Home Privacy Statement

Privacy Statement

image of laptop on table and hands typing with screen showing a Privacy Policy

General Practice Data Protection Statement

What is a Data Protection Statement?

A Data Protection Statement lets you know what happens to any personal data that you may give us or that we may collect from you or about you (as a patient, family member, carer or visitor). This statement is issued by Centric Health as a primary care healthcare provider based in Ireland and covers the information we hold about our patient, their families and other individuals who may use our services.

Who are we and what do we do?

Centric Health is a high-quality Primary Care group with a growing network of family GP practices and patients across Ireland. The company was founded in 2004 by two doctors, Dr Maurice Cox (CEO) and Dr Ray Power (Medical Director). Centric Health was established to provide healthcare in a community setting, centered on the needs of our patients. We are constantly evolving and striving to ensure that we provide world-class care. 

Why have we issued this Privacy notice for our patients, families, and others?

We are committed to being open about the information we collect about you, how we use this information, with whom we share it, and how we store and secure it. We recognise the importance of protecting personal and confidential information in all that we do, and take care to meet our legal and other duties, including compliance with relevant laws, regulations, and guidance
Under the General Data Protection Regulation (GDPR) Centric Health has a legal duty to ensure patient data, supplied as part of the patient process within Centric Health, is kept secure and safe.
Personal data will be obtained in a lawful, fair and transparent manner for a specified purpose and will not be disclosed to any third party, except in a manner compatible with that purpose.
“Personal data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller (“Centric Health”);
All medical information is seen as “sensitive personal information” and we will endeavor to ensure your information is treated with the utmost respect and confidentiality.
Our practices conform with the Medical Council guidelines and the privacy principles of the Data Protection Legislation. This Privacy Statement is about making your consent meaningful by advising you of our policies and practices on dealing with your medical information.

Who controls the use of your personal data?

Centric Health, whose registered address is Centric Health , Floor 7, RSA House, Dundrum Town Centre, Sandyford Road, Dundrum, Dublin 16, D16 FC92 is the company that controls and is responsible for personal data that is collected about your healthcare. If you have any queries about the processing of your data, we have appointed a data protection officer that you can contact as follows: by post at:
Data Protection Officer, Floor 7 , RSA House, Dundrum Town Centre, Sandyford Road, Dundrum, Dublin 16, D16 FC92 or by email at DPO@centrichealth.ie

Managing your Information

  • To provide for your care we need to collect and keep information about you and your health on our records. The type of information we need to collect from you includes your name, address, personal phone number, date of birth, marital status, nationality, PPS number, medical card number, family history, ethnic background, current lifestyle, next of kin/emergency contact details and details regarding previous medical history.
  • Upon receipt of a signed Registration Form we use this data to communicate with you in the interests of your own healthcare but will not forward it to anyone else without your expressed consent.
  • If we need to bulk contact our patients via post e.g. when a new GP practice joins Centric Health or if we want to share some important information with you, Centric Health will outsource the issue of letters and share name and address only. This information will be shared securely and under the guidance of the Data Protection Officer. A contract will be established in advance. 
  • We may also contact you regarding relevant information or services to assist you in your healthcare needs such as ECG, 24hr Blood Pressure Monitoring, flu vaccines or medical assessments.
    We will only ask for and keep necessary information. We will attempt to keep it as accurate and up-to-date as possible. We will explain the need for any information we ask for if you are not sure why it is needed.
  • Please inform us about any relevant changes that we should know about, such as change of address, phone numbers, family circumstances, any new treatments or investigations being carried out that we are not aware of.
  • All persons in the practice (not already covered by a professional confidentiality code) sign a confidentiality agreement that explicitly makes clear their duties in relation to personal health information and the consequences of breaching that duty.
  • Access to patient records is regulated to ensure that they are used only to the extent necessary to enable the Clinicians and or Admin team to perform their tasks for the proper functioning of the practice. In this regard, patients should understand that practice staff may have access to their records for:
    • Identifying and printing repeat prescriptions for patients. These are then reviewed and signed by the GP.
    • Generating a social welfare certificate for the patient.
    • Typing referral letters to hospital consultants or allied health professionals such as physiotherapists, occupational therapists, psychologists and dieticians.
    • Opening letters from other GP Practices, Hospitals and consultants. The letters could be appended to a patient’s paper file or scanned into their electronic patient record.
    • Scanning clinical letters, radiology reports and any other documents not available in electronic format.
    • Dealing with patient complaints.
    • Checking for a patient if a hospital or consultant letter is back or if a laboratory or radiology result is back, in order to schedule an appointment or conversation with the GP .
    • Handling, printing, photocopying and postage of medico legal and life assurance reports, and of associated documents.
    • The practice is committed to guarding against accidental disclosures of confidential patient information. Before disclosing identifiable information about patients, the practice will:
    • Take into consideration Freedom of Information and Data Protection principles.
    • Be clear about the purpose of disclosure.
    • Be satisfied that we are disclosing the minimum information to the minimum amount of people necessary.
    • Be satisfied that the intended recipient is aware the information is confidential and that they have their own duty of confidentiality.

    What personal data is collected?

    In order to provide our services to you we need to process certain personal data in relation to you, which includes:

        • Biographical data - We collect the following biographical data: name, assumed names, address, phone number, email address, gender, family relationships (e.g. spouse, children), date of birth, PPS number, GMS Number.
        • Payment data - If you pay by direct debit or receive payments through electronic funds transfers, we will collect the IBAN, BIC and the name of your bank/building society or your credit card details where relevant.
        • Interactions with us - If you interact with us, we will record details of those interactions (e.g. phone calls and logs of phone calls, email correspondence and hard copy correspondence). If you make a complaint, we will process details in relation to that complaint.
        • Online services - When you interact with us online (by computer, tablet or smartphone), you will often provide personal data to us, which you will be aware of when using the services or for which you give consent. We also automatically collect data about your use of our services, such as the type of device you are using and its IP address, and how you interact with the services. Further details are available in the cookies policy that accompanies the relevant service.

    Categories of Personal Data

     

     

    Category of data

     

    Purpose of Processing

     

    Lawful of processing

     

    Administrative:

    name, address, contact details (phone, mobile, e

    mail), dates of appointment

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

    Medical Record:

    Individual Health identifier,

    GMS number, PPSN, date of birth, religion, sexual orientation, gender, family members, family history, contact details of next of kin, contact details of carers, vaccination details, medication details, allergy details,

    current and past medical and surgical history, genetic data, laboratory test results, imaging test results, near patient test results, ECGs, Ultrasound scan images, and other data required to provide medical care

     

    Necessary to support the administration of patient care in general practice.

     

    Necessary to issue bulk generic communication to patients informing them of the onboarding of new GP or information on the program that may be of benefit.

     

     

     

     

     

    Necessary to provide patient care in general practice

     

    The PPS number is

    needed for specific schemes such as sickness certification (Department of Social Protection), childhood immunisation

    programme, mother and child scheme, cervical screening, etc.

     

    Article 61.(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

     

    Article 6.1(e): processing is necessary for the performance of a task

    carried out in the public interest or in the exercise of official authority vested in the controller;

     

     

    Article 6.1(d): processing is necessary in order to protect the vital interests of the data subject or of another natural person;

     

     

    Special Categories are processed under the derogations in Articles 9.2(h) and 9.2(i).  

     

    Account Details:

    record of billable services provided, patient

    name, address, contact details, billing and payment records for GMS and private patients

     

    Required for providing a service and billing. Also required for submission of reimbursement claims to the HSE Primary Care Reimbursement Service

     

     

    Article 6.1(c): processing is necessary for compliance

    with a legal obligation to which the controller is subject(Revenue, Medical and Legal Obligations)

    , and Article 6.1(b) in relation to getting paid for providing a service to private patients

    Recipients with whom we share personal data

    Categories of Recipient

    Description

    Health   and   Social   Care

    Providers

     

    Other GPs, Health Service  Executive,  Voluntary  Hospitals,

    Private     Hospitals     and     Clinics,  Private     Consultants, Physiotherapists,   Occupational   Therapists, Speech   and Language    Therapists,   Social    Workers, Palliative    Care

    Services, Out   of   Hours   Services, Pharmacies, Nursing

    Homes, Counselling Services, Diagnostic  Imaging  Services, Hospital  Laboratories, Practice  Support  Staff,  GP  Locums and other health care providers

    Data  Processors with  a

    contract

     

     GP   Practice   Software [Socrates  https://www.socrates.ie/privacy-statement/ ] 

    Prescriptions & referrals [Healthmail  https://www2.hse.ie/privacy-statement/

    Payments [Payzone   https://www.payzone.ie/privacy].

    Care Connect [ https://care-connect.ie/ for the provision of managed care services for patients with a range of health conditions in order to improve clinical outcomes whilst also reducing the cost of providing their care].

    Backup Data Storage [N-Able (COVE) https://www.n-able.com/legal/privacy]

     Medical equipment provider (Promed) https://promedmail.org/privacy-policy/]

    Storage, processing, and scanning of medical files and issuing of generic and informational bulk letters. [Sentry Consulting ltd T/A   Datascan https://datascan.ie/privacy-policy/]

    Legal Arrangements

    Coroner, Revenue, Social Protection, Medical Council

    Public Health

    Infectious   disease   notifications,  influenza   surveillance, the National Cancer Registry, and other National Registries

    Third Parties, with

    explicit patient consent

     

    Solicitors, Insurance Companies, Health Insurance Companies, Banks

    How we use & Process your data

    Centric Health needs to process clinical information about our patients to ensure that all clinical staff have complete information to ensure you get the best treatment while under our care.
    Each patient will have a unique Medical Record and all your details are kept within your unique medical record.
    We process your personal data to provide you with our services and to assist us in the operation of our business. Under data protection law we are required to ensure that there is an appropriate basis for the processing of your personal data, and we are required to let you know what that basis is.

    There are various options under data protection law, but the primary bases that we use are (a) processing necessary for the performance of our contracts with you, (b) processing necessary in order for us to pursue our legitimate interests, (c) processing where we have your and/or your dependents’ consent,  (d) processing that is required under applicable law (e ) Vital Interest.

    Here are further details of our processing of your personal data below, together with the basis for that processing:

    Provide Care

                          • Your information is shared with other health professionals involved in your care; this can include but is not limited to GP practices, other hospitals, other hospital departments who are involved in providing you with your care and community services.
                          • Depending on your circumstances we may also need to share your information with external organisations to provide you with your treatment, drugs or equipment, this can include but is not limited to the voluntary sector, care homes, pharmaceutical companies, private health care providers and external companies who provide specialist equipment.
                          • Centric Health offer a referral service to Spectrum Mental Health. This will be done in conjunction with you and only relevant and appropriate medical information will be securely transferred.

    Insurance companies

    Centric Health is required to send patient details as necessary to the insurance companies in order to get a claim paid. When a patient is registered you are asked to sign the insurance declaration. This will detail what the insurance company will expect to receive. Often an insurance company will request an audit of claims paid. The Centric Health will supply only the information for that claim once received in writing from the insurance company.

    Research

    Centric Health may conduct clinical research on data sets. In this instance, we will do so using your explicit consent. To enhance the quality and effectiveness of our services, we may establish collaborations with other clinicians hospitals, and academic Institutions These partnerships allow us to combine our knowledge, expertise, and resources to deliver comprehensive and advanced healthcare solutions.

     We need to inform you that these collaborations may involve the sharing of your personal health information with other healthcare providers and academic institutions. We understand the sensitivity and confidentiality of your medical data. In compliance with privacy regulations and to ensure transparency, we will only share and collaborate with clinicians hospitals, and academic Institutions under your explicit consent. 

    In this instance, you would have been invited to participate in a research program. You will receive all information about this research program. All parties involved in this collaboration, including the clinicians hospitals, and academic Institutions, are bound by strict confidentiality and privacy obligations. Your personal health information will be handled with the utmost care and will only be used to improve the quality of your healthcare. 

    Analysis of data 

    As part of our data analysis processes, we may employ the techniques of anonymization and pseudonymization to ensure the utmost privacy and security of your data. 
    Anonymization is a process where any identifying information is removed from the dataset, ensuring that the data can no longer be linked back to a specific individual. This allows us to conduct comprehensive analyses while preserving the privacy of our data subjects. 
    Pseudonymization, on the other hand, involves replacing or encrypting identifying information with pseudonyms or unique identifiers, making it extremely difficult to trace the data back to the original individuals. 
    By employing these techniques, we can ensure that your personal data is effectively safeguarded and protected from unauthorized access or misuse. 
    The use of anonymized or pseudonymized data also allows us to derive meaningful insights and conduct research without compromising your privacy.
    Our data analysis procedures are conducted by qualified professionals who are bound by confidentiality obligations. Rest assured that any data used for analysis purposes will be handled with the utmost care and in compliance with applicable data protection laws and regulations. If you have any concerns or questions regarding the anonymization or pseudonymization of your data, or any other aspect of our privacy practices, please do not hesitate to reach out to us. 

    Legal requirements

    In certain circumstances, we are required by law to report information to the appropriate authorities. This information is often provided after authority has been given by a qualified health professional. For example:
    •    Where we encounter infectious diseases, which may endanger the safety of others e.g. COVID 19, meningitis or measles
    •    Where a formal court order has been issued
    •    Section 7(1)(a) of the Ombudsman Act 1980 provides the Ombudsman with powers to acquire information or documents for the purpose of a preliminary examination or investigation by him or her under the Act.
    •    Ombudsman for Children: Section 14 of the Ombudsman for Children Act 2002 provides the Ombudsman for Children with the power to acquire information.

    The Data Protection Commissioner may, for the purposes of the investigation of a complaint under the Data Protection Acts, require the Centric Health to provide any documentation as is considered necessary information or documents for the purpose of a preliminary examination or investigation.

    Transfers outside of the European Economic Area (EEA)

    Currently, all Centric Health data is processed and stored within the EEA. 

    If we were to transfer your data outside of the EEA, please rest assured that we will ensure that appropriate measures are in place to protect your personal data and comply with our obligations under applicable data protection law. This may mean that we enter into contracts in the form approved by the European Commission, or we ensure that the company to which we transfer your personal data has agreed to abide by an approved transfer mechanism, such Standard Contractual Clause Agreement.

    Your Rights

    Under GDPR, you have rights regarding the use of your personal details and Centric Health as controller of that data has a responsibility in how we handle this information.
    You have the right to data protection when your details are:
    •    held on a computer.
    •    held on paper or other manual form as part of a filing system; and
    •    images of your data, e.g. XRAY

    What is the aim of these rights?

    With Data protection rights we help you to make sure that the information stored with us about you is:
    •    Accurate and up to date.
    •    Only available to those who should have it.
    •    Only used for stated purposes.
    •    Stored securely

    What should you expect?

    •    Expect fair treatment from Centric Health and our staff in the way we obtain keep, use and share your information.
    •    That you have the right to be fully informed in why we are collecting your information and how we are using it.
    •    That you have the right to object to Centric Health using your details for a particular purpose.
    •    That you have the right to ensure inaccurate information about you is corrected when it is safe to do so.
    •    Request to see a copy of all information kept about you unless exceptional circumstances apply
    •    Complain to the Data Protection Commissioner if you feel your data protection rights are being infringed.

    What Centric Health must do?

    Centric Health will comply with the Principles of GDPR

    •    To obtain information lawfully, fairly and transparently.
    •    Collect only data necessary for a specific purpose(s) and only use this data for set purpose
    •    Ensure the information is accurate and up to date. We will need your help for this, so please inform us if you have changed any contact or next of kin details.
    •    Data is stored as long as necessary to provide excellent care
    •    We will endeavor to keep your data safe and secure.

    Right to obtain a copy of your information


    Under GDPR, you have a right to obtain a copy, clearly explained, of any information relating to you kept on computer or in a structured manual filing system or intended for such a system by any entity or organisation.
    A request for access, release or copy of personal data can only be made by the patient or any third party (registered next-of-kin or solicitors authorised by patients, Patient Legal Guardian or Power of Attorney) it must be: sent in writing to your GP practice which you last attended or to Data Protection Officer, Floor 7,
    RSA House, Dundrum Town Centre, Sandyford Road, Dundrum, Dublin 16, D16 FC92 or by email at DPO@centrichealth.ie. Please confirm the GP Practice you last attended.
    Please provide details of the last Doctor or practice you visited.
    •    Supply relevant information to locate records
    •    Include legal name, date of birth and date of service, and Medical record number (if possible)
    •    Be accompanied by appropriate identification example Current Irish Driver’s License, Valid Passport and Proof of address example a current utility bill. This is to make sure that personal information is not given to the wrong person.

    Once you have made your request, you must be given the information within 30 calendar days and free of charge. A charge will only apply if the request is deemed to be excessive or repetitive in nature. If there are to be any delays the GP practice in question will contact, you and keep you up to date.

    Can access be refused?
    Access can be refused to some or all of the patient’s personal health information, only, if providing access is likely to cause serious harm to the physical or mental health of the requester or providing access would disclose the personal data of another person without their consent or would disclose a confidential expression of opinion about the requester.

    Delivery
    The recommended method of delivery of the request is by

    •    Registered post via An Post service.
    •    The copy may be collected by hand – but proof of identification may be required.
    •    Emailed using an agreed password and confirming receipt.
    •    Faxed following from confirmation of fax number and confirmation of receipt .


    Retention of personal data

    Centric Health will retain your personal data in accordance with our record retention policy. This policy operates on the principle that we keep personal data for no longer than is necessary for the purpose for which we collected it. It is also kept in accordance with any legal requirements that are imposed on us. This means that the retention period for your personal data will vary depending on the type of personal data. For further information about the criteria that we apply to determine retention periods please see below:

    •    Statutory and regulatory obligations - As we work in a highly regulated industry, we have certain statutory and regulatory obligations to retain personal data for set periods of time.
    •    Managing legal claims - When we assess how long we keep personal data we take into account whether that data may be required in order to defend any legal claims which may be made. If such data is required, we may keep it until the statute of limitations runs out in relation to the type of claim that can be made.
    •    Business requirements - As we only collect personal data for defined purposes, we assess how long we need to keep personal data for in order to meet our reasonable business purposes.


    Transferring to another GP Practice

    If you decide at any time and for whatever reason to transfer to another GP Practice, we will facilitate that decision by making available to your new doctor a copy of your records upon receipt of your signed consent. These records will be transferred via Healthmail, which is a secure portal used by GP’s. For medico-legal reasons, we will also retain a copy of your records. However, we mark your medical record ‘in-active’ and therefore it is ‘archived’
    Consent for Minors
    Where we are required to gather the personal information of a minor (defined as a person aged under 18 years of age*), we will require the attendance and consent of a parent or guardian, and will only acquire and store such data with their permission, as well as the awareness of the minor themselves.

    * In the medical area, the Non-Fatal Offences Against the Person Act, 1997 (Section 23) provides that a minor who has reached the age of 16 can give consent to medical treatment and/or processing of their medical data.

    Where the parents of the minor are not in a position to provide such consent, the support and of a recognized body will act ‘in loco parentis’ – for example, the family GP, school principal, social worker or Gardai will be consulted in order to ensure that any such processing of personal data is being done in the vital interests of the minor. As much as possible, the minor will be made aware of the processing activity and its purposes.

    CCTV

    For security reasons, some of our General Practice locations may have CCTV cameras at the different access points in and outside the building to prevent intruders or individuals who could damage the property of the General Practice or remove goods or information from the General Practice without authorisation. As a member of the public or staff of the General Practice your image will be captured on such CCTV cameras, however, the General Practice will only disclose such CCTV footage to other parties and An Garda where necessary to investigate a break-in or other unauthorised access to the General Practice.

    Useful Links

    Data Protection Commission: https://dataprotection.ie/
    A guide to Data Protection and what it means for you http://gdprandyou.ie/

    Changes to this statement

    This statement is kept under review and is subject to change. We recommend that you regularly visit Centric Health’s  website to ensure that you are consulting the latest version of the statement. You can find a reference to the date of the last update on the top of this statement.

    Data Protection Officer

    If you have any questions about your data protection, you may contact Centric Health’s Data Protection Officer:
    Greta Cronin
    Email: DPO@centrichealth.ie Phone: 01 299 3500
    Letter: Greta Cronin, Centric Health , Floor 7, RSA House, Dundrum Town Centre, Sandyford Road, Dundrum, Dublin 16, D16 FC92

Production