Purpose
The Health Service Executive (HSE) must comply with all applicable data protection, privacy and security laws and regulations in the locations in which we operate. We respect your rights to privacy and to the protection of your personal information. The purpose of this privacy notice is to explain how we collect and use personal information for the provision of our services and the day-to-day running of the HSE.
The information we process
To allow us to provide our services to you, we collect and process various categories of personal information. Information we collect may include:
- personal details about you, such as date of birth, address, next of kin, contact details (mobile phone number) etc.
- notes and reports about your health needs
We may also process certain special categories of information, which may include racial or ethnic origin, religious or philosophical beliefs, and the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a person’s sex life.
Legal basis for processing
The HSE’s lawful basis for processing personal data of service users is as follows:
- The processing is necessary in order to protect the vital interests of the person (referred to as the data subject in Data Protection language). This would apply in emergency situations, such as when a person is unconscious in the Emergency Department, or when sharing information with other emergency services for rescue or relocation in storms, etc.
- The processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller; for the HSE this official authority is vested in us through the Health Act 2004 (as amended).
- Special categories of data are defined by the GDPR and include things like racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, health data, sex life details and sexual orientation. We will only process special categories of personal data where it is necessary:
  - for the purposes of preventative or occupational medicine,
  - for the assessment of the working capacity of an employee,
  - for medical diagnosis,
  - for the provision of healthcare, treatment or social care,
  - for the management of health or social care systems and services, or
  - pursuant to a contract with a health professional.
Processing is lawful where it is undertaken by or under the responsibility of
- a health practitioner, or
- a person who in the circumstances owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health practitioner. For example, the outpatient clinic secretary, Emergency Department receptionist, Primary Care Centre staff, etc.
If the purpose of the processing is for a reason other than the reasons above, we will seek explicit consent to process your sensitive personal data (referred to as ‘special categories’ of data under the GDPR).
How we obtain information
We may obtain your information from a variety of sources, including information you give to us. We may also receive your personal information from third parties, for example your GP, your dentist, your social worker, or pharmacist.
Your rights
You have certain legal rights concerning your information and the manner in which we process it. This includes:
- a right to get access to your personal information;
- a right to request us to correct inaccurate information, or update incomplete information;
- a right to request that we restrict the processing of your information in certain circumstances;
- a right to request the deletion of personal information, excluding medical records;
- a right to receive the personal information you provided to us in a portable format;
- a right to object to us processing your personal information in certain circumstances; and
- a right to lodge a complaint with the Data Protection Commission.
Access your health records
You can access your health records by making a subject access request (SAR) and forms are available for this purpose at https://www.hse.ie/eng/gdpr. It is also sufficient to write to the hospital, unit or service in question. It is important that you provide satisfactory evidence of identification and a sufficient description of the data that you are looking for.
Who is the data controller?
The data controller in most instances is the HSE.
Your Information may be used to
- review the care we provide for you to ensure it is of the highest standard
- investigate complaints, legal claims or adverse incidents
- protect wider public health interests
- provide information for planning so we can meet future needs for health and social care services
- provide information to prepare statistics on Health Service performance
- carry out health audits
- provide training and development
- remind you of appointments by text
What other use is made of your Information
The HSE provides statistical information to other organisations such as the Department of Health, Universities and other research institutions. The HSE will make sure that you cannot be identified by anonymising the information.
Sharing with third parties
You may also be receiving health or social care from providers outside of the HSE, i.e. private or voluntary hospitals, specialists etc. In order to assist in this process, we may make referrals on your behalf requiring the need to share your personal information with those providers. We will only do so if there is a genuine need in order to ensure the highest quality of care is provided to you. We are careful only to share the information that is necessary for this purpose. Anyone who receives this information is also bound by confidentiality and the data protection laws. The current list of those with whom personal data is shared may be found on our website www.hse.ie/eng/gdpr. In certain situations, we may have to disclose your personal information to other agencies, in accordance with legal requirements, i.e. Dept. of Social Welfare, Department of Health, the Courts etc., or in an emergency situation to prevent injury to other persons.
Transferring information overseas
We may transfer your information to organisations in other countries where this is necessary to provide you with health and social care services, on the basis that anyone to whom we pass it protects it in the same way we would and in accordance with applicable laws. For more information about overseas transfers, please contact us using the contact information provided above.
How do we keep your records secure and confidential?
We are committed to ensuring that your information is secure with us and with the third parties who act on our behalf. We have a number of security precautions in place to prevent the loss, misuse or alteration of your information. All staff working for the HSE have a legal duty to keep information about you confidential and all staff are trained in information security and confidentiality. The HSE has strict information security policies and procedures in place to ensure that information about you is safe, whether it is held in paper or electronic format.
Sharing Information – within the HSE
Within the HSE, the clinical information collected by a doctor or other healthcare professional or staff member authorised to process your data is not passed on to others within the HSE, unless it is considered necessary for your health or social care needs or for one of the other reasons set out above (where possible, the personal information is anonymised or pseudonymised).
Retention period
We will only retain information for as long as necessary. Records are maintained in line with the recommendations of the HSE retention policy, which can be found at https://www.hse.ie/eng/services/yourhealthservice/info/dp/recordretpolicy.pdf
Contact details
Please contact our Data Protection Office:
- if you have any queries in relation to Data Protection or other issues around the security of your personal information
- for more information about the steps we are taking to protect your information
- for more information about your rights, including the circumstances in which you can exercise them and how to exercise them
- if you wish to raise a complaint on how we have handled your personal information, you can contact our Data Protection Officer who will investigate the matter. We hope that we can address any concerns you may have.