A data controller is a person or body who is responsible for keeping and using personal data on computer or in manual or paper files – doctors and hospitals are data controllers.
Personal data is data relating to a living person who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. The legislation does not apply to the personal data of a dead person. There are no specific rules about access to the personal data of children. Medical records are among the data which are categorised as sensitive personal data – this data is subject to more stringent standards, especially in relation to consent to its collection and maintenance.
All data controllers must comply with rules about how they collect and use personal data. This means that the data must:
Have been obtained and processed fairly
Be accurate and complete and kept up to date
Be obtained for one or more specified explicit and legitimate purposes, and should not be processed for any other purposes
Be kept for no longer than those purposes require
Be subject to appropriate security measures to ensure that unauthorised access does not occur
You are a data subject for the purposes of the legislation. You have the right to:
Know if someone holds personal data about you
Access that data
Have data deleted if there is no good reason for its retention
Have any inaccuracies corrected or deleted and/or
Have information blocked
Blocking means that information held for a specific purpose may be blocked for use for other purposes. For example, you could specify that your medical records be blocked from use for research purposes.
There are specific rules in relation to access to personal health data. They provide that access to your personal health information may be refused if it would be likely to cause serious harm to your physical or mental health. If the person controlling access is a health professional, then that person may make the decision; if not, then he/she may consult with a health professional.
If the data controller does not comply with the legislation, you may complain to the Data Protection Commissioner and may seek compensation in the courts.
In general, the FOI legislation applies only to public bodies. As a result, it applies to the records held by GPs for their medical card patients, but it does not apply to records that they hold in respect of their private patients. The FOI Acts treat the records of medical card patients as being held by the HSE so, if you are using the FOI procedures, you must apply to the HSE for access to these records.
FOI also applies to all public and voluntary hospitals; to services for people with intellectual disability; and to services for people with physical disability.
The FOI legislation gives you the right, among other things, to access personal information held about you. Personal information means information which would normally be known only to you, your family and friends or information held by a public body about you on the understanding that it would be treated as confidential. It includes, among other things, information about your medical history. (It should be noted that “personal data” under the data protection legislation covers more