Data Protection & FOI


Data Protection

The Medical Council adheres to the Data Protection Act 2018 (available here) and the General Data Protection Regulation ((EU) 2016/679) ('GDPR') (available here).
The Medical Council is also subject to the Freedom of Information Act 2014. Please find further information here. 


The Medical Council and the General Data Protection Regulation (‘GDPR’)

The Law: A new European Union (‘EU’) wide regulation known as the General Data Protection Regulation (‘GDPR’) came into force across the EU on 25 May 2018. The accompanying Data Protection Act 2018 was signed into law in Ireland on 24 May 2018. This legislation replaced the previous data protection legal framework. Under Irish legislation, the Data Protection Commission (‘DPC’) (previously the Data Protection Commissioner) is responsible for supervising data protection in Ireland.

A Data Controller is anyone who keeps or processes information about living people, and may be an individual or a "legal person" such as a private company or public body. In the context of medical practitioners, examples of data controllers include private hospitals, public hospitals and General Practitioners.

The Medical Council as a data controller: The Medical Council is a data controller in relation to the personal information that it holds about registered medical practitioners, complainants, our employees and other parties as required, so that we can meet our responsibilities as outlined in the Medical Practitioners Act 2007. It is the Regulatory Body for registered Medical Practitioners in Ireland. It has a statutory role in protecting the public by promoting the highest professional standards amongst doctors practising in the Republic of Ireland, including publishing the Guide to Professional Conduct & Ethics for Registered Medical Practitioners. These are principles-based guidelines rather than a legal code.

What we can do: The Medical Council is not an advisory, representative or membership body. Our scope is explicitly determined by the Medical Practitioners Act 2007. We are not experts in data protection legislation or in how it may apply in your particular environment. We therefore cannot provide advice on specific data protection matters.

Regarding guidance for the health sector, the DPC “recognises that it would be preferable for comprehensive and carefully thought-through guidelines to be designed by the appropriate representative bodies in this sector, by way of statutory codes of practice.” We recommend that where appropriate you contact your representative body for advice on data protection.

The Medical Council will continue to provide guidelines within the Guide to Professional Conduct & Ethics for Registered Medical Practitioners. We will also maintain a webpage specifically related to Data Protection and Freedom of Information with published guidelines and resources that may be of assistance regarding any Data Protection or Freedom of Information matters.

Doctors working in a public body (such as a public hospital)
Identify your Data Protection Officer (‘DPO’): From 25 May 2018 all public bodies are required to have a Data Protection Officer (‘DPO’). Public bodies include public hospitals. If you are a doctor in a public hospital, the hospital is the data controller. Therefore please contact the DPO in your hospital with any specific data protection queries regarding your work. In addition, the HSE has published the following information on GDPR: https://www.hse.ie/eng/gdpr/gdpr-faq/. The HSE has also published an updated Data Protection Policy which is applicable to all HSE staff: https://www.hse.ie/eng/services/list/3/acutehospitals/hospitals/ulh/staff/resources/pppgs/dp/dp.html

Doctors employed by a private organisation (such as a private hospital)
If you are a doctor practising in a private hospital, the hospital is the data controller. Since 25 May 2018 all data controllers who carry out large-scale processing are required to have a DPO. The GDPR does not define large-scale processing; however, the DPC states that ‘processing of patient data in the regular course of business by a hospital’ is an example of large-scale processing. If your hospital does not have a DPO, we suggest that data protection issues are escalated to the appropriate person who deals with information governance in the hospital in which you work.

General practitioners (GPs)
If you are a GP and you are the Data Controller, please refer to the guidance published by the Irish College of General Practitioners, available here: https://www.icgp.ie/go/in_the_practice/data_protection

For further resources, please click here.

Data Protection for Registered Medical Practitioners

If you are a medical practitioner registered with the Medical Council, and wish to find out more about the main ways in which we may use your personal information, please read below.

Your Registration
In accordance with Section 56(1) of the Medical Practitioners Act 2007 (‘MPA’), the Council shall ensure that the register is published in the prescribed manner, and in accordance with Section 56(2) of the Act, residential addresses, telephone numbers, email addresses or similar details will not be published.

In order for the Council to assess an application for registration under Section 47(1)(f), the application is submitted to a medical Postgraduate Training Body approved under Section 89 of the MPA, which assesses it to determine eligibility for the Specialist Division.

Your Education & Training
The Medical Council may request information from relevant bodies in relation to doctors in training and/or doctors providing training for the purposes of basic and specialist medical education and training. This is to assist in our evaluation and ongoing monitoring of our accreditation and inspection activity in respect of Medical Schools, Clinical Sites and Postgraduate Training Bodies, pursuant to Part 10 of the MPA.

Your Professional Competence
In accordance with Section 91 of the MPA, the Medical Council may provide your Medical Council registration details to the Postgraduate Training Bodies or your employers to assist our monitoring of your maintenance of professional competence.

Communications
A number of times a year the Medical Council will send you an e-zine/email newsletter highlighting important and useful information relevant to the role of the Medical Council, patient safety, guidance, and other information relating to your role as a registered medical practitioner. This email newsletter will only contain relevant information and you will always have the opportunity to unsubscribe via the ‘unsubscribe’ option on the email.

Rights of data subjects

Data subjects have certain rights under the GDPR. One of these rights is to access any personal data that an organisation holds on them, subject to certain exemptions. If you wish to access your personal data, please complete the Subject Access Request form.

The GDPR provides the following rights for individuals:

The right of access

Individuals can submit subject access requests, which oblige organisations to provide a copy of any personal data concerning the individual. Organisations have one month to produce this information, although there are exceptions for requests that are manifestly unfounded, repetitive or excessive. If you wish to access your personal data, please complete the Subject Access Request Form.

The right to be informed

Organisations need to tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties. This information must be communicated concisely and in plain language.

The right to rectification

If the individual discovers that the information an organisation holds on them is inaccurate or incomplete, they can request that it be updated. As with the right to access, organisations have one month to do this, and the same exceptions apply.

The right to erasure (also known as ‘the right to be forgotten’)

Individuals can request that organisations erase their data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed or it no longer meets the lawful ground for which it was collected. This includes instances where the individual withdraws consent.

The right to restrict processing

Individuals can request that organisations limit the way they use personal data. It is an alternative to requesting the erasure of data, and might be used when the individual contests the accuracy of their personal data, or when the individual no longer needs the information but the organisation requires it to establish, exercise or defend a legal claim.

The right to data portability

Individuals are permitted to obtain and reuse their personal data for their own purposes across different services. This right only applies to personal data that an individual has provided to data controllers by way of a contract or consent.

The right to object

Individuals can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task carried out in the public interest or in the exercise of official authority. Organisations must stop processing the information unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or unless the processing is for the establishment, exercise or defence of legal claims.

The GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals. There are strict rules about this kind of processing, and individuals are permitted to challenge it and request a review of the processing if they believe the rules are not being followed.

Data Protection and Freedom of Information

The right of access to information under data protection legislation and under freedom of information legislation is similar; however, data protection legislation does not apply to the records of deceased individuals. Under data protection legislation you may request your own personal data, whereas under freedom of information legislation you may request information other than your own personal data. Exemptions are provided for under both sets of legislation, so there are circumstances in which information may not be released, but the reasons for not releasing information will be outlined in our response to you.

For more information on the differences between Freedom of Information and Data Protection, please click here.

Information on Freedom of Information is available here.

Personal data

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.