GDPR

GDPR  (General Data Protection Regulations)

 

1. DATA  PROTECTION  PATIENT  INFORMATION

Here at Custom House Square Medical Centre (“CHSMC”/”Practice”), we take your privacy seriously.  This leaflet sets out information in relation to data protection and how this Practice operates.  It should be read in conjunction with our “Practice Privacy and Confidentiality Policy” which is available on our website  www.custommedical.ie.

What information do we collect about you?

When you attend or register with us as a patient, we collect the personal details specified on the “Patient Registration Form”.  With your prior knowledge and consent, we may obtain copies of your medical records from your previous healthcare professionals.  Your GP at CHSMC is also likely to receive updates from other healthcare professionals, hospitals, etc involved in your treatment and care.

Why do we collect this information?

We collect this information to provide appropriate treatment and services to you and to ensure your continuity of care and safety.  We also collect information as required by law.

On what basis do we process this information?

Your personal information is mostly collected directly from you and processed by us with your knowledge and express consent.  You may withdraw your consent to the processing of your personal information at any time.  Sometimes, we need to process your personal information to fulfil a legal contract with you.  For example, we will process your debit/credit card details in order to take payment, etc.  Sometimes, your personal information may be processed in accordance with Custom House Square Medical Centre’s legal obligations, e.g. mandatory reporting obligations in relation to infectious diseases, etc.  Where possible, your personal information will be anonymised beforehand.  Your personal information may need to be shared within the healthcare team and support staff in order to provide safe and effective care to you.  Your personal information is only accessible by staff as necessary for the fulfilment of their legitimate employment and professional duties.

Who may we share your information with?

We may share your information with other healthcare professionals and third party service providers, e.g. laboratories, when it is necessary and appropriate for your treatment and care.  We share such information strictly on the basis that it will be kept confidential.

How long do we hold your information for?

We retain your records for a minimum of 8 years after your death and at least 8 years since your last contact with CHSMC.

“Lead” for Data Protection

The Practice Manager is the “Lead” for data protection at CHSMC.  If you have any queries in relation to data protection rights they may be addressed by email to practicemanager@custommedical.ie.

Under Data Protection legislation, you have rights in relation to the transfer of data to a third country, and to:

  • Withdraw consent to the processing of your personal information

(Note:  If you withdraw consent, we may not be able to continue to provide treatment and services to you. We will talk to you about the possible consequences of withdrawing consent if and when you let us know that you are thinking of this.  The withdrawal of consent will not undermine the lawfulness of processing carried out prior to the withdrawal.)

  • Request to access the information we hold about you
  • Request the correction of inaccuracies in/erasure of the information held about you
  • Request the restriction of processing of the information we hold about you
  • Exercise your entitlement to data portability
  • Make a complaint to the Office of the Data Protection Commissioner of Ireland

Custom House Square Medical Centre reserves the right to amend this Leaflet and its “Practice Privacy and Confidentiality Policy” at any time, at its discretion.  You are encouraged to review this Policy from time-to-time.

 

2. PRACTICE  PRIVACY  AND  CONFIDENTIALITY  POLICY

Custom House Square Medical Centre (“the Practice”) wants to ensure the highest standard of medical care for our patients.  We understand that confidentiality is a fundamental principle of medical ethics and is central to the trust between patients and doctors.  The privacy practices we adopt in our Practice are in line with the Medical Council guidelines, the privacy principles of the Data Protection legislation, and the guidance provided by the Irish College of General Practitioners’ on Data Protection legislation regarding Irish General Practice.  It is not possible to undertake medical care without collecting and processing personal data and data concerning health.  In fact, to do so would be in breach of the Medical Council’s “Guide to Professional Conduct and Ethics for Doctors”.  We see our patients’ consent as being the key factor in dealing with their health information.  This Policy is about making consent meaningful by advising you of our policies and practices on dealing with your medical information.

Here in Custom House Square Medical Centre, we have set out a summary of this Policy in our “Data Protection Patient Information” document which is available on the Practice website www.custommedical.ie.  That document should be read in conjunction with this Policy.

Legal Basis for Processing Your Data

This Practice has adopted the requirements of the ICGP Data Protection Guideline for GPs.  The processing of personal data in general practice is necessary in order to protect the vital interests of the patient and for the provision of health care and public health.  You can access the Guideline at http://www.icgp.ie/data.  In most circumstances we hold your data until 8 years after your death or 8 years since your last contact with the practice.  There are exceptions to this rule and these are described in the Guideline referenced above.

Managing Your Information

  • In order to provide for patient care we need to collect and keep information about patients and their health on our records.
  • We commit to retaining patient information securely.
  • We will only record and store information that is necessary for your care. We aim to keep it as current as possible.
  • We ask all patients to inform us about any relevant changes to their history. This would include such things as any new treatments or investigations being carried out that we are not aware of.  Patients are asked also to inform us of change of address and phone numbers, etc.
  • Staff in the Practice sign a confidentiality agreement that explicitly makes clear their duties in relation to personal health information and the consequences of breaching that duty.
  • Access to patient records is necessary to enable the employee in question, whether Administrator, Manager, or Healthcare Professional perform their tasks for the proper functioning of the Practice. In this regard, patients should understand that Practice staff may have access to their records for the following reasons:
  • Preparation of repeat prescriptions
  • Generating Social Welfare Medical Certificates
  • Transmitting referral letters to hospital consultants or allied health professional such as physiotherapists, occupational therapists, psychologists and dieticians
  • Opening letters from hospitals and consultants
  • Scanning clinical letters, radiology reports and any other documents not available in electronic format
  • Downloading laboratory results and Out of Hours Co-op reports and performing integration of these results into the electronic patient record
  • Photocopying or printing documents regarding a patient’s referral to a consultant, attendance at an antenatal clinic or when a patient is changing GP
  • Checking for a patient if a hospital or consultant letter or if a laboratory or radiology result has been received by the Practice, in order to schedule a conversation with the GP
  • When a patient makes contact with the Practice, to check if they are due for any preventative services, such as vaccination, antenatal visit, contraceptive pill check, cervical smear tests, etc
  • Handling, printing, photocopying and postage of medico-legal and life assurance reports, and of associated documents
  • Sending and receiving information via Healthlink, secure clinical email
  • Other activities related to the support of medical care appropriate for Practice support staff
  • The Practice is committed to guarding against accidental disclosures of confidential patient information. Before disclosing identifiable information about patients, the Practice will:
  • Take into consideration Freedom of Information and Data Protection principles.
  • Be clear about the purpose for disclosure
  • Have the patient’s consent or other legal basis for disclosing the information
  • Have considered using anonymised information and be certain it is necessary to use identifiable information
  • Be satisfied that we are disclosing the minimum information to the minimum amount of people necessary
  • Be satisfied that the intended recipient is aware the information is confidential and that they have their own duty of confidentiality

Disclosure of Information to Other Health and Social Care Professionals

We may need to pass some of your information to other health and social care professionals in order to provide you with the treatment and services you need. Only the relevant part of your record will be released. Other health professionals are also legally bound to treat your information with the same duty of care and confidentiality as we do.

Disclosure With Consent

If a patient is capable of making their own decisions about their healthcare, we will obtain their consent before giving confidential information that identifies them to the patient’s relatives close friends, or for research or to disease registers.

If the patient does not consent to disclosure of identifiable information we will respect that decision except where failure to make the disclosure would put the patient or others at risk of serious harm or the disclosure is required by law or in the public interest as outline below.

Patients should understand and accept that their healthcare information must be shared within the healthcare team and with support staff to provide effective and safe care.  If disclosure of a patient’s information within our Practice or to other health care providers is necessary as part of a patient’s treatment and care, we will explain this to the patient and disclose the information to an appropriate person making sure they are aware of their duty of confidentiality.  If a patient objects to the transfer of the information we deem necessary we will explain to the patient that we cannot arrange referral or treatment without disclosing the information.

We recognise that clinical audit, quality assurance, education and training are essential for providing safe and effective healthcare.  If we are providing patient information pursuant to any of these activities, we understand the information must be anonymised or coded before it is disclosed outside the healthcare team.  If that is not possible we will make sure a patient is told about the disclosure in advance and given the opportunity to object.  We will respect a patient’s wishes in respect of the disclosure.

Disclosure Without Consent

The law provides that in certain instances personal information (including health information) can be disclosed, for example, in the case of infectious diseases.  We will endeavour to inform the patient in advance of such an intended disclosure, unless this would cause the patient serious harm or would undermine the purposes of the disclosure.

We will disclose patient information where required by law, for example, pursuant to a court order or infectious disease notification or if we hold a reasonable belief that a crime involving a sexual assault or other violence has been committed against a child or other vulnerable person.  We may make a disclosure in the public interest to protect a patient, other identifiable people or the wider community.  Before making such a disclosure the Practice will be satisfied that the possible harm the disclosure may cause to the patient is outweighed by the benefits that are likely to arise for the patient or others.  The disclosure will be limited to the minimum information and minimum number of people necessary.

If a patient lacks capacity to give consent and is unlikely to regain capacity we may consider making a disclosure only if it is in the best interests of the patient.

As a general rule, where possible we will always tell the patient in advance that we are disclosing information without the patient’s consent and why the GP is doing so, unless to do so would put the patient or third party at risk of serious harm.

Your Right of Access to Your Health Information

You have the right of access to your personal information held by this Practice.  If you wish to see your records, in most cases, it is quickest to discuss this with your doctor who will outline the information in the record with you.

Alternatively, you can make a formal written access request to the Practice whereupon an “Access Request for Medical Records Form” will be issued to you for completion.  Medical records must be collected from this Practice by the patient in person* and will only be released on production of an acceptable form of photo ID (passport/driving licence/Public Services Card).

*  rare exceptions may occur

Request for Records from a Patient or Third Party Before and After Death of a Patient

If the Practice receives a request from a patient to release a copy of their records we will consider carefully the obligation to remove all references to third parties.

In the case of requests for disclosures to employers, insurance companies or solicitors for a patient’s records we will only release the information when the following conditions have been met.  To obtain a copy of their medical records a patient must complete an “Access Request for Medical Records Form” (available from Reception).  Medical records must be collected from this Practice by the patient in person* and will only be released on production of an acceptable form of photo ID (passport/driving licence/Public Services Card).

*  rare exceptions may occur

We are aware that patient information remains confidential even after death.  We will consider how disclosure might impact on the family/carers and the reputation of the deceased.  We will require written consent to disclosure of a deceased patient’s records from the personal representative or executor of the deceased’s will.  We are aware that a GP’s discretion may be limited if a disclosure of a patient’s records is required by law.

Medical Reports

We will prepare a Medical Report on a patient with their consent.  A report will be specific to the episode for which the report has been requested.  We understand that a medical report requested by a third party such as an employer, insurance company or legal representative must be factual, accurate and not misleading.  We will seek to ensure that the patient understands the scope and purpose of the report and that the GP cannot omit relevant information.  We will also seek to ensure the patient is aware of our duty of care to them and to the person/company from whom the report was requested.

Medical Certificates

In general, work related Medical Certificates from a GP will only provide a confirmation that a patient is unfit for work, e.g. “medical illness” with an indication of when the patient will be fit to resume work. Where it is considered necessary to provide additional information we will discuss that with the patient.  However, Social Welfare Medical Certificates of incapacity for work must include the medical reason the patient is unfit to work.

Recordings

We are committed to ensuring that any audio, visual or photographic recordings of a patient or relative of a patient, in which the person is identifiable, should only be made with express consent of that person.  We will do all we reasonably can to protect the confidentiality of the recording. We will obtain consent before sharing such videos, photos or other images of a patient.

We will only take photographic images of patients when necessary for the patient’s care.  Such images will not identify a patient and shall only be kept for the minimum time necessary.

Use of Information for Training, Teaching and Quality Assurance

It is usual for GPs to discuss patient case histories as part of their continuing medical education or for the purpose of training GPs and/or medical students.  In these situations, the identity of the patient concerned will not be revealed.  In the case of medical students, each student is bound by a signed confidentiality agreement with the Practice.  Furthermore, you will be asked to give consent to their attendance at your consultation, which is entirely at your discretion.

In other situations, however, it may be beneficial for other clinical staff (e.g. doctors, nurses) within the Practice to be aware of patients with particular conditions and in such cases this Practice would only communicate the information necessary to provide the highest level of care to the patient.

Use of Information for Research and Audit

It is usual for patient information to be used for research and audit in order to improve services and standards of practice.  GPs are required to perform an annual clinical audit.  Information used for such purposes is done in an anonymised or pseudonymised manner with all personal identifying information removed.

Your Data Protection Rights

Under Data Protection legislation, you have rights in relation to the transfer of data to a third country, and to:

  • Withdraw consent to the processing of your personal information

(Note:  If you withdraw consent, we may not be able to continue to provide treatment and services to you. We will talk to you about the possible consequences of withdrawing consent if and when you let us know that you are thinking of this.  The withdrawal of consent will not undermine the lawfulness of processing carried out prior to the withdrawal.)

  • Request to access the information we hold about you
  • Request the correction of inaccuracies in/erasure of the information held about you
  • Request the restriction of processing of the information we hold about you
  • Exercise your entitlement to data portability
  • Make a complaint to the Office of the Data Protection Commissioner of Ireland

Custom House Square Medical Centre has a Lead for Data Protection within the team.  Any queries, concerns or requests to exercise your rights under Data Protection legislation may be addressed to practicemanager@custommedical.ie.

Transferring to Another Practice

If you decide at any time and for whatever reason to transfer to another Practice we will facilitate that decision by making available to you directly a copy of your records on receipt of a completed “Access Request for Medical Records Form” (available from Reception).  Medical records must be collected from this Practice by the patient in person* and will only be released on production of an acceptable form of photo ID (passport/driving licence/Public Services Card).  For medico-legal reasons we will also retain a copy of your records in this Practice for an appropriate period of time which may exceed eight years.

*  rare exceptions may occur

We hope this Policy has explained any issues that might arise.  If you have any questions please speak to the Practice Manager or your doctor.