Fergus O'Dowd (Louth, Fine Gael) | Oireachtas source

Fáiltím roimh an díospóireacht seo. Dearbhím go bhfuil sé an-tábhachtach. Caithfimid díriú ar chúrsaí sláinte ach go háirithe agus ní bheidh mé ag cuidiú leis an méid a dúirt an Teachta Shortall mar tá ceist eile an-phráinneach le phlé agam. This is a welcome debate and important issues have been raised. I want to come at it from different perspectives. One is supporting the legislation, two is supporting further changes and three is pointing out significant anomalies and problems with the lack of data sharing where people's health, lives and limb are at stake. These are of grave concern to me and, indeed, I have no doubt to the people who make these complaints to the authorities. It is important to share data. It is important when somebody comes into my office, or that of any other Deputy, that he or she fill in the data protection form.

I find an increasing awareness, alertness and willingness to sign that form. I thought there would be some difficulty with it but now automatically when somebody comes into my office, on the reverse of the form that he or she fills in, we put in the data protection notifications and ask him or her to sign and date it. That is useful because it protects the individual, the data received and it is also useful for records management that everything is clear and transparent. The record includes who came in, what was said, what was done, where it went and that consent was received. I welcome that. I also welcome sharing of data between Departments. It is hugely important if anybody is trying to find out what happened to a social welfare application that data can be shared, an answer found and the query followed through effectively and efficiently.

I welcome the speed with which public authorities generally, and in particular the Department of Employment Affairs and Social Protection which deals with most of my queries, respond to them. All of that is good, healthy and the right way to go, notwithstanding concerns people might have. I have serious concerns about data given to the Health Information and Quality Authority, HIQA, and which is not transferred. I will explain my case to the House. The difficulty is that currently about 4,800 individual items of information are mandatorily reported by private or HSE nursing homes to HIQA every year. There are also unsolicited complaints from people like us who might be visiting a relative or from somebody who works in a nursing home about concerns about the care and people being at risk.

The data is treated differently in different cases. I refer to the mandatory requirements for data transfer. If a nursing home is legally obliged to state that Mary Jones fell and broke her femur or she has very bad bed sores, the data is only given in numeric form. The individual is never identified. Of the thousands of reports which HIQA gets, it only knows where they come from. It does not know who the individual is and it is not able to go in and look at the file. It cannot look to see what happened to Mary Jones, why she fell, how she fell and why she had ten or 15 falls in the last year. HIQA is not able to inquire into that level of data. I believe there is a need to look at that anew and to make sure that HIQA, if it wishes, should be able to go into private or HSE nursing homes to follow the facts and get the full facts. That is protecting people who are extremely vulnerable and people who, unfortunately, in many of these incidents have significant adverse impacts on their health.

If the nursing home mandatorily reports data, it is in alphanumeric format and nobody knows who the individuals are or what they are. All that is known is the name of the home and HIQA cannot inquire and get to the bottom of what in many cases is abuse. Second, I refer to the case where, if I am a member of a family or a visitor, I ring up and say I am concerned about Mary Jones, that I found her lying on the floor where she was covered in sores or faeces or whatever the issues are. There have been hundreds of issues, in fact thousands of them, over the last few years. HIQA can state that is terrible and record everything. Guess what happens? Nothing.

The data is not used. Why is it not used? It is because the person who makes the complaint is not the individual concerned. There is an issue about that. A third party who rings up HIQA, be it a family member, a personal visitor or a friend, will give data. That is recorded but not used and not acted on because it is not legally allowable for HIQA to act on it. The third case is also worrying. If I work in a nursing home and if I ring up and tell HIQA that I have seen abuse of an elderly person - it could be financial, sexual, emotional, or under many different headings - that data cannot be acted on either because it works under different legislation. The legislation that applies there relates to work and employment. That data is not followed up. Wherever the data comes from, if it concerns the health, welfare and well-being of an elderly vulnerable person, it should be capable of being acted upon quickly and efficiently by HIQA or the relevant authority.

The other problem with data protection is that in 2015 HIQA agreed a memorandum of understanding with the Office of the Ombudsman. There were about six meetings. They were great meetings and everything was going to happen. Guess what happened in 2016, 2017 and 2018? No data transferred, not one single bit. I think that is a disgrace. I do not doubt the intentions of the people who did up the memorandum in HIQA because I have met and spoken to them. I also do not doubt the intentions of the Office of the Ombudsman to do it. Nothing, however, has happened.

When I brought this matter to HIQA's attention it said it would deal with it. Earlier this year, HIQA assured me that data transfer would now take place between HIQA and the Office of the Ombudsman so these matters could be investigated properly. The problem is that HIQA also said in the same letter to me that it was now reviewing all of the memoranda of understanding under the Data Protection Act 2018. It was reviewing every single one of them because the issues I had raised with HIQA might, could and probably will apply to all other memoranda that it has.

The law, while it is there to protect the individual, and I do not doubt the intention when we did that as lawmakers, needs to be more flexible. That is particularly the case where there is a health risk and a report of a concern. The sharing of data between statutory agencies, and I hope that is what this Bill is about, should be automatic without any of this bureaucracy which is unhelpful. A question then arises. If I ring up HIQA with an unsolicited complaint, as it is called, that data should automatically transfer. I do not know if this is in the law or not, but perhaps it might be looked at on Committee Stage. If a complaint is made, implicit in making that complaint is the intention that the person making it is acting in good faith and that the person wants it acted upon. If that complaint is made, it ought to go automatically to the person who has the statutory powers to investigate it, namely the Office of the Ombudsman. That would make much sense if it were to happen seamlessly and automatically. It would protect many vulnerable people. I ask that the Minister of State and his Department deal with that.

I have a few other things that I want to mention.

Data is very valuable, particularly in politics. I specifically refer to information and facts as to who did what where and when and how something happened. The former Minister of State, Deputy Shortall, raised the question of spending millions of euro on a system that does not work. Unfortunately, there is nothing new in that regard in the context of the public service. We need to ensure that people are accountable. Part of the problem is that the Freedom of Information Act needs to be reformed. There must be a much quicker method and means of getting at facts. There are unnecessary delays and obfuscation. I will raise the matter of a particular body at a different event after I get information from a freedom of information request. It holds up information about serious and significant internal audits that account for tens of millions of euro. It means we cannot get at the facts because the body hides behind the freedom of information process. I will be going to the Office of the Information Commissioner shortly about this matter. I hope that when I eventually get to the truth, the legislation will be changed. We should abridge some of the times in the freedom of information process.

There is the question of how data is treated. On the one hand, data might not be transferred when it should be. On the other, we need to change the law so that people not deemed to be the individuals in a case but acting in good faith can get through to an investigating authority. There is also the matter of how the HSE, my favourite organisation, dealt with medical data that just happened to end up approximately 30 miles from the hospital where it originated. The medical records of 12 patients were found on a public road beside the River Boyne near Baltray. I read about this in the newspapers and submitted a parliamentary question to find out what happened to the data and whether the Minister would investigate the breach. The question specifically referred to the personal medical data found at Baltray relating to accident and emergency department patients at Beaumont Hospital and it went in on 18 October. On 1 November, I submitted another question as more medical data relating to personal health information of patients was found. We do not know what is the problem or the hospital in question. The question asked for an outline of the results of an inquiry into the reasons significant personal and medical data was found for the second time in a few weeks at the same place. It was an unacceptable breach of privacy and data protection laws and the hospital must be held accountable for this second very serious breach. I do not know if it is the same hospital. We want absolute assurance that this will not happen again.

I got a lovely reply from Mr. Ian Carter, the chief executive of Beaumont Hospital, in response to both my queries. He stated that a recent incident occurred whereby personal health information on patients was found outside Beaumont Hospital. It was found 30 miles away from the hospital, which is a bit different from it being blown out the window or falling out of a waste bin. On review of the incident - there was more than one - Mr. Carter indicates that the source of the information was identified as an accident and emergency department summary clinical handover report used by nursing and medical staff during shift changes. As a result of the incident, Mr. Carter indicates that all accident and emergency department staff have been directed to use the "confidential" bins provided for such reports prior to leaving the hospital. There we have it. Data protection amounts to putting the data into a confidential bin. How can a bin be confidential and the data relating to very serious medical histories of patients who may be extremely ill end up 30 miles away beside the River Boyne in County Louth? That is entirely and absolutely unacceptable.

The current position regarding protection of data, certainly within Beaumont Hospital, is unacceptable. I do not know what is this confidential bin or how it works but there is no reason in the world any doctor, nurse or anybody else working in a hospital would have to bring personal medical records to a place in County Louth and leave them in grass beside the River Boyne. It is unacceptable, appalling and disgraceful. I rang the gentleman who signed this letter and told the person on the phone I was not happy with the reply, which is insulting and disgraceful. I said that it did not answer the question. I asked if a person had been sent to the site or if the incident had been reported to the Garda or the Data Protection Commissioner. I am still awaiting a reply, despite the fact that I stated my intention to raise the matter during this debate. This is a direct message to Mr. Ian Carter and Beaumont Hospital. I want to know the facts and the public is entitled to that knowledge. I am challenging the hospital here. The people responsible for this matter are unaccountable and they are acting in a very high-handed manner. What they are doing is shameful and disgraceful.

That problem demonstrates another lacuna in the law. If data in the private sector were allowed to fall into the public domain, there would be a fine or sanctions. The HSE is not held accountable, however, and certainly not through parliamentary questions. It will face no fine. This is a major problem because authorities such as those at Beaumont Hospital have very sensitive personal records but they can allow them, through weak and appalling management of the data, be found 30 miles away. This happened once and probably twice, although I do not know that for sure. With the second incident I got a call because somebody found the data and asked me what to do with it. I asked if the name of the hospital was on the data but it was not. I told the person to take the data to the Garda station in Drogheda and put it in its safekeeping. That is where it went. I asked that gardaí should look to see if there is more data at the location, as it would not be acceptable to have it left there.

I welcome the legislation and the changes being proposed. I welcome the fast-tracking of exchange of information, on the one hand, but, on the other, I am pointing out weaknesses and where data is extremely vulnerable. I have particularly referred to personal medical data held by at least one hospital in this country that was found, in a disgraceful fashion, on the side of a road. The question arises of how many confidential bins are there in Beaumont. Why does the hospital need them in any event? I do not work in a hospital but we all work with computers. If a worker wants to find out how a patient is doing, I am sure he or she could access the data electronically. Why is there a need to print physical copies of data across the public sector when everybody has computers and millions of euro have been spent by the HSE on all sorts of computer systems? It is just wrong and it is not acceptable. I thank the Minister of State. I will speak to him later about some of the changes that I hope he will help to introduce. We could learn from other jurisdictions about some of these matters. I welcome the legislation and I will vote for it. Nevertheless, I would like to see those changes enacted.

See this speech in context