The Data Protection Acts (the Acts) require that personal data must be obtained for a
specified purpose, and must not be disclosed to any third party except in a manner
compatible with that purpose. The General Data Protection Regulation (GDPR) is a new
European directive relating to data protection that was adopted on 27 April 2016 and
came into effect on 25 May 2018. It replaces the data protection directive from
1995.
This Practice undertakes to uphold this principle and only to use or disclose the data
collected and held for purposes compatible with the Acts. The Practice seeks to assure
patients that their medical information will be treated strictly on a need-to-know basis by
staff.
This medical Practice stores your data both on paper files and on computer. Both are
secured within the office and on a secure server/cloud service. This data storage is in
compliance with Section 2(b)(vii) of the Acts that allows for the processing of sensitive
data for medical purposes by health professionals. This is the legal basis relied upon to
process your data.
Patient data may be passed to the HSE, your G.P. or other clinical care providers such as
(but not limited to) laboratories, scanning or diagnostic facilities for the purpose of
clinical care, clinical tests, diagnostics or other clinical purpose and to health insurance
companies for the purpose of processing insurance claims under a medical insurance
policy.
Should data need to be passed to any other person, for example a family member,
insurance company, solicitor or other third party, then the patient’s explicit consent will
be sought in advance, except in cases of urgent need (as allowed for under the Acts).
If patient details are urgently needed to prevent injury or other damage to the health of a
person, then Section 8(d) of the Acts permits disclosure. However, if the reason for the
disclosure is not urgent, consent will be sought in advance from the patient.
As a physician with significant academic interests, and a belief that academic study
furthers medical knowledge and ultimately benefits patients, I may use patients’ data
for research purposes. These data will always be anonymised. The Acts provide that such
uses of personal data are permitted, even where the patient was not informed in advance,
provided that no damage or distress is likely to be caused to the individual.
The Acts permit me to pass on anonymised or aggregate data, from which individual
patients cannot be identified. Should it be necessary to pass on personal data, including
identifying details, for research purposes, patient consent will be obtained in advance.
As a data controller, the practice may use a unique coding, which falls short of actually
identifying the individual, to allow data to be passed to researchers. The practice
undertakes to ensure that no researcher is in a position to associate the dataset provided with an identifiable individual.
The practice seeks to ensure that personal data are secure and used only for medical care or
research. Any other use will be specifically requested, using the sample prior consent
forms attached. You should note that any consent given will only be relied upon for the
specific purpose and event explicitly outlined in the consent form. Should a further event
requiring consent be necessary, a separate and newly dated consent form will need to be
completed. It is your right to
withdraw consent at any time and you can do this by simply completing the withdrawal
of consent form available.
Your data are held in a secure database with restricted access. The practice will ensure the
protection of the confidentiality, integrity and security of all data provided to it. No
information will be disclosed if it is the view of the practice that to do so would be a
breach of GDPR. Data are kept for a minimum of 7 years for regulatory and auditing
purposes.