The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

The Medical and Health Sector

The Data Protection Rules in Practice

The confidentiality of patient records forms part of the ancient Hippocratic oath, and is central to the ethical tradition of medicine and health care. This tradition of confidentiality is in line with the requirements of the Data Protection Acts 1988 & 2003, under which personal data must be obtained for a specified purpose, and must not be disclosed to any third party except in a manner compatible with that purpose.

Given the immense sensitivity of health-related information, it is imperative that professionals in this sector be clear about their use of personal data. The questions and answers set out below shed some light on the considerations for this sector. The issues raised in this section are dealt with in a general fashion. The Data Protection Commissioner recognises that it would be preferable for comprehensive and carefully thought-through guidelines to be designed by the appropriate representative bodies in this sector, by way of statutory codes of practice.

I am a general practitioner: can my locum access my patient records?

Yes. The Data Protection Commissioner's view is that making clinical patient records available to a locum doctor, so that the locum may provide medical care to patients, is compatible with the purpose for which the GP keeps the patient record.

Should my secretary or office manager be allowed access to my patient records?

Yes, although only to the extent necessary to enable the secretary or manager to perform their functions. Non-medical professionals should have no need to access clinical material or medical notes, as distinct from administrative details (such as patients' names and addresses). The patient is entitled to an assurance that their medical information will be treated on a need-to-know basis.

Do I need to obtain patients' explicit permission before storing their medical details?

As a general rule, no. The Commissioner's view is that the patient's consent for the storage and use of their personal data is implicit in the fact that they come to you, as a medical professional, for help. However, it is good practice to inform people that you will keep their details, and to inform them of what use will be made of their data. Section 2(b)(vii) allows for the processing of sensitive data for medical purposes by health professionals. In addition, you will need to obtain clear consent for some uses of personal data which might not be obvious to the patient (see below) or which are for a non-medical purpose.

Can I pass patient details on to another health professional for clinical purposes?

If you are passing patient data on to a person or body acting in an agency capacity for you - such as a clinical laboratory - then this is not a "disclosure" under the Data Protection Act, and the Commissioner does not insist on specific patient consent in such cases. However, you should inform the patient in advance that their data will be used in this way.

If you are passing the patient data to another health professional for guidance and advice on clinical issues, the patient data should be kept anonymous. If you wish to pass on the full patient data, including identifying details, you will need the consent of the patient in advance, except in cases of urgent need.

Can I pass patient data to the HSE or other bodies for administrative purposes?

You can pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data.

What if I need to disclose patient data, and I don't have the time to obtain consent?

If patient details are urgently needed to prevent injury or other damage to the health of a person, then you may disclose the details. Section 8(d) of the Acts makes special provision for such disclosures. However, if the reason for the disclosure is not urgent, then you will need to obtain consent in advance.


Can I use patient data for research or statistical purposes?

Ideally you should make patients aware in advance if you intend to use their data for your own research purposes. However, the Acts provide that such uses of personal data are permitted, even where the patient was not informed in advance, provided that no damage or distress is likely to be caused to the individual. More detailed guidance is available here. 

Can I disclose patient data to others for research or statistical purposes?

You may pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data. If you wish to pass on personal data, including identifying details, you will need to obtain patient consent in advance.

Cancer research and screening is an exception to this rule. Under the Health (Provision of Information) Act, 1997, any person may provide any personal information to the National Cancer Registry Board for the purpose of any of its functions; or to the Minister for Health or any body or agency for the purpose of compiling a list of people who may be invited to participate in a cancer screening programme which is authorised by the Minister.

If I may only disclose anonymised data for research purposes, how can the researchers avoid duplication of data in respect of the same individual?

Researchers who obtain anonymised patient data are sometimes faced with the problem that they may be dealing with two or more data-sets from the same individual, received from different sources. To address this problem, it may be permissible for a data controller (such as a doctor) to make available anonymous data together with a unique coding, which falls short of actually identifying the individual to the researcher. For example, a data controller might "code" a unique data-set using a patient's initials and date-of-birth. The essential point is that the researcher should not be in a position to associate the data-set with an identifiable individual.
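The coding approach described above, as an added example that is not part of the Commission's guidance: two data controllers derive the same linkage code from a patient's initials and date of birth, so a researcher can collapse duplicate data-sets from different sources, while the rows actually released carry no identifying details. The keyed HMAC, the shared key held by the controllers rather than the researcher, and the fictional patient records are assumptions introduced here; the page itself describes only an initials-plus-date-of-birth code.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample records held by two data controllers (fictional patients).
# "JM" born 1961-04-12 appears in both sources and should collapse to one code.
SOURCE_A = [
    {"initials": "JM", "dob": "1961-04-12", "reading": 5.2},
    {"initials": "AK", "dob": "1975-09-30", "reading": 6.1},
]
SOURCE_B = [
    {"initials": "JM", "dob": "1961-04-12", "reading": 5.4},
    {"initials": "RO", "dob": "1988-01-05", "reading": 4.9},
]

# Assumption: a key shared between the data controllers only; the researcher
# never receives it, so the code cannot be reversed to initials and date of birth.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def linkage_code(initials, dob, key):
    """Derive a unique code from initials and date of birth (the page's example),
    keyed so the same patient yields the same code at every controller."""
    material = f"{initials.upper()}|{dob}".encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()[:16]


def anonymise(records, key):
    """What a controller releases: the code and clinical values, no identifiers."""
    return [
        {"code": linkage_code(r["initials"], r["dob"], key), "reading": r["reading"]}
        for r in records
    ]


def merge_by_code(*datasets):
    """Researcher side: group readings by code, so duplicates are recognised
    without the researcher ever seeing who the individual is."""
    merged = defaultdict(list)
    for dataset in datasets:
        for row in dataset:
            merged[row["code"]].append(row["reading"])
    return dict(merged)


def run_demo():
    """Release both sources under the shared key and merge them."""
    return merge_by_code(anonymise(SOURCE_A, DEMO_KEY), anonymise(SOURCE_B, DEMO_KEY))
```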

Do I need to register with the Data Protection Commissioner?

If you keep personal details on computer relating to people's health or medical care, then yes, you do need to register. Registration is a straightforward process, intended to make your data-handling practices transparent.

Do my patients have a right to see their medical records?

Yes, they do. An individual is entitled to see a copy of any records which you keep relating to him or her on computer or on paper. This right of access is subject to a limited exemption in the case of health and medical records, and in the case of social worker records, where allowing access would be likely to damage the physical, mental or emotional well-being of the individual.

Some Case Studies relevant to the medical and health sector

The following Case Studies, which have appeared in Annual Reports of the Data Protection Commissioner over recent years, may be of some interest.

  • CASE STUDY 9/04 - Inadvertent disclosure of client data by the Midland Health Board to a research body
  • CASE STUDY 7/99 - debt collection service - acting on behalf of hospital - whether data had been "disclosed" for purposes of Data Protection Act - whether debt-collecting agency is entitled to build database of debtors
  • CASE STUDY 1/97 - hospital patient's data disclosed for research - data not obtained fairly for this purpose
  • CASE STUDY 6/96 - inadequate security - position of computer screen in public area
