Northdoc Services CLG Privacy Policy

This privacy statement sets out how Northdoc Services uses and protects any information that you provide to us, whether by phone, by email, through communications via our website, in consultation with GPs, nurses or call takers, or in writing.

  1. Introduction

You are entitled by law to expect that we only use your information in relation to the services we provide; that the information we hold is accurate and held securely; and that it is kept only for as long as is necessary. The information we gather from you when you call and during your patient journey with our service is passed to your own GP following completion of your consultation on the phone and in person.

Northdoc Services is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this privacy policy statement.

By using our services and not advising Northdoc Services to the contrary, you consent to Northdoc Services using the data in the way set out in this policy.


When you contact our service, you provide Northdoc Services with personal information that allows us to respond to your request. This may include your name, gender, company, position, phone number and email address, and personal sensitive medical information of your own or that of the person on whose behalf you are contacting us (typically a sick relative or close friend). We will only use the information you give us to respond to you in relation to the reason you contacted us. We will not share any of this information outside of the Northdoc organisation; however, we will share your medical information and complete case files with your own GP, whom you will be asked to nominate when you contact us.

  1. Categories of Recipients With Whom We Share Personal Data

These are broken down into four categories as shown in the table below: sharing data in relation to the provision of medical care, sharing data with data processors where a contract is required, sharing data under legal arrangements, and sharing data for public health purposes.

Recipients with whom we share personal data:

Healthcare is a community of trust. Each individual healthcare provider is subject to privacy and confidentiality ethics and rules overseen by their professional regulator, for example the Medical Council or the Nursing and Midwifery Board of Ireland. When a patient contacts our services, the medical notes relating to that contact (whether concluding with advice from one of our triage nurses or in a consultation with one of our GPs or centre nurses) will be sent to the patient’s own GP. This information will include all the data collected during the patient’s journey through our system (name, address and telephone number, age and presenting medical condition). The attending nurse’s and the attending GP’s medical notes in terms of examination, diagnosis and treatment will be included in the information passed to the patient’s own GP. The company’s medical directors may also access patient information in relation to feedback from the attending GP, the patient themselves, or other medical personnel who may bring these case notes to their attention for investigation regarding the quality of the service provided or any other issue with regard to the consultation. In the course of the transmission of these notes, administrative staff may have access to the patient notes purely for the purposes of the transmission itself and are subject to the same rules of confidentiality as would the patient’s GP or other medical professional.

  1. The transmission of personal data concerning health is part of the referral process and part of the practice of medicine. It does not need a separate signed patient consent form.

When sharing patient personal data with other data controllers in their own right, such as the HSE or Voluntary Hospitals, the responsibility for compliance with data protection regulations, including subject rights, falls to that party, for example, the Voluntary Hospital.

There is a requirement to have appropriate governance arrangements in place where each entity understands their respective responsibilities.

  1. Time Limits

Personal data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

The retention periods for medical records are taken from the HSE ‘National Hospitals Office, Code of Practice for Healthcare Records Management’. These periods are also in line with the recommendations of Medical Indemnity Agencies and the Health Information and Quality Authority (HIQA).

  1. Security measures in place by Northdoc Services CLG

Northdoc commissions regular information security audits to ensure that the appropriate measures are in place to secure patient data. These audits cover:

  • Our operating systems and security patches.
  • Our computer hardware.
  • Our networks, including our Wi-Fi, firewalls and encryption software across all networks.
  • Our anti-virus and anti-malware programs.
  • Our data backup.
  • Access controls.
  • Our appropriate use of the Internet policies.

  1. Your individual rights

You have a right to access a copy of your patient medical record. This right is specified under Article 15 of the GDPR. We undertake to answer your request and provide the information within 30 days of your request. There is no fee for providing a copy of your medical record. It is a requirement that such a request be made in writing by yourself or your legal guardian. Parents and legal guardians can make a request for the patient record of a child. However, once a child is capable of understanding the rights to privacy and data protection, the child should normally decide for themselves whether to request access to the data and make the request in their own name. This is not age-dependent.

  1. Right to Erasure

Under Article 17 of the GDPR, the right to erasure is not an absolute right and restrictions may apply. This would need to be examined on a case-by-case basis. This is governed under section 33 of the Guide to Professional Conduct and Ethics for Registered Medical Practitioners and in the Medical Council rules to keep medical records. There is also a right to defend medical legal claims, under section 23.1 (G).

  1. Right to Restriction of Processing

For the continuity of consistent and safe medical care, the GP cannot lock or archive the medical record so that further processing of, or changes to, the record do not occur. Requests from patients to restrict processing should be in writing and signed.

  1. Right to Data Portability

As a patient, you are entitled to receive a copy of your medical record in a format that allows you to transmit the data to another healthcare provider or GP. This includes written or electronic format where technically feasible, or a format that could be used by other GPs.

There are protocols in place for the transfer of medical records including that the receiving practice must provide us with a patient consent form for the transfer of medical records. Ideally the records will be sent using a known secure conduit such as health mail or an alternative secure clinical email account.

  1. Right to Object

Individuals have a right to object at any time to processing of personal data for direct marketing purposes, in which case the personal data shall no longer be processed for such purposes. Other objections must be dealt with on a case-by-case basis.

  1. Personal Data Breach Handling

“Personal Data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Examples of typical data breaches are:

  • Loss or theft of data or equipment on which data is stored;
  • Loss or theft of documents/folders;
  • Unforeseen circumstances such as a flood or fire which destroys information;
  • Inappropriate access controls allowing unauthorised use;
  • A hacking/cyber-attack (such as ransomware);
  • Obtaining information from the Practice by deception;
  • Misaddressing of e-mails/human error (sending a copy of a report to a wrong patient or person not connected to Northdoc or an unintended recipient).

Breaches also include the accidental loss of personal data (e.g. fire causing the loss of paper files). In addition, statistics indicate that most breaches are internal in nature and due to non-malicious user behaviour (e.g. loss of unencrypted laptop or USB, files etc.).

  1. Notifying the Data Protection Commission

In the case of a personal data breach, Northdoc shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Data Protection Commissioner, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

  1. Notifying the Data Subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Northdoc Data Controller will communicate the personal data breach to the data subject without undue delay. The notification will describe in clear and plain language the nature of the personal data breach and contain at least:

  • The name and contact details of the data protection officer or other contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach;
  • A description of the measures taken or proposed to be taken by Northdoc to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

  1. Cookies

The Northdoc Services website may use cookies to track repeat visitors for the purpose of examining aggregate behaviour on the website. (Cookies are small files stored on your computer which allow pages to be personalised according to your preferences.)

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

  1. IP Addresses

The Northdoc Services Website logs IP addresses (the location of your computer on the Internet) for systems administration and troubleshooting. The sequence of pages visited may be used to improve the site structure and layout.

  1. Mailings

Northdoc Services may occasionally send you customer survey forms about the service we offer and your experience when using our services. If at any time you no longer wish to receive such mailings, you can opt out by contacting the Data Controller (details below).

  1. Data Security

The Internet is not a secure medium and we cannot guarantee the security of data transmitted to our website. However, to prevent unauthorised access, maintain data accuracy and ensure the appropriate use of information, we have put in place procedures to protect the information we collect online.

  1. Sharing Information

Northdoc Services does not share the personal information it gathers with advertisers or other third parties not related to your specific medical cases. We will not release personal information about you as an individual to third parties, unless we are required to do so by law or we in good faith believe that such action is necessary to comply with the law.

  1. External Sites

Northdoc Services is not responsible for the content or the privacy policies of any websites to which it may link and cannot be responsible for the protection and privacy of any information which users have provided while visiting such websites.

We recommend that users exercise caution and read the privacy policy applicable to the website in question.

  1. Requesting, Removing and Correcting Personal Information

If you believe that any information that Northdoc Services holds about you is incorrect or incomplete, you should write to the Data Controller (details below). Any information which is found to be incorrect will be corrected or removed as soon as possible.

  1. Changing this policy

Northdoc Services may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective.

  1. About this policy

If you have any queries about this policy, please contact the Data Protection Officer (details below) before providing your information.

  1. The Data Protection Officer for Northdoc Medical Services CLG is:

Mr Liam Quinn

Northdoc Services CLG

Unit 211 The Capel Building,

St Mary’s Abbey

Dublin D07 DP44

Tel: +353 1 8378415


The Data Protection Principles

The following key principles are enshrined in the Irish legislation and are fundamental to Northdoc’s Data Protection policy.

In its capacity as Data Controller, Northdoc ensures that all data shall:

  1. … be obtained and processed fairly and lawfully.

For data to be obtained fairly, the data subject will, at the time the data are being collected, be made aware of:

  • The identity of the Data Controller (Northdoc)
  • The purpose(s) for which the data is being collected
  • The person(s) to whom the data may be disclosed by the Data Controller
  • Any other information that is necessary so that the processing may be fair.

Northdoc will meet this obligation in the following way.

  • Where possible, the informed consent of the Data Subject will be sought before their data is processed;
  • Where it is not possible to seek consent, Northdoc will ensure that collection of the data is justified under one of the other lawful processing conditions – legal obligation, contractual necessity, etc.;
  • Where Northdoc intends to record activity on CCTV or video, a Fair Processing Notice will be posted in full view;
  • Processing of the personal data will be carried out only as part of Northdoc’s lawful activities, and Northdoc will safeguard the rights and freedoms of the Data Subject;
  • The Data Subject’s data will not be disclosed to a third party other than to a party contracted to Northdoc and operating on its behalf.

  1. … be obtained only for one or more specified, legitimate purposes.

Northdoc will obtain data for purposes which are specific, lawful and clearly stated. A Data Subject will have the right to question the purpose(s) for which Northdoc holds their data, and Northdoc will be able to clearly state that purpose or purposes.

  1. … not be further processed in a manner incompatible with the specified purpose(s).

Any use of the data by Northdoc will be compatible with the purposes for which the data was acquired.

  1. … be kept safe and secure.

Northdoc will employ high standards of security in order to protect the personal data under its care. Appropriate security measures will be taken to protect against unauthorised access to, or alteration, destruction or disclosure of any personal data held by Northdoc in its capacity as Data Controller.

Access to and management of staff and customer records is limited to those staff members who have appropriate authorisation and password access.

  1. … be kept accurate, complete and up-to-date where necessary.

Northdoc will:

  • ensure that administrative and IT validation processes are in place to conduct regular assessments of data accuracy;
  • conduct periodic reviews and audits to ensure that relevant data is kept accurate and up-to-date. Northdoc conducts a review of sample data every six months to ensure accuracy; staff contact details and details on next-of-kin are reviewed and updated every two years;
  • conduct regular assessments in order to establish the need to keep certain Personal Data.

  1. … be adequate, relevant and not excessive in relation to the purpose(s) for which the data were collected and processed.

Northdoc will ensure that the data it processes in relation to Data Subjects are relevant to the purposes for which those data are collected. Data which are not relevant to such processing will not be acquired or maintained.

  1. … not be kept for longer than is necessary to satisfy the specified purpose(s).

Northdoc has identified an extensive matrix of data categories, with reference to the appropriate data retention period for each category. The matrix applies to data in both a manual and automated format.

Once the respective retention period has elapsed, Northdoc undertakes to destroy, erase or otherwise put this data beyond use.

  1. … be managed and stored in such a manner that, in the event a Data Subject submits a valid Subject Access Request seeking a copy of their Personal Data, this data can be readily retrieved and provided to them.

Northdoc has implemented a Subject Access Request procedure by which to manage such requests in an efficient and timely manner, within the timelines stipulated in the legislation.

Data Subject Access Requests

As part of the day-to-day operation of the organisation, Northdoc’s staff engage in active and regular exchanges of information with Data Subjects. Where a formal request is submitted by a Data Subject in relation to the data held by Northdoc, such a request gives rise to access rights in favour of the Data Subject.

There are specific timelines within which Northdoc must respond to the Data Subject, depending on the nature and extent of the request. These are outlined in the attached Subject Access Request process document.

Northdoc’s staff will ensure that, where necessary, such requests are forwarded to the Data Protection Officer in a timely manner, and they are processed as quickly and efficiently as possible, but within not more than 40 days from receipt of the request.


As a Data Controller, Northdoc ensures that any entity which processes Personal Data on its behalf (a Data Processor) does so in a manner compliant with the Data Protection legislation.

Failure of a Data Processor to manage Northdoc’s data in a compliant manner will be viewed as a breach of contract, and will be pursued through the courts.

Failure of Northdoc’s staff to process Personal Data in compliance with this policy may result in disciplinary proceedings.


For the avoidance of doubt, and for consistency in terminology, the following definitions will apply within this Policy:

  • Data: This includes both automated and manual data. Automated data means data held on computer, or stored with the intention that it is processed on computer. Manual data means data that is processed as part of a relevant filing system, or which is stored with the intention that it forms part of a relevant filing system.
  • Personal Data: Information which relates to a living individual, who can be identified either directly from that data, or indirectly in conjunction with other data which is likely to come into the legitimate possession of the Data Controller. (If in doubt, Northdoc refers to the definition issued by the Article 29 Working Party, and updated from time to time.)
  • Sensitive Personal Data: A particular category of Personal Data, relating to: racial or ethnic origin, political opinions, religious, ideological or philosophical beliefs, trade union membership, information relating to mental or physical health, information in relation to one’s sexual orientation, information in relation to commission of a crime and information relating to conviction for a criminal offence.
  • Data Controller: A person or entity who, either alone or with others, controls the content and use of Personal Data by determining the purposes and means by which that Personal Data is processed.
  • Data Subject: A living individual who is the subject of the Personal Data, i.e. to whom the data relates either directly or indirectly.
  • Data Processor: A person or entity who processes Personal Data on behalf of a Data Controller on the basis of a formal, written contract, but who is not an employee of the Data Controller, processing such Data in the course of his/her employment.
  • Data Protection Officer: A person appointed by Northdoc to monitor compliance with the appropriate Data Protection legislation, to deal with Subject Access Requests, and to respond to Data Protection queries from staff members and service recipients.
  • Relevant Filing System: Any set of information in relation to living individuals which is not processed by means of equipment operating automatically (computers), and that is structured, either by reference to individuals, or by reference to criteria relating to individuals, in such a manner that specific information relating to an individual is readily retrievable.

Updated August 9th 2021