How we protect and manage personal data

About data protection

Data protection is the safeguarding of the privacy rights of individuals in relation to the use of personal data. All staff working across the six HSE Departments of Public Health must use personal data about service users, employees, suppliers and other people lawfully and fairly.

All staff working in the HSE Departments of Public Health are legally required under EU GDPR and Irish legislation to ensure the security and confidentiality of all personal data they collect and use on behalf of service users and employees. Data Protection rights apply whether the personal data is held in electronic format or in a manual or paper-based form. Staff breaches of data protection regulation may result in disciplinary action.

The information we are legally obliged to collect about you

One of our main roles is to investigate and control serious infectious diseases to protect you, your family and your community – in fact the whole population. Public Health staff keep records about the investigations carried out by the Department of Public Health team.  These include medical records, which help to ensure that you receive the best possible protection of your health.  Information is written down in paper or electronic records and kept safely.   

How we protect and manage your personal data

There are very strict regulations controlling access to the data you supply to us. All Department of Public Health staff are bound by confidentiality and are only granted access to your data on a need to know basis in the performance of their duties under the Health Acts 1947, 1953 and 2004 and under the Infectious Diseases Regulations 1981.  We may also collect data under the Health (Duties of Officers) Order 1949.

• Our staff are trained on good information governance and complete mandatory GDPR and Information security training.
• We maintain and update annually a Record of Processing Activity across each Department (ROPA). There is more information available at https://healthservice.hse.ie/staff/procedures-guidelines/data-protection/record-of-processing-activities-ropa/
• A log is maintained on all data protection incidents and breaches are reported to the Deputy Data Protection Officer in line with GDPR regulations.

Public Health investigation - what do we need from you?

In the event of an infectious disease investigation, staff from the HSE’s Departments of Public Health may need to seek access to relevant personal data on staff, students, children, employees or other individuals in direct contact with your facility under Medical Officer of Health legislation.

Why do we need to access personal data?

Investigation, prevention of spread and control of notifiable infectious diseases are statutory functions and we need information to carry out these functions. A list of the diseases notifiable by law is available at www.hpsc.ie.

The legal basis for Public Health requests 

There is a statutory duty for persons to provide such information to MOHs or staff working with them under Regulation 19 of the Infectious Diseases Regulations 1981.  

Article 6.1(c, d & e) and Article 9.2(i) of GDPR allow for processing data necessary for reasons of public health (Article text available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679)

What personal information may be required?

Names, addresses, dates of birth, GP details and contact details such as mobile and telephone numbers.

In the case of children, parents’ contact details are also required, and any other data that is necessary or desirable for the investigation and control of the infectious disease.

Who sees the information?

There are very strict regulations controlling access to the data you supply to us. All HSE staff are bound by confidentiality and are only granted access to health data on a need-to-know basis.  In addition, data acquired under MOH legislation are only accessed by those working under MOH legislation.

Are the personal data shared with others?

The data you provide to us are not shared with anyone other than the public health investigation team, unless it is essential for your health protection or that of others. Clinical referrals to other healthcare practitioners can be made in compliance with GDPR without the need for consent.

Under statutory obligations anonymised data are notified to the HSE's Health Protection Surveillance Centre (HPSC).

Will the data be secure and confidential?

All information you send to us regarding your facility will be held securely. The HSE, as an organisation, is registered with the Data Protection Commissioner and is governed by General Data Protection Regulation (GPDR) 2018.

How long do we hold the personal data you send us?

The personal data you send us will be incorporated into a new medical record which must adhere to the HSE Standards & Practices for Medical Healthcare Records & retention periods.

The length of time we hold onto this medical record can vary depending on the type of disease under investigation.

Where can you find further information about GDPR in the HSE? 

For further information on GDPR in the HSE, visit www.hse.ie/eng/gdpr/

How do you make a Subject Access Request?

For information on making a Subject Access Request, visit www.hse.ie/eng/gdpr/data-requests/

Page created on 19th March 2024 and updated on 08th April 2024