Data Protection Information Notice – HSE Live chat bot
Introduction
The purpose of this privacy notice is to explain how the HSE Live Chat Bot works, what data is collected, who has access to that data and the purposes for which the data is used. This notice also provides you with information about your data protection rights under data protection law, including under the EU General Data Protection Regulation (EU Regulation 679/2016) (‘the GDPR’).
The chat bot is available on pages within the HSE website (www.hse.ie) relevant to the current Covid Vaccination programme. Use of the chat bot is completely voluntary – it is your choice to access services available through the chat bot support channel.
The Data Controller
The Health Service Executive (HSE) is the Data Controller for the chat bot. It has decided the means and purposes for the processing of personal data on using of the bot. The HSE is therefore responsible for your personal data and for compliance with obligations under data protection laws.
The Data Protection Officer
You can contact the HSE Data Protection Officer for data protection information in relation to the chat bot.
HSE Data Protection Officer
Email: DPO@HSE.ie
Phone: +35316350359
What the HSE Live Chat Bot does
The HSE Live Chat bot is designed to support the public with questions or specific support requests relating to the Covid Vaccination programmes.
It is available on Covid Vaccination section of the HSE website www.hse.ie . When launched it automatically provides general Covid Vaccination information, in a question and answer format. You can navigate this information anonymously.
If the information does not answer your query the chat bot will provide the option for you to transfer to a HSE Live agent to access support via live chat.
On choosing to transfer to chat with HSE live agent you will be requested to provide some personal information. The HSE collects your information and processes it for the purposes of:
- Allowing the HSE Live chat agents to identity and verify you, the service user, requesting support via the chat channel
- Creating a support case that captures your request/query details and live chat transcript with the agent. This will give a full history of support requested by you throughout your vaccination journey
- Associating the support case with an existing registered account if there is a one to one match with personal details provided.
- Facilitating OTP security control (proving that the client has access to email and mobile provided)
- Improving the service, quality improvement and staff training
How the HSE Live Chat works
The HSE Live chat bot uses the Einstein Bot component of Salesforce and is connected to the HSE Vaccine Information system.
On launching the HSE Live Chat Bot you must complete a reCaptcha before proceeding to interact with the chat bot. You can anonymously browse relevant Q&A information related to the current stage of the Covid Vaccination programme. The history of this interaction is retained for a short time and is not associated with your account on the HSE Vaccine Information System.
You are provided with an option to transfer to chat with a HSE Live agent should you require future assistance. If you chose this option you will be requested to provide the following personal information:
- Your first name
- Your last name
- Your contact email address
- Your mobile number
For security purposes we will need to verify your identity before we connect your chat to a HSE Live agent. You will receive a One Time Code (OTC) text to the mobile number you used when registering for your Covid Vaccination.
- If this mobile number is no longer in use, you can ring 1800 7070 for assistance.
- If you are not registered for the Covid 19 Vaccination, the OTC will be sent to the mobile number entered in the chat session.
As soon as a HSE Live agent is available they will respond to your chat request. At this point your personal details are saved in a support case on the HSE Vaccine Information system.
- If there is a one to one match of the details provided with an existing registered account on system the support case will be associated with it.
- The agent will first verify your personal identity and will then proceed to assist you with your support request or quest.
- You can exit the chat at any time.
When your chat session ends with the HSE Live agent a chat transcript is generated and transferred to the HSE Vaccine Information System. It is associated with the support case created and linked with your account. This transcript will include a history of interaction with the HSE Live chat bot and a record of your chat session with the agent.
What Chat bot metrics are collected
Metrics are collected and available to the HSE to understand the use of the chat bot. This aggregated data includes information such as:
- Frequently accessed Question and Answers in the available general information
- The average length of a chat bot interaction
- Use of the option to transfer to chat with a HSE Live agent
As the metric data does not identify you it is not associated with your information on the HSE Vaccine Information System.
What data is collected and processed
If you use the HSE Live chat bot to simply browse of the available Question and Answers to address your query then limited data is collected and processed. Your IP address is processed for geolocation restriction security purposes, this data will not be stored on the HSE Vaccine Information System. A full history of interaction with the chat bot including navigation of the general information and any data inputted to the search field is collected. This data is stored for a short period time and is not associated with your information on the HSE Vaccine Information System.
Should you choose the option to transfer to chat with a HSE Live agent the following information will be collected:
- Your first name
- Your last name
- Your contact email address
- Your mobile number
- Query description
In order to confirm your identity when you are connected to an available HSE Live chat agent, you will be asked to provide the answer to one of the following questions:
- Your date of birth, and
- Your Address Line 1 or
- Your PPSN or
- Your GP name
A support case that includes this data and a transcript of your interaction with chat bot prior to transfer to agent and including all chat with the agent will be associated with your information on the HSE Vaccine Information System.
The legal basis for data processing
The HSE’s lawful basis under the General Data Protection Regulation for processing personal data relating to the vaccine programme is as follows:
The processing of personal health data is necessary for a task carried out in the public interest vested in the HSE (Article 6(1)(e) of the GDPR) and substantial public interest for the processing of special categories of personal health related data (Article 9(2)(g) of the GDPR). This is supported by s53 of the Data Protection Act 2018.
The processing of the personal data using HSE Live chat bot, call recording and the HSE Live service is in the legitimate interests of the HSE. The legitimate interests are the purposes of improving the service, quality improvement and staff training. The HSE has minimised the amount of personal data processed via the HSE Live chat bot and implemented appropriate safeguards to keep the data confidential. The HSE provides other ways in which people can obtain similar information.
Security measures
There are a range of security processes and technologies in place to prevent unauthorised access to the data while it is stored on the HSE Vaccine Information system, including data encryption, modern firewalls and intrusion prevention.
One Time Code Authentication – we have added OTC (One Time Code) validation in order to start the chat with an agent, to provide additional security.
Your Identification/Verification - HSELive chat agents will follow an approved client identification & verification process prior to engaging with your request. The HSELive chat agent will confirm your Firstname, Surname, Date of Birth, and PPSN(Optional) , or Address Line 1 (Optional), or the client’s GP name (Optional). This conforms to the same identification and verification process being used by HSELive in a phone based interaction.
Data Residency – The HSE Vaccine Information System (of which Einstein Bot is a native component) is hosted on the secure Salesforce Cloud and within Salesforce data centres within the European Economic Area (EEA).
Who processes your data
The HSE is the data controller and responsible for the HSE Live chat bot support channel technical solution that is integrated with the HSE Vaccine Information system.
Data processors
The following are data processors of the HSE Live chat bot data:
- IBM: who is responsible for initial implementation and configuration of the Einstein Bot component to integrate with the HSE Vaccine Information System, including HSE Service Console application, in addition to ongoing technical support.
- Service Providers working on behalf of HSE Live (• Capita Customer Solutions • Abtran • Rigney Dolphin • Covalen). These providers receive, manage and process chat channel inquiries and support requests routed from the Einstein Bot to the HSE Vaccine Information system.
Data sub-processors who are involved in this activity include:
Salesforce: works in conjunction with IBM to implement and host the system (and data)
Amazon Web Services (AWS): who is contracted by Salesforce at the following locations -
1) AWS - Frankfurt, DE hosting HSE Salesforce Org on EU 40 instance
2) AWS - Dublin, Ireland (hosting Salesforce Einstein Bot Runtime server)
How long your information will be kept
A history of your interaction with the HSE Live chat bot navigating Questions and Answers information and inputs to the search field, and where you do not subsequently transfer to chat with a HSE Live agent, is retained for 7 days.
If you choose the option to transfer to chat with a HSE Live agent your data will be retained on the HSE Vaccine Information system for a 2 year period from the end of the first phase of the vaccination programme. This retention policy will be reviewed again at end of the 2 year period. The same retention policy applied to the HSE Live [TGCL1] metrics on chat bot interaction.
Your rights
You have certain legal rights concerning your information and the manner in which we process it. These include:
- a right to get access to your personal information;
- a right to request us to correct inaccurate information, or update incomplete information;
- a right to request that we restrict the processing of your information in certain circumstances;
- a right to request the deletion of personal information, excluding medical records;
- a right to receive the personal information you provided to us in a portable format;
- a right to object to us processing your personal information in certain circumstances; and
- a right to lodge a complaint with the Data Protection Commission.
You can access your health records by making a subject access request (SAR) and forms are available for this on the Data Requests page.