The names, contact details, email addresses, medical records and health data of individuals and patients who attend a GP practice are protected by strict European and Irish data protection laws. Given the sensitive personal data which they hold about individuals, it is of critical importance for Irish GPs to understand that the requirements of data protection law must be taken particularly seriously. GPs need to be able to show that patient information, whether stored electronically or on paper, is stored securely and that data processing agreements are in place with any third parties to whom access to patients' personal data is given, including staff, software providers such as HealthLink, interns, and so on.

Breaches of the EU General Data Protection Regulation (the "GDPR") and the Irish Data Protection Act 2018 (the "2018 Act") can lead to investigations, audits, enforcement proceedings and the imposition of significant fines. As we continue to see Irish practices with no privacy notices, data protection policies or confidentiality agreements in place, we have set out a summary of the key requirements below.

For the past number of years, the principal source of data protection guidance tailored for Irish GPs has been "Processing of Patient Data – A Guideline for General Practitioners" issued by the Irish College of General Practitioners (the "ICGP"). This guidance is designed to assist practitioners in implementing their legal requirements under the GDPR and the 2018 Act, and reading this document should be the first step for GPs to take in order to understand the key legal requirements in this area.

However, a mere understanding of the fact that data protection laws apply to a practice is not enough – data protection law requires GPs to implement and maintain ongoing active measures to ensure that the personal data which they collect is used in a lawful and secure manner.

Pursuant to the terms of the GDPR, patients are required to be informed of, amongst other matters:

  • The purposes their personal data is to be used for, including whether it is to be used for training, clinical audits, etc;
  • The parties to whom their personal data may be disclosed;
  • The legal basis which permits the practice to use their personal data – this must be recorded in respect of each category of personal data separately; and
  • Their rights in relation to their data – their rights of access or erasure, their right to complain to the Data Protection Commission, and so on.

This information should be set out in a Privacy Policy, which must be distributed to patients at the time that their personal data is being collected. The Privacy Policy should relate to the specific requirements of the practice and the specific activities which the practice concerned carries out with the personal data of patients, and this policy would often be drafted by data privacy lawyers.

In order to ensure that the patients are made aware that the practice has a GDPR-compliant Privacy Policy in place and deals with personal data in a manner compliant with the ICGP guidance, a short notice drawing attention to these facts should be displayed in the waiting room of the practice.

In the event that a security incident occurs as a result of the behaviour of an employee of the practice, it is important that a record exists of practice staff members having agreed to treat the personal data of patients as confidential information and to store patient information securely. All members of staff should therefore be required to sign a confidentiality agreement – a useful template may be found at Appendix H of the ICGP guidance document.

Another common issue for GPs to be aware of is the retention of paper files and records of patients, which are sometimes held in the practice for years or even decades after the last contact with the patient concerned. From a data protection perspective, it is crucial that patient records are stored in a secure location and are retained for no longer than is necessary. Access to patient records should be regulated to ensure that they are accessible only to the extent necessary to enable staff to perform their tasks for the proper functioning of the practice.

Paper files and records should be examined individually in order to determine whether they should be retained in the practice or disposed of – this will involve making a judgment call as to whether it is in the best interests of the patient that the record be kept or destroyed. In general, records of an adult patient should be retained for eight years after his or her last contact with the practice, records of a child patient should be retained until the child's 25th birthday, records of a maternity patient should be kept for 25 years after the birth of the last child, and records of deceased persons should be kept for eight years after death. Again, these are general guidelines only and the best interests of the patient must be considered in every case.

In relation to data security, it is important for the practice to be able to show that the security of the PCs and software systems which contain the sensitive personal data of patients is regularly checked and updated to ensure the data is protected from viruses, malware and unauthorised access. In the event of a data breach or security incident, the practice should be able to point to a record of having conducted regular checks and evaluations of the operating systems, data backups, anti-virus software and the controls in place over who has access to the data. Examples of data breaches in a medical practice might include sending emails or reports to the wrong patient, loss of equipment containing personal data, loss of medical records, etc.

In the event of a data breach, an assessment will need to be undertaken immediately as to whether the breach has resulted in a risk to the fundamental rights and freedoms of individuals – if so, the individual affected by the breach must be notified without undue delay and the Data Protection Commission must be notified within 72 hours. In the event that it cannot be clearly determined whether a risk to the fundamental rights and freedoms of a patient has occurred as a result of a breach, legal advice should be sought without delay.

Contracts entered into with data processors such as software vendors and HealthLink should be examined to ensure that they are in line with the requirements of the GDPR and that the personal data of patients identifiable from the use of these platforms is protected – where any concerns arise, legal advice should be sought in order to ensure the contracts are appropriate, or to draft new contracts where none are in place.

Originally published by BHSM, October 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.