Data Protection Policy
Medel Healthcare Ltd needs to collect information and data on individuals, namely its clients who use its services.
This policy outlines how personal data will be processed so as to meet the practice's data protection policy and to comply with the law.
This policy applies to the use of the Medel Healthcare Ltd computerised Medical Records System and any paper notes taken and filed by staff of Medel Healthcare Ltd.
Why this policy exists:
This data protection policy ensures that Medel Healthcare Ltd:
Medel Healthcare Ltd Policy
Medel Healthcare Ltd policy and procedures are guided by the GDPR (2016/79) and the Irish Data Protection Act 2018, the principles mentioned below and the informational Annexes.
Medel Healthcare Ltd obtains and holds data to administer its functions. Staff are provided with access to that data in order to do their jobs. Under no circumstances should personal data be accessed without a direct service requirement. Confidential client information must never be discussed with or disclosed to any unauthorised third party, either internal or external, without written consent.
The area of data protection and its accompanying legislation is evolving and can be complex. However, our approach can be summed up as follows:
and
If any staff member is in doubt about the processing of specific information, they should consult the Data Protection Officer. The Data Protection Officer for Medel Healthcare Ltd is:
Data Protection Officer | Contact Number | Contact Email |
Name: Thomas Browne | 0834469194 | tom@medelhealthcare.com |
Our guiding principle is one of 'need to know', and specifically Medel Healthcare Ltd will follow the protocol below.
Appointment of a Data Protection Officer
Medel Healthcare Ltd has appointed a named Data Protection Officer, Thomas Browne. The Data Protection Officer's responsibilities will be to:
Data Protection Officers should note that the Data Protection Commissioner has a wide range of enforcement powers to assist in ensuring that the principles of data protection are being observed, including:
Data Protection Legislation
On May 25th, 2018 the EU GDPR replaced the Irish Data Protection Acts of 1988 and 2003 as the primary legislation governing the processing of personal data. The Irish Data Protection Act of 2018 is expected to be passed sometime after the GDPR is law. Under the law, enhanced rights are conferred on individuals, together with new responsibilities and stricter rules for data processors and data controllers processing personal data. In addition, a new principle, that of being able to demonstrate compliance, was introduced under GDPR.
The main principles of the GDPR are summarised in the following Data Protection Principles:
Personal data is obtained lawfully if, prior to the recording of their personal details, the patient has signed a written consent agreeing to the processing and to the purpose of the processing. Personal data may be processed against the wishes of the data subject, or where the data subject is unable to give consent, only where not processing their personal data would cause serious injury or detriment to their health or to the health of others.
Personal data is obtained fairly and transparently if, at the time the personal data is being collected, the data subject is made aware of:
Medel Healthcare Ltd is committed to treating the information given to us in confidence, to ensuring that it will not be used or disclosed except as provided for by law, and to collecting no more information than is necessary.
To comply with this rule Medel Healthcare Ltd will ensure that:
Article 5 of the Regulation gives a person a right to seek to have their personal data amended or erased where it is established that it is incorrect.
Medel Healthcare Ltd may only keep data for a purpose or purposes that are specific, lawful, legitimate and clearly stated, and the data should only be processed in a manner compatible with that purpose.
Where consent is the lawful basis of the processing any additional processing of personal data will not proceed without further consent from the data subject.
The Regulation requires that personal information held should be retained for no longer than is necessary for the purpose or purposes for which it was obtained.
Medel Healthcare Ltd's retention periods will be governed generally by the data protection and privacy legislation in Ireland and specifically by the various legal requirements, e.g. obligations to Revenue; retention for compliance with employer responsibilities under the various employment, workplace, health and safety, and industrial relations Acts; limitation periods on civil actions; and the establishment, exercise or defence of legal claims.
For the retention of health data, Medel Healthcare Ltd will be guided by the codes of practice of the Irish College of General Practitioners and/or the Irish Medical Organisation.
A separate Medel Healthcare Ltd policy on Data Retention expands on this section for the guidance of employees.
Medel Healthcare Ltd must provide "appropriate" security measures to protect personal data from unauthorised access when in use, in storage or in transit, and must protect it from inadvertent destruction, amendment, loss, disclosure, corruption or unlawful processing.
In compliance with this requirement, Medel Healthcare Ltd has put in place physical and technical security measures to protect the confidentiality of personal data. These include, inter alia:
Access to personal information is restricted to authorised staff on a "need-to-know" basis and in compliance with the Data Protection Acts.
Electronic personal data is protected by stringent access controls, passwords, access logs, audit logs, back-ups etc.
Screens, print-outs, documents and files showing personal data should not be visible to unauthorised persons.
Appropriate facilities are in place for disposal of confidential waste.
Personal manual data should be held securely in locked cabinets, locked rooms, or rooms with limited access.
Special care must be taken if storing personal data on mobile computing and storage devices. Where deemed high risk, the data must be encrypted, and a record kept of the nature and extent of the data and why it is being stored on a portable device. Arrangements should be in place to fully delete the data on the portable device when it is no longer being used.
Members are not to disclose personal security passwords to anyone within Medel Healthcare Ltd who does not have a legitimate need to know the information in the normal course of their duties, or to anyone outside Medel Healthcare Ltd, unless authorised through the proper mechanisms and in accordance with the relevant requirements (e.g. Non-Disclosure Agreements, contracts, etc.).
When collecting personal data from patients, employees, suppliers or other stakeholders with whom Medel Healthcare Ltd engages, we will only collect the information we need to carry out the task, request or function for which it is required.
We will not work on the basis of collecting information 'just in case', and we will encourage a questioning culture in Medel Healthcare Ltd so that, when designing our workflows and tasks, privacy and its importance remain to the fore of our approach.
Annex 1
Data Protection Commissioner Code of Practice for data security breaches
Code of practice for data security breaches:
Annex 2.
Selected FAQ from medical services in relation to data protection, courtesy of www.dataprotection.ie
I’m a general practitioner: can my locum access my patient records?
Yes. The Data Protection Commissioner’s view is that making clinical patient records available to a locum doctor, so that the locum may provide medical care to patients, is compatible with the purpose for which the GP keeps the patient record.
Should my secretary or office manager be allowed access to my patient records?
Yes, although only to the extent necessary to enable the secretary or manager to perform their functions. Non-medical professionals should have no need to access clinical material or medical notes, as distinct from administrative details (such as patients' names and addresses). The patient is entitled to an assurance that their medical information will be treated on a need-to-know basis.
Can I pass patient details on to another health professional for clinical purposes?
If you are passing patient data on to a person or body acting in an agency capacity for you – such as a clinical laboratory – then this is not a “disclosure” under the Data Protection Act, and the Commissioner does not insist on specific patient consent in such cases. However, you should inform the patient in advance that their data will be used in this way.
If you are passing the patient data to another health professional for guidance and advice on clinical issues, the patient data should be kept anonymous. If you wish to pass on the full patient data, including identifying details, you will need the (explicit [2]) consent of the patient in advance, except in cases of urgent need.
Can I pass patient data to the HSE or other bodies for administrative purposes?
You can pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data.
What if I need to disclose patient data, and I don’t have the time to obtain consent?
If patient details are urgently needed to prevent injury or other damage to the health of a person, then you may disclose the details. Section 8(d) of the Acts makes special provision for such disclosures. However, if the reason for the disclosure is not urgent, then you will need to obtain consent in advance.
Can I use patient data for research or statistical purposes?
Ideally you should make patients aware in advance if you intend to use their data for your own research purposes. However, the Acts provide that such uses of personal data are permitted, even where the patient was not informed in advance, provided that no damage or distress is likely to be caused to the individual.
Can I disclose patient data to others for research or statistical purposes?
You may pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data. If you wish to pass on personal data, including identifying details, you will need to obtain patient consent in advance.
Cancer research and screening is an exception to this rule. Under the Health (Provision of Information) Act, 1997, any person may provide any personal information to the National Cancer Registry Board for the purpose of any of its functions; or to the Minister for Health or any body or agency for the purpose of compiling a list of people who may be invited to participate in a cancer screening programme which is authorised by the Minister.
If I may only disclose anonymised data for research purposes, how can the researchers avoid duplication of data in respect of the same individual?
Researchers who obtain anonymised patient data are sometimes faced with the problem that they may be dealing with two or more data-sets from the same individual, received from different sources. To address this problem, it may be permissible for a data controller (such as a doctor) to make available anonymous data together with a unique coding, which falls short of actually identifying the individual to the researcher. For example, a data controller might “code” a unique data-set using a patient’s initials and date-of-birth. The essential point is that the researcher should not be in a position to associate the data-set with an identifiable individual.
Do my patients have a right to see their medical records?
Yes, they do. An individual is entitled to see a copy of any records which you keep relating to him or her on computer or on paper. This right of access is subject to a limited exemption in the case of health and medical records, and in the case of social worker records, where allowing access would be likely to damage the physical, mental or emotional well-being of the individual.
[1] Processing includes the collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, and the erasure or destruction of personal data.
[2] ‘Explicit’ added by XYZ Practice to reflect GDPR change – March 2018
Copyright Medel Healthcare Technology Department