Information in the form of data is at the core of the Health Service Executive’s (HSE) activities. The security and privacy of this data, especially patient and client personal data, is of the upmost importance to the HSE. In order to maintain public confidence in the HSE and the delivery of our services to the public, the HSE and its staff, agents, representatives, contractors and data processors must ensure they process and protect this data in accordance with the relevant legislation and the HSE’s policies, procedures and guidelines.
Privacy Impact Assessment (PIA) for the Individual Health Identifier
A privacy impact assessment examines the measures that need to be put in place to protect your personal information. Privacy Impact Assessments are particularly important in health and social care settings. Your privacy is really important to the HSE and so we undertook a Privacy Impact Assessment for the IHI.
The Privacy Impact Assessment, identifying risks and outlining the safeguards that will be put in place to reduce risk of your personal information being accessed has been published.
Click here for the IHI Privacy Impact Assessment
Memorandum of Agreement
On November 8th 2016, a Memorandum of Agreement was signed with the Department of Social Protection for the provision of Public Service Identify Records for the population and maintenance of the IHI Register allowing for the population of the IHI Register with 6.2 million approx. records for known residents of Ireland.
The Department of Social Protection is the data controller for the Public Service Identity Dataset.
The Health Identifiers Act 2014 was introduced to provide for the assignment of a unique number to an individual to whom a health service is being, has been or may be provided. Individual Health Identifiers (IHI) can be used in both the public and private sector. For operational reasons, the Health Identifier Act 2014 provides for the delegation of certain functions to the Health Service Executive (HSE). The HSE will operate the Health Identifiers Register on behalf of the Minister of Health. Notwithstanding the delegation of function, Section 26 of the Health Identifiers Act 2014 provides for the functions continue to be vested in the Minister concurrently with the HSE and the delegation does not remove or derogate from the responsibility of the Minister.
On receipt of the data from the Department of Social Protection, the HSE will become responsible for the personal data which it has received, i.e. it is the data controller for information received from that point.
Public Consultation on the Privacy Impact Assessment (PIA) for the Individual Health Identifier
The PIA for the IHI is about the protection of your personal information. We conducted a public consultation about the PIA as we wanted to hear from you whether you thought that we had identified sufficient safeguards to protect your privacy.
Information about the public consultation on the Privacy Impact Assessment can be found with a Privacy Impact Assessment Infographic and an animation is available by clicking below:
We shared an IHI Privacy Impact Assessment Public Consultation Document outlining what the Individual Health Identifier is, what it’s benefits are and what a Privacy Impact Assessment is. It also summarised a draft Privacy Impact Assessment that had been prepared and listed all the risks identified and the safeguards that were proposed to reduce those risks.
We requested feedback using an Online Feedback Form which asked for opinions on the following 3 questions:
1. Have we identified all the benefits of the IHI?
2. Have we identified all the privacy risks?
3. Are the safeguards that we are proposing sufficient?
In addition an IHI PIA feedback form was made available.
The public consultation closed on Friday 8th April 2016.
The finalisedStatement of Outcomes outlining the Health Service Executive’s response and proposed actions arising from the feedback received during the Public Consultation was published on the eHealth Ireland website.
In addition, all individual submissions received as part of the Public Consultation were anonymised and published on the eHealth Ireland website.
IHI Service Data Protection Policy
In 2014, the Health Identifiers Act was enacted and this allowed for the creation and operation of a unique Individual Health Identifier (IHI) for any person using a health or social care service in Ireland and the establishment of a national IHI register. The Minister for Health delegated the authority to establish and operate the IHI to the HSE and the HSE IHI Business Service is responsible for this. As the IHI includes an individual’s personal data, the HSE is legally required to ensure that all personal data is processed in accordance with the Health Identifiers Act, the Data Protection Acts, the GDPR (when effective) and other statutory and legal obligations.
The purpose of this policy is to provide HSE staff, agents, representatives, contractors and data processors and others with clear guidance and instruction on the appropriate, safe and legal way in which they can make use of the information stored on the IHI register. This policy has been approved by the HSE Director General and the HSE leadership team.
Click here for the full IHI Service Data Protection Policy