Health Information Act 2026
|
PART 4 Provision of Health Information to Executive | ||
|
Provision of health information to Executive | ||
|
22. (1) Subject to this section, and without prejudice to any other obligation or power to provide or request information under any other enactment or rule of law, the Executive may request a relevant person to provide the Executive with such class or classes of health information as it specifies in the request. | ||
(2) The Executive may make a request under subsection (1) where it considers that such a request is necessary for— | ||
(a) a public interest purpose in the area of public and occupational health, including activities for the protection against serious cross-border threats to health and public health surveillance or activities ensuring high levels of quality and safety of health services, including patient safety, and of medicinal products or medical devices, | ||
(b) the development of policy and regulatory activities in order to improve, promote and protect the health and welfare of the public, including integrated service planning, performance management and the efficient and effective use of resources in the area of health, or | ||
(c) the purpose of statistics, including national, multi-national and EU level official statistics within the meaning of Regulation (EC) No. 223/2009 of the European Parliament and of the Council of 11 March 20095 , related to health or care sectors. | ||
(3) A request under subsection (1)— | ||
(a) shall request only such information as is relevant, necessary and proportionate for the purpose in relation to which the request was made, and | ||
(b) may request such information to be provided on a recurring or periodic basis. | ||
(4) Where a request under subsection (1) relates, in whole or in part, to personal data, the Executive may not make the request unless— | ||
(a) it has decided, following consideration, that the purpose of the request could not be met by anonymised or other data (not being personal data), and | ||
(b) it has carried out an assessment of the data protection implications of the request and, where the assessment indicates a high risk to the rights and freedoms of individuals, the Executive has carried out a data protection impact assessment. | ||
(5) (a) Where a request under subsection (1) relates, in whole or in part, to special categories of personal data, the Executive shall adopt suitable and specific measures to protect the data, which may include: | ||
(i) limitations on access to the data undergoing processing within the Executive in order to prevent unauthorised consultation, alteration, disclosure or erasure of the data; | ||
(ii) strict time limits for the erasure of the data and mechanisms to ensure that such time limits are observed; | ||
(iii) specific targeted training for those involved in processing operations; | ||
(iv) technical and organisational measures to ensure respect for the principle of data minimisation, including pseudonymisation provided that the purposes of the data processing can be fulfilled in that manner. | ||
(b) The Executive shall consult the Data Protection Commission on the suitable and specific measures it proposes to adopt under paragraph (a). | ||
(6) A request under subsection (1) shall be in writing and shall specify the following: | ||
(a) the date of, and the reason for, the request and the purpose for which the information is to be processed; | ||
(b) the legal basis for making the request and the requirement to comply with it; | ||
(c) the structured collection of health information to be provided; | ||
(d) the period within which the request shall be complied with including, where information is to be updated, the period within which updates are to be made; | ||
(e) the digital format in which the information shall be provided; | ||
(f) that, if a relevant person fails to comply in whole or in part with the request within the period specified in paragraph (d) the Executive may, in accordance with section 23 , apply to the Circuit Court for an order directing the relevant person to comply with the request. | ||
(7) A relevant person shall comply with a request under subsection (1). | ||
(8) A notice in relation to every request made under subsection (1) shall be published on a website maintained by or on behalf of the Executive and shall specify the following— | ||
(a) the purpose referred to in subsection (2) for which the health information was requested, | ||
(b) a description of the class or classes of health information requested, | ||
(c) the relevant person or category of relevant persons to whom the request was made, | ||
(d) where a data protection impact assessment has been carried out, a summary of the findings of the assessment. | ||