Updated Privacy Rights (GDPR)

This General Practice is in partnership with Centric Health and wants to ensure the highest
standard of medical care for our patients. We understand that a General Practice is a trusted
community governed by an ethic of privacy and confidentiality. Our practices conform with the Medical Council guidelines and the privacy principles of the Data Protection Legislation. This Privacy Statement is about making your consent meaningful by advising you of our policies and practices on dealing with your medical information.

Legal basis for processing your data

Vital Interest & Contract:

The processing of personal data in general practice is necessary in order to protect the Vital interests of the patient and for the provision of health care and public health.

Consent:

Patient Consent will be requested for all third-party queries.

Legitimate Interest:

Legitimate interest will be the legal basis applied for:

• General Corporate Operations and Due Diligence.
• Internal analysis of patients and customers in order to plan strategy and growth.
• Sharing information with other members of the corporate group. Data will be anonymised
• Producing aggregate analytics reports to third parties.
• Producing analytics and profiling for business intelligence – to create aggregate trend reports (a) understand how patients and customers arrive at a website (b) understand how patients and customers use Centric Health apps (c) gaging the responses to feedback and NPS campaigns (d)Understanding what are the most effective  channels and messages to patients and customers.

Centric Health understand that by using legitimate interest as a legal basis, the data processing should be relevant, adequate and limited to what is necessary for its purpose. The public and private interests served by such diligence meet the legitimate interest requirements as long as the interests or the fundamental rights and freedoms of the individual are not overriding. Patients and Customers have the right to object to the processing of their data. In the instances where legitimate interest is the legal basis, patients and customers will be provided with specific e-mail address to object to the processing . Patients and customers can also contact DPO@centrichealth to lodge the request.

Managing your information

• To provide for your care we need to collect and keep information about you and your health on our records. The type of information we need to collect from you includes your name, address, personal phone number, date of birth, marital status, nationality, PPS number, medical card number, family history, ethnic background, current lifestyle, next of kin/emergency contact details and details regarding previous medical history.
• Upon receipt of a signed Registration Form we use this data to communicate with you in the interests of your own healthcare but will not forward it to anyone else without your expressed consent. With your consent we can send you appointment reminders and test results.
• We may also contact you regarding relevant information or services to assist you in your
  healthcare needs such as ECG, 24hr Blood Pressure Monitoring, flu vaccines or medical
  assessments.
• We retain your information securely using digital technology however we do not Process or
  transfer any Data outside the European Economic Area (“EEA”).
• We will only ask for and keep information that is necessary. We will attempt to keep it as accurate and up to-date as possible. We will explain the need for any information we ask for if you are not sure why it is needed.
• Please advise us if it has been longer than 5 years since you attended this Practice so we can retrieve your medical record. Unless you have asked us to delete your record we mark your record as ‘In-Active’ which means your record is electronically archived but not visible.
• Please inform us about any relevant changes that we should know about, such as change of address, phone numbers, family circumstances, any new treatments or investigations being carried out that we are not aware of. For all contact information see: https://www.centricgp.ie/contact-us/
• All persons in the practice (not already covered by a professional confidentiality code) sign a confidentiality agreement that explicitly makes clear their duties in relation to personal health information and the consequences of breaching that duty.
• Access to patient records is regulated to ensure that they are used only to the extent necessary to enable the Clinicians and or Admin team to perform their tasks for the proper functioning of the practice. In this regard, patients should understand that practice staff may have access to their records for:
  » Identifying and printing repeat prescriptions for patients. These are then reviewed and signed by the GP.
  » Generating a social welfare certificate for the patient.
  » Typing referral letters to hospital consultants or allied health professionals such as
  physiotherapists, occupational therapists, psychologists and dieticians.
  » Opening letters from hospitals and consultants. The letters could be appended to a patient’s paper file or scanned into their electronic patient record.
  » Scanning clinical letters, radiology reports and any other documents not available in
  » electronic format.
  » Dealing with patient complaints.
  » Downloading laboratory results and Out of Hours Coop reports and performing integration of these results into the electronic patient record.
  » Photocopying or printing documents for referral to consultants, attending an antenatal clinic or when a patient is changing GP.
  » Checking for a patient if a hospital or consultant letter is back or if a laboratory or radiology result is back, in order to schedule a conversation with the GP.
  » When a patient makes contact with a practice, checking if they are due for any preventative services, such as vaccination, ante natal visit, contraceptive pill check, cervical smear test, etc.
  » Handling, printing, photocopying and postage of medico legal and life assurance reports, and of associated documents.
  » The practice is committed to guarding against accidental disclosures of confidential patientinformation. Before disclosing identifiable information about patients, the practice will:
• Take into consideration Freedom of Information and Data Protection principles.
• Be clear about the purpose for disclosure.
• Have the patient’s consent for third party requests. A legal basis of Vital Interest and Contract for processing personal Data
• Have considered using anonymised information and be certain it is necessary to use identifiable information.
• Be satisfied that we are disclosing the minimum information to the minimum amount of people necessary.
• Be satisfied that the intended recipient is aware the information is confidential and that they have their own duty of confidentiality.

Consent for Minors

Where we are required to gather the personal information of a minor (defined as a person aged under 18 years of age*), we will require the attendance and consent of a parent or guardian, and will only acquire and store such data with their permission, as well as the awareness of the minor themselves.

* In the medical area, the Non-Fatal Offences Against the Person Act, 1997 (Section 23) provides that a minor who has reached the age of 16 can give consent to medical treatment and/or processing of their medical data.

Where the parents of the minor are not in a position to provide such consent, the support and of a recognized body will act ‘in loco parentis’ – for example, the family GP, school principal, social worker or Gardai will be consulted in order to ensure that any such processing of personal data is being done in the vital interests of the minor. As much as possible, the minor will be made aware of the processing activity and its purposes.

Disclosure of information to other health and social professionals

We may need to pass some of this information to other health and social care professionals to provide you with the treatment and services you need. Only the relevant part of your record will be released. These other professionals are also legally bound to treat your information with the same duty of care and confidence that we do.

Disclosures Required or Permitted Under Law

The law provides that in certain instances personal information (including health information) can be disclosed in the following circumstances:

• Infectious diseases Under Health Act 1947 and 1953 plus amendments and Infectious Diseases Regs 1981 plus amendment Regs 2016, there is a list of diseases we are obliged to report e.g. Measles, Anthrax, Lyme, Zika, COVID-19. For a full list please see www.hspc.ie/notifiablediseases
• Work related Medical Certificates from your GP will only provide a confirmation that you are unfit for work with an indication of when you will be fit to resume work. Where it is considered necessary to provide additional information we will discuss that with you. However, Social Welfare Certificates of Incapacity for work must include the medical reason you are unfit to work.
• Disclosures to insurance companies or requests made by solicitors for your records we will only release the information with your signed consent.

Data Retention Periods

For clarity our data retention policies adhere to the Data Protection Legislation including Article 5
guidelines on (GDPR) General Privacy Data Regulations effective form 25th May 2018.
For existing Patients whose records are dormant, their records will be retained and marked ‘in-active’ as an electronic archive after [5] years. For a comprehensive description of our retention Principles please reference: https://www.hiqa.ie/system/files/Guidance-on-information-governance.pdf. Centric Health policy is in support of HSE guidelines.

Use of Anonymised information for training, teaching and quality assurance

To provide the highest level of care to the patient, Clinical staff may access clinical information for training, audit or consultation. This may be regarding Patient Case Histories or Patients with specific conditions and in such cases this practice would only communicate the information necessary. Our practice is involved in the clinical training of Undergraduate and Postgraduate health professionals GPs and is affiliated with University Clinical Schools and the Irish College of General Practitioners.

Use of Anonymised information for research, audit and quality assurance

We maintain and improve the quality of the patient service provided by training, teaching, audit
and research. It is usual for patient information to be used for these purposes to improve services and standards of practice. GPs on the specialist GP register of the Medical Council are now required to perform audits. Information used for such purposes is done in a manner with all personal identifying information removed.

Right to Rectification

You have the right to have your information corrected, erased, restricted to specified individuals or object to it being processed. For clarity, this process is outlined on the Centric Health Website in the section on Privacy and Subject Access Requests.

Your right of access to your health information

You have the right of access to all the personal information held about you by this practice. If you wish to see your records in most cases it is the quickest to discuss this with your doctor who will outline the information in the record with you. You can make a formal written access request to the practice and the matter can be dealt with formally within 30 days. https://www.centricgp.ie/subject-access-requests/.

Transferring to another practice

If you decide at any time and for whatever reason to transfer to another practice, we will facilitate
that decision by making available to your new doctor a copy of your records on receipt of your signed consent from your new doctor For medico-legal reasons we will also retain a copy of your records in this practice for an appropriate period of time which may exceed eight years. However, we mark your medical record ‘in-active’ and therefore it is ‘archived’ and not visible to the GP Practice team.

CCTV

For security reasons, the General Practice may have CCTV cameras at the different access points in the building in order to prevent intruders or individuals who could damage property of the General Practice or remove goods or information from the General Practice without authorisation. As a member of the public or staff of the General Practice your image will be captured on such CCTV cameras, however the General Practice will only disclose such CCTV footage to other parties where necessary to investigate a break in or other unauthorised access to the General Practice

Text Messages

You may receive a text message confirming appointment and or receiving some test results. During the COVID 19 pandemic you will receive a text message if you receive a negative result. In order to account for parents receiving text messages for children and careers receiving text messages for those in care, we will use the first name of the patient in question for ease of identification. This identifying piece of data will only be used for this specific COVID 10 negative result purpose.

Making a complaint

If the General Practice does not agree to provide you with access to your personal information or you have a complaint about our information handling practices you have a right to lodge a complaint with our Data Protection Officer by email at DPO@Centrichealth.ie or you can contact the Office of the Data Protection Commission by visiting https://www.dataprotection.ie/docs/complaints/1592.htm

Questions

We hope this statement has explained any issues that might arise. If you have any queries about this Privacy Statement, please email DPO@Centrichealth.ie.

Frequently asked questions relating to remote Doctor services (telephone or video) for  COVID19:

Centric Health want to assure you that during this time of unprecedented need for medical attention, your personal and medical data remains an absolute priority. Please see some Frequently Asked Questions, which should address any concerns you may have. If you have a question not covered, please contact our Data Protection Officer at DPO@centrichealth.ie

Q  I am a patient of a particular Centric Health practice – How will my data be processed?

A  Your data is processed under Vital Interest and Public Interest.

Vital Interest is the legal basis under The GDPR which applies in an emergency situation.  

Public Interest applies where there are serious cross-border threats to health.

Q  I am a patient of a particular Centric Health Practice, but I receive a call from a Doctor from another Centric Health practice. How has my medical data been processed, and will this Doctor have access to my full medical history?

A  As above your medical data has been processed under Vital Interest and Public Interest. The secondary Doctor will not have access to your full medical history. The Doctor will have access to your online form, where you will have provided some personal and medical details. You will also have specified if you have any underlying medical conditions. Details regarding the consultation, if you were requested to take a test, and the results of that test will subsequently be available by a secure link to your own Centric Health GP.

Q  I am not a patient of Centric but with another GP, how will my medical data be processed and w

A  As above your medical data has been processed under Vital Interest and Public Interest. The Centric Health Doctor will not have access to your full medical history. The Doctor will have access to your online form, where you will have provided some personal and medical details. You will also have specified if you have any underlying medical conditions. Details regarding the consultation, if you were requested to take a test, and the results of that test will subsequently be available on request to your own GP. If you have an underlying medical condition you may be asked to reattend your own GP should further aftercare be required.

Q  I have no GP but I have used Centric Health for this remote consultation, how will my medical data be processed and what will happen to my results?

A  As above your medical data has been processed under Vital Interest and Public Interest. The Centric Health Doctor will not have access to your full medical history. The Doctor will have access to your online form, where you will have provided some personal and medical details. You will also have specified if you have any underlying medical conditions. Details regarding the consultation, if you were requested to take a test, and the results of that test will be registered by Centric Health. Should you obtain a GP in the future, your consultation notes and results can be forwarded to that GP.

Q  Is there any difference in the processing of my medical data if I am a public or private patient?

A  No, your medical will be treated in exactly the same manner.

Q  I will need assistance of another person during the consultation. Can this occur?

A  Yes, we understand that some people may be sick and incapable of making the call themselves. We will need to carry out our standard security checks and ensure you are happy to continue with the consultation. Any consultation notes will be placed on the patient’s own file and will not be shared with another individual unless Centric Health receive the patient’s consent to do so.

 Frequently Asked Questions relating to The Coronavirus Programme Remote Monitoring

 Q         What is the aim of this Remote Monitoring Programme?

A          During this uncertain time and where travel to your local GP or Nurse may prove difficult, we will be able to remotely monitor and communicate with you via our app. Our aim is to support your health and be alerted if there is a deterioration in any coronavirus related symptoms. Our Nurses can then focus on the right patients at the right time.

Our remote monitoring system will provide you with a solution that monitors your health during this pandemic and gives you access to our team of nurses to support you if you experience any symptoms of coronavirus infection.

Q         I am a Centric Health patient, how will I be contacted regarding this Corona Virus Programme.

A          You will receive an information only text message from your practice. This information only text message will introduce you to link to the programme, You can choose not to partake in the programme. It is completely your choice if you wish to participate or not.

Q         How are you processing my data?

A          We will ask you to consent to the processing of your personal and medical data.

Q         What does consent mean under GDPR?

Under GDPR two articles determine the definition of consent – Article 4(11) and Article 7.

Consent must be freely given and for a specific purpose specific. You must be clearly informed as to what data is being collected, for what purpose and for how long. You will have the right to withdraw your consent at any time. This withdrawal of consent can be communicated within the app to the clinical team or by e-mail to support@luscii.com.

Q         How does this Remote Monitoring system work?

A          You will be enrolled with your direct consent. You will be asked to download an app called Luscii Vitals. The use of this App allows us to submit your vital health measurements for clinical review.

These key symptom readings are analysed by ourteam of Nursesand, where relevant, you will be contacted by our team. If required, you may be asked to contact your own GP directly. At all times we will follow the most up to date HSE guidelines in delivering this care.

You can also view your own measurement history within the app.

To facilitate this remote monitoring system, the App will be using technology created by Luscii.

Q         Who is Luscii and what is their connection to Centric Health?

A          Luscii is a company based in the Netherlands which works in the Dutch health and social care sector. To date its software has supported thousands of patients across dozens of Dutch hospitals. Centric Health have a contractual arrangement with Luscii. This ensures the protection of your personal and medical data. Centric Health believes in the Luscii product & knows this will benefit our patients. It can be supported and set up quickly and efficiently offering immediate and already tested methods and results. For details on how Luscii protects your data, please visit the Luscii privacy policy https://luscii.com/privacy-policy/

For complete Data Protection Risk assessment please see attached:

https://www.centricgp.ie/media/1471/dpia-luscii-vitals-and-centric-health-30th-march-2020-ag.pdf

Q         Why is this being offered to you ?

A          As there is a current global pandemic with rapidly escalating numbers of cases in Ireland and Europe, a rapid response is required. We have identified the need for a solution to support the community management of patients with milder disease. In particular, such a system needs to support safe self-management, limit unnecessary contact with health care professionals and hospital systems, and embed (and improve) automated triggers to identify early markers of deterioration and rapid notification to clinicians.

A cloud based Remote Patient Monitoring software solution allows remote diagnosis, assessment and monitoring of patients with COVID-19 or suspected COVID-19 or at-risk of COVID-19 infection, supported by a nurse team delivering support and advice to patients.

Patients access the software via an application form on each of our practice websites on www.centricgp.ie or through www.coronavirusprogramme.ie.  Our Nurse team invites eligible patients to download the app. Once downloaded, patients will enter their symptoms on a daily basis.

That information is immediately available for review by the clinical team Alerts are automatically triggered if outside of a clinically acceptable range. In such a case, clinical intervention will be provided with clear instructions to contact your own GP. 

If you are accepted as a patient, full details as to how we process your data, who we share it with and for how long can be accessed through the above DPIA at https://www.centricgp.ie/media/1471/dpia-luscii-vitals-and-centric-health-30th-march-2020-ag.pdf and by examining Centric Health Privacy Policy and Luscii Privacy Policy ,  Laya Privacy Policy https://www.layahealthcare.ie/privacypolicy/ and Irish Life Privacy Policy https://www.irishlifehealth.ie/privacy-and-legal/data-privacy-notice

If you are not accepted your data will not be retained and immediately deleted by Centric Health and Luscii.

Q         How can I become part of the Corona Virus Programme if I am a member of Laya Health care?

A          You will receive electronic communication from Laya Healthcare . Within this communication you will be alerted http://coronavirusprogramme.ie/?laya   which will bring you directly into the programme . You will then be asked to consent to the processing of your personal and medical data.  Please see above Q&A relating to consent.

Q         How can I become part of the Corona Virus Programme if I am a member of Irish Life Health ?

A          You will receive electronic communication from Irish Life Health. Within this communication you will be alerted to   http://coronavirusprogramme.ie/?irishlifehealth  which will bring you directly into the programme . You will then be asked to consent to the processing of your personal and medical data.  Please see above Q&A relating to consent.

Q         What data is being shared between Luscii , Centric Health and Insurance Companies.

A          Anonymised Aggregated Data will only be shared. Aggregated data is information gathered and expressed in a summary form, for purposes such as statistical analysis. There is no sharing of any data that may identify you (identified and or identifiable data).

Q         Is my data being shared with the HSE?.

A          Anonymised data will be shared for the purpose of collecting Epidemiological data. There is no sharing of any data that may identify you (identified and or identifiable data).