Frequently Asked Questions

Note: The FAQ responses below are produced from our interpretation of the various pieces of legislation, reference to material provided by the Data Protection Commission and other Authorities, and discussions with fellow data privacy consultants, advisors and Clinical Professionals. They do not constitute legal advice, should not be considered to be so, and cannot be guaranteed to be without error.

1. I have attended many GDPR seminars and made changes within my Practice recommended at these events but I am still unsure if I am GDPR compliant or not. How can I be sure if I am Compliant?

It’s true that you may not be able to be absolutely sure. Even the largest legal and service providers caveat that their advice does not guarantee compliance. However, indications from the Data Protection Commission are that they expect every organisation to understand its obligations and take reasonable measures to safeguard the rights and freedoms of individuals with regard to their Personal Data. We’ve not seen cases where Data Protection Authorities have issued sanctions or fines against organisations who have taken reasonable measures to ensure accountability for the personal data they hold.

We have produced a training course for Practice Owners and Managers that outlines what we believe those reasonable measures to be for a typical Clinical Professional Practice. This course is currently available free to Practices who register with us.

2. What Policies and Other Data Privacy Documents am I obliged to keep?

Any Clinical Practice handles data concerning health. This is deemed to be a “Special Category of Data”. The GDPR legislation states that organisations holding special categories of data must maintain a Record of Processing Activities. This is a straightforward document describing the types of data you keep, how you keep it, who you share it with and other basic details.

Whilst you are not obliged to maintain a Data Privacy Policy and Privacy Statements for patients, it is highly recommended that you do because in the event of a dispute or a complaint made to the Data Protection Commission, you can indicate if and how the patient was made aware of how you would handle their data. Having documented policies also provides evidence that you have thought carefully about Data Protection for your Practice and demonstrates accountability.

3. How long should I keep Patient Data and what if my Practice Management Software doesn’t allow me to delete data?

The Irish Data Privacy Acts and GDPR state that personal data may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. There is no prescribed timeline by which you must delete aged patient records. Medical Protection (2017) recommends that, at a minimum, patient medical records should be retained for eight years after the date of last treatment or death. Children’s records should be retained until the individual reaches 25 years of age, or age 26 if the patient was 17 years of age at the end of treatment. Some Clinicians indicate a significantly longer retention period due to the nature of the treatment they provide, and this is valid once the Clinician can explain the rationale for maintaining such retention periods.

Certain Practice Management Software Products currently do not permit patient records to be deleted, which renders them non-compliant with GDPR legislation. Most, if not all, are aware of this non-compliance risk and will most likely remedy it in future versions of their software.

4. I have Associates working in my Practice. Does that matter?

Yes. Some Associates work on behalf of the host Practice and others avail of the Practice’s facilities to treat their own patients. It is important that you determine who is the Data Controller and who is the Data Processor for data provided by patients, based on:

  1. Who bills the patient? Your Practice or the Associate?
  2. Who owns the systems where the patient records are maintained?
  3. Who decides how the patient record is structured, maintained, retained?
  4. Who is the patient likely to think is the controller of their data? Who will they hold accountable in the event of a breach?
  5. Who is the Data Commissioner likely to hold to account in the event of a breach?

We would advise that both parties must agree controller/processor roles and understand their obligations once the roles are defined. We strongly recommend that the Practice avoids agreeing a joint controllership arrangement.

5. Do I need to have explicit consent to contact Patients?

You need explicit consent if you intend to engage in marketing activities towards your patients, but most Clinical Practices do not market to their patients. If you are contacting a patient, who has selected you as their Clinician, on a matter related to treatment or recommended treatment, we believe that this is exercising a duty of care. As such, it should not warrant explicit consent unless the patient has previously indicated that they do not want you to provide this information or that they no longer wish to be considered a patient of your Practice.

6. I’ve heard that GDPR provides the individual with the “Right to be Forgotten” – Does this mean that I must delete all personal data I hold about them if they ask me to do so?

The right to be forgotten is not an unequivocal right. When you create your Record of Processing Activities you will declare one or more permitted bases upon which you process data. Clinicians regularly choose Consent or Vital Interest as their basis for processing but should also choose “Legitimate Interest” as a valid basis. So, for example, if you have a reasonable concern that a patient or even a staff member may initiate legal proceedings against you, you may continue to hold that data on the basis of legitimate interest, but you may have to cease to process that data in the normal way if Consent is revoked or if Vital Interest no longer applies.

7. Does the GDPR legislation prohibit me from using email to communicate with and about patients?

No, it does not. The legislation states that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). You will hear software vendors suggest that unencrypted email is not “GDPR Compliant” and imply that their solution is. There is no compliance certification for products. There are a number of measures and precautions that we advise should be taken when using email as a means to communicate data that could impinge on the rights and freedoms of the person to whom that data relates. This is covered in our training course for Practice Owners & Managers, which is currently available on our website free of charge.

8. Do I really need to have written, signed Processor contracts with Labs, suppliers, my IT Provider and Accountant?

According to Article 28 Clause 3 of the GDPR legislation, yes you do. Negotiating and agreeing a contract with every potential data processor could be a time-consuming and frustrating activity. However, the requirements of a Data Processor are fairly standard and are outlined clearly as eight points under the aforementioned GDPR clause. We provide our clients with a standard template letter to send to the entities that we identify as being their Data Processors. This letter addresses the eight requirements that set out the processor’s obligations. Some Practices simply send the letter to their Processors and request acknowledgement or challenge, others send it by registered mail, and others follow up until they get written signatures. Larger suppliers like Practice Software Providers will often have already sent you their Data Processing Agreement, which will typically follow the same eight requirements in