Guidelines on the implications of GDPR on Clinical / Practice Audit

The Medical Council has reviewed the advice below and confirms that there are no restrictions under General Data Protection Regulation (GDPR) or the Data Protection Act 2018 for Registered Medical Practitioners (RMPs) to complete an audit:

  • All registered medical practitioners are legally required to maintain their professional competence. This means that as part of their CPD activity, they are required to undertake and record a clinical/practice audit annually. Employers are legally required to facilitate the maintenance of professional competence of registered medical practitioners.
  • During the clinical/practice audit process, health data is processed. Even if the health data is anonymised shortly after it is retrieved from patient records for the purpose of clinical/practice audit, that retrieval process in itself amounts to processing. Health data is defined under the GDPR as special category data. Such data can be processed in situations where it is necessary to do so for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of healthcare (Article 9(2) of the GDPR).
  • Medical practitioners can lawfully process special category data for the purposes of clinical/practice audit. However, in doing so, they must ensure that they adopt suitable and specific measures to safeguard the fundamental rights and freedoms of the data subjects concerned.
  • Consent is just one of the legal bases upon which data controllers can rely in order to lawfully process special category data.
  • Given the high threshold for consent and the fact that it can be withdrawn at any time, and in circumstances where there is another legal basis available to the practitioner to lawfully process a patient’s special category data (Part 11 of the Medical Practitioners Act 2007), it is not recommended to rely on consent as the legal basis for the processing of special category personal data for the purpose of clinical/practice audit. This means that medical practitioners (and their employers) are not required to seek consent before processing special category data for the purposes of undertaking a clinical/practice audit.
  • However, medical practitioners (and employers) should ensure that they are compliant with the transparency obligation in GDPR Article 5(1)(a) by ensuring that comprehensive privacy notices are provided to their patients. Further details on the contents of privacy notices can be found in the GDPR.
  • Each medical practitioner is either a data controller in their own right, or is employed by a data controller (for example a hospital). Every data controller is responsible for ensuring that they are compliant with the GDPR. The Medical Council can only give guidance in this regard.
  • If a medical practitioner has queries regarding this issue or is uncertain about how data protection affects their ability to conduct an audit, they should liaise with their indemnifiers or Data Protection Officer at their place of work.
  • Further information and resources on data protection are available at https://www.medicalcouncil.ie/FOI-Data-Protection/