Data Protection & FOI

DP button foi button

Data Protection

The Medical Council adheres to the Data Protection Act 2018 (available here) and the General Data Protection Regulation ((EU) 2016/679) ('GDPR') (available here).

More Information

Medical Council and the GDPR

The Medical Council and the General Data Protection Regulation (‘GDPR’)

The Law: A new European Union (‘EU’) wide regulation known as the General Data Protection Regulation (‘GDPR’) came into force across the EU on 25 May 2018. The accompanying Data Protection Act 2018 was signed into law in Ireland on 24 May 2018. This legislation replaced the previous data protection legal framework. Under Irish legislation, the Data Protection Commission (‘DPC’) (previously the Data Protection Commissioner) is responsible for supervising data protection in Ireland.

A Data Controller is anyone who keeps or processes information about living people, and may be individuals or "legal persons" such as private companies or public bodies. In the context of medical practitioners examples of data controllers include private hospitals, public hospitals and General Practitioners.

The Medical Council as a data controller: The Medical Council is a data controller in relation to the personal information that it holds about medical practitioners who are registered, complainants, our employees and other parties as required, so that we can meet our responsibilities as outlined in the Medical Practitioners Act 2007. It is the Regulatory Body for registered Medical Practitioners in Ireland. It has a statutory role in protecting the public by promoting the highest professional standards amongst doctors practising in the Republic of Ireland, including publishing the Guide to Professional Conduct & Ethics for Registered Medical Practitioners. These are principles based guidelines rather than a legal code.

What we can do: The Medical Council is not an advisory, representative or membership Body. Our scope is explicitly determined from the Medical Practitioners Act 2007. We are not experts in data protection legislation and how it may apply in your particular environment. We therefore cannot provide advice on specific data protection matters.

Regarding guidance for the health sector, the DPC “recognises that it would be preferable for comprehensive and carefully thought-through guidelines to be designed by the appropriate representative bodies in this sector, by way of statutory codes of practice.” We recommend that where appropriate you contact your representative body for advice on data protection.

The Medical Council will continue to provide guidelines within the Guide to Professional Conduct & Ethics for Registered Medical Practitioners. We will also maintain a webpage specifically related to Data Protection and Freedom of Information with published guidelines and resources that may be of assistance regarding any Data Protection or Freedom of Information matters.

Doctors working in a public body (such as a public hospital)
Identify your Data Protection Officer (‘DPO’): From May 25 2018 all public bodies are required to have a Data Protection Officer (‘DPO’). Public bodies include public hospitals. If you are a doctor in a public hospital, the hospital is the data controller. Therefore please contact the DPO in your hospital with any specific data protection queries regarding your work. In addition the HSE has published the following information on GDPR: The HSE has also published an updated Data Protection Policy which is applicable to all HSE staff

Doctors employed by a private organisation (such as a private hospital)
If you are a doctor practising in a private hospital, the hospital is the data controller. Since May 25 2018 all data controllers who carry out large-scale processing are required to have a DPO. The GDPR does not define large-scale processing however the DPC states that ‘processing of patient data in the regular course of business by a hospital’ is an example of large-scale processing. However if your hospital does not have a DPO then we suggest that data protection issues are escalated to the appropriate person who deals with information governance in the hospital in which you work.

General practitioners (GPs)
If you are a GP and you are the Data Controller, please refer to the guidance published by the Irish College of General Practitioners, available here: 

For further resources, please click here.

Data Protection for Registered Medical Practitioners

If you are a medical practitioner registered with the Medical Council, and wish to find out more about the main ways in which we may use your personal information, please read below.

Your Registration
In accordance with Section 56 (1) of the Medical Practitioner’s Act, 2007, (‘MPA’) the Council shall ensure that the register is published in the prescribed manner, and in accordance with Section 56 (2) of the Act, residential addresses, telephone numbers, email addresses or similar details will not be published.

In order for the Council to assess an application for registration under Section 47(1) (f), such an application would be submitted to a medical Postgraduate Training Body approved under Section 89 of the MPA to be assessed to determine eligibility for the Specialist Division.

Your Education & Training
The Medical Council may request information from relevant bodies in relation to doctors in training and/or doctors providing training for the purposes of basic and specialist medical education and training. This is to assist in our evaluation and ongoing monitoring of our accreditation and inspection activity of Medical Schools, Clinical Sites and Postgraduate Training Bodies, pursuant to Part 10 of the MPA.

Your Professional Competence
In accordance with Section 91 of the MPA, the Medical Council may provide your Medical Council registration details to the Postgraduate Training Bodies or your employers to assist our monitoring of your maintenance of professional competence.

A number of times a year the Medical Council will send you an e-zine/email newsletter which will highlight important and useful information relevant to the role of the Medical Council, patient safety, useful information and guidance and other information relating to your role as a registered medical practitioner. This email letter will only contain relevant information and you will always have the opportunity to unsubscribe from these newsletters via the ‘unsubscribe’ option on the email.

Rights of data subjects

Data subjects have certain rights under the GDPR. One of these rights is to access any personal data that an organisation holds on them, subject to certain exemptions. If you wish to access your personal data please complete the Subject Access Request form.

Data Protection and Freedom of Information

The right of access to information under data protection and freedom of information legislation is similar, however data protection legislation does not apply to records of individuals that are deceased. Under data protection legislation you may request your own personal data, however under freedom of information legislation you may request information other than your own personal data. There are exemptions provided for under both sets of legislation so there are circumstances under which information may not be released but the reasons for not releasing information will be outlined in our response to you.

For more information on the differences between Freedom of Information and Data Protection, please click here.

Information on Freedom of Information is available here.

Personal data

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


On May 25th of this year the General Data Protection Regulation ((EU) 2016/679) (‘GDPR’) will come into effect across Europe. On February 1st the Irish Government published the Data Protection Bill 2018 which will transpose the GDPR into law. It will be followed by the publication of the Data Protection Act, the effect of which will be to replace the Data Protection Acts 1988 & 2003. It will enhance the rights of individuals (‘data subjects’) regarding their personal data. Personal data is a piece of information by which a person can be identified, such as a name or an email address (although personal data can take many forms). The GDPR will apply to all organisations that process personal data of data subjects who reside in the EU.

For the Medical Council, data subjects generally include members of the public, medical practitioners and employees of the organisation. Ultimately the GDPR will strengthen the rights of individuals and as an organisation, the Medical Council has a responsibility to ensure that these rights are respected. With this in mind the Medical Council will be training its employees, and updating policies and procedures as required, and ensuring that its website is as informative as possible.

For more information, visit the Data Protection Commissioner’s GDPR website.