General Data Protection Regulation
In order to provide continuity of care, we need to collect and retain relevant information about you and your hearing health under your personal record. This information will only be shared with your GP, ENT consultant, or the Dept. of Social Protection with your approval. It will not be shared with any other third party without your consent.
Contact with you must be maintained to ensure continuous care and maintenance of any hearing devices. It is not possible to provide hearing healthcare without collecting and processing personal patient data. We must operate a policy for recall and re-assessment, and we request your consent to contact you by letter, email, or by phone. However, if you no longer wish to receive information regarding our services, you are welcome to opt out at any time.
For O’Grady’s Hearing Care, Gerard O’Grady, Managing Director, acts as the controller of data and is responsible for the data activities carried out within the company. Data will only be collected for a specific purpose (hearing health care). Processing will be transparent to the patient. Data will be adequate, relevant, and limited to what is necessary to comply with legal and regulatory requirements.
Every reasonable effort will be made to ensure that data is accurate and up to date, and conforms to data protection regulations, and that inaccurate data is removed without delay.
All patient data is given freely by the patient or the guardian. Records are maintained for patients for whom we have audiograms or hearing aid details; other patients’ details will be maintained with the patient’s consent, i.e. PPS numbers. Patients for whom we cannot verify the source of the data, or whom we cannot contact, will be removed from the database upon a decision from the Managing Director.
Third parties with whom we share patient information (Dept. of Social and Family Affairs, doctors and other medical practitioners, etc.) are data controllers in their own right.
The time for retention of patient data is the lifetime of the patient, unless the patient has made a specific request in writing for their data to be removed. Patient data removal must be done on a case-by-case basis, and we must consider the medical device directive requirements, Accounts and Revenue requirements for documentation retention periods, as well as warranty obligations for any instruments or repairs.
The purpose of data processing is to enable ongoing hearing healthcare, to record possible medical indications and referable conditions, and to enable accurate reporting of the history of these conditions.
It is important to note that O’Grady’s Hearing Care are not medical practitioners, nor do we represent ourselves as such, but we do provide important information that assists in the diagnosis of serious conditions. Indeed, we are sometimes the first contact the patient might make with a serious complaint. Our records must show accurate reasons for referral and the progression of a condition over time. Data processing is necessary in order to protect the 'vital interest of the data subject'. In view of our referable conditions, the implications of sudden hearing loss, single-sided deficit, single-sided or 'pulsatile' tinnitus, the effects on hearing of various conditions and the now proven links between untreated hearing loss and brain health, accurate data processing becomes increasingly important.
Data processing is necessary for legal compliance, for example:
- Records of hearing instruments must be maintained for the lifetime of the instrument according to the medical device directive (S.I. 252 of 1994).
- Records of financial transactions, invoices etc. must be maintained for 7 years according to the rules from Revenue.
- Records in respect of warranties for any instrument, service or earmould, must be maintained for at least the length of the warranty in question, in addition to the lifetime of the hearing aid.
- EN15927 requires Hearing Professionals to procure and document information on: type and degree of hearing loss; communication and hearing difficulties and social consequences; hearing expectations and individual hearing situations; relevant medical history, which may include allergies and medications, tinnitus, dizziness and hyperacusis; as well as previous hearing aid use.
- A new regulatory document (Irish Society of Hearing Aid Audiologists best practice protocol) requires that a record contain several items, including indication of cognitive decline, dexterity, general health status, as well as available support systems. (These requirements shall be added to this document when the new document is accepted by the Society.)
Measurements of hearing aid performance must be maintained. Data will be shared with third parties only with the consent of the patient, government departments, Insurance companies…
Our data processing activities will include off-site backup and security, and patient records must be shared with these facilities in order to ensure security. When making and receiving referrals to and from various branches of the medical profession, each party is subject to their own privacy and confidentiality rules and ethics. All relevant information must be shared in order to provide medical care. It is not possible to make a referral without sending the necessary information. The transmission of data in these cases is part of the referral and should not require separate consent.
O’Grady’s Hearing Care have implemented security measures to ensure a level of security appropriate to the risk, and we maintain copies of confidentiality agreements with all staff members.
O’Grady’s Hearing Care shall display a notice in the patient waiting areas showing:
- Identity of the controller of the Data, and person with responsibility.
- Information being collected
- Purposes of processing
- Period of processing
- Patient rights
- Legal basis of processing
A Patient may have incorrect data corrected. A Patient shall have access to their data upon written request.
This statement will be available to the patient should they request to see it. A patient’s personal data belongs to the patient. A request for personal data of an individual must be received in writing, signed by the individual or their legal guardian. O’Grady’s Hearing Care reserves the right to delete rather than hand out personal data if the Managing Director deems this appropriate. It is important to verify the identity of an individual making a request for personal data to ensure the data is only provided to the subject.
Requests for erasure must be dealt with on a case-by-case basis.
The right of erasure of files is subject to the requirements of Revenue/Accounts regulations and the requirements of the medical device directive.
*Clarification will be sought as to which regulations take precedence: patient requests, Revenue requirements or medical device directives.
Individuals have a right to object at any time to the use of their data for communications from the company, in which case personal data shall no longer be used for such purposes. However, if any staff member becomes aware of a data breach, they must inform the Managing Director as soon as possible.
As O’Grady’s Hearing Care is a small company, it does not require a Data protection officer. All responsibility relating to data management resides with the Managing Director.
A printed copy of this statement shall be held at reception desks and can be shown to patients upon request. This statement applies to paper records, electronic records, correspondence, emails and SMS.