Note: The FAQ responses below are produced from our interpretation of the various legislations, reference to material provided by the Data Protection Commission and other Authorities, and discussions with fellow data privacy consultants, advisors and Clinical Professionals. It does not constitute legal advice and should not be considered to be so, and cannot be guaranteed to be without error.

It’s true that maybe you cannot be absolutely sure. Even the largest legal and service providers caveat that their advice does not guarantee compliance. However, indications from the Data Protection Commission are that they expect every organisation to understand its obligations and take reasonable measures to safeguard the rights and freedoms of individuals with regard to their Personal Data. We’ve not seen cases where Data Protection Authorities have issued sanctions or fines against organisations that have taken reasonable measures to ensure accountability for the personal data they hold.

We have produced a training course for Practice Owners and Managers that outlines what we believe those reasonable measures to be for a typical Clinical Professional Practice. This course is currently available free to Practices who register with us. 

Any Clinical Practice handles data concerning health. This is deemed to be a “Special Category of Data”. The GDPR legislation states that organisations holding special categories of data must maintain a Record of Processing Activities. This is a straightforward document describing the types of data you keep, how you keep it, who you share it with and other basic details. 

Whilst you are not obliged to maintain a Data Privacy Policy and Privacy Statements for patients, it is highly recommended that you do because in the event of a dispute or a complaint made to the Data Protection Commission, you can indicate if and how the patient was made aware of how you would handle their data. Having documented policies also provides evidence that you have thought carefully about Data Protection for your Practice and demonstrates accountability.

The Irish Data Privacy Acts and GDPR state that personal data may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. There is no prescribed timeline by which you must delete aged patient records. Medical Protection (2017) recommends that, at a minimum, Patient Medical records should be retained for eight years after the date of last treatment or death. Children’s records should be retained until the individual reaches 25 years of age, or age 26 if the patient was 17 years of age at the end of treatment. Some Clinicians indicate a significantly longer retention period due to the nature of the treatment they provide, and this is valid once the Clinician can explain the rationale for maintaining such retention periods.

Certain Practice Management Software Products currently do not permit patient records to be deleted, which renders them non-compliant with GDPR legislation. Most, if not all, are aware of this risk of non-compliance and will most likely remedy it in future versions of their software.

Yes. Some Associates work on behalf of the host Practice and others avail of the Practice’s facilities to treat their own patients. It is important that you determine who is the Data Controller and who is the Data Processor for data provided by patients, based on:

  1. Who bills the patient? Your Practice or the Associate?
  2. Who owns the systems where the patient records are maintained?
  3. Who decides how the patient record is structured, maintained, retained?
  4. Who is the patient likely to think is the controller of their data? Who will they hold accountable in the event of a breach?
  5. Who is the Data Commissioner likely to hold to account in the event of a breach?

We would advise that both parties must agree controller/processor roles and understand their obligations once the roles are defined. We strongly recommend that the Practice avoids agreeing a joint controllership arrangement.

You need explicit consent if you intend to engage in marketing activities towards your patients, but most Clinical Practices do not market to their patients. If you are contacting a patient, who has selected you as their Clinician, on a matter related to treatment or recommended treatment, we believe that this is exercising a duty of care. As such, it should not warrant explicit consent unless the patient has previously indicated that they do not want you to provide this information or that they no longer wish to be considered a patient of your Practice.

The right to be forgotten is not an unequivocal right. When you create your Record of Processing Activities you will declare one or more permitted bases upon which you process data. Clinicians regularly choose Consent or Vital Interest as their basis for processing, but should also choose “Legitimate Interest” as a valid basis. So, for example, if you have a reasonable concern that a patient or even a staff member may initiate legal proceedings against you, you may continue to hold that data on the basis of legitimate interest, but may have to cease processing that data in the normal way if Consent is revoked or if Vital Interest no longer applies.

No, it does not. The legislation states that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). You will hear software vendors suggest that unencrypted email is not “GDPR Compliant”, implying that their solution is compliant. There is no Compliance certification for products. There are a number of measures and precautions that we advise should be taken when using email as a means to communicate data that could impinge on the rights and freedoms of the person to whom that data relates. This is covered in our training course for Practice Owners & Managers, which is currently available on our website free of charge.

According to Article 28 Clause 3 of the GDPR legislation, yes you do. Negotiating and agreeing a contract with every potential data processor could be a time-consuming and frustrating activity. However, the requirements of a Data Processor are fairly standard and are outlined as eight clear points under the aforementioned GDPR clause. We provide our clients with a standard template letter to send to the entities that we identify as being their Data Processors. This letter addresses the eight requirements that set out the processor’s obligations. Some Practices simply send the letter to their Processors and request acknowledgement or challenge, others send it by registered mail, and others follow up until they get written signatures. Larger suppliers like Practice Software Providers will often have already sent you their Data Processing Agreement, which will typically follow the same eight requirements in sequence.