05 December 2019

Q. GDPR was enacted in the EU in May 2018. Has there been smooth adoption from general practice in Ireland?

For many practices, the transition has been a relatively smooth process as we come to terms with the subtle working differences. The ICGP document, Processing Personal Patient Data: A Guide for General Practitioners, has been endorsed by the office of the Data Commissioner and is a robust reference for practices. The document has recently been updated to version 2.3. For any practices still struggling with the concept, it is an excellent time to address the main issues and the steps needed to be GDPR compliant.

As we store and share patient information both electronically and on paper, we have a responsibility to ensure this is done securely. This makes us, the GPs, the data controllers. We have to be able to show that we have data protection agreements with anyone who can access the patients' information. This includes not just the surgery staff, but also GP software companies, Healthlink, the practice computer maintenance person, visiting medical students, trainees and practice interns.

We must appoint someone within the practice to be the data officer, the person responsible for ensuring all GDPR documentation is stored in a folder that can be accessed by the Data Commissioner in the event of a breach. Any breach of your data must be reported to the Data Commissioner's office within 72 hours of discovery. In practice, violations will most likely occur through ransomware attacks, but could include anyone accessing patients' notes illicitly. It is our responsibility to ensure the patient records are stored as securely as possible. If your practice is unfortunate enough to be investigated and the proper security safeguards are not in place, you could be fined and potentially sued by affected patients. Ensure this checklist is complete:

  • If not done so already, assign a staff member to be data officer for your practice
  • Has your data officer read Processing Personal Patient Data: A Guide for General Practitioners?
  • Do you have a folder in place with security and backup protocols, all data-sharing agreements and confidentiality documents signed by all parties accessing patient data?
  • If you back up your data on tape drives, do you have a log showing who does the backup and when?
  • Does your practice have a privacy statement that is easily accessible to your patients in a public area such as the waiting room?
  • Do you have a protocol on steps to take in the event of a data breach?
  • Only use secure email (e.g. Healthmail) for the transfer of patient information
  • It is good practice to check with a patient that it is okay before sending notes to third parties such as solicitors or insurance companies, as the patient may not understand that they are releasing all their data when they sign the confidentiality release notice.

For more information see