Privacy Statement
Annagh Medical Centre Privacy Statement
Practice Name: Annagh Medical Centre (hereinafter called "the Practice")
Practice Address: Doctors Rd, Carrownluggaun, Ballyhaunis, Co. Mayo, F35 X932
Practice Phone Number: (094) 963 2232
Data Controllers: Dr Donal Delaney
Data Protection Lead: Dr Donal Delaney
ANNAGH MEDICAL CENTRE PRACTICE PRIVACY STATEMENT
Annagh Medical Centre is committed to providing the highest standard of medical care while protecting the privacy, confidentiality and security of our patients' personal information.
We recognise that General Practice is founded upon trust and confidentiality. Our approach to processing personal information is consistent with the Medical Council's Guide to Professional Conduct and Ethics for Registered Medical Practitioners, the General Data Protection
Regulation (GDPR), the Data Protection Act 2018 and other applicable healthcare legislation.
The provision of medical care requires the collection, use and retention of personal data, including special category data relating to health.
Without such information it would not be possible to provide safe, effective and appropriate healthcare.
This Privacy Statement explains how we collect, use, store, share and protect your personal information.
LEGAL BASIS FOR PROCESSING YOUR DATA
The Practice has voluntarily adopted the Irish College of General Practitioners (ICGP) Data Protection Guidance for General Practice.
The processing of personal information within General Practice is necessary for:
• The provision of healthcare and medical treatment.
• Compliance with legal and regulatory obligations.
• The protection of vital interests.
• Public health requirements.
• Management of healthcare systems and services.
The legal bases relied upon include:
• Article 6(1)(c) GDPR – compliance with a legal obligation.
• Article 6(1)(d) GDPR – protection of vital interests.
• Article 6(1)(e) GDPR – performance of a task carried out in the public interest.
• Article 9(2)(h) GDPR – provision of healthcare and treatment.
• Article 9(2)(i) GDPR – public health purposes.
Further information is available through the ICGP Data Protection Guidance.
In most circumstances medical records are retained until at least eight years after death or eight years after the patient's last contact with the Practice. Certain exceptions apply in accordance with professional guidance and legal requirements.
MANAGING YOUR INFORMATION
In order to provide healthcare services we must collect, store and process information about you and your health.
We retain your information securely and only collect information necessary for the provision of your healthcare and the administration of our services.
We aim to ensure that information held is accurate, complete and up to date. Patients are encouraged to inform us of any changes to contact details, relevant medical information or healthcare providers involved in their care.
We use appropriate technical and organisational security measures to protect personal information against unauthorised access, loss, misuse, disclosure, alteration or destruction.
Access to patient information is restricted to authorised personnel who require access in order to perform their duties.
All members of staff who are not already subject to professional confidentiality obligations are required to sign confidentiality agreements and are trained regarding their responsibilities concerning personal information.
USE OF ARTIFICIAL INTELLIGENCE (AI) TECHNOLOGIES
The Practice may use approved Artificial Intelligence (AI) technologies to support administrative, documentation, communication, educational and clinical support functions.
Examples may include:
• Clinical note generation and transcription services.
• Drafting correspondence and administrative documentation.
• Producing patient education materials.
• Website content creation.
• Appointment management and communication support.
The Practice currently uses Heidi Health, a clinical documentation platform, to assist with medical note generation and record keeping. All AI-generated documentation is reviewed by the treating clinician before being incorporated into the patient's medical record.
Where AI technologies are used:
• Appropriate confidentiality and data protection safeguards are maintained.
• Processing is carried out in accordance with GDPR and applicable healthcare regulations.
• AI-generated documentation is reviewed by an appropriately qualified healthcare professional.
• AI systems support, but do not replace, professional clinical judgement.
• Personal health information is processed only where a lawful basis exists and appropriate safeguards are in place.
Patients may request further information regarding the Practice's use of AI-assisted technologies.
PATIENT RECORD ACCESS BY PRACTICE STAFF
Access to patient records is carefully controlled and limited to activities necessary for the operation of the Practice and the provision of healthcare.
This may include:
• Preparing repeat prescriptions for GP review and signature.
• Preparing sickness certificates for GP review and signature.
• Typing referral letters and healthcare correspondence.
• Processing hospital and consultant communications.
• Scanning and filing clinical documents.
• Downloading and integrating laboratory results.
• Managing Out of Hours reports.
• Facilitating referrals and transfers of care.
• Arranging appointments and follow-up consultations.
• Supporting preventative care programmes.
• Processing medico-legal and insurance documentation.
• Sending and receiving information through secure healthcare communication systems including Healthmail.
• Other activities necessary to support the provision of healthcare services.
DISCLOSURE OF INFORMATION TO OTHER HEALTHCARE PROFESSIONALS
In order to provide appropriate care, it may be necessary to share relevant information with other healthcare professionals and organisations involved in your treatment.
Examples include:
• Hospitals.
• Consultants.
• Community healthcare services.
• Allied health professionals.
• Pharmacies.
• Out-of-Hours services.
Only information necessary for the relevant purpose will be shared.
Recipients are themselves subject to professional confidentiality obligations and data protection requirements.
DISCLOSURES REQUIRED OR PERMITTED BY LAW
In certain circumstances we may be legally required or authorised to disclose information without consent.
Examples include:
• Notification of certain infectious diseases.
• Court orders.
• Statutory reporting requirements.
• Safeguarding concerns.
• Public health emergencies.
DISCLOSURE TO EMPLOYERS, INSURERS AND SOLICITORS
Medical certificates issued for employers generally confirm fitness or unfitness for work without disclosing unnecessary medical information.
Where additional information is requested, this will usually only be disclosed with your consent unless otherwise required by law.
Requests from insurance companies, solicitors or other third parties will generally require your written consent before information is released.
USE OF INFORMATION FOR TRAINING, TEACHING AND QUALITY IMPROVEMENT
General Practice is a teaching and training environment.
Anonymous or pseudonymised information may be used for:
• Continuing medical education.
• GP training.
• Medical student education.
• Clinical supervision.
• Quality improvement activities.
The Practice participates in General Practice training programmes and GP Registrars may be involved in your care under appropriate supervision.
USE OF INFORMATION FOR CLINICAL AUDIT AND RESEARCH
Patient information may be used for clinical audit and quality improvement activities to help maintain and improve standards of care.
Where possible, information used for these purposes will be anonymised or pseudonymised.
Where identifiable information is proposed to be used for research purposes outside normal healthcare delivery, informed consent will normally be sought unless another lawful basis applies.
THIRD-PARTY DATA PROCESSORS
The Practice may engage carefully selected third-party providers to support healthcare delivery and administration.
Examples include:
• Practice management software providers.
• Secure communication providers.
• Medical documentation providers.
• Website hosting providers.
• Cloud service providers.
• Analytics providers.
• Newsletter providers.
All such providers are required to process information in accordance with GDPR and appropriate contractual safeguards.
Examples of Third-Party Service Providers Used by the Practice
The Practice uses a number of carefully selected third-party service providers to support the delivery of healthcare services, administration, communication and website functionality.
Examples may include:
• Socrates Practice Management Software (patient records and practice management)
• Heidi Health (clinical documentation support)
• Healthmail (secure healthcare communications)
• Microsoft 365 (email and document management)
• Wix (website hosting and website services)
• Newsletter and communication providers (where applicable)
All providers are required to comply with applicable data protection legislation and appropriate confidentiality and security requirements.
YOUR RIGHTS
You have the right to:
• Access your personal information.
• Request correction of inaccurate information.
• Request restriction of processing in certain circumstances.
• Object to certain types of processing.
• Request data portability where applicable.
• Request erasure where legally permissible.
Some rights may be restricted where healthcare legislation or professional obligations require information to be retained.
ACCESS TO YOUR HEALTH INFORMATION
You have the right to access personal information held about you.
A written access request may be made to the Practice.
Requests will normally be processed within one month in accordance with GDPR requirements.
TRANSFERRING TO ANOTHER PRACTICE
If you transfer to another healthcare provider, we will facilitate the secure transfer of relevant medical information upon receipt of appropriate authorisation.
The Practice will normally retain a copy of records in accordance with legal and professional record retention requirements.
INTERNATIONAL DATA TRANSFERS
Some service providers used by the Practice may process personal information outside the European Economic Area (EEA).
Where this occurs, appropriate safeguards will be implemented, including Standard Contractual Clauses approved by the European Commission or other lawful transfer mechanisms.
CHILDREN'S PERSONAL DATA
The Practice recognises the importance of protecting children's personal information.
Information relating to children is processed in accordance with applicable healthcare legislation, professional obligations and data protection requirements.
QUESTIONS OR COMPLAINTS
If you have questions regarding this Privacy Statement or how your information is processed, please contact the Practice.
You also have the right to lodge a complaint with the Data Protection Commission.
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Website: www.dataprotection.ie
WEBSITE PRIVACY NOTICE
This Website Privacy Notice governs the manner in which Annagh Medical Centre ("the Practice") collects, uses, stores and discloses information collected from users ("Users") of this website ("the Site").
This Website Privacy Notice applies only to the Site and the online services offered through the Site.
While every effort is made to ensure that information published on the Site remains accurate and up to date, information contained on the Site is intended as general information only and may be updated, amended or withdrawn at any time without notice.
Users should contact the Practice directly if they require specific medical or administrative information.
IMPORTANT NOTICE
This website is not intended for the communication of urgent medical concerns.
If you require urgent medical advice or treatment, please contact the Practice directly, contact your local emergency services or attend the nearest Emergency Department as appropriate.
Users are requested not to submit detailed or urgent medical information through website contact forms unless specifically requested to do so by the Practice.
INFORMATION WE COLLECT
When visitors use the Site, we may collect one or both of the following categories of information.
Statistical and Analytical Information
We may collect statistical and analytical information regarding website usage on an aggregated and anonymous basis.
Examples may include:
• Number of website visitors.
• Pages visited.
• Time spent on the website.
• General navigation patterns.
• Device and browser information.
• Geographic region of access.
This information does not normally identify individual users and is used to help improve website performance, content and user experience.
Personal Information
Personal information may be collected where a User voluntarily provides information through the Site.
Examples include:
• Contact forms.
• Appointment request forms.
• Newsletter subscription forms.
• Email communications.
• Patient enquiry forms.
• Other online services provided through the Site.
Users will normally be aware when personal information is being collected and the purpose for which it is being collected.
HOW WE USE YOUR INFORMATION
The Practice may use information collected through the Site for the following purposes:
• Responding to enquiries.
• Managing appointment requests.
• Providing requested services.
• Sending administrative communications.
• Sending newsletters and health information updates where consent has been provided.
• Improving website performance and user experience.
• Monitoring website security.
• Complying with legal and regulatory obligations.
• Managing and administering healthcare services.
Personal information will only be used for the purposes for which it was collected or for compatible purposes permitted by law.
CONTACT FORMS AND ONLINE ENQUIRIES
Information submitted through website contact forms or online enquiries will only be used for the purpose of responding to the enquiry or providing the requested service.
Users should avoid including unnecessary sensitive medical information when using website contact forms.
Where sensitive health information is required, the Practice may request that communication take place through secure approved channels.
ONLINE APPOINTMENT REQUESTS
Where online appointment request facilities are available, information provided will be used solely for the administration of appointments and patient care.
Submission of an appointment request does not guarantee an appointment until confirmation has been provided by the Practice.
NEWSLETTERS AND MARKETING COMMUNICATIONS
Where a User has provided consent, the Practice may send newsletters, health information updates, practice announcements and other relevant communications.
Users may withdraw consent and unsubscribe at any time by:
• Using the unsubscribe link included in communications.
• Contacting the Practice directly.
Withdrawal of consent will not affect communications necessary for the provision of healthcare services.
COOKIES
The Site uses cookies and similar technologies to improve website functionality, user experience and performance.
Cookies are small text files stored on a user's device by their web browser.
The Site may use:
Essential Cookies
These cookies are necessary for the operation of the Site and cannot be disabled through our systems.
Analytics Cookies
These cookies help us understand how visitors interact with the Site by collecting anonymous information about website usage.
Preference Cookies
These cookies remember choices made by users to improve website functionality and user experience.
Marketing Cookies
Where applicable, these cookies may be used to measure the effectiveness of communications and website content.
COOKIE CONSENT
Where required by law, non-essential cookies will only be placed on a user's device following consent.
Users may:
• Accept cookies.
• Reject non-essential cookies.
• Modify cookie preferences.
Cookie preferences may be changed at any time through the website's cookie management settings.
Disabling cookies may affect the functionality of certain areas of the Site.
WEBSITE ANALYTICS
The Practice may use website analytics services to understand how visitors use the Site and to improve website performance.
Analytics information is generally collected in aggregated or pseudonymised form and is used solely for legitimate business and service improvement purposes.
HOW WE PROTECT YOUR INFORMATION
The Practice uses appropriate technical and organisational measures to protect information collected through the Site.
These measures may include:
• Secure website hosting.
• SSL/TLS encrypted connections.
• Access controls and authentication measures.
• Secure cloud-based systems.
• Staff confidentiality obligations.
• Regular security updates and monitoring.
While reasonable measures are taken to protect information transmitted through the internet, no method of transmission or storage can be guaranteed to be completely secure.
THIRD-PARTY SERVICE PROVIDERS
The Practice may use carefully selected third-party service providers to assist in operating the Practice and the Site.
Examples may include:
• Website hosting providers.
• Practice management software providers.
• Online booking providers.
• Email communication providers.
• Medical documentation providers.
• Newsletter providers.
• Analytics providers.
• Cloud service providers.
These providers act as Data Processors on behalf of the Practice and are required to comply with GDPR and applicable confidentiality obligations.
INTERNATIONAL DATA TRANSFERS
Some service providers used by the Practice may process information outside the European Economic Area (EEA).
Where this occurs, the Practice will ensure that appropriate safeguards are implemented, including:
• European Commission Standard Contractual Clauses.
• Adequacy decisions.
• Other lawful transfer mechanisms recognised under GDPR.
ARTIFICIAL INTELLIGENCE (AI) TECHNOLOGIES
The Practice may use approved Artificial Intelligence (AI) technologies to support website administration, content creation, communication and healthcare administration.
Where AI-assisted technologies are used:
• Appropriate safeguards are maintained.
• Personal information is processed only where lawful and appropriate.
• Human oversight is maintained.
• AI technologies support, but do not replace, professional judgement.
CHILDREN'S PRIVACY
The Practice recognises the importance of protecting children's personal information.
Information relating to children is processed in accordance with applicable legislation, professional obligations and data protection requirements.
Parents and guardians are encouraged to supervise children's use of online services.
THIRD-PARTY WEBSITES
The Site may contain links to third-party websites.
The Practice is not responsible for the privacy practices, content or policies of external websites.
Users should review the privacy policies of any third-party websites they visit.
DATA RETENTION
Information submitted through the Site will be retained only for as long as necessary to fulfil the purpose for which it was collected and to comply with legal, professional and regulatory obligations. Where website enquiries form part of a patient's healthcare record, they may be retained in accordance with applicable medical record retention requirements.
CHANGES TO THIS PRIVACY NOTICE
The Practice reserves the right to update this Website Privacy Notice from time to time.
Any changes will be published on this page and will become effective upon publication.
Users are encouraged to review this Privacy Notice periodically.
YOUR RIGHTS
Under GDPR, you may have rights including:
• Right of access.
• Right to rectification.
• Right to erasure.
• Right to restriction of processing.
• Right to object.
• Right to data portability.
• Right to lodge a complaint with the Data Protection Commission.
CONTACT DETAILS
If you have any questions regarding this Website Privacy Notice or the processing of your personal information, please contact:
Data Protection Contact
Dr Donal Delaney
Annagh Medical Centre
Doctors Road
Carrownluggaun
Ballyhaunis
Co. Mayo
F35 X932
Telephone: (094) 963 2232
Email: reception@annaghmedicalcentre.com
Last Updated: 05 June 2026