St Patrick’s Mental Health Services Privacy Notice

The meanings of certain terms used in this Privacy Notice are outlined below. 

• Consent

  Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

• Data concerning health

  Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

• Data controller

  Data controller means the natural (living person) or legal person (such as a company), public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

• Personal data breach

  Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

• Personal information/data

  Personal information/data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• Primary purpose

  Primary purpose means the specific function or activity for which the information is collected. For SPMHS, this is the provision of healthcare. Any use or disclosure of the personal information for another purpose is known as the secondary purpose.

• Processing

  Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

• Processor

  Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

• Special categories of personal data

  Special categories of personal data means processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. 

• Communications

  We will send communications in relation to but not limited to our services and developments; upcoming events and campaigns; education material; service user engagement opportunities; advocacy updates; press releases and so on, that are not directly related to our service users' direct care. These communications are shared by email or post through our various mailing lists that an individual has subscribed to.

  Within each communication, we will always give the subscriber the option to opt out of receiving any further communications.

  Our lawful basis for sending communications to our subscribers is based under GDPR Article 6(1)(a) – Consent.

• COVID-19 personal data processing

  We are currently collecting personal data and special categories of personal data from visitors to the hospital, our service users and staff members in regards to COVID-19 information.

  Demographic information, such as name, address, and contact number, is collected, along with details on COVID-19 in relation to the person. It is collected by means of a questionnaire and destroyed when no longer required.

  This processing is being carried out under lawful basis of GDPR Article 6(1)(c) - Legal obligation, GDPR Article 9(2)(i) - Public interest in the area of public health and GDPR Article 9(2)(h) - Provision and management of health for special categories of personal data. We have a legal obligation to protect our employees under the Safety, Health and Welfare at Work Act 2005.

• COVID-19 vaccine data processing

  We collect personal data and special categories of personal data (health data) from our staff when they provide us with a copy of their vaccine certificates. We collect this personal data for the purpose of staff planning in regard to infection control measures. We have a duty of care to our employees.

  This data processing is necessary for us to comply with our legal obligation to ensure the health and safety of employees under the Safety, Health and Welfare at Work Act 2005. The information collected will only be shared with strictly minimal, authorised staff members on a need-to-know basis. The information will be securely stored and only held for as long as necessary to ensure the health and safety of employees.

  We have carried out a data protection impact assessment for this processing. This data processing is being carried out under lawful basis of GDPR Article 6(1)(c) - Legal obligation, GDPR Article 9(2)(i) - Public Interest in the area of public health and GDPR Article 9(2)(h) - Provision and management of health for special categories of personal data.

• Employees

  If you are employed by SPMHS or if you have applied for a position at one of our facilities, we will collect information about your work history, contact details, referees and any other information that you submit in your job application.

  We collect similar background information about contractors, vendors, suppliers and health professionals who provide services to us and about students and volunteers who attend our facilities. All our employees are required to obtain Garda Vetting clearance, and information from pre-employment medical screenings is also collected.

  We collect, use and disclose personal information about our staff in order to perform our obligations as an employer and as required by Irish employment law. Our lawful basis for processing of employee personal data by our Human Resources (HR) Department and Administration Department is based under GDPR Article 6(1)(b) – Contract and under GDPR Article 9(2)(B) - Employment for the processing of sensitive data concerning employees (for example, medical certs). The processing of employee personal data by our Finance Department for the purpose of payroll is done under the legal basis of GDPR Article 6(1)(c) – Legal obligation.

  Garda Vetting processing

  We keep Garda Vetting information for the duration of the relationship with the Garda Vetting applicant. It may be kept for longer in line with any statutory requirements if applicable. Where we are responsible for processing Garda Vetting, the personal data requested in the Garda Invitation Form is provided along with supporting identification documents. The personal data requested in the Garda Vetting form includes the person’s name, date of birth, email address, contact number, role being vetted for, current address, Eircode/postcode, name of organisation (if external).

  The Garda Vetting disclosure document that we receive from the National Garda Vetting Bureau includes the individual's name, address, date of birth and, where applicable, any records held by the National Garda Vetting Bureau.

  In the case of service providers who process Garda Vetting for their personnel, we must have an agreement whereby an employee of the contractor is not permitted on our sites without them first confirming receipt of a Garda Vetting ‘nil’ disclosure for the employee. Alternatively, if an employee of the contractor receives a disclosure noting any records held by the National Garda Vetting Bureau, we must be able to, by way of viewing the disclosure document in question, satisfy ourselves that the record is not relevant to the position that the person will hold with us in order to permit them to be onsite.

  The purpose of collecting this personal data is to comply with the National Vetting Bureau (Children and Vulnerable Persons) Acts 2012 to 2016. We are required by law to seek a Vetting Disclosure from the National Garda Vetting Bureau on any persons undertaking relevant work or activities under the Act, where there is access to or contact with vulnerable persons or children.

  The data will be used to determine if any records are held by the National Garda Vetting Bureau which may be incompatible with the duties and responsibilities an individual is required to undertake for us.

  All Garda Vetting documentation is securely stored in SPMHS with restricted access only to relevant HR personnel. All applications for Garda Vetting are logged and managed by our HR Department.

• Health professionals, contractors and suppliers

  We collect personal information about contractors, suppliers and health professionals that provide services to us for the primary purpose of assessing and engaging their services or expertise and for other purposes where legally required. Our lawful basis for this processing is based under GDPR Article 6(1)(b) – Contract.

• Health research purposes

  In most instances, we will rely on Article 6(1)(f) - Legitimate Interest and Article 9(2)(j) - Scientific Research of the GDPR if and when we use your information for research.

  All applications for undertaking health research study must be approved by our Research Ethics Committee.

  All health research in Ireland is governed by the Health Research Regulations 2018 (HRR) and the amended regulations 2021. The HRR make explicit consent the default position for processing personal data for health research. Authorised personnel meeting criteria set out in the amended HRR 2021 may access service user health records for pre-screening purposes to determine whether an individual (prospective research participant) is suitable or eligible for inclusion in the study and/or for retrospective chart reviews.

  Click here to view more information about our research.

• Provision of quality mental healthcare to our service users

  Personal and sensitive information of our service users is collected by us for the primary purpose of ensuring that service users receive quality mental health treatment while under our care. As a service user, we collect information regarding your demographics, health history, family history, lifestyle, cultural or ethnic background and test results to assist in providing mental health care to you.

  This information is collected by means of:

  • a general practitioner (GP) referral
  • admission to our services
  • Dean Clinic electronic referral
  • telephone call to our Support and Information Service
  • phone enquiries to our health professionals or staff
  • Prompt Assessment of Needs (PAON) service
  • telephone call to referred service users from our Referral and Assessment Service staff members
  • family members, carers and next of kin.

  We collect information from you for the primary purpose of providing care and treatment to you. When your personal data is used for your care and administrative purposes related to your care, your data is being processed for the purposes of the legitimate interests pursued by SPMHS. We are obliged to record certain patient information under the Mental Health Act 2001 approved centre regulations. 

  We will only process special categories of personal data where it is necessary:

  • for the purposes of preventative or occupational medicine
  • for medical diagnosis
  • for the provision of healthcare, treatment or social care
  • for the management of health or social care systems and services
  • pursuant to a contract with a health professional.

  Processing is lawful where it is undertaken by or under the responsibility of:

  • a health practitioner
  • a person who, in the circumstances, owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health practitioner (for example, the outpatient clinic secretary, primary care centre staff, and so on).

  Our processing of special categories of personal data may also be necessary for reasons of public interest in the area of public health. If the purpose of the processing is for a reason other than the reasons outlined, we will seek explicit consent to process your sensitive personal data (referred to as "special categories" of personal data under the GDPR).

  Use among health professionals to provide your treatment

  Your treatment will be provided by a multidisciplinary team of health professionals working together. Our staff may also refer you to other health service providers for further treatment following your admission; for example, to local community mental health services. We may disclose your personal information, with your consent, to the relevant provider to the extent required for any such referral (including disclosing that information electronically).

  Your personal information will only be disclosed to those healthcare workers involved in, or consulted in relation to, your treatment and associated administration and to the extent required to meet that purpose. These health professionals will share your personal information as part of the process of providing your treatment. We will only do this while maintaining confidentiality of this information and protecting your privacy in accordance with the law.

  Assessment for provision of healthcare services

  We may collect your personal information for the purpose of assessing your suitability for our mental healthcare services.

  If you are offered and take part in a Prompt Assessment of Needs (PAON) following a referral, we need to record information from this assessment in our electronic health record. We have a leaflet available which outlines your data protection rights in relation to the PAON. See the leaflet on PAON and data protection here.

  Where personal information is collected, and you do not become a service user of SPMHS, your personal information will be retained in line with our hospital retention policy. Where your assessment has been conducted at the request of your GP, we will report the outcome of the assessment to that GP, as it may be relevant to any ongoing treatment or care provided to you by them.

  Provision of services

  When you receive care in SPMHS – whether in our adult or adolescent services – we need to collect information to assist in providing your mental health treatment. This can include information about your demographics, family history, medical history and test results, lifestyle, and more.

  We have published leaflets with information about data protection, legislation and your rights.

  Get the data protection leaflet for adult services here.

  Get the data protection leaflet for adolescent services here.

  Your local doctor

  We are obliged under the Mental Health Commission’s Code of Practice on Admission, Transfer and Discharge to provide a discharge summary report to your referring medical practitioner or nominated GP following an admission. This is in accordance with international norms and long-standing medical practice. it is intended to inform your doctor of information that may be relevant to any ongoing care or treatment provided by your GP. This discharge summary may be sent to your referring medical practitioner or GP electronically. If your nominated GP has changed or your GP’s details have changed following a previous admission, you must let us know.

  Other health service providers

  If, in the future, you are being treated by a medical practitioner or healthcare facility that needs to have access to the health record of your treatment, we will provide a copy of your record to that medical practitioner or healthcare facility, provided we have your explicit consent. We may provide information about your health records to another medical practitioner or health facility outside SPMHS without your consent in the event of an emergency, where your life or health is at risk.

  Students and trainees

  St Patrick's University Hospital is a teaching hospital and it supports the placement of students and trainees. These students and trainees may have access to your personal information for the purpose of the placement. Students and trainees on placement at the hospital are required to comply with the GDPR, Data Protection Act 2018 and other relevant legislation.

  Relatives, guardians, close friends or legal representatives

  We may obtain or provide information about you to your specified individuals and only where you provide your explicit consent to do so.

• Service User IT Support (SUITS)

  Our SUITS team provides information technology (IT) support to our service users. The SUITS team members will provide IT support to service users who require assistance in registering or logging on to Your Portal. They will also provide IT support to service users who may encounter issues accessing our technology-mediated services.

  The personal data collected by the SUITS team in order to provide this support includes; name, email address, phone number. The service user email address is required for service user access to their portal and video appointments on Microsoft Teams. The phone number is required to contact person in support of their query.

  The lawful basis for this processing is based under GDPR Article 6 (1)(f) - Legitimate Interest.

• Students, volunteers and job applicants

  We collect personal information of job applicants, students and volunteers for the primary purpose of assessing their suitability for employment or undertaking work experience or clinical placement or providing other relevant assistance, as the case may be. Other purposes which we may use personal information about those individuals include to contact them, for insurance purposes, and to satisfy our legal obligations. Our legal basis for the collection of this data is under GDPR Article 6(1)(b) – Contract.

• Video management systems

  We use video management systems (commonly referred to as CCTV) throughout our organisation for the purpose of maintaining the safety and security of our staff, service users, visitors and other attendees. Our CCTV systems may, but will not always, collect and store personal information. We will comply with our CCTV policy and the Data Protection Act 2018 in respect of any personal information collected via our CCTV systems. 

• Website

  This section of our Privacy Notice explains how we handle your personal information which is collected from our website, stpatricks.ie (collectively "website" hereafter).

  Collection

  When you use our website, we do not attempt to identify you as an individual user and we will not collect personal information about you, unless you specifically provide this to us.

  Sometimes, we may collect your personal information if you choose to provide this to us through an online form or by email; for example, if you:

  • submit a general enquiry through our Contact page
  • register for an event
  • request information from our Support and Information Service
  • contact SUITS or request to register for Your Portal.

  Links to third party websites

  We may create links to third party websites. We are not responsible for the content or privacy practices employed by websites that are linked from our website.

  Use and disclosure

  We will only use personal information collected through our website for the purposes for which you have given us this information. We will not use or disclose your personal information to other organisations or anyone else, unless you have consented to this disclosure or unless the third party is required to fulfil your order (such as event tickets; in such circumstances, the third party is bound by similar data protection requirements).

  We will disclose your personal data if we believe in good faith that we are required to disclose it in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order, or other statutory requirement.

  Data security

  Your personal data is held on secure servers. The nature of the Internet is such that we cannot guarantee or warrant the security of any information you transmit to us over the Internet. No data transmission over the Internet can be guaranteed to be 100% secure. However, we will take all reasonable steps (including appropriate technical and organisational measures) to protect your personal data.

  Cookies

  Our website uses certain cookies. Our cookie policy can be accessed here. This cookie policy forms part of our overall Privacy Notice.

   

The Data Protection Act 2018 and the GDPR provide certain rights for data subjects. A good explanation of them is available on the website of the Office of the Data Protection Commissioner. You are not obliged to provide personal data to us; however, not doing so may have an impact on the most appropriate services that can be offered to you.

• Right to access information

  Article 15 of the GDPR

  You have a right to have access to the personal information that we hold about you (for service users, this includes health information contained in your health record).

  Requests are called Data Subject Access Requests.

  We will provide you with a copy of your information within one calendar month of receiving the request, unless the request is complex, or we have received a number of requests from you. That period of providing a copy of personal information may be extended by two further months where necessary, taking into account the complexity and number of the requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

  When we receive requests for health-related data, we are obliged to consult with the appropriate health practitioner (normally, your treating clinician) to ensure providing the data to you will not result in serious harm to your physical or mental health. 

  Under GDPR and the Data Protection Act 2018, we are obliged to redact any information consisting of an expression of opinion about the service user by another person that was given in confidence to the hospital or on the understanding that it would be treated as confidential. Additionally, any information contained in a service user’s record, which may adversely affect the rights and freedoms of other individuals, will be redacted and not disclosed when releasing a copy of medical records in response to a Data Subject Access Request.

  There is no fee for making a Data Subject Access Request. However, where the request is manifestly unfounded or excessive, you may be charged a reasonable fee for the administrative costs of complying with the request. A fee may also be charged if you request further copies of your data following a request. The fee will be based on the administrative costs of providing further copies.

  If, for some reason, access is denied, we will provide an explanation as to why access has been denied. Where we allow access, the DPO will arrange to give you access to your personal information in the manner you have requested, if it is reasonable or practicable to do so.

  Requests for access and amendment can be made by email, post, or fax.

  View our policy for Data Subject Access Requests here.

• Right to be forgotten

  Articles 17 and 19 of the GDPR

  You may ask us to delete your personal information. However, such requests will be dealt with on a case-by-case basis, as the right of erasure is not an absolute right and restrictions may apply. 

  We will be unable to fulfill an erasure request if the personal data is required for the treatment of an active service user. We will also not be able to delete data which is being held in the public interest, such as for protecting against cross-border threats or ensuring high standards of quality and safety of healthcare.

  Please be aware that, in certain circumstances, we may need to retain some information to ensure your preferences are respected in the completion of our duties. For example, we cannot erase all information about you where you have also asked us not to send you marketing material. Otherwise, your preference not to receive marketing material would be erased.

• Right to be informed

  Article 13 and 14 of the GDPR

  If you wish to confirm that we are processing your personal data or to have access to the personal data we may have about you, please contact us at dpo@stpatricks.ie.
  
  You may also request, in writing to our DPO, information about:

  • the purpose of the processing
  • the categories of personal data concerned
  • who else outside SPMHS might have received data from SPMHS
  • what the source of the information was (if you didn’t provide it directly to us)
  • and how long it will be stored.

• Right to data portability

  Article 20 of the GDPR

  In limited circumstances, you may be entitled to obtain your personal data from a data controller in a format that makes it easier to reuse your information in another context, and to transmit this data to another data controller of your choosing. This right only applies where processing of personal data (supplied by the data subject) is carried out by automated means, and where you have either consented to processing, or where processing is conducted on the basis of a contract between you and the hospital.

  Although this is not the case for most healthcare providers, you can request a copy of your medical record in a format that allows you to transmit the data to another healthcare provider or GP. The protocol for transfer of medical records is for the receiving provider or practice to provide a signed patient consent form for the transfer of medical records from the original or sending practice. We will only send the records via a secure format.

• Right to object

  Article 21 of the GDPR

  You have the right to object to certain types of processing. The right to object only applies in certain circumstances. You have an absolute right to object to processing of your personal data where the processing relates to direct marketing, where such processing must be immediately stopped upon your request.

• Right to object to automated processing, including profiling

  Article 22 of the GDPR

  You shall have the right not to be subject to a decision based solely on automated processing (processing operation that is performed without any human intervention), including profiling, which produces legal effects concerning you or similarly significantly affects you.

  We do not make any decisions through fully automated decision-making.

• Right to rectification

  Articles 16 and 19 of the GDPR

  You can also request an amendment to (or to rectify) personal information that we hold about you, should you believe that it contains inaccurate information. The request will be reviewed with the relevant parties.

  We will make the requested changes unless there is a reason under the GDPR or other relevant law to refuse such access or refuse to make the requested changes.

  If we do not agree to change your personal information in accordance with your request, we will permit you to make a statement of the requested changes and we will enclose this with your personal information.

  Should you wish to obtain access to or request changes to your personal information that we hold, please contact our DPO at dpo@stpatricks.ie.

• Right to restriction

  Article 18 of the GDPR

  You have a limited right to the restriction of processing of your personal data. Where processing of your data is restricted, it can be stored by us, but most other processing actions will require your permission. You may request that your medical record be locked or archived so that further processing of, or changes to, the record do not occur.

  Any such requests must be in writing, signed by the patient and sent to our DPO (dpo@stpatricks.ie) together with identification, as continuing medical care cannot take place while the medical record is locked. These requests will be dealt with on a case-by-case basis.

• Data quality

  We take reasonable steps to ensure that the personal information that we collect and hold is accurate, complete and up-to-date. We maintain and update the personal information we hold as necessary or when you have advised us that your personal information has changed.

• Data retention and disposal

  When personal information is no longer required, it will be destroyed, deleted or de-identified securely in line with our data retention and destruction policy and accepted document disposal schedules. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact our DPO.

• Disclosure

  We will only use or disclose your personal information for the primary purposes for which it was collected, for directly related secondary purposes which you would reasonably expect (or that we have told you), or as permitted or required by law.

  If there is any doubt about this expectation, then we will obtain your consent before using or disclosing your personal information for a secondary purpose.

  Personal data can be used or disclosed for some other purpose only:

  • Where the individual concerned has given explicit consent to the proposed use or disclosure
  • When information is to be communicated to other health care professionals involved in the individual’s care
  • For the purposes of medical teaching
  • Where there is a requirement to report to a statutory agency (such as an incident to the Mental Health Commission, a death to the coroner, or an adverse drug reaction to the Irish Medicines Board)
  • Where the healthcare professional reasonably believes the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety
  • When certain communicable diseases are notifiable by statute (such notifications should preferably be made with the informed consent of the individual; in cases where informed consent is not provided, reporting should be to the relevant authority but should observe the individual’s confidentiality in all other respects)
  • When the use or disclosure is required or authorised by law
  • When the information concerns a service user who does not have capacity and is normally a Ward of Court (once appropriate documentation supporting this has been accepted by the DPO, information can be disclosed to a person responsible for the service user to enable appropriate care or treatment to be provided to the service user once adequate legal documentation supporting this has been accepted).

  Equally:

  • Any disclosure to a third party should be limited to that which is either authorised or required in order to achieve the desired statutory and organisational objective
  • Personal data can be transferred to an individual or organisation outside the EU only with your explicit consent; our DPO will ensure that you fully understand the risks to your data at the time of obtaining your explicit consent to the data transfer.
  • Anonymised information, which cannot be traced back to the service user, is used in our clinical audits and is sent to other healthcare agencies, such as the Mental Health Commission, the Health Research Board, Economic and Social Research Institute, Irish Medicines Board, and the Coroner’s Office; this information is provided for regulatory, clinical audit and data analysis purposes and is regulated by statute
  • Clinical records are sometimes shared with our legal counsel for obtaining legal advice when reviewing clinical records for release to data subjects in response to a data subject access request; our lawful basis for this processing is made under section 47 of the Data Protection Act 2018.

• Procedures and guidelines

  We are firmly committed to ensuring personal privacy and compliance with the Data Protection Act 2018, including the provision of best practice guidelines and procedures in relation to all aspects of data protection.

• Protecting your data

  We take very seriously our obligations to protect the personal information we hold against interference, misuse, loss and unauthorised access. We implement rigorous organisational and technical measures, including administrative, physical and technical access restrictions to records containing personal information, with only authorised people able to access records on a need-to-know basis. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information.

• Responsibility

  Overall responsibility for ensuring compliance with the GDPR and the Irish Data Protection Act 2018 rests with us at SPMHS as the data controller. All employees and data processors of SPMHS who separately collect, control or process the content and use of personal data are individually responsible for compliance with the GDPR and Data Protection Act 2018.  

• Sharing and storing your information

  We record and maintain a record of your care and treatment, which may be held in manual form and/or in electronic format, called an Electronic Health Record (EHR). All information that we collect and process is treated with the strictest confidentiality and only shared with authorised personnel. 

  Watch our EHR video here.

  Read our EHR booklet with frequently asked questions.

• Your Portal

  Your Portal is our service user portal, which aims to empower our service users by giving them online access to record and share their own health-related information and to contribute to their mental health care and treatment planning. Its purpose is to improve the journey of mental health recovery, both during and after care and treatment.

  Service users register to access the portal and view key information uploaded to the portal by their care team. Your Portal is built to keep information private and very secure. Only the service user, their SPMHS care team, and anyone they choose to invite to it – such as a family member or GP - can access their record.

  Your Portal is hosted by Patients Know Best (PKB), which is one of the leading suppliers of personal health records in the United Kingdom and the Netherlands. PKB holds all data in an accredited data centre in the Netherlands, which protects information behind a secure firewall. Service user information is encrypted whether at rest in the portal or being sent to and from the portal. No service users’ portal information is processed outside of this secure PKB infrastructure.

  Your Portal provides the ability to use two-factor authentication (2FA), which is a two-step login process for online accounts. If you enable 2FA in Your Portal, you will need to enter your portal password, as well as a code from an authenticator app on your personal smartphone in order to log in to Your Portal. Doing so creates an additional layer of security that is commonly used in many online services today.

  Our lawful basis for processing of personal data on the portal is made under GDPR article 6(1)(f) - Legitimate Interest. GDPR Article 9(2)(h) applies for the provision and management of health data on the portal.