Data Protection Commissioner

[text version]
Applying for Registration under the Data Protection Acts 1988 and 2003 - Guidance Notes for Doctors

Section 16 of the Data Protection Act, 1988, requires persons to register with the Office of the Data Protection Commissioner if they record details on computer relating to the physical or mental health of identifiable individuals. Most doctors are covered under this category, to the extent that they record their patients' medical details on computer. Any doctor who does not keep such computer records would not be required to register.

Registration is a simple, inexpensive and straightforward process, which has the effect of putting into the public domain some general information about the types of personal data which you process, and your purposes for doing so. You should be aware that processing personal data in ways inconsistent with your register entry may  involve the commission of an offence. Failure to register, if required to do so, is also an offence.

LINK»  more details about registering with the Commissioner
  more about offences and penalties under the Data Protection Act

Completing the Registration Application Form

Although the registration application form is largely self-explanatory, the following notes indicate the level of detail, of particular relevance to doctors, that is required to enable your application to be speedily processed. Please note that the suggested answers to particular sections of the form are provided for illustrative purposes only, and you will need to amend and/or supplement them to fit the particular circumstances of your practice.

You should also note that not all of the details which you provide in your application form will be made publicly available as part of the public register. Only the responses to section 1 to 6 (inclusive) form part of the public register; the other details are required for the purposes of the Office of the Data Protection Commissioner, and will be treated as confidential. For clarity, each section below includes an indication of whether the information under that section forms part of the public register.

LINK»  click here to download a registration form in PDF format or click here to apply on-line


Section 1: Name & Address - This information forms part of the public register

You should give the name of the practice or person carrying on business. In the case 
of a partnership, you should list each of the partners.

Note: You must keep this Office informed of any change of address. Failure to do so is an offence under section 19 of the Acts.


Section 2: Contact Person - This information forms part of the public register

You should identify the person to whom members of the public may address any applications for access to their personal data under section 4 of the Acts. It is sufficient to identify the contact person by title or position, e.g. 'Doctor, practice manager, secretary', if you wish.

LINK»  more about dealing with access requests


Section 3: Purpose(s) - This information forms part of the public register

Usually the purpose might be described as, 'Provision of medical care and advice'. This may be expanded on if you specialise in a particular area of medicine.

The requirement to set out publicly your purpose for holding personal data makes an important contribution towards meeting your requirement under section 2 of the Data Protection Acts to keep and use personal data 'only for one or more specified and lawful purposes'. This is a requirement which applies to all data controllers, not just those who are obliged to register.

Note: Keeping or using personal data for a purpose, other than the purpose or purposes described in the entry, may involve an offence under section 19 of the Act.

LINK»  more about the requirement to keep data for a specified and lawful purpose

Section 4: Description - This information forms part of the public register

This section is divided into 'Applications' and 'Description of Personal Data'. You are 
required to identify the various applications, i.e. distinct areas or aspects of your work, for which personal data are held and to detail the types of personal data kept in respect of each such application.

Personal data held for applications which are ancillary to your primary purpose, such 
as personnel and payroll data, should be recorded as separate applications.

Example: The following illustrative examples indicate how some of the applications of personal data might be listed for a doctor -

 

Application:

Description of Personal Data:

(a) Patient records

 

(b) Appointments system

(c) Accounts records

Name, address, contact details, date of birth, occupation, religion, gender, PPS number, medical card number, GMS number, name and contact details of next of kin, vaccination details, medication details, allergy details, patient and family medical history.

Name, time and date of appointment.

Name, address, contact details, billing/payment records.

(d) Staff records ( personnel/payroll)

Name, home address, home contact details, date of birth, absence records, personnel/payroll number, PPS number, salary and pension details, annual and sick leave records, details of next of kin, current and previous employment records, CV/qualifications, bank details.

Note: Keeping personal data of any description other than that specified in the register entry may involve an offence under section 19 of the Acts.


Section 5: Disclosures - This information forms part of the public register

Section 2 of the Acts requires inter alia that any disclosure of the data must be compatible with your specified purpose (as stated in section 3 above) for holding the data. You should list in this section any third parties to whom you make such disclosures. You should also note that the inclusion of a particular disclosee in your registration does not, of itself, make disclosures to that person legitimate.

You do not need to include transfers of personal data to your employees or agents, to the extent that such transfers are necessary to enable them to carry out their duties. Such transfers do not fall within the definition of 'disclosures' under the Acts. Similarly, you do not need to list disclosures which are permitted under section 8 of the Acts, including disclosures which are:

  • made to the data subject himself or herself, or to a person acting on 
    his/her behalf

  • made with the consent of the data subject

  • required by or under any enactment or rule of law or court order

  • required urgently to protect someone's health or property

  • required for the purposes of preventing, detecting or investigating 
    offences, or assessing or collecting taxes.

In case of doubt, it is advisable to list the disclosure in any event.

Example: Possible disclosures for doctors are given below for illustrative purposes. Note that it is sufficient to identify each application by the letter assigned to it in section 4.

LINK»  more about the restrictions on disclosure of personal data 

Application:

Disclosees:

(a)

GMS Payments Board, other doctors/consultants, Health Board, Dept. of Social and Family Affairs.

Note: Knowingly to disclose personal data to a person who is not described in the entry, other than a person to whom a disclosure of such data may be made in the circumstances specified in section 8 of the Acts, may involve an offence under section 19 of the Acts.

Section 6: Transfers abroad - This information forms part of the public register

This section relates only to personal data when transferred abroad in automated form and is unlikely to apply to doctors.

Note: Transferring personal data, directly or indirectly, to a place outside the State other than one named or described in the entry may involve an offence under section 19 of the Acts.

Section 7: Sensitive data - This information DOES NOT form part of the public register

'Sensitive data' means any data of the types listed in section 16(1)(c) of the Data Protection Act 1988. Where such sensitive types of personal data are held (as will normally be the case for doctors who are required to register), this section must be completed. The obvious category for selection is 'physical or mental health', however, it is also likely that doctors could hold data on 'racial origin', 'religious beliefs', 'other beliefs' or 'sexual life'.

Under heading (ii) of this section, you should state for which of the applications, listed under section 4, the 'sensitive data' are held.

Security Measures
You should also indicate the measures you have taken to protect the privacy of the individuals about whom you keep sensitive data. You should note, in this regard, your legal obligation to use security measures that are appropriate to the sensitivity of the personal data in question. The Commissioner is precluded under section 17(3) of the Data Protection Acts from accepting an application unless he is satisfied that adequate safeguards are in place.

LINK»  more about the requirement to keep personal data secure

Example: Minimum security arrangements would normally include the following -

Physical Safeguards - 'Access to computers is restricted to authorised personnel only and screens are positioned out of public view, premises alarmed and secure when not occupied'.

Technical Safeguards - 'Access to computer system is password protected, PC workstation is subject to password protected lock-out after period of inactivity, anti-virus software is in use, a firewall is used to protect systems connected to the internet.' [Note: for especially sensitive data, it is also advisable to use additional technical safeguards, such as routine encryption of files and multi-level access control.]


Section 8: Data Processors - This information DOES NOT form part of the public register

This section is not usually applicable to doctors - so the 'No' box should be ticked.

Section 9: Compliance Person - This information DOES NOT form part of the public register

You should give the name and/or job status of the individual in your practice who will supervise the application of the Acts within the practice, and the person to whom this Office will address correspondence relating to your application.


Finally,
you should note that the Office of the Data Protection Commissioner is happy to respond to any questions or queries you may have, and to provide assistance in completing your registration application form.

LINK»  click here for details about contacting the office






» Permanent Link