GDPR and its implications

The Winter 2017 edition of On-Call included a general overview of the GDPR and its implications.  That overview and a suite of template documents are available on our website. This article deals with a number of frequently asked questions arising under the GDPR. 

What lawful basis am I relying on to process data in general practice?

The GDPR applies to two categories of information:

  1. Personal data - any information relating to an identified or identifiable living individual. It does not include information about deceased persons or legal entities. 
  2. Special category personal data (“SCPD”)– i.e. more sensitive personal data and it includes data concerning health. It includes personal data relating to a living individual’s physical or mental health and data which reveals something about that individual’s health status.

Providing safe and appropriate medical care will involve collecting and processing both personal data and special category personal data.  It is important to prepare an inventory of data processed in the practice and doing this involves identify the lawful basis for each processing activity.

Under GDPR, to process data lawfully, a Data Controller must show that the processing was necessary on a lawful basis.  GDPR provides several different lawful bases for processing personal data and special category personal data.  It is important to consider all the lawful bases which are available by familiarising yourself with the terms of the GDPR[1] and to choose the most appropriate basis to rely on.

The following are the lawful bases likely to be primarily relied on by practitioners to justify processing data for the purposes of providing medical care in general practice:

Personal data

Article 6.1 (c)

Processing is necessary for compliance with a legal obligation to which the Data Controller is subject. You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation.  It does not include contractual obligations.


Article 6.1 (d)

Processing is necessary in order to protect the vital interests of the data subject or of another natural person.  You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life in an urgent situation.

The processing must be necessary. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not apply.  You cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.

Special category personal data, which includes data concerning health.

Article 9.2 (h)

Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of the health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional  and subject to the conditions and safeguards referred to in [Article 9.3 GDPR].


Article 9.2 (c)

Processing is necessary in order to protect the vital interests of the data subject or of another natural person.  You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life in an urgent situation. (See the commentary above re Article 6.1(d) for more detail).


Article 9.2 (i)

Processing necessary for reasons of public health


Data Protection Officers

Does our practice need a DPO?

GDPR says that where a Data Controller’s core activities involve large scale processing of special categories of data, they shall appoint a Data Protection Officer (“DPO”).  Therefore, in certain circumstances, having a DPO is mandatory.   It is always open to a Data Controller to appoint a DPO on a voluntary basis.

The core activity of a GP practice is to provide healthcare.  However, a GP practice cannot provide healthcare safely and effectively without processing health data, such as patients’ records which are special category data.  Therefore, processing health data is linked to the practice’s core activity and if it were on this criterion alone, a GP practice must appoint a DPO.

However, GDPR also refers to “large scale”.  It is not clear what the threshold for “large scale” is.  Guidance issued by the Article 29 Working Party confirms that a hospital must appoint a DPO but that an individual Physician, for example, need not.

If your practice is large enough to warrant the appointment of a practice manager, it seems to us that a DPO may be indicated.  A practice with multiple GPs and practice sites may also need to appoint a DPO.  Practitioners may wish to seek guidance from the Data Protection Commissioner’s Office. 

The practice must abide by Data Protection legislation and may face serious potential consequences for failing to do so.  A DPO will play a key role in fostering data protection awareness within the practice.  If faced with a data breach, a complaint to or data audit by the DPC, civil proceedings or Medical Council complaint, having appointed a DPO may assist to show that the practice took its data protection obligations seriously. 


GDPR requires the Data controller to publish the contact details of an appointed DPO and to communicate the contact details to the DPC.  This is to ensure that data subjects and the DPC can easily and confidentially contact the DPO. GDPR does not require that the published contact details should include the name of the DPO. 


The DPO has to be involved in all issues which relate to data protection and must be supported and resourced in carrying out the role and maintaining his/her expertise.  This means that a DPO should have adequate and appropriate training and should keep his/her knowledge up to date.  The DPO will carry out his/her role independently and report to the highest level of management.

Personal liability?

Under GDPR, the responsibility for and obligation to prove compliance rests with the Data Controller, not the DPO.  The DPO cannot be dismissed or penalised by the Data Controller for carrying out his / her duties. 

Age of consent to medical treatment and to processing of personal data

Consent to treatment

GDPR does not affect the legal age at which patients can consent to medical treatment.  A minor aged 16 can consent to medical treatment[2]. Patients over 18 are entitled to consent to psychiatric treatment[3], organ or tissue donation or participation in medical research.

PPS Numbers and GDPR

Is the practice entitled to ask for and keep PPS numbers?

Entities such as the Department of Social Protection or the HSE are permitted to seek the PPSN when providing certain services which are listed in the Social Welfare Acts.  Some examples of the services include the Drug Payment Scheme, Long Term Illness Scheme, Diabetic Screening, Cervical Smear Screening etc.  A GP will need a patient’s PPSN to complete some of the necessary paperwork on their behalf.

Any processing of personal data must be necessary.  It is not appropriate to request a patient’s PPSN as a routine part of patient registration, or on a “just in case basis”.  A patient’s PPS number should only be requested when required and only be used for the specified and explicit purpose for which informed consent was obtained. 

For so long as the requirement to know the PPS number continues, a GP is justified in capturing and holding this information on practice software system, which must be appropriately secured.  

It is advisable to have a system in place which prompts you to review at regular intervals whether it continues to be appropriate to hold a PPS number and if not, to act accordingly.  Use of a PPSN beyond what is required by the HSE may expose a GP to legal action under Social Welfare legislation and/or GDPR.

Scope of Medisec Professional Indemnity Cover for Breaches of GDPR

Allianz and Medisec are satisfied that, subject to the terms and conditions of the Medisec master professional indemnity policy, underwritten by Allianz plc, there is scope for cover under the definition of Malpractice for potential exposure for breaches of GDPR in respect of “unauthorised use of confidential information of a patient of the Practice or other breach of professional confidentiality in respect of a patient of the Practice.”

However, we would point out Exclusion 20 in the Policy. “Liability caused by or arising from the loss or alternation of or damage to or reduction in the functionality, availability or operation of a computer-system, hardware, programme, software, data, information-repository microchip- integrated circuit or similar device in computer-equipment or non-computer-equipment that results from the malicious or negligent transfer (electronic or otherwise) of a computer-programme that contains any malicious or damaging code including but not limited to computer-virus worm logic-bomb or trojan-horse”.

In view of the above exclusion, members are advised to consult with their insurance brokers and IT and legal advisors and to take advice in relation to whether they require separate indemnity cover for potential cyber liability exposure.


[1] The Data Protection Commissioner of Ireland and the Information Commissioner in the UK both have helpful explanatory guidance on their respective websites. The ICGP has also published “Processing of Patient Personal Data: A Guideline for General Practitioners”.

[2] Section 23 of the Non-Fatal Offences against the Person Act 1997

[3] The Mental Health Act 2001

Share this article: