Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016

Publication Date:January 01, 2016
 
FREE EXCERPT


Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016

2016 (N.I.) c. 12

An Act to make provision about control of data processing in relation to health and social care.

[11th April 2016]

BE IT ENACTED by being passed by the Northern Ireland Assembly and assented to by Her Majesty as follows:

S-1 Control of information of a relevant person

1 Control of information of a relevant person

(1) The Department must by regulations make such provision for and in connection with requiring or regulating the processing of prescribed information of a relevant person for health care or social care purposes as it considers necessary or expedient in the public interest.

(2) Regulations under subsection (1) may, in particular, make provision—

(a) for requiring or authorising the disclosure or other processing of prescribed information of a relevant person who is a recipient of health care to or by persons of any prescribed description subject to compliance with any prescribed conditions (including conditions requiring prescribed undertakings to be obtained from such persons as to the processing of such information)

(b) for authorising the disclosure or other processing of prescribed information of a relevant person who is a recipient of social care to or by persons of any prescribed description subject to compliance with any prescribed conditions (including conditions requiring prescribed undertakings to be obtained from such persons as to the processing of such information)

(c) for securing that, where prescribed information of a relevant person is processed by a person in accordance with the regulations, anything done by that person in so processing the information must be taken to be lawfully done despite any obligation of confidence owed by that person in respect of it

(d) for creating offences punishable on summary conviction by a fine not exceeding level 5 on the standard scale or such other level as is prescribed or for creating other procedures for enforcing any provision of the regulations.

(3) Regulations under subsection (1) which make provision in relation to the authorisation of the processing of confidential information of a relevant person must provide that such information may only be processed if authorisation is granted by the committee established under section 2(1).

(4) Subsections (1) and (2) are subject to subsections (5) to (8).

(5) Regulations under subsection (1) may not make provision requiring the processing of confidential information of a relevant person who is a recipient of health care for any purpose if it would be reasonably practicable to achieve that purpose otherwise than pursuant to such regulations, having regard to the cost of and the technology available for achieving that purpose.

(6) Where regulations under subsection (1) make provision requiring the processing of confidential information of a relevant person who is a recipient of health care, the Department—

(a) must, at any time within the period of one month beginning on each anniversary of the making of such regulations, consider whether any such provision could be included in regulations made at that time without contravening subsection (5), and

(b) if the Department determines that any such provision could not be so included, must make further regulations varying or revoking the regulations made under subsection (1) to such an extent as the Department considers necessary in order for the regulations to comply with that subsection.

(7) Regulations under subsection (1) may not make provision for requiring the processing of confidential information of a relevant person who is a recipient of health care solely or principally for the purpose of determining the care and treatment to be given to particular individuals.

(8) Regulations under this section may not make provision for or in connection with the processing of prescribed information of a relevant person in a manner inconsistent with any provision made by or under the Data Protection Act 1998.

(9) Subsection (8) does not affect the operation of provisions made under subsection (2)(c).

(10) For the purposes of this Act, “information” means—

(a) information (however recorded) which relates to the physical or mental health or condition of an individual, to the diagnosis of an individual’s condition or to the care or treatment of an individual

(b) information ( however recorded) which relates to the social well-being of an individual or to the care of, or assistance to, an individual, and

(c) information (however recorded) which is to any extent derived, directly or indirectly, from such information,

whether or not the identity of the individual in question is ascertainable from the information.

(11) For the purposes of this Act, “a relevant person” means an individual who is a recipient of—

(a) health care, or

(b) social care.

(12) For the purposes of this Act, the information of a relevant person is “confidential information” where—

(a) the identity of the individual in question is ascertainable—

(i) from that information, or

(ii) from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information, and

(b) that information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual.

(13) In this section “health care purposes” means the purposes of any of—

(a) preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health services, and

(b) informing individuals about their physical or mental health or condition, the diagnosis of their condition...

To continue reading

REQUEST YOUR TRIAL