We take the protection of your personal data seriously. Here you'll find information on your data protection rights, and policies and practices regarding our collection and use of your personal data.
St Patrick's Mental Health Services Privacy Notice
St Patrick’s Mental Health Services (SPMHS) is an independent, not-for-profit organisation that provides quality mental health care, promotes mental health awareness, and protects the rights and integrity of those suffering from mental illness. We are regulated by the Mental Health Commission.
All personal data in possession of SPMHS is processed in accordance with but not limited to the obligations of the European Union (EU) General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Irish Data Protection Act 2018 which gives further effect to the GDPR in Ireland. SPMHS also processes personal data in accordance with the 2011 “e-Privacy Regulations” (S.I. No. 336 of 2011 – the European Communities (Electronic Communications Networks And Services) (Privacy And Electronic Communications) Regulations 2011).
We understand that you are aware of and care about your own personal privacy interests, and we take that very seriously. This Privacy Notice describes SPMHS policies and practices regarding our collection and use of your personal data and sets forth your fundamental rights. We recognise that data protection is an ongoing responsibility, and so, from time to time, we will update this Privacy Notice as we undertake new personal data practices or adopt new data protection policies.
Terms used in this privacy notice
In this privacy notice, certain terms have the following meanings:
Personal information/data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Personal Data means processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Primary purpose means the specific function or activity for which the information is collected. For the hospital, this is the provision of healthcare. Any use or disclosure of the personal information for another purpose is known as the secondary purpose.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data Controller means the natural (living person) or legal person (e.g. company), public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Protection Officer
We have appointed an internal Data Protection Officer (DPO) for you to contact if you have any questions or concerns about our personal data protection policies or practices. Our DPO's name is John Woods and you can contact him at St Patrick's Mental Health Services, James Street, Dublin 8, by calling +353 1 2493216 or by emailing email@example.com.
Purpose of Privacy Notice
This privacy notice is a statement of our commitment to protect the fundamental freedoms and rights of individuals in accordance with the EU General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and other relevant legislation.
The purpose of our privacy notice is to be fully transparent to you on how SPMHS processes (handles) your personal information. It is hoped that by reading the privacy notice you will have a clear understanding of the type of personal information that SPMHS holds about you and the way in which your information is processed.
How we collect and use your personal information
1. Provision of quality mental healthcare to our service users
Personal and sensitive information of our service users is collected by us for the primary purpose of ensuring that service users receive quality mental health treatment whilst under our care. As a service user, we collect information regarding your demographics, health history, family history, lifestyle, cultural or ethnic background and test results to assist in providing mental health care to you.
This information is collected by means of a GP referral, on admission to our services, Dean Clinic Electronic Referral, telephone call to our Support and Information Service, phone enquiries to our health professionals or staff, Prompt Assessment of Mental Health Needs Service telephone call to referred service users from our Referral and Assessment staff members and family members/carer/next of kin.
We collect information from you for the primary purpose of providing care and treatment to you. When your personal data is used for your care and administrative purposes related to your care, your data is being processed for the purposes of the legitimate interests pursued by SPMHS. We are obliged to record certain patient information under the Mental Health Act 2001 approved centre regulations. Where SPMHS processes special categories of personal data (such as health data), we will do so pursuant to GDPR article 9(2)(h) – provision and management of healthcare.
- Use among health professionals to provide your treatment
Your treatment will be provided by a multi-disciplinary team of health professionals working together. SPMHS staff may also refer you to other health service providers, for further treatment following your admission (for example, to local community mental health services). We may disclose your personal information with your consent to the relevant provider to the extent required for any such referral (including disclosing that information electronically). Your personal information will only be disclosed to those health care workers involved in, or consulted in relation to, your treatment and associated administration and to the extent required to meet that purpose. These health professionals will share your personal information as part of the process of providing your treatment. SPMHS will only do this while maintaining confidentiality of this information and protecting your privacy in accordance with the law.
- Assessment for provision of health care services
SPMHS may collect your personal information for the purpose of assessing your suitability for SPMHS health care services. Where personal information is collected, and you do not become a patient of SPMHS, your personal information will be retained in line with our hospital retention policy. Where your assessment has been conducted at the request of your GP, the hospital will report the outcome of the assessment to that GP as it may be relevant to any ongoing treatment or care provided to you by them.
- Your local doctor
SPMHS will usually, with your consent, send a discharge summary to your referring medical practitioner or nominated general practitioner following an admission. This is in accordance with international norms and long-standing medical practice and is intended to inform your doctor of information that may be relevant to any ongoing care or treatment provided by your general practitioner. This discharge summary may be sent to your referring medical practitioner or general practitioner electronically. If your nominated general practitioner has changed or your general practitioner’s details have changed following a previous admission, you must let us know.
- Other health service providers
If in the future you are being treated by a medical practitioner or health care facility that needs to have access to the health record of your treatment, we will provide a copy of your record to that medical practitioner or health care facility provided we have your explicit consent. We may provide information about your health records to another medical practitioner or health facility outside the hospital without your consent in the event of an emergency where your life or health is at risk.
- Students and trainees
St Patrick's University Hospital is a teaching hospital and it supports the placement of students and trainees. These students and trainees may have access to your personal information for the purpose of the placement. Students and trainees on placement at the Hospital are required to comply with the GDPR, Data Protection Act 2018 (and other relevant legislation).
- Relatives, guardian, close friends or legal representative
We may obtain or provide information about you to your specified individuals and only where you provide your explicit consent to do so.
If you are employed by SPMHS or if you have applied for a position at one of our facilities, we will collect information about your work history, contact details, referees and any other information that you submit in your job application. We collect similar background information about contractors, vendors, suppliers and health professionals who provide services to SPMHS and about students and volunteers that attend our facilities. All employees of SPMHS are required to obtain Garda Vetting clearance, and information from pre-employment medical screenings is also collected.
We collect, use and disclose personal information about our staff in order to perform our obligations as an employer and as required by Irish employment law. Our lawful basis for processing of employee personal data by our Human Resources Department is based under GDPR Article 6(1)(b) – Contract and under GDPR Article 9(2)(b) – Employment for the processing of sensitive data concerning employees (for example, medical certs). The processing of employee personal data by our Finance Department for the purpose of payroll is done under the legal basis of GDPR Article 6(1)(c) – legal obligation.
- Garda Vetting Data Processing
We keep Garda Vetting information for the duration of the relationship with the Garda Vetting applicant, and it may be kept for longer in line with any statutory requirements if applicable. Where we are responsible for processing Garda Vetting, the personal data requested in the Garda Invitation Form is provided along with supporting identification documents. The personal data requested in the Garda Vetting form includes: name, date of birth, email address, contact number, role being vetted for, current address, Eircode/postcode, name of organisation (if external).
The Garda Vetting disclosure document that we receive from the National Garda Vetting Bureau includes the individual's name, address, date of birth and, where applicable, any records held by the National Garda Vetting Bureau.
In the case of service providers who process Garda Vetting for their personnel, we must have an agreement whereby an employee of the contractor is not permitted on our sites without them first confirming receipt of a Garda Vetting nil disclosure for them. Alternatively, if an employee of the contractor receives a disclosure noting any records held by the National Garda Vetting Bureau, we must be able to, by way of viewing the disclosure document in question, satisfy ourselves that the record is not relevant to the position that the individual will hold with us in order to permit them to be on site.
The purpose of collecting this personal data is to comply with the National Vetting Bureau (Children and Vulnerable Persons) Acts 2012 to 2016. We are required by law to seek a Vetting Disclosure from the Bureau on any persons undertaking relevant work or activities under the Act, where there is access to or contact with vulnerable persons or children.
The data will be used to determine if any records are held by the National Garda Vetting Bureau which may be incompatible with the duties and responsibilities an individual is required to undertake for us.
All Garda Vetting documentation is securely stored in SPMHS with restricted access only to relevant Human Resources (HR) personnel. All applications for Garda Vetting are logged and managed by our HR Department.
3. Students, Volunteers and Job Applicants
We also collect personal information of job applicants, students and volunteers for the primary purpose of assessing their suitability for employment or undertaking work experience or clinical placement or providing other relevant assistance, as the case may be. Other purposes which we may use personal information about those individuals include to contact them, for insurance purposes, and to satisfy our legal obligations. Our legal basis for the collection of this data is under GDPR Article 6(1)(b) – Contract.
4. Health Professionals, Contractors and Suppliers
We collect personal information about contractors, suppliers and health professionals that provide services to us for the primary purpose of assessing and engaging their services or expertise and for other purposes where legally required. Our lawful basis for this processing is based under GDPR Article 6(1)(b) – Contract.
5. St Patrick’s Mental Health Services Website
We will send communications in relation to but not limited to our services and developments, upcoming events, campaigns, education material, service user engagement opportunities, advocacy updates, press releases and so on, that are not directly related to our service users' direct care. These communications are disseminated via email or post through our various mailing lists that an individual has subscribed to. We will always give the subscriber within each communication the option to opt out of receiving any further communications. Our lawful basis for sending communications to our subscribers is based under GDPR Article 6(1)(a) – Consent.
7. Video management systems
We use Video Management Systems (VMS), commonly referred to as CCTV, throughout our organisation for the purpose of maintaining the safety and security of our staff, service users, visitors and other attendees. Our CCTV systems may, but will not always, collect and store personal information. We will comply with our CCTV policy and the Data Protection Act 2018 in respect of any personal information collected via our CCTV systems.
8. Service User IT Support (SUITS)
Our SUITS team provides information technology (IT) support to our service users. The SUITS team members will provide IT support to service users who require assistance in registering or logging on to the service user portal. They will also provide IT support to service users who may encounter issues accessing our technology mediated services. The personal data collected by the SUITS team in order to provide this support includes: name, email address, phone number. The service user email address is required for service user access to their portal and video appointments on Microsoft Teams. The phone number is required to contact the person in support of their query. The lawful basis for this processing is based under GDPR Article 6(1)(f) - Legitimate Interest.
9. Covid-19 Personal Data Processing
SPMHS are currently collecting personal data and special categories of personal data from visitors to the hospital, our service users and staff members in regard to Covid-19 information. Demographic information such as name, address and contact number is collected along with details on Covid-19 in relation to the individual. It is collected by means of a questionnaire and destroyed when no longer required. A thermal image scanner is located at the entrance to the hospital, and a scanned image with a temperature reading is taken of each person entering the hospital. The image and readings are automatically deleted after 7 days. This information is accessed by designated staff on a need to know basis only and a data protection impact assessment was implemented by SPMHS. This processing is being carried out under lawful basis of GDPR Article 6(1)(c) - legal obligation and GDPR Article 9(2)(i) - Public Interest in the area of public health and GDPR Article 9(2)(h) - provision and management of health for special categories of personal data. SPMHS have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005.
10. Covid-19 Vaccine Data Processing
SPMHS collect personal data and special categories of personal data (health data) from our staff when they provide SPMHS with a copy of their vaccine certificates. SPMHS collect this personal data for the purpose of staff planning in regard to infection control measures. The hospital has a duty of care to its employees. This data processing is necessary for SPMHS to comply with its legal obligation to ensure the health and safety of employees under the Safety, Health and Welfare at Work Act 2005. The information collected will only be shared with strictly minimal authorised staff members on a need to know basis. The information will be securely stored and only held for as long as necessary to ensure the health and safety of employees. SPMHS have carried out a data protection impact assessment for this processing. This data processing is being carried out under lawful basis of GDPR Article 6(1)(c) - legal obligation and GDPR Article 9(2)(i) - Public Interest in the area of public health and GDPR Article 9(2)(h) - provision and management of health for special categories of personal data.
11. Health Research Purposes
In most instances SPMHS will rely on Article 6(1)(f) - Legitimate Interest and Article 9(2)(j) - Scientific Research of the GDPR if and when we use your information for research. All applications for undertaking a health research study must be approved by the SPMHS Research Ethics Committee. All health research in Ireland is governed by the Health Research Regulations 2018 (HRR) and the amended regulations 2021. The HRR make explicit consent the default position for processing personal data for health research. Authorised SPMHS personnel meeting criteria set out in the amended health research regulations 2021 may access service user health records for pre-screening purposes to determine whether an individual (prospective research participant) is suitable or eligible for inclusion in the study and/or for retrospective chart reviews. Click here to view the research page on our website for more information.
We will only use or disclose your personal information for the primary purposes for which it was collected or for directly related secondary purposes which you would reasonably expect (or that we have told you) or as permitted or required by law. If there is any doubt about this expectation, then we will obtain your consent before using or disclosing your personal information for a secondary purpose.
Personal data can be used or disclosed for some other purpose only where:
- The individual concerned has given explicit consent to the proposed use or disclosure.
- When information is to be communicated to other health care professionals involved in your care.
- For the purposes of medical teaching.
- There is a requirement to report to a statutory agency (such as an incident to the Mental Health Commission, a death to the coroner, an adverse drug reaction to the Irish Medicines Board).
- The healthcare professional reasonably believes the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety.
- Certain communicable diseases are notifiable by statute. Such notifications should preferably be made with the informed consent of the service user. In cases where informed consent is not provided, reporting should be to the relevant authority but should observe the service user’s confidentiality in all other respects.
- The use or disclosure is required or authorised by law.
- The information concerns a service user who does not have capacity and is normally a Ward of Court. Once appropriate documentation supporting this has been accepted by the DPO, information can be disclosed to a person responsible for the service user to enable appropriate care or treatment to be provided to the service user once adequate legal documentation supporting this has been accepted.
- Any disclosure to a third party should be limited to that which is either authorised or required in order to achieve the desired statutory and organisational objective.
- Personal data can be transferred to an individual or organisation outside the EU only with your explicit consent. Our DPO will ensure that you fully understand the risks to your data at the time of obtaining your explicit consent to data transfer.
- Anonymised information, which cannot be traced back to the service user, is used in clinical audits within SPMHS and is sent to other health care agencies such as the Mental Health Commission, the Health Research Board (HRB), Economic and Social Research Institute (ESRI), Irish Medicines Board, and the Coroner’s Office. This information is provided for regulatory, clinical audit and data analysis purposes and is regulated by statute.
- Clinical records are sometimes shared with our legal counsel for obtaining legal advice when reviewing clinical records for release to data subjects in response to a data subject access request. Our lawful basis for this processing is made under section 47 of the Data Protection Act 2018.
Overall responsibility for ensuring compliance with the GDPR and the Irish Data Protection Act 2018 rests with SPMHS as the Data Controller. All employees and data processors of SPMHS who separately collect, control or process the content and use of personal data are individually responsible for compliance with the GDPR and Data Protection Act 2018.
Procedures and guidelines
We are firmly committed to ensuring personal privacy and compliance with the Data Protection Act 2018, including the provision of best practice guidelines and procedures in relation to all aspects of data protection.
How we share and store your information
We record and maintain a record of your care and treatment, which may be held in manual form and/or in electronic format called an Electronic Health Record (EHR). All information collected and processed by SPMHS is treated with the strictest confidentiality and only shared with authorised personnel. Click here to view our EHR video or access our EHR booklet with answers to FAQs.
Your Portal is our service user portal, which aims to empower our service users by giving you online access to record and share your own health-related information and to contribute to your mental health care and treatment planning at SPMHS. Its purpose is to improve the journey of your mental health recovery, both during and after your care and treatment.
Service users register to access the portal and view key information uploaded to the portal by their care team. Your Portal is built to keep your information private and very secure. Only you, your care team at SPMHS, and anyone you choose to invite to it – such as a family member or GP - can access your record.
Your Portal is hosted by Patients Know Best (PKB), which is one of the leading suppliers of personal health records in the United Kingdom and the Netherlands. PKB holds all data in an accredited data centre in the Netherlands, which protects your information behind a secure firewall. Your information is encrypted whether at rest in the portal or being sent to and from the portal. None of your portal information is processed outside of this secure PKB infrastructure.
Our lawful basis for processing of personal data on the portal is made under GDPR article 6(1)(f) - Legitimate Interest. GDPR Article 9(2)(h) applies for the provision and management of health data on the portal.
The Data Protection Act 2018 and the GDPR provide certain rights for data subjects. A good explanation of them is available on the website of the Office of the Data Protection Commissioner. You are not obliged to provide personal data to SPMHS; however not doing so may have an impact on the most appropriate services that can be offered to you.
The right to be informed (Article 13 & 14 of the GDPR)
If you wish to confirm that SPMHS is processing your personal data or to have access to the personal data SPMHS may have about you, please contact us at firstname.lastname@example.org.
You may also request, in writing to our DPO, information about:
- the purpose of the processing
- the categories of personal data concerned
- who else outside SPMHS might have received the data from SPMHS
- what the source of the information was (if you didn’t provide it directly to SPMHS)
- and how long it will be stored.
The right to access information (Article 15 of the GDPR)
You have a right to have access to the personal information that we hold about you (for service users, this includes health information contained in your health record). Requests are called Data Subject Access Requests. We will provide you with a copy of your information within one calendar month of receiving the request, unless the request is complex, or the hospital has received a number of requests from you. That period of providing a copy of personal information may be extended by two further months where necessary, taking into account the complexity and number of the requests. SPMHS shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. When we receive requests for health related data, we are obliged to consult with the appropriate health practitioner (normally, your treating clinician) to ensure providing the data to you will not result in serious harm to your physical or mental health.
There is no fee for making a Data Subject Access Request. However, where the request is manifestly unfounded or excessive you may be charged a reasonable fee for the administrative costs of complying with the request. A fee may also be charged if an individual requests further copies of their data following a request. The fee will be based on the administrative costs of providing further copies. If for some reason access is denied, we will provide an explanation as to why access has been denied. Where we allow access, the DPO will arrange to give you access to your personal information in the manner you have requested, if it is reasonable or practicable to do so. Requests for access and amendment can be made by email, post, or fax. View our policy for data subject access requests.
The right to rectification (Articles 16 & 19 of the GDPR)
You can also request an amendment to (rectification of) personal information that we hold about you should you believe that it contains inaccurate information. The request will be reviewed with the relevant parties. The hospital will make the requested changes unless there is a reason under the GDPR or other relevant law to refuse such access or refuse to make the requested changes. If SPMHS do not agree to change your personal information in accordance with your request, it will permit you to make a statement of the requested changes and it will enclose this with your personal information. Should you wish to obtain access to or request changes to your personal information held by SPMHS, please contact our Data Protection department at email@example.com.
The Right to be Forgotten (Articles 17 & 19 of the GDPR)
You may ask SPMHS to delete your personal information. However, such requests will be dealt with on a case by case basis as the right of erasure is not an absolute right and restrictions may apply. We will be unable to fulfill an erasure request if the personal data is required for the treatment of an active patient. We will also not be able to delete data which is being held in the public interest, such as for protecting against cross-border threats or ensuring high standards of quality and safety of healthcare. Please be aware that in certain circumstances we may need to retain some information to ensure your preferences are respected in the completion of our duties. For example, we cannot erase all information about you where you have also asked us not to send you marketing material. Otherwise, your preference not to receive marketing material would be erased.
The Right of Restriction (Article 18 of the GDPR)
You have a limited right to the restriction of processing of your personal data. Where processing of your data is restricted, it can be stored by SPMHS, but most other processing actions will require your permission. You may request that your medical record be locked or archived so that further processing of, or changes to, the record do not occur. Any such requests must be in writing, signed by the patient and sent to the SPMHS Data Protection Officer (firstname.lastname@example.org) together with identification as continuing medical care cannot take place while the medical record is locked. These requests will be dealt with on a case by case basis.
The Right to Data Portability (Article 20 of the GDPR)
In limited circumstances, you may be entitled to obtain your personal data from a data controller in a format that makes it easier to reuse your information in another context, and to transmit this data to another data controller of your choosing. This right only applies where processing of personal data (supplied by the data subject) is carried out by automated means, and where you have either consented to processing, or where processing is conducted on the basis of a contract between you and the hospital.
Although this is not the case for most healthcare providers, you can request a copy of your medical record in a format that allows you to transmit the data to another health care provider or general practitioner. The protocol for transfer of medical records is for the receiving provider/practice to provide a signed patient consent form for the transfer of medical records from the original or sending practice. SPMHS will only send the records via a secure format.
The Right to Object (Article 21 of the GDPR)
You have the right to object to certain types of processing. The right to object only applies in certain circumstances. You have an absolute right to object to processing of your personal data where the processing relates to direct marketing, where such processing must be immediately stopped upon your request.
The Right to object to automated processing, including profiling (Article 22 of the GDPR)
You shall have the right not to be subject to a decision based solely on automated processing (processing operation that is performed without any human intervention), including profiling, which produces legal effects concerning you or similarly significantly affects you.
SPMHS does not make any decisions through fully automated decision-making.
We take reasonable steps to ensure that the personal information that we collect and hold is accurate, complete and up-to-date. We maintain and update the personal information we hold as necessary or when you have advised us that your personal information has changed.
Protecting your data
We take very seriously our obligations to protect the personal information we hold against interference, misuse, loss and unauthorised access. We implement rigorous organisational and technical measures, including administrative, physical and technical access restrictions to records containing personal information, with only authorised people able to access records on a need-to-know basis. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information.
Data retention and disposal
When personal information is no longer required, it will be destroyed, deleted or de-identified securely in line with our data retention and destruction policy and accepted document disposal schedules. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact our DPO.
Queries, concerns and complaints
If you have any queries or concerns about your privacy or wish to make a complaint regarding an impingement on your privacy, please contact our DPO. Your complaint should be in writing and you should provide sufficient details, together with any supporting material regarding your complaint.
On receipt of your complaint, the DPO will take steps to investigate the issue and will notify you of the outcome. We will endeavor to respond to your complaint within a reasonable period. If you are not satisfied with our response, you can contact us to discuss your concerns further or make a complaint to the Office of the Data Protection Commissioner.
Privacy Notice review
The SPMHS Privacy Notice will be reviewed regularly in light of any legislative or other relevant developments. We reserve the right to change this Privacy Notice from time to time at our sole discretion. If we make any changes, we will post those changes here and update the “Last Updated” date at the bottom of this Privacy Statement.
We encourage you to regularly review this Privacy Notice to make sure you are aware of any changes and how your information may be used.
This Privacy Notice was last amended on 25 August 2021.