The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission
Referral of medical consultant's clinical notes for review without his or the patients' consent

The issue of access to medical records was addressed by the Commissioner in his Annual Report for 2003 in the following terms:

A medical consultant complained that a health board had sent the clinical notes of five of his patients to a risk management group in England in March, 2000. His consent was not obtained for the release of his patients' personal information while it also appeared that patient consent was not obtained.

On inquiry by my Office the health board stated that following the appointment of a temporary consultant in his place, concerns were brought to the attention of the General Manager of the Hospital, who in the interests of care to patients requested an independent assessment of the concerns raised. The Health Board requested the assistance of an English healthcare risk management group in relation to a review of the patients' treatment specifically in the area of internal medicine and cardiology and to advise if the concerns were justified. The board also stated that the patients' consent was not requested as it was an assessment considered necessary in relation to the concerns raised, and that legal and medical advice was obtained in relation to the matter. The patient charts were treated in a confidential and a sensitive way, with circulation restricted. The outcome of the assessment was that the concerns raised were not significant in relation to the treatment and care of the patients.

In a case such as this when concerns, with implications for the health and welfare of patients, were brought to its attention, the Board had a duty to fully establish all of the facts using whatever expert resources were necessary and indeed in a speedy and urgent manner. Having regard to the public health issues involved, I considered that the Board was justified in making the disclosures, in order to have the risk assessment carried out and did not breach the Data Protection Acts.

In this case and indeed for patients in acute public hospitals it has to be recognised that the health board or the hospital is the data controller and not the consultant. However where a consultant has private patients then he/she becomes the controller if he/she is treating them in a private hospital or in his/her private rooms.