This privacy statement sets out how Sláintedoc t/a “Midoc” uses and protects any information that you provide to us whether by phone, email, communications via our website, and in consultation with GPs, Nurses or call takers, or in writing.
Introduction
By law, you have the right to expect that we will utilise your information exclusively for the purposes related to the services we offer. This means that the information we maintain will be accurate, securely stored, and retained only for as long as necessary. After you’ve completed your phone or in-person consultation, the information we collect during your patient journey with our service will be shared with your personal GP.
Midoc is fully committed to safeguarding your privacy. If we ever request specific information that can identify you, rest assured that it will be handled strictly in accordance with the guidelines outlined in this privacy policy statement.
By using our services and not advising Midoc to the contrary, you consent to Midoc using the data in the way set out in this policy.
When you contact our service, you furnish Midoc with personal details that enable us to address your inquiry. This information may encompass your name, gender, company affiliation, job title, phone number, email address, as well as sensitive medical information either pertaining to you or to the individual on whose behalf you are reaching out to us (typically a family member or close friend who is unwell). We will exclusively employ the information you provide to us for the purpose of responding to your request, directly related to the nature of your contact. We are committed to maintaining the confidentiality of this information within the Midoc organisation; however, we will share your medical information and comprehensive case records with your designated GP, whom you will be requested to designate when contacting us.
Categories of Recipients with Whom We Share Personal Data
These are broken down into four categories as shown in the table below: sharing data in relation to the provision of medical care, sharing data with data processors where a contract is required, sharing data under legal arrangements, and sharing data for public health purposes.
Recipients with whom we share personal data:
Healthcare relies on a foundation of trust. Every healthcare provider adheres to ethical standards and confidentiality regulations established by their professional governing body, such as the Medical Council or the Nursing and Midwifery Board of Ireland. When a patient contacts our services, all medical records related to that interaction, whether it concludes with guidance from one of our triage nurses or results in a consultation with one of our GPs or centre nurses, will be forwarded to the patient’s designated GP. This information encompasses all data collected during the patient’s journey through our system, including name, address, telephone number, age, and the presenting medical condition.
The medical notes from the attending nurses and GPs, including details of examinations, diagnoses, and treatment, will be included in the information shared with the patient’s GP. Additionally, the company’s medical directors may access patient information concerning feedback from the patient’s GP, the patient themselves, or other medical professionals who may bring forth these case notes for investigation regarding service quality or any other consultation-related concerns.
Throughout the process of transmitting these notes, administrative staff may have access to patient records solely for the purpose of transmission, and they are bound by the same confidentiality rules as the patient’s GP or any other healthcare professional.
The transmission of personal data concerning health is part of the referral process and part of the practice of medicine. It does not need a separate signed patient consent form.
When sharing patient personal data with other data controllers in their own right, such as the HSE or Voluntary Hospitals, the responsibility for compliance with data protection regulations, including subject rights, falls to that party, for example, the Voluntary Hospital.
There is a requirement to have appropriate governance arrangements in place where each entity understands its respective responsibilities.
Time Limits
Personal data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
The retention periods for medical records are taken from the HSE National Hospitals Office ‘Code of Practice for Healthcare Records Management’. These periods are also in line with the recommendations of Medical Indemnity Agencies and the Health Information and Quality Authority (HIQA).
Security measures in place by Midoc
Midoc commissions regular information security audits to ensure that the appropriate measures are in place to secure patient data. These audits cover:
• Our operating systems and security patches.
• Our computer hardware.
• Our networks, including our Wi-Fi, our firewalls, and the encryption software used across all networks.
• Our anti-virus and anti-malware programs.
• Our data backups.
• Our access controls.
• Our appropriate use of the Internet policies.
Your individual rights
You have a right to access a copy of your patient medical record. This right is set out in Article 15 of the GDPR. We undertake to answer your request and provide the information within 30 days of your request. There is no fee for providing a copy of your medical record. Such a request must be made in writing by yourself or your legal guardian. Parents and legal guardians can make a request for the patient record of a child. However, once a child is capable of understanding the rights to privacy and data protection, the child should normally decide for themselves whether to request access to the data and make the request in their own name. This is not age-dependent.
Right to Erasure
Under Article 17 of the GDPR the right to erasure is not an absolute right and restrictions may apply; each request is examined on a case-by-case basis. Retention of medical records is governed by section 33 of the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners and by the Medical Council’s rules on keeping medical records, and Midoc also has a right to retain records in order to defend medico-legal claims, under section 23.1(G).
Right to Restriction of Processing
For the continuity of consistent and safe medical care the GP cannot lock or archive the medical record so that further processing of, or changes to, the record does not occur. Requests from patients to restrict processing should be in writing and signed.
Right to Data Portability
As a patient you are entitled to receive a copy of your medical record in a format that allows you to transmit the data to another healthcare provider or GP. This includes written or electronic format, where technically feasible, or a format that can be used by other GPs.
There are protocols in place for the transfer of medical records, including that the receiving practice must provide us with a patient consent form for the transfer of medical records. Ideally the records will be sent using a known secure conduit such as Healthmail or an alternative secure clinical email account.
Right to Object
Individuals have a right to object at any time to processing of personal data for direct marketing purposes, in which case the personal data shall no longer be processed for such purposes. Other objections must be dealt with on a case-by-case basis.
Personal Data Breach Handling
“Personal Data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Examples of typical data breaches are:
• Loss or theft of data or equipment on which data is stored;
• Loss or theft of documents/folders;
• Unforeseen circumstances such as a flood or fire which destroys information;
• Inappropriate access controls allowing unauthorised use;
• A hacking/cyber-attack (such as ransomware);
• Obtaining information from the Practice by deception;
• Misaddressing of e-mails/human error (sending a copy of a report to the wrong patient, to a person not connected to Midoc, or to another unintended recipient).
Breaches also include the accidental loss of personal data (e.g. a fire causing the loss of paper files). In addition, statistics indicate that most breaches are internal in nature and due to non-malicious user behaviour (e.g. loss of an unencrypted laptop, USB stick or files).
Notifying the Data Protection Commission
In the case of a personal data breach, Midoc shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Data Protection Commission, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Notifying the Data Subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Midoc, as data controller, will communicate the personal data breach to the data subject without undue delay. The notification will describe in clear and plain language the nature of the personal data breach and contain at least:
• The name and contact details of the data protection officer or other contact point where more information can be obtained;
• A description of the likely consequences of the personal data breach;
• A description of the measures taken or proposed to be taken by Midoc to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Cookies
The Midoc website may use cookies to track repeat visitors for the purpose of examining aggregate behaviour on the web site. (Cookies are small files stored on your computer which allow pages to be personalised according to your preferences.)
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
IP Addresses
The Midoc Website logs IP addresses (the location of your computer on the Internet) for systems administration and troubleshooting. The sequence of pages visited may be used to improve the site structure and layout.
Mailings
Midoc may occasionally send you customer survey forms about the service we offer and your experience when using our services. If at any time you no longer wish to receive such mailings, you can opt out by contacting the Data Controller (details below).
Data Security
The Internet is not a secure medium and we cannot guarantee the security of data transmitted to our website. However, to prevent unauthorised access, maintain data accuracy and ensure the appropriate use of information, we have put in place procedures to protect the information we collect online.
Sharing Information
Midoc does not share the personal information it gathers with advertisers or other third parties not related to your specific medical cases. We will not release personal information about you as an individual to third parties, unless we are required to do so by law or we in good faith believe that such action is necessary to comply with the law.
External Sites
Midoc is not responsible for the content or the privacy policies of any websites to which it may link and cannot be responsible for the protection and privacy of any information which users have provided while visiting such websites.
We recommend that users exercise caution and read the privacy policy applicable to the website in question.
Requesting, Removing and Correcting Personal Information
If you believe that any information that Midoc holds about you is incorrect or incomplete, you should write to the Data Controller (details below). Any information which is found to be incorrect will be corrected or removed as soon as possible.
Changing this policy
Midoc may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective.
About this policy
If you have any queries about this policy, please contact the Data Protection Officer (details below) before providing your information.
The Data Protection Officer for Midoc is:
Ms Fiona O’Reilly
3-4 Pembroke Street Upper
Dublin 2
D02 VN24
Tel: +353 1 9011306
Email: fiona@slaintedoc.com
The Data Protection Principles
The following key principles are enshrined in the Irish legislation and are fundamental to Midoc’s Data Protection policy.
In its capacity as Data Controller, Midoc ensures that all data shall:
1. Be obtained and processed fairly and lawfully.
For data to be obtained fairly, the data subject will, at the time the data are being collected, be made aware of:
• The identity of the Data Controller (Midoc)
• The purpose(s) for which the data is being collected
• The person(s) to whom the data may be disclosed by the Data Controller
• Any other information that is necessary so that the processing may be fair.
Midoc will meet this obligation in the following ways:
• Where possible, the informed consent of the Data Subject will be sought before their data is processed;
• Where it is not possible to seek consent, Midoc will ensure that collection of the data is justified under one of the other lawful processing conditions – legal obligation, contractual necessity, etc.;
• Where Midoc intends to record activity on CCTV or video, a Fair Processing Notice will be posted in full view;
• Processing of the personal data will be carried out only as part of Midoc’s lawful activities, and Midoc will safeguard the rights and freedoms of the Data Subject;
• The Data Subject’s data will not be disclosed to a third party other than the recipients described in this policy (such as the patient’s designated GP) or a party contracted to Midoc and operating on its behalf.
2. Be obtained only for one or more specified, legitimate purposes.
Midoc will obtain data for purposes which are specific, lawful and clearly stated. A Data Subject will have the right to question the purpose(s) for which Midoc holds their data, and Midoc will be able to clearly state that purpose or purposes.
3. Not be further processed in a manner incompatible with the specified purpose(s).
Any use of the data by Midoc will be compatible with the purposes for which the data was acquired.
4. Be kept accurate, complete and up-to-date where necessary.
Midoc will:
• ensure that administrative and IT validation processes are in place to conduct regular assessments of data accuracy;
• conduct periodic reviews and audits to ensure that relevant data is kept accurate and up-to-date. Midoc conducts a review of sample data every six months to ensure accuracy; Staff contact details and details on next-of-kin are reviewed and updated every two years.
• conduct regular assessments in order to establish the need to keep certain Personal Data.
5. Be adequate, relevant and not excessive in relation to the purpose(s) for which the data were collected and processed.
Midoc will ensure that the data it processes in relation to Data Subjects are relevant to the purposes for which those data are collected. Data which are not relevant to such processing will not be acquired or maintained.
6. Be managed and stored in such a manner that, in the event a Data Subject submits a valid Subject Access Request seeking a copy of their Personal Data, this data can be readily retrieved and provided to them.
Midoc has implemented a Subject Access Request procedure by which to manage such requests in an efficient and timely manner, within the timelines stipulated in the legislation.
Data Subject Access Requests
As part of our organisation’s routine operations, Midoc’s staff routinely interact with individuals whose data we hold. When a Data Subject formally requests access to their data held by Midoc, this request grants them certain access rights.
Specific timeframes govern Midoc’s response to such requests, with the details provided in the attached Subject Access Request process document. Our staff will take the necessary steps to ensure that these requests are promptly relayed to the Data Protection Officer and processed as swiftly and efficiently as possible, always adhering to the 30-day maximum response time stated under Your individual rights above.
Implementation
As a Data Controller, Midoc ensures that any entity which processes Personal Data on its behalf (a Data Processor) does so in a manner compliant with the Data Protection legislation.
Failure of a Data Processor to manage Midoc’s data in a compliant manner will be viewed as a breach of contract, and will be pursued through the courts.
Failure of Midoc’s staff to process Personal Data in compliance with this policy may result in disciplinary proceedings.
Definitions
For the avoidance of doubt, and for consistency in terminology, the following definitions will apply within this Policy
Data This includes both automated and manual data. Automated data means data held on computer, or stored with the intention that it is processed on computer. Manual data means data that is processed as part of a relevant filing system, or which is stored with the intention that it forms part of a relevant filing system.
Personal Data Information which relates to a living individual, who can be identified either directly from that data, or indirectly in conjunction with other data which is likely to come into the legitimate possession of the Data Controller. (If in doubt, Midoc refers to the definition issued by the Article 29 Working Party, and updated from time to time.)
Sensitive Personal Data A particular category of Personal data, relating to: Racial or Ethnic Origin, Political Opinions, Religious, Ideological or Philosophical beliefs, Trade Union membership, Information relating to mental or physical health, information in relation to one’s Sexual Orientation, information in relation to commission of a crime and information relating to conviction for a criminal offence.
Data Controller A person or entity who, either alone or with others, controls the content and use of Personal Data by determining the purposes and means by which that Personal Data is processed.
Data Subject A living individual who is the subject of the Personal Data, i.e. to whom the data relates either directly or indirectly.
Data Processor A person or entity who processes Personal Data on behalf of a Data Controller on the basis of a formal, written contract, but who is not an employee of the Data Controller, processing such Data in the course of his/her employment.
Data Protection Officer A person appointed by Midoc to monitor compliance with the appropriate Data Protection legislation, to deal with Subject Access Requests, and to respond to Data Protection queries from staff members and service recipients.
Relevant Filing System Any set of information in relation to living individuals which is not processed by means of equipment operating automatically (computers), and that is structured, either by reference to individuals, or by reference to criteria relating to individuals, in such a manner that specific information relating to an individual is readily retrievable.