GDPR Compliance Wexford Ultrasound
2018-05-29
Revised 04/01/2022

GDPR became active on 25th May 2018. Prior to its implementation, a data controller was appointed by the group partners to review and enhance the organisation’s risk management processes and to ensure compliance.

Data Protection Impact Assessment (DPIA)

An inventory of all personal data held was examined. The following data is stored on password- and firewall-secured PCs in Suite 8, Redmond Medical Centre, with backup storage on an external optical disk hard drive:

  • Patient name, date of birth, date of ultrasound scan.
  • Official radiologist report of the ultrasound examination, in a write-protected Word document.
  • DICOM and JPEG copies of the images acquired, which are archived for reference and comparison at follow-up, or in case imaging is requested by the patient for use in another health institution.
  • Data was obtained following receipt of a request from a qualified medical doctor to perform the scan, and after an appointment was made directly with the patient, either by telephone or by standard mail.
  • Consent has always been implied: once the patient consents to the examination being ordered, it is presumed they agree to the images and report being forwarded to the referring doctor, and to their being securely stored so that the patient themselves, or their designated consultant or doctor, can access them at a later date, but only with the patient’s consent.
  • Data is stored indefinitely to facilitate patients’ access to their medical records for their lifespan.
  • PCs are password protected, with up-to-date antivirus and firewall software. Referrals and reports are received and sent electronically via the secure encrypted Healthlink and healthmail platforms or secure GP practice email, or by confidential standard mail.
  • Images and reports are occasionally burnt to disc at the direct request of the patient when they require them for referral to other health service providers, and are only given directly to the patient themselves.
  • Credit card slips are temporarily stored in a locked filing cabinet for accounting and taxation purposes before being shredded at the end of the financial year.

Communicating with Staff and Service Users
The Wexford Ultrasound webpage is being updated to reflect the privacy policy and current consent practices, as well as how and why patient data is recorded. Patients’ attention is drawn to this at the time of consultation. All staff have been made aware of company policy in this regard and of the necessity to protect individual service users’ data.
As per current legislative requirements, we notify our customers of our identity, our reasons for gathering the data, the uses it will be put to, who it will be disclosed to, and that it will not be transferred outside the EU if the patient specifically requests this.
Under GDPR, our website is updated to reflect the fact that we are required, on a medicolegal basis, to store personal data relating only to the relevant medical ultrasound examination; the reasons for requiring a potentially indefinite retention period; the fact that the service user has the right of complaint if they are unhappy with our implementation of any of these criteria; whether their data will be subject to automated decision making; and their individual rights under the GDPR.

Personal Privacy Rights
We acknowledge the patient’s rights to:
  • access their imaging report and copies of the ultrasound scan if required
  • have inaccuracies corrected
  • have information erased
  • restrict the processing of their information
  • obtain a copy of their personal data (data portability)
Any request from a data subject wishing to exercise their rights under the GDPR will be dealt with by the Data Controller, who will locate, access (and correct or delete) the data in all locations where it is stored, upon written request by the patient (identity to be confirmed by state photo ID). Data can be saved on CD to allow data portability, or sent via encrypted email if the patient requires it electronically. Reports are saved as write-protected Microsoft Word documents, and images in DICOM and JPEG format, to allow ease of access.
Requests will be dealt with promptly and well within the calendar month.

Legal Basis
To defend the practice’s radiologists against future medicolegal proceedings, and to protect service users’ rights to their data for health or medicolegal purposes, personal data processing will be designated as having a legal basis, and will not rely solely on consumer consent as justification. This is outlined in our privacy notice on the company webpage.
The amount of personal data gathered is kept to an absolute minimum.

Using customer consent as a grounds to process data
Customer consent is implied when the patient agrees to undergo the imaging procedure. Formally seeking, obtaining and recording that consent in every individual case is not practical and is not routinely performed. Patients are directed to the privacy policy on the website www.wexfordultrasound.ie when the appointment is being made.


Processing Children’s Data
Minors are always accompanied by a parent or guardian, who verifies the minor’s age and gives verbal consent.

Reporting data breaches
Procedures are in place to detect, report and investigate a personal data breach. Any potential data breach is reported to the Data Controller, who notifies the Data Protection Commissioner’s office immediately and coordinates appropriate steps to mitigate or resolve it.
All breaches will be reported to the DPC, typically within 72 hours, and will also be reported to the individuals concerned.


Data Protection Officers
Dr Tadhg Gleeson has been appointed on an interim basis as designate Data Controller and Data Protection Officer (DPO).
I have read and am in agreement with the above compliance statement
signed
______________
Dr Tadhg Gleeson

_______________
Dr Richard Deignan

_______________
Dr John Morris

_______________
Jacinta Ryan

______________
Ruth Deignan