Office of the Chief Information Officer delivering eHealth Ireland, Feidhmeannas Seitbhise Slainte Health Service Executive 8" December 2015, Re: FOI request C394/15, oo I refer to the appeal which you made under the Freedom of Information Act 2014, dated 29!" November seeking a review of the earlier decision of this body. Tama more senior member of the staff than the original decision maker in this case. I decided to vary the original decision on your request in part. I have reviewed the original request, the reply and your appeal. As part of my review of the FOI decision I have discussed the request with the original decision maker and the individuals within the IHI project team. I am satisfied that the decision maker carried out a full search within the scope of the project. All HSE staff who are associated directly with the project were requested to provide information pertaining to the request. It would not be practical to conduct a search across the full organisation and the request would have been refused under FOI 15(c). (See attached appendix 1) I propose to deal with each of the requests and outline my decision for each separately. 1. Legal advices relation to IHI The Minister of Health and Government drafted the Health Identifiers Bill in conjunction with the Attorney Generals office. The Health Identifiers Act 2014 provides the legislative basis for the introduction of a system of identifiers for recipients of a health service as well as healthcare providers, both professionals and organisations. The HSE’s role is to implement the IHI based on the 2014 legislation for and behalf of theMinister. The HSE did not seek or receive any legal advice in relation to the Health Identifiers Act. Any subsequent changes to the legislation or policy changes would be conveyed to the HSE by the Department of Health. The Twitter exchanges by Mr. Richard Corbridge were a conversational interaction in a personal capacity. They should not be interpreted as an ‘official’ response by the Office of the CIO or the HSE. Der in: It is not possible for the HSE to release documents it does not have therefore I uphold the original decision. 2. Relevant HSE OOCIO risk assessment(s) and its implementation The Risk Assessment is part of the draft Privacy Impact Assessment (PIA), which at the time of the FOI request, was in early draft form. The draft PIA was not completed and therefore not fit for publication or release. Disclosing the draft positions could inhibit future negotiations and discussions with some or alll stakeholders Granting access to deliberative/unfinished documents could have a significant adverse effect on the HSE’s effective management of the project through the current phase, involving multiple stakeholders, and in my opinion would damage overall project performance. At the stage of drafting the PIA, the risk assessment had not been completed. Risks were articulated in the draft but not all risks had associated mitigations. Therefore releasing the draft could have an adverse impact on public perception and consequentially the project. The PIA will be a public document which prior to finalisation will be subject to a public consultation process within the next few weeks. De in: Tam upholding the decision not to release the Risk Assessment. 3. Relevant HSE DPO risk assessment(s) relating to IHI and its implementation The risk assessments are being dealt with as part of the IHI project. The HSE DPO have not undertaken a separate risk assessment and therefore no HSE DPO risk assessment(s) exist. Decision: It is not possible for the HSE to release documents it does not have therefore I uphold the original decision.4, Detail of ODPC engagements in relation to the IHI and its implementation During the course of discussions with the relevant parties it became apparent that the question you had asked had been misinterpreted. Two informal meetings were held between a number of the project team and DPC. These were exploratory meetings in order for the project team to seek advice on their continuing work on the Privacy Impact Assessment. There were no formal minutes but some personal notes were taken by the team and I am now enclosing the notes as recorded in Appendix 2. Decision: | am releasing the documents as requested. 4. Rights of appeal You may appeal this decision by writing to the Information Commissioner at 18 Lower Leeson Street, Dublin 2. If you wish to appeal, you must usually do so not later than 6 months from the date of this notification. Should you write to the Information Commissioner making an appeal, please refer to this letter. If an appeal is made by you and accepted, the Information Commissioner will fully investigate and consider the matter and issue a fresh decision. Should you wish to discuss the above, please contact me by telephone at I Yours sincerely, Programme DirectorAppendix 1 Refusal on administrative grounds to grant FOI requests 15. (1) A head to whom an FO! request is made may refuse to grant the request where— {a) the record concemed does not exist or cannot be found after all reasonable steps to ascertain its whereabouts have been taken, (b) the FO! request does not comply with section 12(1)(b), (c) in the opinion of the head, granting the request would, by reason of the number or nature of the records concerned or the nature of the information concerned, require the retrieval and examination of such number of records or an examination of such kind of the records concemed as to cause a substantial and unreasonable interference with or disruption of work (including disruption of work in a particular functional area) of the FO! body concemed, (d) the information is already in the public domain, (e) publication of the record is required by law and is intended to be effected not later than 12 weeks after the receipt of the request by the head, (f) the FOI body intends to publish the record and such publication is intended to be effected not later than 6 weeks after the receipt of the request by the head, (g) the request is, in the opinion of the head, frivolous or vexatious or forms part of a pattern of manifestly unreasonable requests from the same requester or from different requesters who, in the opinion of the head, appear to have made the requests acting in concert, (h) a fee or deposit payable under section 27 in respect of the request concemed or in respect of a previous request by the same requester has not been paid, or (i) the request relates to records already released, either to the same or a previous requester where— (i) the records are available to the requester concerned, or (ii) it appears to the head concemed that that requester is acting in concert with a previous requester. (2) Subject to subsection (3), a head may refuse to grant— 32 | [2014] Freedom of Information Act 2014. [No. 30,]Pr.3 8.15 (a) a record that is available for inspection by members of the public whether upon payment or free of charge, or (b) a record a copy of which is available for purchase or removal free of charge by members of the public, whether by virtue of an enactment (other than this Act) or otherwise. | (3) A record shall not be within subsection (2) by reason only of the fact that it contains information constituting personal data to which the Data Protection Acts 1988 and 2003 apply. (4) Ahead shall not refuse, pursuant to paragraph (b) or (c) of subsection (1), to grant an FOI request unless he or she has assisted, or offered to assist, the requester concemed in an endeavour so as to amend the request for re-submission such that it no longer falls within those paragraphs.Appendix 2 Personal notes of Project Team Notes Set 1 [gore « verted vpdela en reg esegust wien , HR, 64 06,EA Goareth = thegd eqech We 218 te cover all vee gee Conmssein Ge Gray Caslelin Ine dae cq axlensive Pid Ce smut mc Else, (us ben apg on GB quart) «CER fae pith shen Hate tbl Chane = eve cork PIR cope IML wah GPK eptlepty Sashes | | | = Za|sWS BPC wile Rosine Clean, Jha, Gene, | | DEC sie A asm ollig, asessntcks In paige ent Std be | Seondany POEs on abn ee IM veguted Bh he nel Be ownitloty, 86 ( Roisin ~ wert co eh cel) | [DEP = Rawds a Lge gain Ve Hes to Ge sed weuting ms oF Bake Crease 15 bad ytreng to Centensn Seed) DPC wold Wee ce te ba sale ok clenthy We D306 Wi Adds ahon ake Yaad alles Ara tosig we fe the Bsa oe bent cn ROAS ge neve ne glnn «Ric seated Wadiy ser OSE quasisls of Bin neseals. Gamit = West mony be eps co ether non-resiants whe dort weub Haar WM cecord assessible, No need aanmgte Heder Urose receals dormenty and an explantlin te aire be scdh people, Wb sand be Ludi He cue bvscness processes all he quashins peng have « evil fo aste unter Dale Protection Desansd cadvidnels do acd te ve contvAssth a8 thins atculs wih be tequiced « Mee he Ya Lege cove fegersenkdane eset mans a veg ad wag AeA access Ao IML of ininpactetel dividual ole Wie need te awe or Say we dak Inwe, a guecess Er meaber bask pe. Hse fer dilien oud alse seqemtacl Foals and grostions, gered olla en. Rd atopted chddven ce aedlee’g enrly reals Weg endit beat CLAN Fincly Rebronaiip bill pohaldy Blocks thus oe Wild oF wxsbrig and Gree Nas velabvig to These Wigs » So our buenas dawn reals te tele Ine ReArutin Adbo account, Bn Granta Stoshone gi WyO0d acoess sequed's ger yuat (axel. vebra) Recess requek prgnnk & yk 6. © Ipncevmds veces = Clee — vele as taueccicta heb basin, Ceive wh gu tegthar oe sgggsed SoA Raepoey AEE SM pre cad Man ay Yo ables Sakebes . Also Lydd bess for debs sheng Hast Anfecmshin Be Decistiy Mog Bib al\ mm eayes Child & Findlay Galstiinchg 2i- S Gieofng Shannen, Beghen Bead cnn cory JephteahiensSila cae cee Gord, Taba, Clas Rein, Dun . Cae GS assed vper eur tube PIA. Daa oetowtes Toe gasiion on ceaseat fr epilepsy, pas te wile ook be pieks adeag fee conten ~ i Goes > sgfhe Biba Mako mese fie! segs woth acesuller whe . "Wsides = Alerts ently of vanity ont te peers and pulley PORE dewesin «hay seh senile wiht wee docs bo ore the ded Gore - signe wills egilysy, thajve wens ch info Shecving , hes dane Bene werk will epileyiny, Cash Fhmans geupone wea) alle , Mecfiadus, seyisier 6 eoadsegnide - - DRE col Khe te S86 aferebti whe we dando sels Ge censunh, New BPC Aeeit appre co cthenase, Nrey gyre commune. | Sada chased Nhe were Fenty Ye Iie can ancily Mead Issues flow eve cleft PIR: mothe eset dhe breads? whe Sathudes iweeshuydtins? Wee, weal Mage odvitic. Er an sepesed peethut wilh BEC. Cid seagsadiney jo 8 GORE cewaghronits| Ving cen cove sich [Gest ~ DEC cently geisew am eegpleyse od Vrigie Geumglr onder oe ack (Teh they con ap acter Unik pastes. Erngheyeos cre Sunget te thse employer's Asc Mowe preceduies (WH saad te be sie Vee, tboenens Aasaye wala gaesecadoiy, Hocegliny er whwdwer espe ahs te tbe clathicd Imepenteny cveiseQir us a Mag Viele Clone aides shed the edleescd TSP deesch have Seoul oe Saat 1 HS AL wade, ostntlar’s cenbiel FRciuing Waele take We ceneuuiaes ayglins 7 Anah Wlabe boc Wag slabioe wh wills os feeds (TW adress fuabert gation ey. dats woe 8 eset poser? GPs nd GRY news = He cou write te DPC Br ceumteds bul Wily Weare Vanes crdd be Db? referred (BIEN) on “ne was! ve | shuns Aadabese Ntmsfer, TTnaglet Wed Sule Sideges atk U6, Hees feed Seusas Yhey con ike FO AWS Game mei Sccmumwnicabien tS (soe acanysounl ~ yynente lugint = delegated aadlently. A Leash Te Nllrsch 5005 hua = Soflam ad eguisctn . [Gesell ~ dibs pectiny acgeemeat — Aubyet seatubeauddey (@@> eansisienl)y the aoe Gad Seaneity ( tas scNotes set 21/07/2015 (31/07/2015. 11:03, fark introduced Legal - commencement , delegation order, setup of IHI register, provide to consumer systems, hspi's (Consent from epilepsy. Health identifier act hat is the legal basis. (Clare. Legislation. Delegation of powers Setup of register. IHI. Providing IH into consumer system pilepsy pationt record. joing to look for consent. ‘Cystic fibrosis register. - have newsletter. - good contact. How to get the enllpsy consent requenoy of contact. In next visit rite out to them nsitivity - stigma, 13% of population signed up for register. fenal register. - anather good one ive Dpe a look at the consent material before issuing. Page 11/07/2015 11:20 ivacy assessment progress Setting up the register HIQA consultation. Risk that information might be accessed illegally. - valuable asset perator ensures best practice. Security Prosecution taken ? Who prosecutes. incompatible into the data protection act. lagging. - point of contact, nly from known person , ring back, Summary offences. Indictment not summary. Dpp. - who does the investigation, it could be the police clarification who is responsible Who prosecutes. et investigates )PC is investigator for health information bill Legal advice re who owns register. linister is owner data controller etc eed legal advice 10's going to decide an investigation needs to take place. pe }ecisions nforcement order. ferious breach for unauthorised disclosures private investigations of Garda information, Civil versus criminal }p cannot prosecute an employee can only prosecute, Organisation. farda could not be prosecuted rivate Invistagor was prosecuted as director. Inder section 4. Jan prosecute under the 2. Managing the register by the business unit [Lack of independent oversight. Of. Definition of independent oversight. Any changes of use need to have a PIA. Page 21J07/2015 Data quality independent board - ethics research committee. fore senior independent panel. ludige review lothers surname , previous names. egitimate interest to provide it Irish water reated relevant bodies. tilities. ‘et patients know and want to object to i. bligation is on the individual to provide the correct information possible an indicator that this is not the latest address sn, ‘ublic information piece with Dpe and dsp. lot approved. - not P s. Organisations. ‘odes of practice. aft a note to professionals \6s. Had the same. iser Management. ek level of assurance that the system and the organisation Page 3 ata processing agreement security. Both technical and procedural. Duty of confidentiality negligence, joney, reputation compliment - how many of duty of confidentiality cases are smalluperye 1/07/2015 12:25 [Uttan is the technical person acle 29. Medical. Apps.