BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £5, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
Statutes of Northern Ireland |
||
You are here: BAILII >> Databases >> Statutes of Northern Ireland >> Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 No. 12 URL: http://www.bailii.org/nie/legis/num_act/2016/nia_201612_en_1.html |
[New search] [Printable PDF version] [Help]
An Act to make provision about control of data processing in relation to health and social care.
[11th April 2016]
BE IT ENACTED by being passed by the Northern Ireland Assembly and assented to by Her Majesty as follows:
1.-(1) The Department must by regulations make such provision for and in connection with requiring or regulating the processing of prescribed information of a relevant person for health care or social care purposes as it considers necessary or expedient in the public interest.
(2) Regulations under subsection (1) may, in particular, make provision-
(a)for requiring or authorising the disclosure or other processing of prescribed information of a relevant person who is a recipient of health care to or by persons of any prescribed description subject to compliance with any prescribed conditions (including conditions requiring prescribed undertakings to be obtained from such persons as to the processing of such information),
(b)for authorising the disclosure or other processing of prescribed information of a relevant person who is a recipient of social care to or by persons of any prescribed description subject to compliance with any prescribed conditions (including conditions requiring prescribed undertakings to be obtained from such persons as to the processing of such information),
(c)for securing that, where prescribed information of a relevant person is processed by a person in accordance with the regulations, anything done by that person in so processing the information must be taken to be lawfully done despite any obligation of confidence owed by that person in respect of it,
(d)for creating offences punishable on summary conviction by a fine not exceeding level 5 on the standard scale or such other level as is prescribed or for creating other procedures for enforcing any provision of the regulations.
(3) Regulations under subsection (1) which make provision in relation to the authorisation of the processing of confidential information of a relevant person must provide that such information may only be processed if authorisation is granted by the committee established under section 2(1).
(4) Subsections (1) and (2) are subject to subsections (5) to (8).
(5) Regulations under subsection (1) may not make provision requiring the processing of confidential information of a relevant person who is a recipient of health care for any purpose if it would be reasonably practicable to achieve that purpose otherwise than pursuant to such regulations, having regard to the cost of and the technology available for achieving that purpose.
(6) Where regulations under subsection (1) make provision requiring the processing of confidential information of a relevant person who is a recipient of health care, the Department-
(a)must, at any time within the period of one month beginning on each anniversary of the making of such regulations, consider whether any such provision could be included in regulations made at that time without contravening subsection (5), and
(b)if the Department determines that any such provision could not be so included, must make further regulations varying or revoking the regulations made under subsection (1) to such an extent as the Department considers necessary in order for the regulations to comply with that subsection.
(7) Regulations under subsection (1) may not make provision for requiring the processing of confidential information of a relevant person who is a recipient of health care solely or principally for the purpose of determining the care and treatment to be given to particular individuals.
(8) Regulations under this section may not make provision for or in connection with the processing of prescribed information of a relevant person in a manner inconsistent with any provision made by or under the Data Protection Act 1998.
(9) Subsection (8) does not affect the operation of provisions made under subsection (2)(c).
(10) For the purposes of this Act, "information" means-
(a)information (however recorded) which relates to the physical or mental health or condition of an individual, to the diagnosis of an individual's condition or to the care or treatment of an individual,
(b)information (however recorded) which relates to the social well-being of an individual or to the care of, or assistance to, an individual, and
(c)information (however recorded) which is to any extent derived, directly or indirectly, from such information,
whether or not the identity of the individual in question is ascertainable from the information.
(11) For the purposes of this Act, "a relevant person" means an individual who is a recipient of-
(a)health care, or
(b)social care.
(12) For the purposes of this Act, the information of a relevant person is "confidential information" where-
(a)the identity of the individual in question is ascertainable-
(i)from that information, or
(ii)from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information, and
(b)that information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual.
(13) In this section "health care purposes" means the purposes of any of-
(a)preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health services, and
(b)informing individuals about their physical or mental health or condition, the diagnosis of their condition or their care and treatment.
(14) In this section "social care purposes" means the purposes of any of-
(a)assessment of social care needs, research into social care or social well-being, and the provision and management of social care, and
(b)informing individuals about their social care needs or the provision of social care in relation to them.
(15) In this Act "processing", in relation to information, means the use, disclosure or obtaining of the information or the doing of such other things in relation to it as may be prescribed for the purposes of this definition.
2.-(1) For the purposes of subsections (2) and (4), the Department must by regulations establish a committee.
(2) Where regulations under section 1 make provision by virtue of subsection (3) of that section, the committee may authorise the processing of confidential information of a relevant person in prescribed circumstances and subject to compliance with prescribed conditions (including conditions requiring prescribed undertakings to be obtained as to the processing of such information).
(3) The circumstances in which the committee may authorise the processing of confidential information of a relevant person shall not include circumstances where that person has made representations to the committee that the relevant person's confidential information should not be disclosed or processed.
(4) The committee must arrange for the dissemination in such form and manner as it considers appropriate of such information as it may appear to it appropriate to give to the public about the operation of this Act and any other relevant matter, and in particular about the rights of relevant persons regarding the processing of confidential information of those persons.
(5) Regulations under subsection (1) may, in particular, make provision as to-
(a)the persons or bodies who are to be represented by members of the committee,
(b)the appointment, tenure and vacation of office of a Chair and of other members of the committee,
(c)the procedure of the committee,
(d)the payment by the Department of-
(i)such expenses incurred by the committee, and
(ii)such allowances in respect of expenses incurred by members of the committee,
as the Department may determine,
(e)the publication of any authorisations granted by the committee.
3.-(1) The Department must, as soon as reasonably practicable, prepare and publish a Code of Practice on the processing of information.
(2) The Department must review the Code of Practice at least once in every two year period starting with the date of publication of the first Code of Practice.
(3) The Department may revise the Code of Practice whenever it considers it appropriate to do so.
(4) Health and social care bodies must have due regard to the Code of Practice in exercising their functions in relation to the provision of health and social care.
(5) Any other person who provides health and social care under arrangements made with a public body who exercises functions in relation to the provision of health and social care, must, in providing such care, have due regard to the Code of Practice.
(6) Failure to observe any provision of the Code of Practice does not of itself make a person liable to any criminal or civil proceedings.
(7) A Code of Practice-
(a)is admissible in evidence in criminal and civil proceedings; and
(b)may be taken into account by a court or tribunal in any case in which it appears to the court or tribunal to be relevant.
(8) In this section "health and social care bodies" means the Department and any of the bodies established by section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009.
4.-(1) Regulations under this Act may contain incidental, supplementary, consequential, transitional, transitory or saving provision.
(2) Regulations under this Act may not be made unless a draft of the regulations has been laid before, and approved by a resolution of, the Assembly.
5. In this Act-
"confidential information" has the meaning given by section 1(12);
"the Department" means the Department of Health, Social Services and Public Safety;
"health care" has the meaning given by section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009;
"information" has the meaning given by section 1(10);
"prescribed" means prescribed in regulations made by the Department;
"processing" has the meaning given by section 1(15);
"relevant person" has the meaning given by section 1(11);
"social care" has the meaning given by section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009.
6.-(1) This Act may be cited as the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016.
(2) This Act comes into operation on the day after Royal Assent.