01 22 34 500
Covering North East Wicklow, Dun Laoghaire (DL Doc) and East Doc Dublin
E Doc Services CLG Privacy Policy
This privacy statement sets out how E Doc Services uses and protects any information that you provide to us whether by phone, email, communications via our website, and in consultation with GPs, Nurses or call takers, or in writing.
1. Introduction
You are entitled by law to expect that we use your information only in relation to the services we provide; that the information we hold is accurate and held securely; and that it is kept only for as long as is necessary. The information we gather from you when you call and during your patient journey with our service is passed to your own GP following completion of your consultation on the phone and in person.
E Doc Services is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this privacy policy statement.
By using our services and not advising E Doc Services to the contrary, you consent to E Doc Services using the data in the way set out in this policy.
Information Type | How we use it / Purpose | Lawful Basis |
---|---|---|
Personal contact information including name, address, telephone number, age. | To process your call and respond to you in a way that gives you the best service possible, and to ensure the information we are collecting relates to you or the relevant patient party. | Explicit consent, article 9 GDPR |
Special category personal data – medical data – short medical history, medications, current medical query. Medical Record: Individual Health identifier, GMS number, date of birth, religion, sexual orientation, gender, family members, family history, contact details of next of kin, contact details of carers, vaccination details, medication details, allergy details, current and past medical and surgical history, genetic data, laboratory test results, imaging test results, near patient test results, ECGs, Ultrasound scan images, and other data required to provide medical care. | In order to provide safe and suitable medical advice and/or consultation necessary to provide patient care in General Practice. | Article 6.1(d): processing is necessary in order to protect the vital interests of the data subject or of another natural person; Special Categories are processed under the derogations in Articles 9.2(h) and 9.2(i). |
Account Details: record of billable services provided, patient name, address, contact details, billing and payment records for GMS and private patients. | Required for providing a service and billing. Also required for submission of reimbursement claims to the HSE Primary Care Reimbursement Service. | Article 6.1(c): processing is necessary for compliance with a legal obligation to which the controller is subject (Revenue, Medical and Legal Obligations), and Article 6.1(b) in relation to getting paid for providing a service to private patients. |
When you contact our service, you provide E Doc Services with personal information that allows us to respond to your request. This may include your name, gender, company, position, phone number, and email address, and personal sensitive medical information of your own or that of the person on whose behalf you are contacting us (typically a sick relative or close friend). We will only use the information you give us to respond to you in relation to the reason you contacted us. We will not share any of this information outside of the E Doc organisation; however, we will share your medical information and complete case files with your own GP, whom you will be asked to nominate when you contact us.
3. Categories of Recipients With Whom We Share Personal Data
These are broken down into four categories as shown in the table below: sharing data in relation to the provision of medical care, sharing data with data processors where a contract is required, sharing data under legal arrangements, and sharing data for public health purposes.
Categories of recipients | Description |
---|---|
Health and Social Care | Other GPs, Health Service Executive, Voluntary Hospitals, Private hospitals and clinics, private consultants, social workers, palliative care services, treatment centre nurses, triage nurse services, pharmacies, nursing homes, hospital laboratories, GP locums, your own GP, and other healthcare providers. |
Data processors, with a contract | Healthlink, GP practice software vendors, Nurse triage providers, online data backup companies. |
Legal arrangements | The coroner, Revenue, Social Protection, the Medical Council. |
Public Health | Infectious diseases notifications, influenza surveillance, national cancer registry and other national registries. |
Third parties with explicit patient consent | Solicitors, insurance companies, health insurance companies, banks. |
Recipients with whom we share personal data:
Healthcare is a community of trust. Each individual healthcare provider is subject to privacy and confidentiality ethics and rules overseen by their professional regulator, for example the Medical Council or the Nursing and Midwifery Board of Ireland. When a patient contacts our services, the medical notes relating to that contact (whether concluding with advice from one of our triage nurses or in a consultation with one of our GPs or centre nurses) will be sent to the patient’s own GP. This information will include all the data collected during the patient’s journey through our system (name, address, telephone number, age and presenting medical condition). The attending nurses’ and the attending GPs’ medical notes in terms of examination, diagnosis and treatment will be included in the information passed to the patient’s own GP. The company’s medical directors may also access patient information in relation to feedback from the attending GP, the patient themselves, or other medical personnel who may bring these case notes to their attention for investigation regarding the quality of the service provided or any other issue with regard to the consultation. In the course of the transmission of these notes, administrative staff may have access to the patient notes purely for the purposes of the transmission itself and are subject to the same rules of confidentiality as would the patient’s GP or other medical professional.
4. The transmission of personal data concerning health is part of the referral process and part of the practice of medicine. It does not need a separate signed patient consent form.
When sharing patient personal data with other data controllers in their own right, such as the HSE or Voluntary Hospitals, the responsibility for compliance with data protection regulations, including subject rights, falls to that party, for example, the Voluntary Hospital.
There is a requirement to have appropriate governance arrangements in place where each entity understands their respective responsibilities.
5. Time Limits
Personal data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
The retention periods for medical records are taken from the HSE “National Hospitals Office, Code of Practice for Healthcare Records Management”. These periods are also in line with the recommendations of Medical Indemnity Agencies and the Health Information and Quality Authority (HIQA).
6. Security measures in place by E Doc Services CLG
E Doc commissions regular information security audits to ensure that the appropriate measures are in place to secure patient data. These audits cover:
- Our operating systems and security patches.
- Our computer hardware.
- Our networks, including our Wi-Fi, firewalls and encryption software across all networks.
- Our anti-virus and anti-malware programs.
- Our data backup.
- Our access controls.
- Our appropriate use of the Internet policies.
7. Your individual rights
You have a right to access a copy of your patient medical record. This right is specified under article 15 of the GDPR. We undertake to answer your request and provide the information within 30 days of your request. There is no fee for providing a copy of your medical record. It is a requirement that such a request be made in writing by yourself or your legal guardian. Parents and legal guardians can make a request for the patient record of a child. However, once a child is capable of understanding the rights to privacy and data protection, the child should normally decide for themselves whether to request access to the data and make the request in their own name. This is not age-dependent.
8. Right to Erasure
Under article 17 of GDPR the right to erasure is not an absolute right and restrictions may apply. This would need to be examined on a case-by-case basis. This is governed by section 33 of the Guide to Professional Conduct and Ethics for Registered Medical Practitioners and by the Medical Council rules on keeping medical records; there is also a right to defend medical legal claims, under section 23.1 (G).
9. Right to Restriction of Processing
For the continuity of consistent and safe medical care the GP cannot lock or archive the medical record so that further processing of, or changes to, the record does not occur. Requests from patients to restrict processing should be in writing and signed.
10. Right to Data Portability
As a patient you are entitled to receive a copy of your medical record in a format that allows you to transmit the data to another healthcare provider or GP. This includes written or electronic format, where technically feasible, or a format that could be used by other GPs.
There are protocols in place for the transfer of medical records, including that the receiving practice must provide us with a patient consent form for the transfer of medical records. Ideally the records will be sent using a known secure conduit such as Healthmail or an alternative secure clinical email account.
11. Right to Object
Individuals have a right to object at any time to processing of personal data for direct marketing purposes, in which case the personal data shall no longer be processed for such purposes. Other objections must be dealt with on a case-by-case basis.
12. Personal Data Breach Handling
“Personal Data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Examples of typical data breaches are:
- Loss or theft of data or equipment on which data is stored;
- Loss or theft of documents/folders;
- Unforeseen circumstances such as a flood or fire which destroys information;
- Inappropriate access controls allowing unauthorised use;
- A hacking/cyber-attack (such as ransomware);
- Obtaining information from the Practice by deception;
- Misaddressing of e-mails/human error (sending a copy of a report to a wrong patient, a person not connected to E Doc or an unintended recipient).
Breaches also include the accidental loss of personal data (e.g. fire causing the loss of paper files). In addition, statistics indicate that most breaches are internal in nature and due to non-malicious user behaviour (e.g. loss of unencrypted laptop or USB, files etc.).
13. Notifying the Data Protection Commission
In the case of a personal data breach, E Doc shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Data Protection Commissioner, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
14. Notifying the Data Subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the E Doc Data controller will communicate the personal data breach to the data subject without undue delay. The notification will describe in clear and plain language the nature of the personal data breach and contain at least:
- The name and contact details of the data protection officer or other contact point where more information can be obtained;
- Description of the likely consequences of the personal data breach;
- Description of the measures taken or proposed to be taken by E Doc to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
15. Cookies
The E Doc Services website may use cookies to track repeat visitors for the purpose of examining aggregate behaviour on the web site. (Cookies are small files stored on your computer which allow pages to be personalised according to your preferences.)
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
16. IP Addresses
The E Doc Services Website logs IP addresses (the location of your computer on the Internet) for systems administration and troubleshooting. The sequence of pages visited may be used to improve the site structure and layout.
17. Mailings
E Doc Services may occasionally send you customer survey forms about the service we offer and your experience when using our services. If at any time you no longer wish to receive such mailings, you can opt out by contacting the Data Controller (details below).
18. Data Security
The Internet is not a secure medium and we cannot guarantee the security of data transmitted to our website. However, to prevent unauthorised access, maintain data accuracy and ensure the appropriate use of information, we have put in place procedures to protect the information we collect online.
19. Sharing Information
E Doc Services does not share the personal information it gathers with advertisers or other third parties not related to your specific medical cases. We will not release personal information about you as an individual to third parties, unless we are required to do so by law or we in good faith believe that such action is necessary to comply with the law.
20. External Sites
E Doc Services is not responsible for the content or the privacy policies of any websites to which it may link and cannot be responsible for the protection and privacy of any information which users have provided while visiting such websites.
We recommend that users exercise caution and read the privacy policy applicable to the website in question.
21. Requesting, Removing and Correcting Personal Information
If you believe that any information that E Doc Services holds about you is incorrect or incomplete, you should write to the Data Controller (details below). Any information which is found to be incorrect will be corrected or removed as soon as possible.
22. Changing this policy
E Doc Services may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective.
23. About this policy
If you have any queries about this policy, please contact the Data Controller (details below) before providing your information.
24. The Data Controller for E Doc is:
Mr Liam Quinn
Northdoc Medical Services CLG Trading as E Doc
Unit 211 The Capel Building,
St Mary’s Abbey
Dublin D07 DP44
Tel: +353 1 8378415
Email: Liam.Quinn@EDoc.ie
The Data Protection Principles
The following key principles are enshrined in the Irish legislation and are fundamental to E Doc’s Data Protection policy. In its capacity as Data Controller, E Doc ensures that all data shall:
1. be obtained and processed fairly and lawfully. For data to be obtained fairly, the data subject will, at the time the data are being collected, be made aware of:
- The identity of the Data Controller (E Doc)
- The purpose(s) for which the data is being collected
- The person(s) to whom the data may be disclosed by the Data Controller
- Any other information that is necessary so that the processing may be fair.
E Doc will meet this obligation in the following way.
- Where possible, the informed consent of the Data Subject will be sought before their data is processed;
- Where it is not possible to seek consent, E Doc will ensure that collection of the data is justified under one of the other lawful processing conditions – legal obligation, contractual necessity, etc.;
- Where E Doc intends to record activity on CCTV or video, a Fair Processing Notice will be posted in full view;
- Processing of the personal data will be carried out only as part of E Doc’s lawful activities, and E Doc will safeguard the rights and freedoms of the Data Subject;
- The Data Subject’s data will not be disclosed to a third party other than to a party contracted to E Doc and operating on its behalf.
2. be obtained only for one or more specified, legitimate purposes. E Doc will obtain data for purposes which are specific, lawful and clearly stated. A Data Subject will have the right to question the purpose(s) for which E Doc holds their data, and E Doc will be able to clearly state that purpose or purposes.
3. not be further processed in a manner incompatible with the specified purpose(s). Any use of the data by E Doc will be compatible with the purposes for which the data was acquired.
4. be kept safe and secure. E Doc will employ high standards of security in order to protect the personal data under its care. Appropriate security measures will be taken to protect against unauthorised access to, or alteration, destruction or disclosure of any personal data held by E Doc in its capacity as Data Controller. Access to and management of staff and customer records is limited to those staff members who have appropriate authorisation and password access.
5. be kept accurate, complete and up-to-date where necessary. E Doc will:
- ensure that administrative and IT validation processes are in place to conduct regular assessments of data accuracy;
- conduct periodic reviews and audits to ensure that relevant data is kept accurate and up-to-date. E Doc conducts a review of sample data every six months to ensure accuracy; staff contact details and details on next-of-kin are reviewed and updated every two years;
- conduct regular assessments in order to establish the need to keep certain Personal Data.
6. be adequate, relevant and not excessive in relation to the purpose(s) for which the data were collected and processed. E Doc will ensure that the data it processes in relation to Data Subjects are relevant to the purposes for which those data are collected. Data which are not relevant to such processing will not be acquired or maintained.
7. not be kept for longer than is necessary to satisfy the specified purpose(s). E Doc has identified an extensive matrix of data categories, with reference to the appropriate data retention period for each category. The matrix applies to data in both a manual and automated format. Once the respective retention period has elapsed, E Doc undertakes to destroy, erase or otherwise put this data beyond use.
8. be managed and stored in such a manner that, in the event a Data Subject submits a valid Subject Access Request seeking a copy of their Personal Data, this data can be readily retrieved and provided to them. E Doc has implemented a Subject Access Request procedure by which to manage such requests in an efficient and timely manner, within the timelines stipulated in the legislation.
Data Subject Access Requests
As part of the day-to-day operation of the organisation, E Doc’s staff engage in active and regular exchanges of information with Data Subjects. Where a formal request is submitted by a Data Subject in relation to the data held by E Doc, such a request gives rise to access rights in favour of the Data Subject. There are specific time-lines within which E Doc must respond to the Data Subject, depending on the nature and extent of the request. These are outlined in the attached Subject Access Request process document. E Doc’s staff will ensure that, where necessary, such requests are forwarded to the Data Protection Officer in a timely manner, and they are processed as quickly and efficiently as possible, but within not more than 40 days from receipt of the request.
Implementation
As a Data Controller, E Doc ensures that any entity which processes Personal Data on its behalf (a Data Processor) does so in a manner compliant with the Data Protection legislation. Failure of a Data Processor to manage E Doc’s data in a compliant manner will be viewed as a breach of contract, and will be pursued through the courts. Failure of E Doc’s staff to process Personal Data in compliance with this policy may result in disciplinary proceedings.
Definitions
For the avoidance of doubt, and for consistency in terminology, the following definitions will apply within this Policy.
Term | Definition |
---|---|
Data | This includes both automated and manual data. Automated data means data held on computer, or stored with the intention that it is processed on computer. Manual data means data that is processed as part of a relevant filing system, or which is stored with the intention that it forms part of a relevant filing system. |
Personal Data | Information which relates to a living individual, who can be identified either directly from that data, or indirectly in conjunction with other data which is likely to come into the legitimate possession of the Data Controller. (If in doubt, E Doc refers to the definition issued by the Article 29 Working Party, and updated from time to time.) |
Sensitive Personal Data | A particular category of Personal data, relating to: Racial or Ethnic Origin, Political Opinions, Religious, Ideological or Philosophical beliefs, Trade Union membership, Information relating to mental or physical health, information in relation to one’s Sexual Orientation, information in relation to commission of a crime and information relating to conviction for a criminal offence. |
Data Controller | A person or entity who, either alone or with others, controls the content and use of Personal Data by determining the purposes and means by which that Personal Data is processed. |
Data Subject | A living individual who is the subject of the Personal Data, i.e. to whom the data relates either directly or indirectly. |
Data Processor | A person or entity who processes Personal Data on behalf of a Data Controller on the basis of a formal, written contract, but who is not an employee of the Data Controller, processing such Data in the course of his/her employment. |
If you need medical advice from 6pm to 8am Monday to Friday or at any time (24 Hours) during weekends
please call 01 22 34 500