiltyofsuchanoffencewillbeliableonsummaryconvictiontoaclassBfineoronconvictionorindictmenttoafinenotexceeding€100,000.

TheActsetsoutthepurposesforwhichapersonmayaccesstheNationalRegisterorprocessanindividual’sIndividualHealthIdentifierandestablishesthatitisanoffencetoknowinglycontravenetheseprovisions.AnyonefoundguiltyofsuchanoffencewillbeliableonsummaryconvictiontoaclassBfineoronconvictionorindictmenttoafinenotexceeding€100,000.

ItisanoffenceforapersontoimpersonateanotherpersoninordertoaccesstheNationalRegister.AnyonefoundguiltyofsuchanoffencewillbeliableonsummaryconvictiontoaclassBfine.

28January2016

3.4 LEGAL BASIS FOR USING THE DEPARTMENT OF SOCIAL PROTECTION DATABASE

TO POPULATE THE NATIONAL REGISTER

3.4.1 Data Held by the Department of Socia l Protection

TheDepartmentofSocialProtectionissuesauniquePersonalPublicServicenumbertoassistindividualsinaccessingbenefitsandinformationfrompublicservicesagenciesinIrelandsuchasSocialWelfare,RevenuePublicHealthcareandEducation.

APersonalPublicServicenumberisissuedto:

• AnyoneborninIrelandsince1971

• AnyonewhohasworkedinIrelandsince1979

• AnyonereceivingaSocialWelfarepayment

• AnyoneparticipatingintheDrugsPaymentScheme.

ThePublicServiceIdentitydatabaseistheNationalRegisterofPersonalPublicServicenumbersandtheassociatedpersonalidentifyinginformation

ItisintendedthattheNationalRegisterofIndividualHealthIdentifierswillbecreatedandmaintainedbydatasuppliedfromthePublicServiceIdentityregister.

3.4.2 Provis ion under the Indiv idual Health Identif iers Act

Asreferredtoabove,theHealthIdentifiersAct(Part2Section8)makesspecificprovisionforanothergovernmentMinistertoprovideinformationrelatingtoindividualssolelyforthepurposeofestablishingormaintainingtheNationalRegister.TheActthereforemakesprovisionforindividuals’datatobeobtainedfromtheDepartmentofSocialProtectioninordertoestablishtheNationalRegister.

3.4.3 Provis ion under the Social Welfare Consol idation Act.

InorderfortheDepartmentofSocialProtectiontohavealegalbasistoprovidedatatotheNationalRegistertherealsoneedstobeprovisionsundertheSocialWelfareConsolidationAct2005.

28January2016

Section262(6)oftheSocialWelfareConsolidationAct,2005statesthat:

(6)(a)Whereaspecifiedbodyhasatransactionwithaperson,theMinistermaysharetheperson’spublicserviceidentitywiththespecifiedbodytotheextentnecessaryinrespectofthattransaction*forauthenticationbythespecifiedbodyoftheperson’spublicserviceidentity.

(b)Aspecifiedbodymayuseaperson’spublicserviceidentityinperformingitspublicfunctionsinsofarasthosefunctionsrelatetothepersonconcerned.

(*Insertedbys.32(a)(iii)SocialWelfare&PensionsAct2007).

Section262alsoprovidesthata“transaction”means—

(a)anapplication,

(b)aclaim,(c)acommunication,(d)apayment,or(e)asupplyofaservice,relatingtoapublicfunctionofaspecifiedbodywhichrelatestoanaturalperson.”.

TheseprovisionsintheSocialWelfareConsolidationAct2005allowtheDepartmentofSocialProtectiontoprovidedatarelatingtothepopulationofIreland(includingdeceasedpatients)totheHealthMinisterfortheestablishmentoftheNationalRegisterofIndividualHealthIdentifiers.

28January2016

4 SPECIFICATION FOR THE INDIVIDUAL HEALTH IDENTIFIER

AND THE NATIONAL REGISTER

4.1 FORMAT OF THE INDIVIDUAL HEALTH IDENTIFIER

TheIndividualHealthIdentifierwillbeauniquenumberusedforthepurposesofidentificationofindividualpatientsandserviceuserswithinhealthandsocialcareservicesandwillbebasedupontheNHS’sNationalPatientIdentifiermodel,adaptedforusewithintheIrishhealthenvironment.

KeycriteriausedtoselectthefinalstructureandcontentoftheIndividualHealthIdentifierwere:

• TheformatofthenumbermustsupportusabilityintheHealthsector

• Theproposednumberrangemustprovideamorethanadequatevolumeofnumbersforexistingandfuturepopulation

• ThedevelopmentcostrequiredforthecentralIndividualHealthIdentifiersystemmustbesignificantlylessthanalternativeoptions

• Thereshouldbepre-existingfunctionalityinmanyconsumersystemsforsupportofthenumberintheproposedformat,significantlyreducingthecostofanydevelopmentrequiredforconsumersystems

• Theprescribedstandardsmustbemet(HiQA,ASTMUHID-1995)

• Thenumberformatandstandardcanbesharedworld-wideinclusiveofNorthernIrelandinparticular.

• Thenumbermustbecompatiblewithdevicessuchasscanners,bar-codereadersandotherdevices.

AsaresultithasbeenexpectedthattheIndividualHealthIdentifierwillbecomprisedof3items;a7digitGS1standardprefix;a10digitcorenumber(thefinaldigitbeingamodulus11checkdigit);andafinalcheckingdigit.Atotalof18digits.

ItisproposedthattheGS1healthcarestandard,alreadyinusewithintheHSE,willformapre-fixtothecoreIndividualHealthIdentifier.TheformatofthecorenumberisthesameasthatusedfortheNHSNumberintheUKandmayuseoneofabankofnumbersreservedfortheRepublicOfIrelandwhichare800000000to859999999.

Asanexamplethenumberbelowshowstherelativecomponentsofitsconstruct;

5393-014 -999-999-999 -9 -7

[GS1GSRNPrefixnumberwithnocheck-digit]

[CoreIHInumberwith check-digit] [FinalGS1checkdigit]

28January2016

4.2 CONTENT OF THE NATIONAL REGISTER

TheDatasetitemstobeheldontheNationalRegisterweredefinedintheHealthIdentifierActas:

• surname

• forename

• dateofbirth

• placeofbirth

• sex

• allformersurnames

• mother‘ssurnameandallformersurnamesofhisorhermother(includingmotherssurnameatmother’sbirth)2

• address

• nationality

• personalpublicservicenumber

• dateofdeathinthecaseofadeceasedindividual

• signature

• photograph

• SAFElevelofregistration–thishasbeendefinedbytheMinisteras‘otherparticularsrequired’

• PersonalServiceCardNo.–thishasbeendefinedbytheMinisteras‘otherparticularsrequired’

SAFElevelofregistrationreferstotheStandardAuthenticationFrameworkEnvironmentdesignedtoassignalevelofcertaintytotheinformationheldaboutanindividual–e.g.informationaboutaclientisonlyassignedSAFELevel2afteraface-to-faceinterviewweretheclientisrequiredtoproducedocumentary,includingphotographic,evidenceofidentity.

TheIHIwillutilisetheSAFE*PublicServiceCardinfrastructureoperatedbytheDepartmentofSocialProtection.Inthisway,theIndividualHealthIdentifierwillleveragethesignificantinvestmenttodateandtheongoingworkbytheDepartmentofSocialProtection(DSP).ItisnotintendedtoreplicatetheDSPdatacollectionandverificationprocess,exceptforthesmallnumberofpatientswheretheDSPdoesnothaveinformationabouttheindividualsconcernedbecausetheywouldnotnormallybeissuedwithaPPSNe.g.touristsortemporaryresidents.Thisapproachwillensure

2InfactthedatathatwillbeheldontheIHIRegisterwillbemother’ssurnameatbirthonlyasthereisnoavailablesourceforothersurnamestobecollected.

28January2016

maximumleveragingofthepublicservicedataset(operatedbyDSP)whileenablingthehealthsectortooperateasectoralidentifier.Inmanyrespects,thehealthservicewilloperatefromacarboncopyofthepublicserviceidentitydatasetandthiswillsignificantlyreducethecostoftheinitiative

4.3 CREATION OF THE INDIVIDUAL HEALTH IDENTIFIER REGISTER

4.3.1 Implementation of the Indiv idual Health Identif ier Register

ThefollowingdiagramsetsoutthewayinwhichtheIHIRegisterwillbegeneratedandmaintained

Figure1–GenerationandMaintenanceoftheIHIRegister

1. IHIRegister:TheexistingHSEPCRSindexwillbedevelopedtobecometheNationalIHIRegisterandPCRSSchemeswillprovideupdatesasatrusteddatasourcebasedonbusinesslogicputinplace.

2. DepartmentofSocialProtectionPublicServiceIdentity:DSP-PSIwillbetreatedasatrusteddatasourceandwillfeeddataviaanappropriateinterfacewhichwillbeputinplace.

28January2016

3. ConsumerSystems:Consumersystems(includingPCRSschemesystems)willbeinterfacedtoaccessIHInumbersonaplannedandphasedbasisviaastandardisedinterfacewhichwillcontrolaccess.UpdatestoIHIrecorddatamaybefacilitatedwherepermittedbythebusinesslogicputinplace.

Note:Thelistofconsumersystemsinthediagramareforillustrativepurposesonly.Theactualroadmapforconnectivitywilldependonlegalcommencement,technicalandbusinessreadiness,andstrategicplanning.

Onceestablished,theIHIRegisterwillbeheldinanencryptedenvironment.

TheHSE’sPrimaryCareReimbursementServicesupportsthedeliveryofawiderangeofprimarycareservicestothegeneralpublic,throughover6,600primarycarecontractorsacrossarangeofcommunityhealthschemes.Theseservicesareprovidedtomorethan3.4millionpeopleintheircommunitybydoctors,pharmacists,dentistsandoptometrists.

ThePrimaryCareReimbursementServiceMasterPatientIndex(OHMPI)willbeleveragedtosupporttherequirementsoftheIndividualHealthIdentifier,utilisingexistinghardwareandsoftwareinfrastructureandwillbemodifiedandadoptedtobecometheNationalRegister.

ThePrimaryCareReimbursementServiceMasterPatientIndexonlyholdsrecordsforindividualsthatareinreceiptofpublicallyfundedprimarycareschemes.InorderfortheIndividualHealthIdentifierProjecttomeetitsobjectivesandrealisethepotentialbenefitsinfull,itisimperativethattheNationalRegistercontainsarecordforallindividualswhohavepreviouslyaccessedormayneedtoaccessahealthserviceinIreland,irrespectiveofwhethertheserviceisprovidedpublicallyorprivately.

TheDepartmentforSocialProtectionoperateadatabasewhichholdsPublicServiceIdentityrecordsforallmembersofthepopulationwhotransactwithpublicservicedepartmentsoragencies.AllindividualsareprovidedwithaPersonalPublicServiceNumberfortransactingwithpublicservicedepartments,whentheyareregisteredatbirthoruponimmigrationtoIreland.ThisdatabaseaggregatesinformationfromwithintheDepartmentofSocialProtectionandotherchannels,forexampletheGeneralRegistrationsOffice.

ThePublicServiceIdentitydatabaseisthemostcompleteregisterofthepopulationofIreland.

Utilising PSI data as the source of the IHI register leverages awell-managed, quality assured androbust registerprovidinga significant levelofassurance that there isaunique identifier, correctlyassigned, foreach individual. Inaddition,theDSParecurrentlyundertakingaregistrationprocessforPSIclientswhichwillprovideanevenhigherlevelofassuranceinrelationtotheidentitydataforindividualsonthePSIregisterandconsequentlyfortheIHIregister.

ThereforeitisproposedthattheDepartmentofSocialProtection’sPublicServiceIdentityrecordswillbecomethemainsourceforthecreationoftheIndividualHealthIdentifierregisterwithadditionaldataprovidedbyPCRSwhereavailable.

ThisissubjecttoaMemorandumofAgreementbetweentheDepartmentofSocialProtection,theDepartmentofHealthandtheHSE,whichoutlineshowinformationgovernanceandcompliancewillbeappliedbytheHSEfortheuseofPSIdatainthecontextoftheIndividualHealthIdentifier.

28January2016

AsecureinterfacebetweentheHSEandDSPwillbeimplementedinordertofacilitateon-goingrecordmaintenanceviatheprovisionofnewandupdatedPSIdetails.

ThePrimaryCareReimbursementServiceMasterPatientIndexalreadyholdsasignificantsubsetofthePublicServiceIdentitydatabaserecordsasthePersonalPublicServiceNumberisrequiredfortheprocessingofschemessuchastheMedicalCardandDrugPaymentRefundbothofwhicharepublicallyfunded.

PriortothematchingofDSPPSIandHSEPCRSrecords,abodyofworkwillbeundertakentoassessandremediateanylegacyororganicdatavariancesinthePCRSMasterPatientIndex.AppropriatecleansingwillbeundertakentoensurePSIrecordsarebeingcomparedagainstcleanandvaliddata,forthepurposesofcreatingtheIHIRecord.

TofacilitatecreationoftheIHIRecord,relevantPublicServiceIdentitydatafields(asauthorisedbytheHealthIdentifiersAct)willbeprovidedbytheDepartmentofSocialProtection.Arobustmatchingandrecordjoiningtriageprocess(asdevelopedandtestedduringtheIHIRegister’sDesignandDevelopmentstages)willresultinafinalIHIRecord.AnIndividualHealthIdentifierwillthenbegeneratedandassignedtoeachIHIRecord.

EachIndividualHealthIdentifiermustbegeneratedinamannertoensurethat:

• itisunique

• itisrandomlygenerated

• hasnoassociationtoanyattributebelongingtothepersonitisgeneratedfor

• itisnotgeneratedinanidentifiablesequencewithotherIHInumbers

• isappliedtoasingleindividual

• NoindividualhasmorethanoneIHI

• Itisneverrecycledorre-used

• Itiscomprisedofandformattedtothespecifiedparametersofcreation

ThePSIdatawillbematchedagainstexistingPrimaryCareReimbursementServiceMasterPatientIndexrecords.ForuniquelymatchedrecordsthePrimaryCareReimbursementServiceMasterPatientIndexwillbeupdatedwiththerelevantPSIdetailsandtherecordswillbeassignedIndividualHealthIdentifiers.AnyrecordscurrentlyheldbytheDepartmentofSocialProtectionthatdonotalreadyexistonthePrimaryCareReimbursementServiceMasterPatientIndexwillbeaddedtotheNationalIndividualHealthIdentifierRegisterandassignedIndividualHealthIdentifiers.

28January2016

Figure2-ExampleofcreatingtheSBRfrommultiplerecords3

ThematchingalgorithmusedtomatchrecordsfromthePublicServiceIdentitydatabaseandthePrimaryCareReimbursementServiceMasterPatientIndexwillbedesignedtomaximisethenumberofrecordsthatcanbecorrectlymatchedautomaticallybutminimisethenumberofrecordsthatrequiremanualinterventionbytheBusinessOperationsUnit.Thiswillensurethatthenumberoffalsepositivematches(recordsthatarematchedbutarenotforthesameperson)andfalsenegativematches(recordsthatareforthesamepersonbuthavenotbeenmatchedautomatically)arekepttoaminimum.

Developmentofthematchingandupdateruleswilltakeplaceduringthedesign.Anyrulesforupdateandmatchingwillbethoroughlytestedpriortofinalisation.

4.3.2 Maintenance of the National Register

Oncecreated,ongoingmaintenanceoftheNationalRegisterwilloccurthroughroutineupdates(ataminimumdailyfrequency)fromtheDepartmentofSocialProtection.Theupdateswillprovidedetailsofchangestoexistingrecordsandinsertionsofnewrecords:newrecordswillbeassignedanindividualHealthIdentifier.

4.3.3 Business Operations Unit

GiventhecurrentroleofthePrimaryCareReimbursementServiceinmanaginganexistingMasterPatientIndexfortheHSEwithmanyofthetechnicalandoperationalaspectsalreadyinplace,thePrimaryCareDirectoratehasbeenappointedbytheHSEtoestablishtheIHIBusinessServiceUnitthatwillberesponsiblefortheoperationoftheIndividualHealthIdentifierservice.

3takenfromHealthIT2presentation

28January2016

TheresponsibilitiesoftheBusinessOperationsUnitwillinclude:

• IHIRegisterDataManagementfromAutomatedFeeds–themanualactivitiesnecessarytoresolveanyissuesidentifiedthroughautomateddatamatchingprocesses

• IHIRegisterDataManagementfromServiceProviderRequests–themanualprocessestodealwithrequeststochangedataheldintheCentralIHIRegister

• ServiceProviderAccessManagement–themanualprocessestogrant/update/removeaccessforusersoftheCentralIHIRegister

• ServiceProviderRelationshipManagement–theprocessesrequiredtosuccessfullymanagetherelationshipbetweentheBusinessSupportTeamandServiceProviderstoensureallstakeholdersthattheyaresupported

• ComplianceManagement–theprocessestoensurethattheoperationoftheCentralIHIRegisterisincompliancewithalllegislativeandstandardsguidelines,andtoreportsuchcompliance

• CentralIHIRegisterSystemMaintenance–theprocessesthatsupporttheongoingtechnicalmaintenanceoftheCentralIHIRegister

• BusinessSupportTeamManagement–theprocessestoensurethesuccessfuloperationoftheBusinessSupportTeam

• PublicRequestsforInformation–theprocessestoprovidemembersofthepublicdetailsabouttheIHInumber,ifrequested

4.3.4 Access to the National Register

“InformationSecurity”fortheIHIRegisterisalargerconsiderationthanjustprotectionfromunauthorisedaccess,whichisjustoneareaofmajorconsideration.InformationSecuritycanbeviewedinthemainasensuringConfidentiality,Integrity,andAvailabilityofdata,howeverfortheIHIprojectitwillbeconsideredinallareasrelatingto:

• Securityatatechnicallevel

• Securityatapolicy/governancelevel

• Thepracticalimplicationsofimplementationwhichmustbebothappropriateandfeasible

AccesstotheIHIRegisterwillthereforebedrivenfromanumberoffocusareasofwhichsomewillbedrivenfrom:

• Businessdecisionsdeterminingwhatisrequiredfromasecurityperspective

• Technicaldecisionsdetermininghowsecurityisimplemented

AccesstotheIHIRegisterwillbedeterminedbasedontheextenttowhichinternalandexternalpartiesareviewedas“untrustednetworks”.The“level”ofaccessavailablewillbebaseduponthis,forexampledifferentmethodsofaccesscontrolmaybeappropriatefore.g.:

• PCRSinternalsystem

• Previouslyinterfacedsystem

• Brandnewconsumersystem

AtaminimumbothAuthorisationandAuthenticationwilltakeplace.

28January2016

AuthorisationcanbeconsideredasboththebusinessperspectiveintermsofhavinganassessmentframeworkandprocessinplaceaswellasthetechnicalimplementationsfacilitatingthatsuchasRoleBasedAccessControl(RBAC)andappropriateauditandtrackingtechnologies.

Authenticationcanbeconsideredastheprocessofensuringaccountabilityfordataaccess./management/handlingonceauthorisedandwilllargelybetechnologydrivenutilisingappropriatetechnologycontrols.

FordirectIHIAccess,theBusinessServiceTeamwill(ascontrolledthroughRBAC)beabletoperformfunctionssuchas:

• SearchorFinddataitems

• Traceactivityanddataitems

• Addnewdataitems

• Updateexistingdataitems

• Mergedataitems

• Un-MergeorSplitdataitems

ThesefeatureswillonlybeavailableorusedasdefinedinspecificUseCases(forexamplewhentheautomatedmatchingalgorithmcannot100%determinewhethertomergearecordornotandsothecaseisaddedtoaworklistfortheIHIBusinessServiceTeamtoreviewandresolve).

ThecontentsoftherecordsvisibletotheIHIBusinessServiceTeamwillbelimitedtothedemographicsasspecifiedintheHealthIdentifiersAct,andtherewillbenopossibilityofaccesstoclinicalorotherassociatedinformation(asitwillnotbeheldintheIHIRegister).

Consumersystemswillbesimilarlyrestrictedinhowthey“access”datawithintheIHIRegister,andinreality,willnothavedirectaccess,butwillbereturnedcontrolleddataviaastandardisedinterfacewhichwillsitbetweentheconsumersystemandIHIRegister.Requestsfordatabasedonalimitedsetoffunctionalityfordifferentusecases(forexampleTraceIHIforanewpatient)willbeprocessedbytheinterfaceandresponsesreturnedasappropriate.Forexampleifforsomereasonarecordhasbeenmarkedas“sensitive”foranyreasonintheIHIRegister,aconsumersystemrequestingthatrecordmaynotbeabletoretrievethedemographicdetailsandmayinsteadberespondedtowithanappropriateinformationmessagehighlightingthattherecordcannotbereturned.

Thesecontrolswillensure“accessabuse”isrobustlymanaged.Additionally,aswellasperforminga“controlledmessagebroker”role,thestandardisedconsumersysteminterfaceandIHIRegisterwillfullytrackconsumersystemaccessactivity,withalertsorloggingtakingplacesasappropriate.

Connectiontothisstandardisedinterfacewillonlybepermittedoncetheconsumersystemshasfullycompletedallnecessaryactivities(e.g.implementationofrequiredtechnicalchanges,signingofnecessarydocumentation)andhasbeenverifiedbytheBusinessServiceteamasreadytoconnect.

Section4.2aboveliststhedataitemsthatwillbeincludedontheNationalRegister.Althoughthesedataitemscanbeusedforsearchpurposesalltheitemsmaynotbereturnedtotheuserortoconsumersystems.

28January2016

Inadditiontothestandardisedinterfacebeingdesignedground-up,anyexistingorlegacysysteminterfacesalreadyconnectedtotheMasterPatientIndexwillbeidentified,assessed,andmodifiedasrequiredtoensurecompliancewithIHIInformationSecuritybeforebeingpermittedtoreadanydatacontainedwithintheRegister.ThiswillensurethatconsistentBusinessLogicforaccesscontrolisappliedacrossallchannels.

InlinewiththisrequirementexistinginterfacesbetweenthePCRSregisterforPCRSschemescanonlycontinuetoaccesstheIHIregisterwhenthesamecontrolsareinplace.

Anassessmentoftheagreedstandardisedinterfacefunctionalityandcontrolstogetherwiththebusinesscomplianceprocesswillbeundertakenbeforeimplementationoftheconsumersysteminterface.

FollowingthecreationoftheNationalRegister,accesstoanduseoftheIndividualHealthIdentifierwillbeintegratedwithinatargetedsetofexternalconsumersystems(EpilepsyElectronicPatientRecord(EPR),selectedGPpracticesystems,aHospiceElectronicMedicalRecord(EMR)systemandschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme)),withtherequisiteinterfacesandprocessesalsoputinplacetomaintaintheseinterfacesgoingforward.

Typically,duetobirthregistrationprocessing,newbornbabiesarenotassignedwithaPersonalPublicServiceNumberandassociatedPublicServiceIdentitydatasetuntiltheyareapproximately28daysold.ToensurethatanIndividualHealthIdentifiercanbeavailabletobabiesatbirth.TheIHIwillbeallocatedtobabiesviaaseparateprocessbasedonthebirthnotificationsysteminhospitalswhichwillthenbereconciledwiththeirPublicServiceIdentityrecordonceitisavailable.

Thesystemsandprocessestomaintainthisforthecurrentandfuturepopulationwillalsobeputinplace.

FunctionalitytoprovidenewbornbabieswithanIndividualHealthIdentifieratbirthanduseofthenumberwithinadditionalconsumersystemswillbeaddedasacapabilityinthefuture.TheprivacyimplicationsofallsuchfurtherexpansionsofthefunctionalityanduseassociatedwiththeIndividualHealthIdentifierwillbeconsideredwithinseparatePIAsasappropriate.

4.3.5 IHI Proof of Concept Register

TheexpectedleadtimeforthedevelopmentandsubsequentintegrationoftheIHIRegisterwithconsumersystemsdrovetheneedtogeneratepracticallearningsearlysothatlessonsandunderstandingcouldbederivedandsubsequentlyappliedtothedevelopmentoftheIHIRegister.

Tothisend,anIHIProofofConcept(IHI-POC)RegisterwascreatedtofacilitatedirectpracticalexperienceandinsightinpreparingdataandproducingIHInumbers,forboththedevelopmentteamandbusinessserviceteammembers.TheoutputofthisactivitywilldirectlyfeedintotheIHIRegisterprojectdesignanddevelopmentactivities.

TheIHIProofofConceptRegisterwasintroducedafterworkonthePrivacyImpactAssessmentwasalreadynearingcompletionandasaresultthedevelopmentteamwereabletoimplementappropriateprivacycontrolsasrecommendedfortheIHIregister.

28January2016

TheIHIProofofConceptRegisterwork-streamutilisedadedicatedSQL-baseddatabasefromwhichdatawasstoredandanalysed.Thisdatabaseisencryptedandhasstrictaccesscontrolsattached,withformalauthorisationrequiredforanyprojectresourcesrequiringaccessforanalysispurposes.Inaddition,fullauditingofaccesseswasimplemented.AnauditofaccessestotheIHIProofofConceptregisterwasrecentlycompletedtotesttheauditprocessandtoestablishthatnounauthorisedaccesseshavebeenmadetotheIHIProofofConceptRegister.

ThefirstphaseoftheIHI-POCwastocreatethedatabaseandloadthedata.Algorithmswereproducedfordataimport,cleansingandreporting;IHIgenerationandallocation

DatacleansingactionsenabledassessmentofpotentialscenariostobeconsideredfortheIHIRegister.

FurthervalidationchecksweremadebyaccessingPSIrecords.

PSIrecordswerematchedagainstHSErecords,onthebasisthatthefinalIHIRegisterwillbeutilisingPSIasaprimarytrustedsource.

Theapproachtodatavalidationbroadlytookthefollowingsteps:

• TheexistingencryptedIHI-POCSQLdatabasewasusedasthesourceofdatatobematchedagainstthePSIrecords

• AbespokeJavamodulewithappropriatesecuritypermissionswasdevelopedto:

o ReadandretrievePCRSandPSIdatarespectively

o ParseandperformanumberofmatchingscenarioswhichwouldresultinasetofvalidatedIHI-POCrecords

• TheSingleCustomerViewXMLAPIwasusedasthesecurechannelfordataretrievalbytheJavamodule

• TheJavamodulewashostedwithinthesameHSEenvironmentastheIHI-POCRegisterandaccessedtheIHI-POCRegisterusingasecurecertificateandauthenticationprocess

• Theprocesswassplitintotwodistinctphases:

o Retrieveandstoreallnecessaryinformation

o Usetheretrieveddatatoperformvalidation/analysis/reportingasrequired

SubsequentanalysisoftheparseddatahasinformedappropriatematchingrulesfortheIHIRegisterOHMPImatchingengineintheIHIRegisterdevelopment.

ThedataretrievedwasrestrictedtothatspecifiedintheHealthIdentifiersActandwasusedsolelyforthepurposesofdevelopingtheIHIRegisterdatamodelandprocessingrulesandhasneverbeenaccessedorusedbyanyconsumersystem.

TheIHIProofofConceptdatabaseandassociateddatawillbesecurelydisposedofassoonastheprojectnolongerrequirestheseentitiesforanalysis.

28January2016

5 PRIVACY ISSUES ASSOCIATED WITH THE INDIVIDUAL HEALTH

IDENTIFIER ThissectiondescribestheprivacyissuesassociatedwiththeestablishmentofanIndividualHeathIdentifierandNationalRegisterandproposescontrolsandmitigationactionsforthosethatposeaprivacyrisk.

ItshouldbenotedthatsomeaspectsoftheimplementationoftheNationalRegistermaypresentaprivacyprotectionorenhancingopportunity,notallissuesleadtoanegativeprivacyrisk.

5.1 HIQA INFORMATION GOVERNANCE AND MANAGEMENT STANDARDS FOR THE

HEALTH IDENTIFIERS OPERATOR IN IRELAND

InAugust2015,TheHealthInformationandQualityAuthority,HIQA,followingonfromapublicconsultation,publishedInformationGovernanceandManagementStandardsfortheHealthIdentifiersOperatorinIreland.ThesestandardsrelatetoarangeofinformationgovernanceandmanagementstandardstobeimplementedbytheBusinessOperationUnit(s)withintheHealthServiceExecutivethatwillberesponsibleforestablishingandmaintainingtheNationalRegisterofIndividualHealthIdentifiersandtheNationalRegisterofHealthServiceProvidersIdentifiers.HiQArefertotheseBusinessOperationUnitsastheHealthIdentifiersOperator.

ImplementingthesestandardswillpromotetrustamongserviceusersandhealthserviceprovidersthattheNationalRegistershavebeenestablishedinaccordancewiththelawandinlinewithbestpractice.Inturn,thiscreatesconfidencethathealthserviceproviderscanbeuniquelyidentifiedandcanuniquelyidentifytheserviceuserstowhomtheyareprovidingservices,whichultimatelyleadstoimprovementsinpatientsafety.

TheHiQAInformationGovernanceandManagementStandardsfortheHealthIdentifiersOperatorinIrelandstandards,whichwillbereferredtointhisdocumentattheHiQAstandards,aresummarisedinAppendixA.

DetailsoftheHiQAstandardsandtheconsultationprocesscanbefoundathttp://www.hiqa.ie/publications/information-governance-and-management-standards-health-identifiers-operator-ireland

TheseHiQAstandardsprovideasetofgovernancecontrolsthatwillhelptomitigatemanyoftheprivacyissuesthathavebeenidentifiedandarelistedassuchinthefollowingtables.

28January2016

5.2 SUMMARY OF PRIVACY ISSUES, R ISK SCORES AND MITIGATIONS

ThissectionsetsouttheprivacyissuesassociatedwiththeimplementationofanIndividualHealthIdentifieraswellastheproposedmitigatingsafeguardsorcontrolsthathavebeenidentified.

ItshouldberecognisedthattherearealsoprivacyadvantagesassociatedwiththeimplementationofanIndividualHealthIdentifierthatshouldnotbeoverlooked.Forexample,sharingpatientinformation,whichalreadyhappens,willbecomemorereliablethroughtheuseofanIndividualHealthIdentifier,therightrecordbeingsharedfortherightpatient.Itmayalsobepossibletoreducetheamountofidentitydataneededwithinelectroniccommunicationswhichwillimproveprivacy.

HiQAstandardsmitigationsandcontrols,whereapplicable,arereferredtobytheirHiQAreferencenumbersandappearfirstinthefollowingtables.ToremainconsistentwiththeterminologyadoptedbyHIQAstandards,theIHIBusinessOperationsUnitisreferredtoastheHealthIdentifiersOperator.

28January2016

5.2.1 Privacy Issues associated with the establ ishment of a National Register of Indiv idual Health Identif iers

PrivacyIssue Probab

Impact Risk

Proposedmitigation:safeguardsorcontrols Prob’y Impact Risk

Informationaboutyouthat

isheldontheIHIRegister

maybeaccessedillegally

(e.g.foridentitytheft,sold

orotherwisemisusedby

commercialorganisations)

4 5 20 HIQA2.4-TheHealthIdentifiersOperatorhasformalisedarrangementswithhealthservice

providersfortheeffectiveuseoftheNationalRegistersinlinewithrelevantlegislationand

standards.

HIQA2.5-TheHealthIdentifiersOperatorhasformalisedarrangementswithtrustedsources

thatprotectpersonalinformationanddefinewhichdatacanbesharedforthepurposeof

establishingandmaintainingtheNationalRegisters.

HIQA4.1.TheHealthIdentifiersOperatordeliversregularevidence-basedtraining

programmesforitsownworkforceinrelationtoestablishing,maintainingandusingthe

NationalRegisters.

TheHealthIdentifiersOperatorhassafeandeffectiverecruitmentpracticesinplace.

TheHealthIdentifiersOperatorlogsalldataaccessestotheIHI,traceabletoanaccountable

individual’saccount.

TheHeathIdentifiersOperatorroutinelyandrandomlyauditsaccessbyitsstafftotheIHI

registertoensureaccesswasforbusinesspurposesonly.

TheHealthIdentifiersOperatorseekstoprosecutethose(bothinternalstaffandexternal

organisations)thatknowinglyaccessorprocesstheIndividualHealthIdentifierdata

inappropriatelyasprovidedforwithintheprovisionsoftheAct.

TheHealthIdentifiersOperatorincorporateslessonslearnedfromtheexperienceof

managingnationaldemographicsystemsintotheestablishmentofitsproceduresand

processes.

TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundtheIHI

28January2016

PrivacyIssue Probab

Impact Risk

registerwillminimisetheriskofunlawfulaccessandhacking

TheIHIRegisterisonlyheldonserversphysicallylocatedwithinIreland.

Thetransferofdatafrom

trusteddatasources

(includingtheDSP)tothe

IHItoestablishtheIHI

registerresultsinpersonal

informationbeingaccessed

illegally(e.g.identitytheft,

soldorotherwisemisused

bycommercial

organisations)

4 4 16 TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsestablishedforthe

transferofdatabetweentrusteddatasourcesandtheIHIregisterwillminimisetheriskof

unlawfulaccess,datalossandhacking.

5.2.2 Privacy Issues associated with the ongoing transfer of data for the update and maintenance of the National Register of Indiv idual Health Identif iers

PrivacyIssue Prob’y Impact Risk

Transferofdatafrom

trustedsources(including

theDSP)totheIHIto

4 4 16 TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundthe

ongoingtransferofdatabetweentrustedsourcesystemsandtheIHIregisterwillminimise

theriskofunlawfulaccess,datalossandhacking

28January2016

maintaintheIHIregister

resultsinpersonal

bycommercial

organisations))

5.2.3 Privacy Issues associated with management of the register by HSE Pr imary Care Reimbursement Service (HSE PCRS)

TheappointmentoftheHSEPrimaryCareReimbursementServiceastheHealthidentifiersoperatorfortheNationalRegisterprovidespositiveprivacyimpacts:theHSEisa

statutoryauthoritywithlimitsonwhatitcandodefinedinlegislation.Inaddition,theHSEPrimaryCareReimbursementServiceareanestablishedorganisationwithinthe

HSE;theyareexperiencedinhandlingpersonalhealthinformation;theyhaveagoodsecurityrecordandrobustincidentmanagementprocesses.

Proposedmitigationsafeguardsorcontrols Prob’y Impact Risk

Thepubliclosetrustinhow

theIHIbusinessservice

operates,howtheIHI

registerisusedand

managedbecauseofalack

4 4 16 HIQA1.1-TheHealthIdentifiersOperatorconductsprivacyimpactassessmentsatcritical

pointsduringtheestablishmentandoperationoftheNationalRegisters.

AllHIQAstandardsinTheme2:Leadership,governanceandmanagement

HIQA3.1-TheHealthIdentifiersOperatormaintainsandreviewstheprivacyofhealth

identifierrecordscontainedintheNationalRegisters.

28January2016

ofindependentscrutiny.HiQAdevelopauditproceduresandconductauditsinlinewiththeInformationand

GovernanceStandardsfortheoperationoftheHealthIdentifierRegisters.

TheDataProtectionCommissioner,theControllerandAuditorGeneralandHSEinternal

auditfunctionprovideoversightoftheHealthIdentifierOperator.

PoordataqualityontheIHI

Registerleadstoduplicate

numbers/twoormoreIHI

recordsbecomingmixed

4 4 16 HIQA3.2-TheHealthIdentifiersOperatormaintainsandreviewsthequalityofdata

containedintheNationalRegisters.

DataQualitychecksareundertakenintheconstructionandmaintenanceoftheIndividual

HealthIdentifierRegister.

Lackofappropriate

governancecontrolswithin

theIHIBusinessService

Teamleadstoaccidentalor

deliberatebreachorlossof

5 5 25 AllHIQAstandardsinTheme2:Leadership,governanceandmanagement 2 3 6

TheHealthidentifiersoperatorhassafeandeffectiverecruitmentpracticesinplace.

TheHealthidentifiersoperatorseekstoprosecutethose(bothinternalstaffandexternal

organisations)thatknowinglyaccessorprocesstheIndividualHealthIdentifierdata

inappropriatelyasprovidedforwithintheprovisionsoftheAct.

TheHealthIdentifiersOperatorincorporateslessonslearnedfromtheexperienceof

managingnationaldemographicsystemsintotheestablishmentofitsproceduresand

processes.

TheHealthIdentifiersOperatorisrequiredtocomplywiththeHSEIGpoliciesand

procedures.

28January2016

5.2.4 Privacy Issues associated with the proposed dataset

TheIndividualHealthIdentifierdatasetdoesnotincludeanysensitivehealthinformationwhichshouldbeseenasapositiveprivacyimpact.

Theformatorallocationof

theIHIdisclosespersonal

informationaboutyou.

2 3 6 TechnicalSpecificationfortheallocationofanIndividualHealthIdentifierincludes

requirementsthat:

• EachIndividualHealthIdentifiermustbeunique

• IndividualHealthIdentifiersmustberandomlygeneratedwithnoassociationtothe

personitisgeneratedfor.

• IndividualHealthIdentifiersmustnotbegeneratedinanidentifiablesequence.

InclusionofthePersonal

PublicServiceNumber

(PPSN)intheIHIRegister

resultsininappropriate

disclosureofinformation

aboutyouheldbythe

DepartmentofSocial

Protection(DSP)

3 4 12 StandardOperatingProceduresincluderestrictionsontheuseandavailabilityofthe

PersonalPublicServiceNumberwhichmustprovideequalorbetterprotectionasprovided

bytheDepartmentofSocialProtection

TechnicalSpecificationrequiresthataPersonalPublicServiceNumbercanbeusedtoassist

inobtainingthecorrectIndividualHealthIdentifierwhenprovidedbythepatientorservice

userbutwillonlybeprovidedbackwithinthetraceddatasetinlinewithSocialWelfare

legislation.

TechnicalSpecificationincludesrestrictionsontheuseandavailabilityofthePersonalPublic

ServiceNumberandmustprovideequalorbetterprotectionasprovidedbytheDepartment

ofSocialProtection.

InclusionofMother’s

surnameatbirthintheIHI

registerdiscloses

1 5 5 StandardOperatingProceduresincluderestrictionsontheuseandavailabilityofthePSIdata

andmustprovideequalorbetterprotectionasprovidedbytheDepartmentofSocial

Protection

28January2016

relationshipdetails TechnicalSpecificationrequiresthataMother’ssurnameatbirthcanbeusedtoassistin

obtainingthecorrectIndividualHealthIdentifierwhenprovidedbythepatientorservice

userbutmustneverbeprovidedbackwithinthetraceddataset.

TechnicalSpecificationincludesrestrictionsontheuseandavailabilityofthemother’s

surnameandmustprovideequalorbetterprotectionasprovidedbytheDepartmentof

SocialProtection

Statutoryresponsibilityfor

respondingtoaDataAccess

RequestmadetotheIHI

Registerresultsinpersonal

informationbeinggivento

anapplicantthatwasnot

entitledtoit.

3 5 15 TheHealthIdentifiersOperatorprocedureforrespondingtoDataAccessRequestsshould:

• BeatleastasrobustasthatoftheDepartmentofSocialProtection,requiringevidence

ofidentityoftheapplicant.Includingproofoflatestaddressdetails,photoid(passport,

publicservicescard,ordriverslicence)andutilitybill

• Ensurethatparentalrequestsonbehalfofchildrenaremadejointlyorrequireproofof

legalguardianship

• Ensurethat‘assisteddecisionmaking’proceduresareimplementedinlinewiththe

AssistedDecision-Making(Capacity)Bill2013.

• Ensurethatrequesthandlingsupportsprovisionsmadeunderrecentlegislationin

respectofadoptedchildren.

28January2016

5.2.5 Privacy Issues associated with provis ion of Indiv idual Health Identif iers to Epi lepsy Electronic Pat ient Record (EPR), selected GP pract ice systems, a Hospice Electronic Medical Record (EMR) system) and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme)

ThissectionidentifiestheprivacyimpactsarisingspecificallyasaresultofthedeliveryofIndividualHealthIdentifierstothesesystems.

ProvisionoftheIndividual

HealthIdentifiertothe

consumersystemresultsin

personalinformationbeing

accessedinappropriatelyor

beinginappropriately

shared

2 4 8 TheHealthidentifiersoperatorstandardoperatingprocedureswillensurethatany

applicationforaccesstotheNationalRegisterisfromthelistof“specifiedpersons”as

definedintheHealthIdentifiersAct.

TheHealthidentifiersoperatorwillensurethatconsumersystemsarepopulatedbyonly

performingamatchusingthoserecordswhichareheldbytheconsumersystemmaster

patientindex(MPI).

TheHealthidentifiersoperatorwillqualityassuretheassignmentofIndividualHealth

IdentifierstorecordsontheconsumersystemMPItoastandardthatwillminimiseriskof

falsepositiveandfalsenegativematchestoensurethatthecorrectIndividualHealth

Identifierisreturned.

TheHealthidentifiersoperatorwillensurethatacopyoftheNationalRegisterwillneverbe

providedtothirdpartyconsumersystems.

Technicalspecificationoftheinterfacewithconsumersystemswillminimisetheriskof

inappropriatedisclosureofanIHIbyrequiringaminimumofdatatobeingprovidedandwill

controlthedatabeingreturnedtotheconsumersystem.

TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundthe

transferofdatabetweentheconsumersystemandtheIHIregisterwillminimisetheriskof

unlawfulaccess,datalossandhacking.

28January2016

consumersystemresultsin

personalinformationbeing

accessedwithout

knowledgeorconsentof

patients.

3 4 12 HIQA1.2-TheHealthIdentifiersOperatordevelops,implementsandreviewsa

communicationsplanthateffectivelyengageswithhealthserviceprovidersandserviceusers

inrelationtotheuseoftheNationalRegisters.

HIQA2.2-TheHealthIdentifiersOperatormaintainsapubliclyavailablestatementof

purpose

HIQA2.3-TheHealthIdentifiersOperatorcomplieswithrelevantIrishandEuropean

legislationandstandardswhenestablishingandmanagingtheNationalRegisters

HIQA2.4-TheHealthIdentifiersOperatorhasformalisedarrangementswithhealthservice

providersfortheeffectiveuseoftheNationalRegistersinlinewithrelevantlegislationand

standards.

Transferofdatafromthe

consumersystemtotheIHI

forthepurposeofproviding

theconsumersystemwith

IHIdataresultsinpersonal

bycommercial

organisations))

4 4 16 TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundthe

transferofdatabetweentheconsumersystemandtheIHIregisterwillminimisetheriskof

unlawfulaccess,datalossandhacking

TheHealthidentifiersoperatorisrequiredtoestablishappropriateInformationGovernance

controlsforconsumersystemorganisationstomeetbeforeinterfacingwiththeIHI

TheHealthidentifiersoperatorisrequiredtoestablishappropriatetechnicalstandardsfor

consumersystemstomeetbeforeinterfacingwiththeIHI.

consumersystemincreases

theriskofpersonal

2 4 8 PriortoreceiptofIndividualHealthIdentifiers,thehealthserviceproviderresponsiblefor

theconsumersystemdemonstratesthattheyarecompliantwiththeInformation

GovernancepoliciesandproceduresestablishedbytheHealthIdentifiersOperator.[Non

HSEserviceproviderswillberequiredtodemonstrateequivalentInformationGovernance

28January2016

bycommercial

organisations)

controls].

InappropriateaccesstoIHI

Registerauditrecordsof

accesstopatientrecordsby

consumersystemsdiscloses

clinicalinformation(e.g.

recordaccessesbyepilepsy

EPRwouldindicatethat

individualmaysufferfrom

Epilepsy)

3 4 12 TheHealthIdentifiersoperatorensuresstrictaccesscontrolsonauditrecords.

TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundaudit

recordswillminimisetheriskofunlawfulaccess,datalossandhacking.

DataQualityissuesarising

fromtranscriptionerrorsin

theIHIresultin

inappropriateaccessto

incorrectIHIrecords

3 3 9 TheHealthIdentifiersoperatorprovidesclearguidancetoproviderswhenimplementingthe

IHIwithintheirsystemstoensure:

• TheIHIisprintedbytheconsumersystemwhenlabellingisrequiredforpaper

recordsgeneratedbytheconsumersystem

• ProceduresavoidtheneedtowritetheIHImanually

• ElectronicmessagesbetweensystemsincorporatetheIHI

28January2016

5.2.6 Privacy Issues associated with the ongoing inclusion and use of the Indiv idual Health Identif ier in Epi lepsy Electronic Pat ient Record (EPR), selected GP pract ice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme)

ThissectionidentifiestheprivacyimpactsarisingspecificallyasaresultoftheongoinginclusionanduseoftheIndividualHealthIdentifierwithinthesesystems.

GiventhattheIndividualHealthIdentifierisanotherdataitemontheconsumersystemmasterpatientindex(MPI)itcouldbearguedthatthereisnoincreasedprivacy

issuesrelatedtotheholdingandprocessingoftheIndividualHealthIdentifierthroughouttheorganisation.Nonethelessthisservesasanopportunitytoensurethatgood

practiceinformationgovernance(IG)isimplemented.

OngoinguseoftheIHI

withinconsumersystems

resultsinpersonal

2 4 8 HIQA2.5-TheHealthIdentifiersOperatorhasformalisedarrangementswithtrustedsources

thatprotectpersonalinformationanddefinewhichdatacanbesharedforthepurposeof

establishingandmaintainingtheNationalRegisters.

28January2016

bycommercial

organisations)

Thehealthserviceproviderresponsiblefortheconsumersystemwilldemonstratecontinued

compliancewiththeInformationGovernancepoliciesandproceduresestablishedbythe

HealthIdentifiersOperator.[NonHSEserviceproviderswillberequiredtodemonstrate

continuedcompliancewithequivalentInformationGovernancecontrols].

TheIHIBusinessUnitManagerdevelopsstandardsforInformationGovernancecontrols

withinconsumersystemstobemetbeforethesystemcanreceiveIHIinformation.

TheHealthServiceProviderresponsiblefortheconsumersystemwilldeliverregular

evidencebasedtrainingprogrammeforitsworkforceinrelationtoaccessanduseofthe

consumersystem

TheHealthIdentifiersOperatorandtheconsumersystemorganisationmustensurethat

appropriatesecuritymeasuresareadoptedfortheinterfacesprovidingmaintenancetothe

consumersystem.

ConsumersystemshaveappropriateRoleBasedAccesscontrolswithinthemtominimisethe

riskofinappropriateaccesstorecordsandwillensurethataccesstoauditlogsissufficientto

identifyinappropriateaccessbyamemberofstaff.

TheHeathServiceProviderroutinelyandrandomlyauditsaccesstotheIHIregisterbyits

stafftoensureaccesswasforbusinesspurposesonly.

TheHealthIdentifiersOperatorwillensurethatanyuseoftheIHIforpurposesotherthan

thoseforwhichitwassharedarerigorouslyinvestigatedandmisuseisprosecutedwhere

appropriateasperthetermsoftheHealthIdentifiersAct.

28January2016

5.2.7 Indiv idual Health Identif ier Pr ivacy Issues associated with the future uses of the Indiv idual Health Identif ier

ThisPIAisrestrictedtotheestablishmentoftheregisterandusewithinEpilepsyElectronicPatientRecord(EPR),selectedGPpracticesystems,aHospiceElectronicMedical

Record(EMR)systemandschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme).However,itisappropriatetoflaguppotential

privacyissuesconcernedwithasyetunknownfutureusesandestablishcontrolstomanageandpreventfutureprivacyimpacts.

Futureexpansionofthe

IndividualHealthIdentifier

datasettoincludefurther

personaldetailsincreases

privacyimpact

2 3 6 BothHIQAstandardsinTheme1:PersonCentred

HIQA3.1-TheHealthIdentifiersOperatormaintainsandreviewstheprivacyofhealth

identifierrecordscontainedintheNationalRegisters.

TheHealthIdentifiersOperatorensuresthatdatacollectedintheIHIregisterislimitedto

thatspecifiedintheHealthIdentifierAct.

UnauthoriseduseoftheIHI

byotheruserorganisations

2 4 8 BothHIQAstandardsinTheme1:PersonCentred

28January2016

5.3 GOVERNANCE FRAMEWORK

Compliancewithcurrentlegislation(DPAs,theHealthIdentifiersActandthefutureHealthInformationBill)willbeattheheartofmanagingtheprivacyimpactsassociatedwiththeestablishmentoftheIndividualHealthIdentifierNationalRegisteranditsuses.HowevertheGovernanceFrameworksetoutwithinTheme2oftheHIQAstandardsprovidesopportunitiesforfurtherpositiveprivacyimpacts.ThegovernancearrangementsfortheNationalRegistershouldfurtherdefine:

• TheuserorganisationsthathavebeengrantedaccesstotheNationalRegister• TheorganisationsthatwillbeprohibitedfromaccesstotheNationalRegister• ThepermissibleusesoftheIndividualHealthIdentifierandtheinformationintheIndividual

HealthIdentifierDataset• Whethercontrolsrequirefurtherlegislationordatasharinganduseagreements(inparticular

penaltiesassociatedwithimproperuseordatabreaches)• RegulatoryoversightoftheBusinessOperationsUnit

Theneedforthesegovernancearrangementstoincludeanindependentoversightpanelwillbeexploredinthenextstagesofstakeholderengagement.

5.4 ASSIGNMENT OF RESPONSIBILITY FOR PRIVACY MITIGATION SAFEGUARDS OR

CONTROLS

Thefollowingtablesummarisestheprivacyriskmitigationsafeguardsandcontrolsandidentifiesthebusinessownerwhowilltakeresponsibilityforimplementingtheactionwithintheidentifiedtimescale.

Monitoringoftheimplementationofthesesafeguardswillbeincorporatedintotheoverallprojectmanagement:thebusinessownerwillberequiredtoreportonimplementationprogressonaregularbasistotheprojectboard.

5.5 MITIGATION IMPLEMENTATION RESPONSIBILITY AND TIMESCALES

Action BusinessOwner DeliveryDate

HIQA1.1-TheHealthIdentifiersOperatorconductsprivacyimpactassessmentsatcriticalpointsduringtheestablishmentandoperationoftheNationalRegisters.

HeadofIHIBusinessService

AsRequired

HIQA1.2-TheHealthIdentifiersOperatordevelops,implementsandreviewsacommunicationsplanthateffectivelyengageswithhealthserviceprovidersandserviceusersinrelationtotheuseoftheNationalRegisters.

InadvanceoftheIHIServicebecomingoperational.

HIQA2.1-TheHealthIdentifiersOperatorhaseffectiveleadership,governanceandmanagementarrangementsinplace

NationalDirectorforPrimaryCare

InadvanceoftheIHIServicebecoming

28January2016

withclearlinesofaccountability. orHealthIdentifiersSteeringGroup

operational.

HIQA2.2-TheHealthIdentifiersOperatormaintainsapubliclyavailablestatementofpurpose.

HIQA2.3-TheHealthIdentifiersOperatorcomplieswithrelevantIrishandEuropeanlegislationandstandardswhenestablishingandmanagingtheNationalRegisters.

Ongoing

HIQA2.4-TheHealthIdentifiersOperatorhasformalisedarrangementswithhealthserviceprovidersfortheeffectiveuseoftheNationalRegistersinlinewithrelevantlegislationandstandards.

InadvanceofprovidingtheIHIServicetohealthserviceprovidersystems.

HIQA2.5-TheHealthIdentifiersOperatorhasformalisedarrangementswithtrustedsourcesthatprotectpersonalinformationanddefinewhichdatacanbesharedforthepurposeofestablishingandmaintainingtheNationalRegisters.

InadvanceoftransferringdataforestablishingandmaintainingtheIHINationalRegister.

HIQA2.6-Thehealthidentifieroperatormonitors,reviews,evaluatesandimprovestheserviceitprovidesonanongoingbasis.

Ongoing

HIQA3.1-TheHealthIdentifiersOperatormaintainsandreviewstheprivacyofhealthidentifierrecordscontainedintheNationalRegisters.

Ongoing

HIQA3.2-TheHealthIdentifiersOperatormaintainsandreviewsthequalityofdatacontainedintheNationalRegisters.

Ongoing

HIQA4.1-TheHealthIdentifiersOperatordeliversregularevidence-basedtrainingprogrammesforitsownworkforceinrelationtoestablishing,maintainingandusingtheNationalRegisters.

InadvanceofIHIServicebecomingoperationalandongoingthereafter

TheHealthidentifiersoperatorhassafeandeffectiverecruitmentpracticesinplace.

Ongoing

TheHealthIdentifiersOperatorlogsalldataaccessestotheIHI,traceabletoanaccountableindividual’saccount.

TheHeathIdentifiersOperatorroutinelyandrandomlyauditsaccessbyitsstafftotheIHIregistertoensureaccesswasfor

Ongoing

28January2016

businesspurposesonly.

TheHealthidentifiersoperatorseekstoprosecutethose(bothinternalstaffandexternalorganisations)thatknowinglyaccessingorprocessingtheIndividualHealthIdentifierdatainappropriatelyasprovidedforwithintheprovisionsoftheAct.

Ongoing

TheHealthIdentifiersOperatorincorporateslessonslearnedfromtheexperienceofmanagingnationaldemographicsystemsintotheestablishmentofitsproceduresandprocesses.

Ongoing

TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundtheIHIregister(includingtransferofdatafromtrustedsourcesandconsumersystems)willminimisetheriskofunlawfulaccessandhacking

ChiefInformationOfficer

DuringtheimplementationoftheIHIRegisterandongoingthereafter

TheNationalRegisterisonlybeheldonserversphysicallylocatedwithinIreland

HiQAdevelopauditproceduresandconductauditsinlinewiththeInformationandGovernanceStandardsfortheoperationoftheHealthIdentifierRegisters–inclusiveoftheIHIRegister.

HiQA Ongoing

TheDataProtectionCommissioner,theControllerandAuditorGeneralandHSEinternalauditfunctionprovideoversightoftheHealthidentifieroperator.

Controller&AuditorGeneral

HSEinternalaudit

Ongoing

DataQualitychecksareundertakenintheconstructionandmaintenanceoftheIndividualHealthIdentifierRegister

ChiefInformationOfficerduringimplementation

HeadofIHIBusinessServiceonceoperational

TheHealthIdentifiersoperatorisrequiredtocomplywiththeHSEIGpoliciesandprocedures.

Ongoing

TechnicalSpecificationfortheallocationofanIndividualHealthIdentifierincludesrequirementthat:

• EachIndividualHealthIdentifiermustbeunique

• IndividualHealthIdentifiersmustberandomlygeneratedwithnoassociationtothepersonitisgeneratedfor.

• IndividualHealthIdentifiersmustnotbegeneratedinan

InadvanceoftheimplementationofthetechnicalsystemthatwillsupporttheIHIService.

28January2016

identifiablesequence.

StandardOperatingProceduresincluderestrictionsontheuseandavailabilityofthePersonalPublicServiceNumbermustprovideequalorbetterprotectionasprovidedbytheDepartmentofSocialProtection

TechnicalSpecificationrequiresthataPersonalPublicServiceNumbercanbeusedtoassistinobtainingthecorrectIndividualHealthIdentifierwhenprovidedbythepatientorserviceuserbutwillonlybeprovidedbackwithinthetraceddatasetinlinewithSocialWelfarelegislation.

TechnicalSpecificationincludesrestrictionsontheuseandavailabilityofthePersonalPublicServiceNumbermustprovideequalorbetterprotectionasprovidedbytheDepartmentofSocialProtection.

StandardOperatingProceduresincludesrestrictionsontheuseandavailabilityofthemother’ssurnamemustprovideequalorbetterprotectionasprovidedbytheDepartmentofSocialProtection

TechnicalSpecificationrequiresthataMother’ssurnamescanbeusedtoassistinobtainingthecorrectIndividualHealthIdentifierwhenprovidedbythepatientorserviceuserbutmustneverbeprovidedbackwithinthetraceddataset.

TechnicalSpecificationincludesrestrictionsontheuseandavailabilityofthemother’ssurnamemustprovideequalorbetterprotectionasprovidedbytheDepartmentofSocialProtection

TheHealthidentifiersoperatorprocedureforrespondingtoDataAccessRequestsshould:

• BeatleastasrobustasthatoftheDepartmentofSocialProtection,requiringevidenceofidentityoftheapplicant.Includingproofoflatestaddressdetailsphotid(passportordriverslicence)andutilitybill

• Ensurethatparentalrequestsonbehalfofchildrenaremadejointlyorrequireproofoflegalguardianship

• Ensurethat‘assisteddecisionmaking’proceduresareimplementedinlinewiththeAssistedDecision-Making(Capacity)Bill2013

• Ensurethatrequesthandlingsupportsprovisionsmadeunderrecentlegislationinrespectofadoptedchildren.

28January2016

TheHealthidentifiersoperatorstandardoperatingprocedureswillensurethatanyapplicationforaccesstotheNationalRegisterisfromthelistof“specifiedpersons”asdefinedintheHealthIdentifiersAct.

Ongoing

TheHealthidentifiersoperatorwillensurethatconsumersystemsarepopulatedbyonlyperformingamatchusingthoserecordswhichareheldbytheconsumersystemMPI.

Outlineprocedurepriortoconsumersystemimplementation

TheHealthidentifiersoperatorwillqualityassuretheassignmentofIndividualHealthIdentifierstorecordsontheconsumersystemMPItoastandardthatwillminimiseriskoffalsepositiveandfalsenegativematchestoensurethatthecorrectIndividualHealthIdentifierisreturned.

TheHealthidentifiersoperatorwillensurethatacopyoftheNationalRegisterwillneverbeprovidedtothirdpartyconsumersystems.

Ongoing

TechnicalspecificationoftheinterfacewithconsumersystemswillminimisetheriskofinappropriatedisclosureofanIHIbyrequiringaminimumofdatatobeingprovidedandwillcontrolthedatabeingreturnedtotheconsumersystem

Priortoconsumersystemimplementation

TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundthetransferofdatabetweentheconsumersystemandtheIHIregisterwillminimisetheriskofunlawfulaccess,datalossandhacking

TheHealthidentifiersoperatorisrequiredtoestablishappropriateIGcontrolsforconsumersystemorganisationtomeetbeforeinterfacingwiththeIHI

TheHealthidentifiersoperatorisrequiredtoestablishappropriateTechnicalstandardsforconsumersystemtomeetbeforeinterfacingwiththeIHI.

PriortoreceiptofIndividualHealthIdentifiers,thehealthserviceproviderresponsiblefortheconsumersystemdemonstratesthattheyarecompliantwiththeInformationGovernancepoliciesandproceduresestablishedbytheHealthIdentifiersOperator.[NonHSEserviceproviderswillberequiredtodemonstrateequivalentIGcontrols].

TheHealthIdentifiersoperatorensuresstrictaccesscontrolsonauditrecords.

Ongoing

TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundauditrecordswillminimisetheriskofunlawful

ChiefInformation Ongoing

28January2016

access,datalossandhacking. Officer

TheHealthIdentifiersoperatorprovidesclearguidancetoproviderswhenimplementingtheIHIwithintheirsystemstoensure:

• TheIHIisprintedonallpaperrecordsgeneratedbytheconsumersystem

• ProceduresavoidtheneedtowritetheIHImanually

• ElectronicmessagesbetweensystemsincorporatetheIHI

Outlineprocedure1monthpriortoconsumersystemimplementation

ThehealthserviceproviderresponsiblefortheconsumersystemwilldemonstratecontinuedcompliancewiththeHSEIGpoliciesandprocedures.[NonHSEserviceproviderswillberequiredtodemonstratecontinuedcompliancewithequivalentIGcontrols].

HealthServiceProvider

Asrequired

TheHealthidentifiersoperatordevelopsstandardsforIGcontrolswithinconsumersystemstobemetbeforethesystemcanreceiveIHIs.

TheHealthServiceProviderresponsiblefortheconsumersystemwilldeliverregularevidencebasedtrainingprogrammeforitsworkforceinrelationtoaccessanduseoftheconsumersystem

Asrequired

TheHealthIdentifiersOperatorandtheconsumersystemorganisationmustensurethatappropriatesecuritymeasuresareadoptedfortheinterfacesprovidingmaintenancetotheconsumersystem.

HeadofIHIBusinessService/HealthServiceProvider

ConsumersystemshaveappropriateRoleBasedAccesscontrolswithinthemtominimisetheriskofinappropriateaccesstorecordsandwillensurethataccesstoauditlogsissufficienttoidentifyinappropriateaccessbyamemberofstaff.

Asrequired

TheHeathServiceProviderroutinelyandrandomlyauditsaccesstotheIHIregisterbyitsstafftoensureaccesswasforbusinesspurposesonly.

Ongoing

TheHealthIdentifiersOperatorwillensurethatanyuseoftheIHIforpurposesotherthanthoseforwhichitwassharedarerigorouslyinvestigatedandmisuseisprosecutedwhereappropriateasperthetermsoftheHealthIdentifiersAct.

Asrequired

TheHealthIdentifiersOperatorensuresthatdatacollectedintheIHIregisterislimitedtothatspecifiedintheHealthIdentifierAct.

Ongoing

28January2016

5.6 APPENDIX A – HIQA PROPOSALS FOR INFORMATION GOVERNANCE AND

MANAGEMENT STANDARDS FOR THE HEALTH IDENTIFIERS OPERATOR IN

IRELAND

Theme1-Person-centred

Standard1.1 TheHealthIdentifiersOperatorconductsprivacyimpactassessmentsatcriticalpointsduringtheestablishmentandoperationoftheNationalRegisters.

Standard1.2 TheHealthIdentifiersOperatordevelops,implementsandreviewsacommunicationsplanthateffectivelyengageswithhealthserviceprovidersandserviceusersinrelationtotheuseoftheNationalRegisters.

Theme2-Leadership,governanceandmanagement

Standard2.1 TheHealthIdentifiersOperatorhaseffectiveleadership,governanceandmanagementarrangementsinplacewithclearlinesofaccountability.

Standard2.2 TheHealthIdentifiersOperatormaintainsapubliclyavailablestatementofpurpose.

Standard2.3 TheHealthIdentifiersOperatorcomplieswithrelevantIrishandEuropeanlegislationandstandardswhenestablishingandmanagingtheNationalRegisters.

Standard2.4 TheHealthIdentifiersOperatorhasformalisedarrangementswithhealthserviceprovidersfortheeffectiveuseoftheNationalRegistersinlinewithrelevantlegislationandstandards.

Standard2.5 TheHealthIdentifiersOperatorhasformalisedarrangementswithtrustedsourcesthatprotectpersonalinformationanddefinewhichdatacanbesharedforthepurposeofestablishingandmaintainingtheNationalRegisters.

Standard2.6 Thehealthidentifieroperatormonitors,reviews,evaluatesandimprovestheserviceitprovidesonanongoingbasis.

28January2016

Theme3-Useofinformation

Standard3.1 TheHealthIdentifiersOperatormaintainsandreviewstheprivacyofhealthidentifierrecordscontainedintheNationalRegisters.

Standard3.2 TheHealthIdentifiersOperatormaintainsandreviewsthequalityofdatacontainedintheNationalRegisters.

Theme4-Workforce

Standard4.1 TheHealthIdentifiersOperatordeliversregularevidence-basedtrainingprogrammesforitsownworkforceinrelationtoestablishing,maintainingandusingtheNationalRegisters.

28January2016

5.7 APPENDIX B: ORGANISATIONS WE HAVE CONSULTED TO DATE

HealthServiceExecutive(HSE)

DepartmentofHealth(DOH)

DepartmentofSocialProtection(DSP)

OfficesoftheDataProtectionCommissioner(DPC)

HealthInformationandQualityAuthority(HiQA)

BeaumontHospital

TheCouncilofClinicalInformationOfficers(CCIO)

IrishPlatformforPatients’Organisations,Science&Industry(IPPOSI)

privacy impact assessment for individual health identifier · final version for publication page |...

Documents

binding corporate privacy rules (bcpr)...approach data...

national privacy research strategy workshop...national...

ccpa tipping the scales balancing individual privacy …

privacy in microsoft cloud services€¦ · 26/06/2017 ·...

politics of privacy: the role of individual political

social networking & individual privacy test

data, privacy and the individual...data, privacy and the...

hipaa privacy & security policies and procedures ·...

formato privacy collection statement (4)7) individual...

data privacy update - wichita state university · •...

national privacy principles - oaic · privacy fact sheet 2...

multiple-sized bucketization for privacy...

patient and client privacy and dignity policy - · pdf...

dpcube: differentially private histogram release through...

an introduction to the privacy act privacy act 1993 promotes...

privacy, confidentiality, and civil rights 4299...

improving wireless privacy with an identifier-free link...

cbp and trade automated interface requirements...record...

data identifier and application identifier standard

the data privacy matrix project: towards a global alignment...