The HSE, privacy and data-sharing projects

 

Sir, – The article by Elaine Edwards on her view of the risks and issues concerning the sharing of data, with particular regard to EU regulations, while well informed, focused one perspective and did not consider the reality of the need to share data between agreed clinicians in the delivery of patient care (“Government continues data-sharing projects despite EU ruling”, Technology, December 8th). It also did not highlight the way in which the Irish health system is striving to consult the public on this beneficial change.

The change to how healthcare delivery is supported through digital solutions will be a cornerstone in the improvement of the healthcare system in Ireland.

The article infers that centrally hosted data is more at risk in some way than locally hosted data. This is not the case. Data held in centrally managed, corporate-grade data centres enables larger investment to be made in cyber-security which results in a far more protected data set than hosting data in many disparate hospital-based computer rooms.

A further comment suggests that primary legislation in Ireland is somehow surpassed by EU rulings such as the one quoted, the Bara case from Romania. The Health Identifiers Act, 2014, passed in Irish law, allows for the creation of a demographic identity for patients in Ireland. Only demographic information will be used, as clearly set out in the Act. Legislation passed as primary legislation is law in Ireland. The suggestion that the Bara incident somehow makes the Health Identifiers Act null and void is misleading.

The article recognises the effort that the eHealth Ireland team has applied to the communications and engagement exercises. The quote refers to the “concerted effort” undertaken to discuss the Act in the public domain. The Irish healthcare system is the first in the world to conduct a privacy impact assessment in the public domain, allowing the public of Ireland to comment as the assessment was created, at each point. This is an example of how the eHealth Ireland team strives to remain thoroughly transparent in all that it does.

A final assertion that needs to be clarified is an inference that data concerning Irish patients could be transferred to other countries outside of the EU.

This is absolutely not the case. All contracts involving the hosting of patient data, by any organisation on behalf of the HSE and eHealth Ireland, are defined today as within Ireland and in the future potentially within the EU only. This is a contractual obligation that will be enforced diligently by the eHealth Ireland team. – Yours, etc,

RICHARD CORBRIDGE,

Chief Information Officer,

HSE,

Dr Steevens’ Hospital,

Dublin 8.

Elaine Edwards writes: The Data Protection Commissioner’s office has informed the HSE that it is concerned about the lack of public consultation on the issue and it makes specific reference to the low number of submissions on the privacy-impact assessment, as well as the fact that the majority of responses seem to have come from within the health service.

There is no suggestion or “inference” in my piece that centrally hosted data is more at risk in some way than locally hosted data. The article did not address the question of where data is hosted. The privacy concerns are about inappropriate access and sharing, regardless of where the data is hosted. It is an issue of governance rather than an IT issue.