Jennifer Carroll MacNeill (Dún Laoghaire, Fine Gael)

I move amendment No. 57:

In page 20, to delete lines 8 to 14.

This Bill complements and builds on data protection legislation, including the GDPR. Section 21 of Part 4 provides for a number of procedural and processing safeguards in respect of the HSE's use of its power to mandate the provision of health information. These safeguards must include proportionality, data minimisation, purpose limitation and transparency measures. Amendment No. 57 seeks to serve a number of purposes, including reducing any confusion in respect of the definition of "relevant person", as well as better alignment with the EHDS regulation, which does not make a distinction between public and private healthcare or in terms of its definition of a "health data holder". This amendment also seeks to avoid duplication in respect of the necessary safeguards for requests under Part 4 to be necessary and to be proportionate. The Bill also provides that a request under Part 4 must be relevant, necessary and proportionate for the purpose in relation to which the request was made. Additionally, amendments Nos. 57, 59, 60 and 62 seek to provide clarity on the purpose behind Part 4.

In practical terms, the understanding of the definition of and requirements for "pseudonymisation" vary significantly across the sector. The Bill's text as drafted could be confusing and its interpretation could frustrate the intended benefits of data sharing, so we need some clarification. According to GDPR definitions, "anonymised data" is not personal data and cannot be associated with an individual, while "pseudonymised data" is personal data and allows for data linkage to using identifiable data if and where needed. Amendment No. 61 provides that the HSE shall adopt suitable and specific measures to safeguard the rights of data subjects when processing personal data and this may include limitations on access to the data undergoing processing to prevent unauthorised collection, consultation, alteration, disclosure or erasure of the data, strict time limits for the erasure of the data and mechanisms to ensure such time limits are observed, specific targeted training for those involved in processing operations and technical and organisational measures to ensure respect for the principle of data minimisation. These suitable and specific safeguards are not intended to be exhaustive. My Department has engaged with the Data Protection Commission on these amendments and the HSE is required to consult with the Data Protection Commission on suitable and specific measures it proposes to adopt.