Can I use patient data for research or statistical purposes?


Ideally you should make patients aware in advance if you intend to use their data for your own research purposes. However, the Acts provide that such uses of personal data are permitted, even where the patient was not informed in advance, provided that no damage or distress is likely to be caused to the individual.


Can I disclose patient data to others for research or statistical purposes?


You may pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data. If you wish to pass on personal data, including identifying details, you will need to obtain patient consent in advance.


Cancer research and screening is an exception to this rule. Under the Health (Provision of Information) Act, 1997, any person may provide any personal information to the National Cancer Registry Board for the purpose of any of its functions; or to the Minister for Health or any body or agency for the purpose of compiling a list of people who may be invited to participate in a cancer screening programme which is authorised by the Minister.


If I may only disclose anonymised data for research purposes, how can the researchers avoid duplication of data in respect of the same individual?


Researchers who obtain anonymised patient data are sometimes faced with the problem that they may be dealing with two or more data-sets from the same individual, received from different sources. To address this problem, it may be permissible for a data controller (such as a doctor) to make available anonymous data together with a unique coding, which falls short of actually identifying the individual to the researcher. For example, a data controller might "code" a unique data-set using a patient’s initials and date-of-birth. The essential point is that the researcher should not be in a position to associate the data-set with an identifiable individual.


Do I need to register with the Data Protection Commissioner?


If you keep personal details on computer relating to people’s health or medical care, then yes, you do need to register. Registration is a straightforward process, intended to make your data-handling practices transparent.


Do my patients have a right to see their medical records?


Yes they do. An individual is entitled to see a copy of any records which you keep relating to him or her on computer or on paper.  This right of access is subject to a limited exemption in the case of health and medical records, and in the case of social worker records, where allowing access would be likely to damage the physical, mental or emotional well-being of the individual.


Some Case Studies relevant to the medical and health sector


The following Case Studies, which have appeared in Annual Reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.


  • CASE STUDY 9/04 - Inadvertent disclosure of client data by the Midland Health Board to a research body
  • CASE STUDY 7/99 — debt collection service - acting on behalf of hospital - whether data had been "disclosed" for purposes of Data Protection Act - whether debt-collecting agency is entitled to build database of debtors


  • CASE STUDY 1/97 — hospital patient’s data disclosed for research – data not obtained fairly for this purpose
  • CASE STUDY 6/96inadequate security – position of computer screen in public area




Office Premises
Synergy House
10, Oakview Drive
Dublin 15

Contact Info

Tel: +353 (0)1 8215189
Mobile: +353 (0)87 2326927

Find Us