OccDoc

OccDoc is committed to best practice compliance with the Data Protection Acts 1988-2018 including General Data Protection Regulations (GDPR) 2018. It is important that you know exactly what we do with the information you provide to us, why we gather it and what it means to you. Please take the time to read this notice carefully. If you have any questions about how we use your information, please contact us.

By engaging with our services or visiting the OccDoc.ie website, you are accepting the terms of this Data Protection and Privacy Policy. We are not responsible for the content or the privacy policies of external websites. If you are not satisfied with the terms of this policy, you should discontinue use of this website and inform the team at OccDoc immediately, as this may affect how we engage with you as an individual and/or the provision of our services. Our Data Protection Officer is John Crowley, who can be contacted at admin@YourDoctor.ie.

Any personal data that you volunteer to us, if retained, will be held on our secure server within the EU. We do not guarantee or warrant the security of any information you transmit to us via the Internet. No data transmission over the Internet can be guaranteed to be 100% secure. We take all reasonable steps to protect your personal data as per best practice.

Purpose for processing your data:

It is not possible to undertake medical care without collecting and processing personal data and data concerning health. In fact, to do so would be in breach of the Medical Council’s ‘Guide to Professional Conduct and Ethics for Doctors’. As per GDPR, it is necessary to have a lawful basis for the processing of data. The legal basis for processing of data by doctors is provided by the following articles in GDPR: Article 6.1(c), 6.1(d), 6.1(e) and Article 9.2(h) and 9.2(i). The relevant sections of Articles 6 and 9 are set out below:

  • Article 6.1(c) in relation to the lawfulness of processing states: ‘processing is necessary for compliance with a legal obligation’, for example for accounts and reimbursement claims.
  • Article 6.1(d) in relation to the lawfulness of processing, states: ‘processing is necessary in order to protect the vital interests of the data subject or of another natural person’.
  • Article 6.1(e) in relation to the lawfulness of processing, states: ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’. This includes the use of PPS numbers by GPs.
  • Article 9.2(h) in relation to the processing of special categories of personal data, states: ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3’;
  • Paragraph 3 relates to the processing of data concerning health by medical practitioners subject to professional confidentiality under the regulation of the Irish Medical Council.
  • Article 9.2(i) relates to processing necessary for reasons of public health.
  • Section 45 of the Bill: processing data concerning health for the purpose of an insurance policy, health insurance and/or occupational pension.

Article 6 and Article 9 need to work in conjunction with one another. For instance, a doctor will rely upon a combination of Article 6 to process non-sensitive data and Article 9 conditions to process special categories of data.

What information do we collect about you?

When you attend the practice for an occupational health consultation, or if your company has sent you to us for a pre-employment medical, management referral, health surveillance, pensions or insurance, we collect the personal details and special category/sensitive information: (i) you have given us; (ii) information provided to us by third parties with your prior informed consent.

Website

Each time you visit OccDoc.ie, we may collect personal information, which is personal or particular to a specific visitor. The information is collected by specific request so you will be fully aware when you are providing this information to us. OccDoc cannot guarantee the security of your personal information transmitted to our website. Transmission of your personal information is at your own risk. Once we receive your personal information, we will use appropriate security measures to seek to prevent unauthorised access or disclosure. 

OccDoc does not gather statistical and analytical information collected on an aggregate basis of all visitors to our website. This non-personal data comprises information that cannot be used to identify or contact you.

OccDoc reserves the right to amend this policy at any time, at its discretion. You are encouraged to review this policy from time to time. We will notify you of any changes to this policy when we are required to do so. 

Categories of information: Special category / Sensitive information includes data concerning health, including lifestyle information, which may include details about religion, marital status, family status and medical information such as relevant medical history, diagnostic information, test results, imaging, or medical photography. In this policy, any reference to personal data includes sensitive data.

How we use your information

OccDoc are controllers of the data concerning health that we utilise to manage patient care. We process the information in the practice, using the practice software system, and share the patient’s personal data and data concerning health with recipients such as hospitals and/or consultants, with your consent. The hospitals and consultants with whom OccDoc shares patient data concerning health are also data controllers.

We only share relevant (in terms of fitness to work) data we collect about you with your Employer or prospective Employer. This will include routine health surveillance information including routine testing and reports and our opinion regarding your fitness for work, potential work and/or meetings.

Means of data collection include:

  • The employee completing on-line registration with OccDoc and completion of online assessment forms
  • The employer completing on-line registration with OccDoc and completion of online employee referral forms
  • Email from either the employer or employee to admin@YourDoctor.ie
  • Posting of any referral forms by the employee or employer
  • Correspondence from your treating doctor to OccDoc is recorded in your medical file.

We use and share your data for the following: 

  • For the purpose of occupational medicine, for the assessment of the working capacity of the employee on a fitness to work or review basis and pre-employment medicals.
  • Processing is necessary for the purpose of carrying out obligations or rights of the data controller or the data subject in the field of employment law. 
  • Defend or bring legal claims and address any complaints regarding our services. 
  • Help us to understand trends within the employment sector.
  • There are specific processing conditions where consent is required, particularly when disclosing personal data to recipients unrelated to the provision of medical or social care. Occupational health need to obtain explicit consent for these disclosures, for example sharing with Insurance Companies or Solicitors or Employers, and for other purposes which might not be obvious to the patient. Occupational health must be able to demonstrate that the data subject has consented to this processing, and this consent must be informed, freely given, and provided in a clear and transparent manner. Specifically, where the lawfulness of processing requires explicit consent, there shall be procedures for collecting this consent. The Occupational Health Provider must also monitor all requests for removal or withdrawals of consent, document such requests in the patient record and ensure that all removals are completed without undue delay.

When providing services to you, we may share your information with:

  • Authorised representatives, such as your Human Resource Department.
  • Third parties with whom you have consented to us sharing your information, i.e. your GP or onward referrals such as a specialist or for an x-ray.
  • Service providers who provide us with support services.
  • Statutory and regulatory bodies.
  • Healthcare and medical consultants.
  • Laboratories when it is necessary and appropriate for your treatment and care.

When our services are engaged by you, where no service level agreement or ongoing contractual relationship exists, i.e. when we control and process your data in the course of providing a report or occupational medical advice requested by you or a third party acting on your behalf, we are the Data Controller and we will be happy to provide you with a copy of your information upon request in compliance with your rights under Data Protection Law.

Retention of medical records

The retention duration of medical records varies according to the type of medical information in question. We will retain your medical records on an ongoing basis, and we will delete your personal data once it is no longer required for these purposes. The retention periods for medical records are taken from the HSE ‘National Hospitals Office, Code of Practice for Healthcare Records Management’. These periods are also in line with the recommendations of Medical Indemnity Agencies and the Health Information and Quality Authority (HIQA).

Retention periods are as follows:

  • Management referral information will be held for 7 years after the cessation of employment (if notification of your perspective employer) or 7 years after last entry or from last entry.
  • Medical Records associated with Health Surveillance will be held for 7 years after the cessation of employment (if notification of your perspective employer) or 7 years after last entry or from last entry.
  • Audiograms and related medical records will be held for 15 years after the cessation of employment (if notification of your perspective employer) or 15 years after last entry or from last entry.
  • Pre-placement medicals will be discarded after 1 year if the employee doesn’t take up the offer of the job (on notification of your prospective employer). If the job is taken up it will be treated with the management referral information and retained for the same length of time.
  • 10-40 years in relation to Health Surveillance Records as required by the Health and Safety Authority (HSA) or up to 75th Birthday.
  • Financial records are held for 7 years.

What are your rights relating to personal data?

You are entitled to provide Access Requests for Medical Reports in writing. These will then be provided by OccDoc.

Right to Access

Under Article 15 of GDPR, the patient has a right to access a copy of their medical record. The request or authorisation form to satisfy these individual rights should be in writing or by email and should be signed by the Data Subject or legal guardian. The right to access may be restricted, as per Section 60 (5) of the Data Protection Act 2018, if the disclosure of the record to the patient ‘would be likely to cause serious harm to the physical or mental health of the data subject’. In any situation where access is denied, the doctor must advise the patient of the reason invoked for the restriction either at the time access is denied or as soon as is advisable thereafter. In addition, only the part of the medical record likely to cause harm can be withheld; the rest of the medical record should be released in the usual way. The patient has a right to appeal the restriction to the Data Protection Commissioner.

Right to Rectification

Under Article 16 of GDPR, the patient has the right to obtain rectification of patient data which is factually inaccurate. However, this is not an unqualified right and depends on the circumstances of each case (reference Irish Data Protection Commissioner case study 1 of 2007). A relevant dispute resolution may be addressed by the addition of a supplementary statement in the patient record. Inaccurate patient data should be noted as such.

Right to Erasure

Article 17 of GDPR deals with the right to erasure. Because the GP has a requirement (Section 33 of Guide to Professional Conduct and Ethics for Registered Medical Practitioners, 8th Edition 2016) under Medical Council rules to keep medical records and also has a right to defend medico-legal claims, under Article 23.1(g) the right to erasure of medical records is not an absolute right and restrictions may apply. This would need to be examined on a case-by-case basis.

Right to Restriction of Processing

Article 18 of GDPR deals with the right to restriction of processing.

Right to Data Portability

The right to data portability, under Article 20 of GDPR, relates to circumstances where the processing is based on consent or a contract. The patient is entitled to receive a copy of their medical record in a format that allows them to transmit the data to another health care provider. GPs should facilitate patients moving to another practice by providing their medical record in an electronic format where technically feasible or in a format which could be used by other health care providers. The protocol for transfer of medical records is for the receiving provider to provide a signed patient consent form for the transfer of medical records from the original or sending practice. The records should be transferred securely, for example using Healthmail, secure clinical email.

Right to Object

Individuals have a right to object at any time to processing of personal data.

Automated Individual Decision-making, Including Profiling

OccDoc do not base decisions solely on automated processing, and the point of view of the patient is central to any decision making in the provision of medical care.

How to contact us or relevant authority

If you wish to exercise any rights set out above, make a complaint or have further enquiries, please contact us at:

John Crowley
Data Protection Officer
OccDoc
Salutem Clinic,
Barnagore,
Ovens,
Co. Cork,
P31 XD54

If you wish to contact the supervisory authority in relation to data protection, please visit the Data Protection Commission’s website at www.dataprotection.ie