Consultation response form


This consultation document seeks your views about how we respond to the proposals arising from the ehealth & Care Strategy for Northern Ireland. During the consultation process there will be a series of engagement events. We aim to ensure that everyone is informed and involved in this process and has the opportunity to make their views known. We therefore encourage you to engage with this important consultation, let us know your views, and so contribute to improvements to our ehealth and Care services.

We are seeking your views on the proposals and questions in the strategy. This questionnaire is available to help you record your comments and can be filled in online at or downloaded and sent to us.

You can send us your answers or comments by post or to:

ehealth and care strategy consultation
Health and Social Care Board
Linenhall Street
Belfast
BT2 8BS

However you choose to give us your views, we want to hear from you. Please send us your comments by web survey, email, phone or in writing.

I am responding: As an individual Y On behalf of an organisation

It would be helpful if you provided more information:

Name: Shauna Dunlop
Address: Information Commissioner's Office, 3rd Floor, 14 Cromac Place, Gasworks, Ormeau Road, Belfast, BT7 2JB
Job title: NI Group Manager
Organisation: Information Commissioner's Office

Please note we will list the responses received through this consultation in the response to the consultation. All responses to this consultation can be requested through a Freedom of Information request and may be made public, with very limited exceptions. If you are concerned about this issue, please contact us for further information.

In the strategy we have described our vision, principles and objectives. To what extent do you agree with these?

Please select one option: Completely or mostly agree; Slightly disagree; Slightly agree; Completely or mostly agree

We welcome the ehealth and Care Strategy (the strategy) vision, principles and objectives. However, our focus is on how strategic actions will comply with the Data Protection Act 1998 (the DPA). Further information is provided in the sections below.

To what extent do you think we should be using ehealth technologies to help people look after their own health and wellbeing? Examples include: websites, mobile apps, online support tools, social media and personal text/messaging.

Please select one option: Completely or mostly agree; Slightly disagree; Slightly agree; Completely or mostly agree

Overall we welcome the application of ehealth technologies as outlined in the strategy. To ensure compliance with the DPA we have the following suggestions and comments.

Digital processing may be advantageous to patients but it will require compliance with all the DPA principles. In the first instance, processing of personal and sensitive personal data must be fair and lawful. This requires that a condition must be met in schedule 2 of the DPA and also a condition in schedule 3 of the DPA for sensitive personal data.

Much of the information processed through ehealth will be defined as sensitive personal data. It will be necessary to ensure understanding of the requirements in this respect. For example, sensitive personal data may be being processed even when it does not directly state what illness etc. a patient may have. The scenario given on p13 describes how the new HSC portal enables Brian to book an outpatient's appointment. If this reveals the Department that Brian must report to, it could inadvertently reveal sensitive personal data about Brian's medical condition.

In addition, the aspect of fairness will need to be considered. Engagement with individuals about these technologies is paramount. To be fair, people will need to know and understand how their information will be processed, shared and stored and for what purpose.

It is unclear if the personal health portal proposed will be the mechanism to also access an individual's health record online. With the principle of patient access to their health records enshrined within the DPA, we welcome easier access to personal information. However, consideration would need to be given to the application of the Data Protection (Subject Access Modification) (Health) Order 2000 which exempts disclosure of information which may be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person.

In addition, the DPA requires that appropriate technical and organisational measures must be taken to keep personal data secure, including within the cloud. We would refer you to the ICO Guidance on Cloud Computing and remind you that a severe breach of the DPA may result in a monetary penalty from the ICO of up to £500,000.

The social media and alternative communications plan should include consideration of the data controller/s of any proposed online discussion forums. In particular we would draw attention to the security aspects of the forums. Further guidance is available here on data protection with regard to social media.

The strategy highlights the proposed development of new mobile health apps, to support, facilitate and extend the relationship between care professionals and users for self-care and management. We have developed significant advice with regard to the development of mobile apps, which includes a privacy by design approach and the necessity to ensure adequate fair processing notices are in place with the use of any apps. The ICO advice is available here:

Given the issues referred to above, we would strongly recommend that a Privacy Impact Assessment (PIA) is completed for each of the proposed technologies/projects. The PIAs would help determine where privacy risks and issues which could be to the detriment of the individuals are present in the innovative proposals around telecare, telemonitoring, social media clubs and extending access to personal electronic medical records and help identify solutions or mitigating actions. The ICO Code of Practice on PIAs is available here:

To what extent do you agree that the implementation of ehealth technologies such as online booking of appointments and requests for prescriptions, email, video consultations or texting care professionals for advice will be useful?

Please select one option:

Completely or mostly agree; Slightly disagree; Slightly agree; Completely or mostly agree

We would remind the HSCB of the need for consent with regard to the delivery of some of these services. Please note that the Privacy and Electronic Communications Regulations may apply where services are promoted by electronic mail. It therefore would be necessary to establish at what point consent is obtained for a patient to receive text messages or other electronic communications for these purposes.

Are there any other areas you would propose?

Not Applicable

Will the proposals in the strategy support independent living?

Please select one option: Not at all; Very little; Somewhat; To a great extent

Not Applicable

While communicating with patients and clients, care professionals may use a computer to support their decision making. Do you think that the computer:

Please select one option: Would get in the way of the discussion; Could improve the quality of care provided; Would make no difference at all

Not Applicable

Do you feel that ehealth will change the way professionals work?

Please select one option: Yes; No; Don't know/no views

Throughout the strategy there is a strong objective to share more information and to expand on the existing tools which can be accessed by health professionals such as the continued and effective use of services such as the enisat. The health economy is defined in the consultation to include housing and councils, as well as pharmacies, dentists, opticians, and independent services such as nursing homes.

Having increased digital facilities with additional data sharing mechanisms established may be beneficial to patients but this is likely to require training for care professionals to ensure compliance with the DPA. In this regard, it is particularly important to appreciate the DP risks associated with the use of portable media, including in this case, the volume of information which may be accessed remotely through laptops and tablets. Full encryption of equipment and appropriate user-access logging is essential where any form of mobile working is allowed.

How useful would it be to have access to your ehealth records?

Please select one option: Very useful; Slightly useful; Useful; Not useful at all

Comments? (If you had access to your ehealth records what might you want to do or look at and why?)

Providing this provision online may be helpful. A patient is entitled to access their health record under the DPA. However, as previously indicated, this right to access must be qualified; consideration must be given to any information held on their record which, if accessed, could cause them severe distress or detriment.

In the consultation, it is suggested that an individual can add to their record to ensure it is accurate. We would urge consideration of what information can be added, what can be accessed and what, if anything, can be amended or deleted on the record. There are specific considerations with regard to accuracy within the DPA, which should be understood in this respect as accuracy relating to matters of fact. Professional opinions/diagnoses should not be edited or deleted and, instead, a note of dispute can be added.

We would also reiterate the fact that providing access to the ehealth record does not negate the data controller's obligations under Section 7 of the DPA. If a breach of confidence takes place, particularly with third party access, processes must be in place to ensure action can be taken immediately. Access controls must take account of the security requirements within the DPA.

Do you expect that information about the health and care of patients and clients would be shared among professionals to improve decisions they make about the care they provide?

Please select one option: Yes; No; Don't know/no views

Whereas the sharing of information may lead to improvements, it is important to comply with the requirements of the DPA in this respect. The consultation highlights an objective to develop plans for linking citizen-captured information into shared care records, including data from telemonitoring and information directly input by the patient or carer. Particular importance will need to be given to the fair processing of sharing information, both in terms of clearly informing people what data will be shared, with whom and for what purpose.

With the combination of sensitive personal data and new technologies within this strategy it would be advisable to consider data sharing agreements between organisations and services where this is appropriate to do so. The ICO Code of Practice on Data Sharing is available here:

Reference is made on p.16 to sharing electronic records. It is stated that only in rare circumstances will sharing not require explicit and informed consent. It may be difficult therefore to achieve many of the objectives proposed in the strategy such as working with housing and councils to develop new ideas to enhance quality of life and wellbeing. If one of the overall aims is connections and being able to share information across community services as highlighted, we would suggest that thought is given to how this will work in practice.

It is outlined in the consultation that HSC needs information standards to ensure that information systems work well with each other. This must also take into account compliance with the legislation.

The consultation includes reference to the Caring for Your Information strategy. In this respect, we would welcome further information on how ehealth will take account of this proposal in the future. Only identifiable data is subject to the requirements of the DPA; however, if the use of identifiable data will be extended as part of this work in the future, this will need further consideration.

How confident are you that we will keep information about you safe and secure, so that only those who need to access it can do so?

Please select one option: Completely confident; Slightly confident; Confident; Not confident at all

The DPA requires that appropriate technical and organisational measures are taken to ensure personal data is kept secure. Failure to comply with this can lead to enforcement action from the ICO.

The difficulties associated with existing digital technology with respect to staff training, and access to resources referenced in the consultation is a concern. Secure HSC devices must be available to staff, who must be trained in how to effectively ensure processing of personal data is compliant with the DPA. We welcome the suggestion of pilot schemes for staff to improve how staff access shared information and the commitment to staff training.

It is proposed that staff have mobile access to the HSC network in the near future; we would state the requirement of Principle 7 of the DPA relating to security and would suggest that perhaps this initiative may also benefit from the completion of a PIA.

The HSCB list actions on p.16 which they are committing to ensuring. We would strongly advise that staff training is included on this list. All staff should be fully trained and confident on how this ehealth strategy will affect their role.

It is also important to note that information, once held, may be disclosed in response to Freedom of Information requests or it may be requested by authorities outwith the health and social care sector for their own purposes (for example, for the detection of crime or audit). Such disclosures should also be made in a secure manner.

To what extent do you feel that the adoption of ehealth will encourage innovation and economic development in Northern Ireland?

Please select one option: Not at all; Very little; Somewhat; To a great extent

Not Applicable

Do you have any comments about the adoption of ehealth?

Not Applicable

Equality Impact Assessment

Equality and human rights implications

Do you agree with the conclusions reached by the HSCB in the draft Equality Impact Assessment, which is on the consultation web page? If no, please give further information along with any supporting evidence.

Is there any other evidence that you think we should have taken into account?

We believe the strategy would benefit from the completion of a PIA for many aspects as highlighted above.