
Data Protection Policy

Medel Healthcare Ltd needs to collect information and data on individuals, namely its clients using the services.

This policy outlines how personal data will be processed so as to meet the practice's data protection policy and to comply with the law.

This policy applies to the use of the Medel Healthcare Ltd computerised Medical Records System and any paper notes taken and filed by staff of Medel Healthcare Ltd.

Why this policy exists:

This data protection policy ensures that Medel Healthcare Ltd:

  • Complies with Data Protection legislation and follows good practice
  • Protects the rights of its patients
  • Is transparent about how it stores, processes and utilises individuals’ personal data
  • Protects itself from the risk of a personal data breach or breach of data protection legislation
  • Reduces the risk of a personal data breach or breach of data protection legislation

Medel Healthcare Ltd Policy

Medel Healthcare Ltd policy and procedures are guided by the principles of the GDPR (2016/79) and the Irish Data Protection Act 2018 set out below, and by the informational Annexes.

Medel Healthcare Ltd obtains and holds data to administer its functions. Staff are provided with access to that data in order to do their jobs. Under no circumstances should personal data be accessed without a direct service requirement. Confidential client information must never be discussed with or disclosed to any unauthorised third party, either internal or external, without written consent.

The area of data protection and its accompanying legislation is evolving and can be complex. However, our approach can be summed up as follows:

  • Processing[1] of health and personal information is authorised only in circumstances where there is a clear official health reason requiring such access;


  • Any unauthorised processing constitutes a serious breach of discipline and will be dealt with accordingly.

If any staff are in doubt about the processing of specific information they should consult the Data Protection Officer. The Data Protection Officer for Medel Healthcare Ltd is:

Data Protection Officer

Contact Number

Contact Email

Name: Thomas Browne



Our guiding principle is one of ‘need to know’, and specifically Medel Healthcare Ltd will follow the protocol below.

  • In general, the sharing of information on patients with third parties will only occur if that third party is also involved or will be involved in the care of the patient.
  • Requests for information on any Medel Healthcare Ltd patient from any third party must be accompanied by written consent from the patient if the third party is not directly involved in the care of the patient.
  • Where consent forms or letters presented or sent by third parties make it obvious that the patient had no ‘genuine or free choice or would be unable to refuse or withdraw consent without detriment’, that consent will be deemed unlawful and the requested information will not be provided to the third party.
  • Care must be taken with phone calls in relation to queries about patients to ensure that information is not unintentionally passed on to an unauthorised third party.
  • Data from the Medel Healthcare Ltd database can only be used for research/evaluation purposes if authorised by Medel Healthcare Ltd.
  • Any data used from the Medel Healthcare Ltd database to generate reports, audits or service evaluations must be fully anonymised and stripped of any identifying features.


Appointment of a Data Protection Officer

Medel Healthcare Ltd has appointed a named Data Protection Officer, Thomas Browne. The Data Protection Officer's responsibilities will be to:

  • Liaise with the Data Protection Commissioner.
  • Manage valid Data Subjects' rights requests in a timely and thorough manner.
  • Ensure employees are aware of their obligations under data protection legislation.
  • Monitor compliance with the data protection legislation.
  • Ensure that this policy is applied, review it annually and make suggested changes for formal approval by the board of directors.
  • Lead on any investigations into personal data breaches or breaches of data protection legislation and introduce measures to prevent them reoccurring.
  • Bring to the attention of Medel Healthcare Ltd partners any data protection risks identified or anticipated.

Data Protection Officers should note that the Data Protection Commissioner has a wide range of enforcement powers to assist in ensuring that the principles of data protection are being observed, including:

  • Serving legal notices compelling Data Protection Officers to provide information needed to assist their enquiries or compelling a Data Protection Officer to implement one or more provisions of the Acts.
  • Investigating complaints made by the general public or carrying out investigations proactively. The Commissioner may, for example, authorise officers to enter premises and to inspect the type of personal information kept, how it is processed and the security measures in place.
  • Imposing administrative fines of up to €20 million or 4% of turnover.
  • Obtaining access to any premises in the course of an investigation.
  • Imposing a temporary or definitive limitation, including a ban on processing.

Data Protection Legislation

On May 25th, 2018 the EU GDPR replaced the Irish Data Protection Acts of 1988 and 2003 as the primary legislation governing the processing of personal data. The Irish Data Protection Act of 2018 is expected to be passed sometime after the GDPR is law. Under the law, enhanced rights are conferred on individuals, and new responsibilities and stricter rules are placed on data processors and data controllers processing personal data. In addition, a new principle, that of being able to demonstrate compliance, was introduced under GDPR.

The main principles of the GDPR are summarised in the following Data Protection Principles:

  1. Data must be processed lawfully, fairly and in a transparent manner

Personal data is obtained lawfully if, prior to the recording of their personal details, the patient has signed a written consent agreeing to the processing and the purpose of the processing. Personal data may only lawfully be taken against the wishes of the data subject, or when the data subject is unable to give consent, where not processing their personal data would cause serious injury or detriment to their health or the health of others.

Personal data is obtained fairly and transparently if the data subject is, at the time the personal data is being collected, made aware of:

  • The identity of the Data Protection Officer
  • The purpose for which Medel Healthcare Ltd is collecting the data at the point of collection
  • The person or categories of persons to whom the data may be disclosed
  • Any other information which is necessary so that processing may be fair

Medel Healthcare Ltd is committed to treating the information given to us in confidence and to ensuring that it will not be used or disclosed except as provided for by law, and will collect no more information than is necessary.


  2. Data must be accurate, and where necessary, kept up to date

To comply with this rule Medel Healthcare Ltd will ensure that:

  • Clerical and computer procedures are adequate to ensure high levels of data accuracy, and the general requirement to keep personal data up-to-date has been fully implemented.
  • Appropriate procedures are in place, including periodic review and audit, to ensure that each data item is kept up-to-date.
  • Procedures are in place to ensure personal data held is accurate, including reviewing records on a regular basis, identifying areas where errors are most common and providing guidelines to members on eliminating errors.


Article 5 of the Regulation gives a person a right to seek to have their personal data amended or erased where it is established that it is incorrect.

  3. Data must have been collected for specified, explicit and legitimate purposes and not used for other purposes

Medel Healthcare Ltd may only keep data for a purpose or purposes that are specific, lawful, legitimate and clearly stated, and the data should only be processed in a manner compatible with that purpose.

Where consent is the lawful basis of the processing any additional processing of personal data will not proceed without further consent from the data subject.


  4. Data must not be kept for longer than is necessary for that purpose

The Regulation requires that personal information held should be retained for no longer than is necessary for the purpose/s for which it was obtained.

Medel Healthcare Ltd will be informed on the limits of data retention generally by the data protection and privacy legislation in Ireland, and specifically by the various legal requirements, e.g. responsibilities to Revenue, retention for compliance with employer responsibility under the various employers, workplace, health and safety, and industrial relations Acts, limitation periods on civil actions and in the establishment, exercise or defence of legal claims.

For retention of health data Medel Healthcare Ltd will be guided by codes of practice from the Irish College of General Practitioners and/or the Irish Medical Organisation.

A separate Medel Healthcare Ltd policy on Data Retention is developed, which defines this section further for the guidance of employees.


  5. Data must be processed in a manner that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures

Medel Healthcare Ltd must provide “appropriate” security measures to protect personal data from unauthorised access when in use and in storage or in transit and must protect it from inadvertent destruction, amendment, loss, disclosure, corruption or unlawful processing.

In compliance with this requirement Medel Healthcare Ltd has put in place physical and technical security measures to protect the confidentiality of personal data, including, inter alia:

  • Access to personal information is restricted to authorised staff on a “need-to-know” basis and in compliance with the Data Protection Acts.
  • Electronic personal data is protected by stringent access controls, passwords, access logs, audit logs, back-ups etc.
  • Screens, print-outs, documents and files showing personal data should not be visible to unauthorised persons.
  • Appropriate facilities are in place for disposal of confidential waste.
  • Personal manual data should be held securely in locked cabinets, locked rooms, or rooms with limited access.
  • Special care must be taken if storing personal data on mobile computing and storage devices. Where deemed high risk, the data must be encrypted, and a record kept of the nature and extent of the data and why it is being stored on a portable device. Arrangements should be in place to fully delete the data on the portable device when it is no longer being used.
  • Members are not to disclose personal security passwords to anyone within Medel Healthcare Ltd who does not have a legitimate need to know the information in the normal course of their duties, or to anyone outside Medel Healthcare Ltd, unless authorised through the proper mechanisms and in accordance with the relevant requirements (e.g. Non-Disclosure Agreements, contracts, etc.).

  6. Data must be adequate, relevant and limited to what’s necessary to carry out the intended processing.

When collecting personal data from patients, employees, suppliers or their stakeholders that Medel Healthcare Ltd engages with, we will only collect the information we need to carry out the task, request or function it is required for.

We will not work on the basis of collecting information ‘just in case’, and we will encourage a questioning culture in Medel Healthcare Ltd so that, when designing our workflows and tasks, privacy and its importance remain to the fore of our approach.

  7. Accountability and being able to demonstrate that accountability to external assessment and examination will underpin and reinforce Medel Healthcare Ltd’s commitment to these principles and our compliance with all data protection and privacy legislation we are subject to.


Annex 1

Data Protection Commissioner Code of Practice for data security breaches

Code of practice for data security breaches:

  1. The Data Protection Acts 1988 and 2003 impose obligations on data controllers to process personal data entrusted to them in a manner that respects the rights of data subjects to have their data processed fairly (Section 2(1)). Data controllers are under a specific obligation to take appropriate measures to protect the security of such data (Section 2(1)(d)). This Code of Practice does not apply to providers of publicly available electronic communications networks or services.


  2. This Code of Practice addresses situations where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration. The focus of the Office of the Data Protection Commissioner in such cases is on the rights of the affected data subjects in relation to the processing of their personal data.


  3. Where an incident gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data, in manual or electronic form, the data controller must give immediate consideration to informing those affected. Such information permits data subjects to consider the consequences for each of them individually and to take appropriate measures. In appropriate cases, data controllers should also notify organisations that may be in a position to assist in protecting data subjects including, where relevant, An Garda Síochána, financial institutions etc.


  4. If the data concerned is protected by technological measures such as to make it unintelligible to any person who is not authorised to access it, the data controller may conclude that there is no risk to the data and therefore no need to inform data subjects. Such a conclusion would only be justified where the technological measures (such as encryption) were of a high standard.


  5. All incidents of loss of control of personal data in manual or electronic form by a data processor must be reported to the relevant data controller as soon as the data processor becomes aware of the incident.
  6. All incidents in which personal data has been put at risk should be reported to the Office of the Data Protection Commissioner as soon as the data controller becomes aware of the incident, except when the full extent and consequences of the incident have been reported without delay directly to the affected data subject(s) and it affects no more than 100 data subjects and it does not include sensitive personal data or personal data of a financial nature. In case of doubt – in particular any doubt related to the adequacy of technological risk-mitigation measures – the data controller should report the incident to the Office of the Data Protection Commissioner.


  7. Data controllers reporting to the Office of the Data Protection Commissioner in accordance with this Code should make initial contact with the Office within two working days of becoming aware of the incident, outlining the circumstances surrounding the incident. This initial contact may be by e-mail (preferably), telephone or fax and must not involve the communication of personal data. The Office of the Data Protection Commissioner will make a determination regarding the need for a detailed report and/or subsequent investigation based on the nature of the incident and the presence or otherwise of appropriate physical or technological security measures to protect the data.


  8. Should the Office of the Data Protection Commissioner request a data controller to provide a detailed written report of the incident, the Office will specify a timeframe for the delivery of the report based on the nature of the incident and the information required. Such a report should reflect careful consideration of the following elements:
  • the amount and nature of the personal data that has been compromised;
  • the action being taken to secure and / or recover the personal data that has been compromised;
  • the action being taken to inform those affected by the incident or reasons for the decision not to do so;
  • the action being taken to limit damage or distress to those affected by the incident;
  • a chronology of the events leading up to the loss of control of the personal data; and
  • the measures being taken to prevent repetition of the incident.
    1. Depending on the nature of the incident, the Office of the Data Protection Commissioner may investigate the circumstances surrounding the personal data security breach. Investigations may include on-site examination of systems and procedures and could lead to a recommendation to inform data subjects about a security breach incident where a data controller has not already done so.
    2. If necessary, the Commissioner may use his enforcement powers to compel appropriate action to protect the interests of data subjects.


  9. Even where there is no notification of the Office of the Data Protection Commissioner, the data controller should keep a summary record of each incident which has given rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data. The record should include a brief description of the nature of the incident and an explanation of why the data controller did not consider it necessary to inform the Office of the Data Protection Commissioner. Such records should be provided to the Office of the Data Protection Commissioner upon request.


  10. This Code of Practice applies to all categories of data controllers and data processors to which the Data Protection Acts 1988 and 2003 apply.















Annex 2.


Selected FAQ from medical services in relation to data protection, courtesy of www.dataprotection.ie


I’m a general practitioner: can my locum access my patient records?

Yes. The Data Protection Commissioner’s view is that making clinical patient records available to a locum doctor, so that the locum may provide medical care to patients, is compatible with the purpose for which the GP keeps the patient record.


Should my secretary or office manager be allowed access to my patient records?

Yes, although only to the extent necessary to enable the secretary or manager to perform their functions. Non-medical professionals should have no need to access clinical material or medical notes, as distinct from administrative details (such as patients’ names and addresses). The patient is entitled to an assurance that their medical information will be treated on a need-to-know basis.


Can I pass patient details on to another health professional for clinical purposes?

If you are passing patient data on to a person or body acting in an agency capacity for you – such as a clinical laboratory – then this is not a “disclosure” under the Data Protection Act, and the Commissioner does not insist on specific patient consent in such cases. However, you should inform the patient in advance that their data will be used in this way.


If you are passing the patient data to another health professional for guidance and advice on clinical issues, the patient data should be kept anonymous. If you wish to pass on the full patient data, including identifying details, you will need the ([2]explicit) consent of the patient in advance, except in cases of urgent need.


Can I pass patient data to the HSE or other bodies for administrative purposes?

You can pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data.


What if I need to disclose patient data, and I don’t have the time to obtain consent?

If patient details are urgently needed to prevent injury or other damage to the health of a person, then you may disclose the details. Section 8(d) of the Acts makes special provision for such disclosures. However, if the reason for the disclosure is not urgent, then you will need to obtain consent in advance.


Can I use patient data for research or statistical purposes?

Ideally you should make patients aware in advance if you intend to use their data for your own research purposes. However, the Acts provide that such uses of personal data are permitted, even where the patient was not informed in advance, provided that no damage or distress is likely to be caused to the individual.


Can I disclose patient data to others for research or statistical purposes?

You may pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data. If you wish to pass on personal data, including identifying details, you will need to obtain patient consent in advance.


Cancer research and screening is an exception to this rule. Under the Health (Provision of Information) Act, 1997, any person may provide any personal information to the National Cancer Registry Board for the purpose of any of its functions; or to the Minister for Health or any body or agency for the purpose of compiling a list of people who may be invited to participate in a cancer screening programme which is authorised by the Minister.


If I may only disclose anonymised data for research purposes, how can the researchers avoid duplication of data in respect of the same individual?

Researchers who obtain anonymised patient data are sometimes faced with the problem that they may be dealing with two or more data-sets from the same individual, received from different sources. To address this problem, it may be permissible for a data controller (such as a doctor) to make available anonymous data together with a unique coding, which falls short of actually identifying the individual to the researcher. For example, a data controller might “code” a unique data-set using a patient’s initials and date-of-birth. The essential point is that the researcher should not be in a position to associate the data-set with an identifiable individual.


Do my patients have a right to see their medical records?

Yes, they do. An individual is entitled to see a copy of any records which you keep relating to him or her on computer or on paper. This right of access is subject to a limited exemption in the case of health and medical records, and in the case of social worker records, where allowing access would be likely to damage the physical, mental or emotional well-being of the individual.

[1] Processing includes the; collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction and the erasure or destruction of personal data.

[2] ‘Explicit’ added by XYZ Practice to reflect GDPR change – March 2018