Data protection cannot be an ‘afterthought’ in plans for electronic patient records, says watchdog 

The concerns come as the Health and Information and Quality Authority (Hiqa) is seeking submissions from members of the public on the plans for an electronic patient summary by September 11.

The electronic record aims to provide a summary of a patient’s key clinical information, for example past treatment, allergies and medicines, to ensure the safe and effective treatment of a patient receiving emergency treatment or care. It will also support information sharing, patient empowerment, and the development of digital services.

DRI director Antoin O’Lachtnain said the organisation was not opposed to the concept of an electronic patient record but said a data protection impact assessment will be needed.

“Because a lot of design ideas have been put forward, I think there needs to be a data protection impact assessment, which is a legal requirement and can’t be added as an afterthought,” he said.

“This is all about trust and patients trusting the system but ultimately you can't have that if a solid data protection framework is not in place,” he added.

Mr O’Lachtnain said DRI intended to make a submission on the proposals and raise concerns at government level.

Among his key concerns is the type of information recorded, patient consent, and how information can be shared and accessed.

“There’s a question over what information goes into that record and do you have discretion over what information goes into because some patients may not want to have all of their information shared across the health system,” he said.

“The benefit is centralised information but the problem is that the patient and the patient's GP has less and less stewardship over their health records,” he said, adding that GPs are currently the “gateway” for patients to access information and the current proposals would fundamentally change that and see records managed by the HSE.

“There are benefits to doing this but the benefits need to be carefully considered in parallel to the risks,” Mr O’Lachtnain added.

A spokesperson for HIQA said the authority expects the HSE to carry out a Data Protection Impact Assessment (DPIA) as it is the agency rolling out the record: “We would expect the HSE to undertake a DPIA in relation to this as they are the implementation body and will have data process/controller responsibilities.”