Dear Patients,

You are reading the privacy statement of ICU 3D Pregnancy Ultrasound Scan Studio (from herein “ICU Studio”) that sets out how we handle your personal information we need to collect if you wish to draw on our services. Please note, that both “personal information”, “personal data” personal records” and “medical records” have the same meaning in the context of this Privacy Statement.

The ICU Studio is governed by an ethic of privacy and confidentiality. Our approach is consistent with the Medical Council guidelines and the privacy principles of the Data Protection Regulations. It is not possible to undertake medical care without collecting and processing personal data and data concerning health. In fact, to do so would be in breach of the Medical Council’s ‘Guide to Professional Conduct and Ethics for Doctors’.

This statement is about advising you of our policies and practices on dealing with your personal information. Any staff member of the ICU Studio who is involved in the collection, storage or processing of personal data has responsibilities under legislation:

  • to obtain and process personal data fairly,
  • to keep such data only for explicit and lawful purposes,
  • to disclose such data only in ways compatible with these purposes,
  • to keep such data safe and secure,
  • to keep such data accurate, complete and up-to-date,
  • to ensure that such data is adequate, relevant and not excessive,
  • to retain such data for no longer than is necessary for the explicit purpose,
  • to give, on request (known as an Access Request), a copy of the data to the individual to whom they relate.

We do our best to be clear and transparent about the information we collect and what we do with that information. Please make sure that you have read and understood our privacy policy that sets out the following;

  1. who we are,
  2. what personal data we collect and process about you in connection with your relationship with,
  3. where we obtain your personal data from,
  4. what we do with your personal data,
  5. how we store your personal information,
  6. who we transfer/disclose your personal information data to,
  7. how we deal with your data protection rights,
  8. and how we comply with the data protection regulations.

1. Who we are

  • The ICU Studio (also referred to as “we”, “us”, or “our” in this policy) primarily refers to the general practice of Dr. Virág Fehér who is registered with the Data Protection Commissioner’s Office (registration number 12826/A) as “Data Controller” of all personal information collected for the purposes of provisioning primary medical care and advice according to the relevant Irish and EU regulations (including the General Data Protection Regulation 2016/679).
  • Our designated Data Protection Compliance Officer (DPCO) for the ICU Studio is Dr. Zsolt Fabian.
  • As business name, the ICU Studio is registered in Ireland with registration number 553265. Registered office is located at Castlelawn Heights, Coolough Road, Galway, Co. Galway, 91 YR1X, Republic of Ireland. We can be contacted at either the above address or the following contacts: telephone: +353 91 458 543; fax: +353 91 458 547; e-mail: “manager@theheightsmedicalcentre.ie”.

 2. The type of personal information we collect

The ICU Studio collects, stores and processes personal information of patients to provide them primary health care services and to meet related legal, statutory and contractual obligations. These include “special category data” that are sensitive personal information to provide medical treatment to the data subject. Personal data we collect, store and process include;

  • personal information for unambiguous identification of the given patient, including his/her full name, date of birth, postal address(es), medical card number, medical card expiry date, , phone numbers, email addresses;
  • special category personal information on gender, nationality and primary language,
  • payment information including PPS number, card type, card numbers, CVV number, name on card and card expiry date;
  • special category personal information on past medical conditions (medical history) and/or pathology details including former diagnoses, medication and medical interventions patients provide us on the ICU Studio’s “New Patient Questionnaire” form;
  • special category personal information on past prescribed medications,
  • personal information on medical conditions of family members (family history) including former diagnoses, medication and medical interventions patients provide us on the ICU Studio “New Patient Questionnaire” form;
  • personal information generated in the ICU Studio during patient’s visit(s) and appointment(s), that may include written notes, photos, sound and video recordings;
  • personal information that third parties share with us including those from application forms or databases;
  • personal information on referral source (e.g. consultant, GP or physiotherapist details).
  • CCTV footage inside the premises of the ICU Studio

3. How we collect your personal information

The ICU Studio collects personal information of patients as follows;

  • we collect personal information directly from the patients when they complete our “New Patient Questionnaire” form;
  • we collect personal information directly from individuals acting as parent/guardian when they complete our “New Patient Questionnaire” form on behalf of underage patients or those under guardianship.
  • we collect personal information when you provide it to us by filling out additional documents, surveys, or forms, or when by sending us communication;
  • We collect personal information directly upon your visit(s) of the ICU Studio by medical examinations
  • CCTV footages are taken directly inside the premises of the Heights Medical Centre
  • On occasion, we also collect your personal information from other sources, in particular, other health care providers and government or non-government organizations.
  • We collect information from other third party sources whereby we receive additional information about patients (to the extent permitted by applicable law) including fraud warnings from health care service providers.

4. How we use your personal information

  • We take data privacy very seriously and will never disclose, share or sell personal data without consent, unless required to do so by law. We only ask for and keep information that is necessary and explain the need for any information we ask for if you are not sure why it is needed. All persons in the practice (not already covered by a professional confidentiality code) sign a confidentiality agreement that explicitly makes clear their duties in relation to personal health information and the consequences of breaching that duty.
  • We attempt to keep it as accurate and up to-date as possible. To do so, we ask you to inform us about any relevant changes that we should know about including any new treatments or investigations being carried out that we are not aware of. Please also inform us of change of address and phone numbers. Patient information collected by the ICU Studio may be used for the following purposes:
  • verifying your identity
  • for the purposes of providing health care services including medical assessment, medical diagnosis and the provision of treatment;
  • for internal assessment, diagnosis and treatment training purposes in a generic format in case histories
  • as part of a relevant filing system;
  • contacting you in relation to the health care services provided: we send you communications about the services you have asked for and any changes to such services. These communications are not made for marketing purposes and cannot be opted-out of;
  • credit or other payment card verification: we use your payment information for accounting, billing and audit purposes and to detect and/or prevent any fraudulent activities;
  • administrative or legal purposes;
  • to transfer personal data to third parties for medical referral purposes for further medical investigation,
  • security, health, administrative, crime prevention/detection; CCTV footages are used for security purposes of our staff, premises and property. Personal information may be passed to government authorities or enforcement bodies for compliance with legal requirements;
  • customer services communications: we use your data to manage our relationship with you (e.g. managing your appointments or responding to your comments or queries);
  • providing tailored services: we use your data to provide you information we believe is of interest to you (e.g. availability of winter vaccines);
  • to comply with a legal obligation (e.g. responding to requests by government, a court of law, or law enforcement authorities conducting an investigation or social, immigration or customs requirements);
  • when you have consented to us using your personal data (e.g. for professional studies);
  • to protect your vital interests or those of another person (e.g. in case of a medical emergency);
  • managing our legal and operational affairs.

      How long we keep your personal information

  • The ICU Studio retains medical records in-line with the HSE ‘National Hospitals Office, Code of Practice for Healthcare Records Management”, recommendations of Medical Indemnity Agencies and the Health Information and Quality Authority (HIQA). These are the followings:
Type of Healthcare Record Retention Period
General adult records 8 years after last contact, unless in the interest of

the Data Subject to retain

Children and young people Retain until the patient’s 25th birthday or 26th if young person was 17 at the conclusion of treatment, or 8 years after death.
Maternity-related data (all obstetric and midwifery records, including those of episodes of maternity care that end in still birth or where the child later dies) 25 years after the birth of the last child
Records of mentally disordered patients (as per Mental Health Acts 1945 to 2001) 20 years after the date of last contact between the patient/client/ service user and any healthcare professional employed by the mental health provider, or 8 years after the death of the patient/client/service user if sooner
Records of deceased patients 8 years after death
  • CCTV footages taken inside the premises of the Heights Medical Centre are kept for 90 days.

      Who can access your personal information

  • Access to patient records is regulated to ensure that they are used only to the extent necessary to enable the secretary or manager to perform their tasks for the proper functioning of the practice. In this regard, patients should understand that practice staff may have access to their records for:
  • typing referral letters to hospital consultants or allied health professionals such as physiotherapists, occupational therapists, psychologists and dieticians.
  • opening letters from hospitals and consultants. The letters could be appended to a patient’s paper file or scanned into their electronic patient record.
  • scanning clinical letters, radiology reports and any other documents not available in electronic format.
  • downloading laboratory results and out-of-hours coop reports and performing integration of these results into the electronic patient record.
  • photocopying or printing documents for referral to consultants, attendance at an antenatal clinic or when a patient is changing GP.
  • when a patient makes contact with a practice, checking if they are due for any preventative services, such, ante natal visit, contraceptive pill check, cervical smear test, etc.
  • handling, printing, photocopying and postage of medico-legal and life assurance reports, and of associated documents.
  • sending and receiving information via the secure clinical email system “Healthmail”.
  • and other activities related to the support of care appropriate for practice support staff.

 5. Security of your personal data

  • We follow strict security procedures in the storage and disclosure of your personal data and to protect it against accidental loss, destruction or damage. We regularly review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to our systems.
  • The ICU Studio collects and stores patient information both in digital and printed forms.
  • Printed personal information is stored securely on-site.
  • All digital patient information is protected by industry-standard, server-level encryption to make sure that only approved staff can access data. Encryption renders data useless if it is compromised by nefarious means such as ransomware or other potential hacks. Digitally stored personal information is protected by security and access controls, including username-password or biometric authentication, where appropriate.
  • Digital data backed up real-time to server-independent storage devices are also encrypted and only accessible to the Data Controller and Data Protection Compliance Officer.
  • All our digital storage devices are protected by daily-updated industry-leading antivirus and anti-malware software.
  • Operating systems of our storage devices are updated daily.
  • Card payment details are transmitted over internet using Secure Socket Layer (SSL) technology. SSL is the industry standard method of encrypting personal information across dedicated network infrastructure (Multiprotocol Label Switching-MPLS) and stored by third party service provider who is in compliance with Payment Card Industry Data Security Standards (PCI DSS).
  • Digitally stored personal data are only transmitted via the Healthlink and Healthmail messaging systems dedicated to secure patient data transfer in Ireland.

6. Who we transfer or disclose your personal information to

  • In general, we restrict access to personal information solely to the ICU Studio’s employees who have appropriate authorization from the Data Controller. Failure of the ICU Studio’s staff to access or process personal data in compliance with this policy may result in disciplinary proceedings.
  • We may need to disclose personal information to third-party health and social care professionals including doctors/consultants, the GMS Payments Board, the Health Board, the Department of Social and Family Affairs etc. in order to provide data subject health and/or social care services. However, in all cases, only the relevant part of personal information is released. These other professionals are also legally bound to treat personal information with the same duty of care and confidentiality that we do.
  • The law provides that in certain instances, for example in the case of infectious diseases, personal information (including health information) can be disclosed.
  • We may also disclose personal information to third-party professionals e.g. employers, insurance companies, solicitors etc. in relation to medico-legal issues on the written request of data subject. Work-related medical certificates only provide a confirmation that you are unfit for work with an indication of the date of resume work. Any additional information might be necessary is released with your consent only with the exception of sickness certificates issued to the Department of Social Protection for work that must include the medical reason for unfit to work.
  • Where you give us your consent, we may disclose personal information to regulators and government authorities in connection with our compliance procedures and obligations, a third-party to respond to requests relating to a criminal investigation or alleged or suspected illegal activity, a third party, in order to enforce or defend our rights, or to address financial or reputational risks, a rights holder in relation to an allegation of intellectual property infringement or any other infringement; and other recipients where we are authorized or required by law to do so.
  • We may also disclose personal information for training, teaching and quality assurance. Doctors have to discuss patient case histories from time to time as part of their continuing medical education or for the purpose of training doctors and/or medical students. However, the identity of the patient concerned will never be revealed unless it may be beneficial for other doctors within the practice to be aware of patients with particular conditions. In such cases, the Medical Centre would only communicate the information necessary to provide the highest level of care to the patient.
  • We may also disclose patient information for research and audit in order to improve services and standards of practice. Doctors on the specialist register of the Medical Council are required to perform yearly clinical audits. Information used for such purposes is done in an anonymized or pseudonymized manner with all personal identifying information removed. If it were proposed to use your information in a way where it would not be anonymous or the ICU Studio was involved in external research, written-informed consent of the data subject is to be obtained.

7. How we deal with your data protection rights

  • Data Subjects have the right to access any personal information that the ICU Studio processes and to request information about:
  • what personal data we hold about a data subject
  • the purposes of the processing
  • the categories of personal data concerned
  • the recipients to whom the personal data has/will be disclosed
  • how long we intend to store your personal data for
  • if we did not collect the data directly from the data subject, information about the source
  • Data Subjects rights include the right of access, rectification, erasure, restriction as well as the right to transfer of their data, the right to object to some processing and automated decision making, including profiling. These rights may be exercised freely and at no cost.
  • If you believe that we hold any incomplete or inaccurate personal data, the data subject has the right to ask us to correct and/or complete the information and we will strive to update/correct it as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified. Please contact our DPCO. We will promptly correct any information found to be incorrect.
  • The Data Subject also has the right to request erasure of their personal data or to restrict processing in accordance with data protection laws.
  • If we receive a request from a data subject to exercise any of the above rights, we may ask that person to verify their identity before acting on the relevant request; this is to ensure that Data Subjects data is protected and kept secure.

          Data Subject Access Requests

  • Data Subjects have the right of access to all the personal information processed by the ICU Studio. In most cases, the quickest way to access personal data is to review the information in records with the doctor providing health care to the patient.
  • Data Subjects can also make a formal written access request to the ICU Studio on the “Data Access Request” form. Where a formal request is submitted by a Data Subject in relation to the data we hold, such a request gives rise to Access Rights in favor of the Data Subject. These requests are forwarded to the Data Protection Compliance Officer in a timely manner that raises the request to the Data Controller. Requests are processed as quickly and efficiently as possible, but within not more than 30 days from receipt of the request free of charge.

          Right to Data Portability

  • Upon transfer to another practice, the ICU Studio facilitates that transfer by making available a copy of personal data to the new doctor on receipt of signed “MEDICAL RECORD TRANSFER REQUEST” form. For medico-legal reasons, the Medical Centre retains a copy of records for an appropriate period of time which may exceed eight years.

          Other Rights

  • Data Subjects have additional rights in relation to transfer of data to a third country, the right to rectification or erasure and restriction of processing. Further information on these rights in the context of general practice can be found at http://www.icgp.ie/data.

8. How we comply with the data protection regulations

  • The following actions are undertaken to ensure that ICU Studio complies with the GDPR:
  • The legal basis for processing information is clear and unambiguous
  • All staff involved in handling personal data has been informed on their responsibilities for following good data protection practice.
  • Rules regarding consent are followed.
  • Data Subjects are allowed to exercise their rights regarding personal data and such enquiries are handled effectively
  • Regular reviews of procedures involving personal data are carried out
  • Privacy by design is adopted for all new or changed systems and processes.

9. Changes to our privacy notice

  • The ICU Studio continuously reviews and, if necessary, updates this policy. Changes will be posted both on-site and electronically on our web pages. We advise you to check back here frequently to review the most current version of this document.
  • This version of ICU Studio’s Privacy statement (termed “version 2018.1”) is effective from the 25th of May, 2018.

10. Breach notification

  • It is ICU Studio’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be notified within 72 hours. This will be managed in accordance with section 9 of our “Personal Data Processing Policy” which sets out the overall process of handling information security incidents.

11. Lodging a complaint

  • The ICU Studio only processes your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however, you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, you have the right to lodge a complaint to our DPCO or the supervisory authority:

Data Protection Commissioner,

Canal House, Station Road,

Portarlington, Co. Laois,

Ireland, R32 AP23,

Telephone: +353 57 868 4800

E-mail: info@dataprotection.ie.