Your health records: how private are they?



Ensuring records remain confidential
Data Protection refers to a set of rules relating to the obtaining, use and destruction of data. Irish data protection law is governed by the Data Protection Acts, which are designed to protect the privacy of the individual as regards processing of personal data. Aisling Gannon examines how Data Protection impacts on the healthcare sector.

The main parties to be considered in the context of data protection are the data controller, the data processor and the data subject. The data controller is a person/organisation who, either alone or with others, controls the content and use of the data. The data processor is a person/organisation that processes data on behalf of the data controller. Public and private hospitals, general practitioners and consultants may come within the definition of data controllers and/or data processors, but the definition of controller does not extend to an employee of a hospital acting in the course of their employment. The data subject is the individual who is the subject of the personal data. Patients are data subjects.

Data Protection and Healthcare
One of the most significant obligations on a healthcare practitioner, in their role as data controller, is the requirement to keep information safe and secure. Recently, there have been several highly publicised instances of alleged data protection breaches.

Data controllers need to ensure that healthcare records are stored in well-designed, secure areas, with limited and restricted access. Patient records should be kept in a format capable of being assessed and reviewed (where possible as a ‘complete’ set of records) detailing the patient’s history so as to assist in providing informed care.

A core data protection principle is that personal/sensitive personal data should not be held for longer than is necessary to achieve the legitimate purpose for which the data was originally obtained. Medical records should be retained by hospitals and medical practitioners for as long as is deemed necessary to provide treatment for the individual concerned, or as required for the conduct of actual or apprehended litigation.

At the very least, it is recommended that individual patient medical records be retained for a minimum of eight years from the date of last contact or for any period prescribed by law. In the case of children, their records should be kept for a period of eight years, which runs from the time they reach the age of 18. It is worth noting that no statute of limitation period applies to a person with a mental disability.

For hospitals, ‘medical records’ include patient notes and reports (electronic or paper), radiology, pathology, etc. Hospitals should have a formal data retention policy detailing the type of information held and the length of time for which each type of data, making up the ‘complete’ patient record, should be held.

In May 2011 the Health Service Executive (HSE) published its guidelines in this area, ‘Standards and Recommended Practices for Healthcare Records Management’. This is a useful guide which details the standards that the HSE expects in the healthcare sector.

The Data Protection Commissioner recently emphasised the importance of a transparent and balanced approach to collecting and using patient data. With regard to retrieval of patient records, such records should be available as and when a patient attends for admission/consultation. Each hospital should set out local policies, procedures and guidelines on the acceptable timelines for the retrieval of healthcare records.

Finally, any policies adopted by healthcare professionals should encompass the guidelines set out above. Data protection is a complex area which applies equally to public and private healthcare service providers. Healthcare professionals need to be familiar with the fundamental principles of data protection and with the guidelines as pertinent to the healthcare sector.
