Privacy policy
Children's Health Ireland (CHI) understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all our service users and staff. This privacy notice sets out how CHI collects and processes personal data in the course of its role as a data controller.
Privacy Notice
The notice outlines:
- What personal data CHI collects and processes in its day-to-day activities;
- The purposes for processing;
- Who data may be shared with;
- How long data will be retained for;
- Your data protection rights and how to exercise them;
- How to contact CHI’s Data Protection Officer.
CHI promotes good information governance practices among its staff. We continually monitor and improve internal policies and procedures, conduct data protection impact assessments and implement controls to mitigate the risk to personal data, including protecting against theft, accidental loss, unauthorised access or alteration, erasure, use or disclosure.
Other privacy notices addressing specific processing contexts can be found below:
- Cookie Policy
- Privacy Notice - Research
- CHI Recruitment Privacy Notice
- CHI Privacy statement relating to elements of the paediatric orthopaedic surgical service
CHI has appointed a Data Protection Officer (DPO) to oversee CHI’s compliance with its data protection obligations. If you have questions regarding CHI’s data protection practices, please do not hesitate to contact the DPO (see section ‘Contacting us, making a complaint or submitting feedback’).
Personal data means any information that relates to an individual. As a healthcare provider, CHI needs to collect various categories of personal data about our patients, their family, carers, job applicants, and members of the public. This data can often be sensitive in nature. Personal data we may process includes:
- Name and contact details;
- Next of kin details;
- Health information and genetic data;
- Family history;
- Racial or ethnic origin;
- Lifestyle and dietary requirements;
- Referring party (e.g., GP details);
- Laboratory results;
- Research and audit data;
- Patient feedback, enquiries, log of calls, complaints received, adverse occurrence information;
- Photographs, audio and videos of patients and / or family members;
- Images produced from diagnostic procedures such as radiology and endoscopy imagery;
- Religious affiliation;
- Financial information and health insurance details;
- Employment data, including references and data processed for the purpose of facilitating the recruitment process (e.g., current/past employers, educational institutions).
Some data such as health data, genetic data, racial or ethnic origin are defined as special categories of personal data, requiring additional safeguards to lawfully process them.
CHI regularly reviews its processing activities to ensure that it only collects personal data that is necessary to carry out its purposes, to ensure that confidentiality is maintained and that data is stored in a secure manner.
CHI generally collect information directly from you, but may also collect information about you from other third parties such as:
- Your GP, health professionals and providers, such as other hospitals, external laboratories, dentists and ophthalmologists.
- Social services, family support services and healthcare / disability support services.
- Other public bodies and law enforcement authorities, or regulatory agencies.
- Your medical device and software associated with it.
- Your relatives, guardians and/or carers.
- Research collaborators (see the CHI Research Privacy Notice for more information).
- Applicant referees (see the CHI Recruitment Privacy Notice for more information).
- Where someone provides your contact information as a next-of-kin or an emergency contact.
CHI was established under the Children’s Health Act 2018 to improve, promote and protect the health, mental health and well-being of children in a manner that embodies the values of child-centred, compassionate and progressive care provided with respect, excellence and integrity.
It does this through the following functions in the performance of our task in the public interest:
(a) to plan, conduct, maintain, manage, provide and develop paediatric services in the hospital;
(b) to provide for patient safety and quality of patient care in the hospital;
(c) to promote excellence in the practice and provision of paediatric services and provide leadership in the advancement, development, organisation and delivery of paediatric services;
(d) to facilitate, foster and promote, through educational and other programmes, the personal and professional development of its employees and to provide paediatric medical, nursing and health and social care professional training and education;
(e) to facilitate, foster, promote and carry out research and innovation aimed at improving paediatric services and advancing medical and scientific knowledge relating to paediatric services (see the CHI Research Privacy Notice for more information);
(f) to provide information, advice, advocacy, and assistance in relation to paediatric services to the Minister, the Executive, the Health Information and Quality Authority, and such other persons who have involvement in the provision of paediatric services, as may be necessary;
(g) to advocate on behalf of children and young people about healthcare issues;
(h) to engage in or support fundraising and philanthropy in relation to Children’s Health Ireland and the provision of paediatric services in the hospital in pursuit of the object of Children’s Health Ireland;
(i) to carry out such other functions as are necessary to provide paediatric services in the hospital.
Further examples of how we process your information in line with, and outside of, our statutory functions include to:
- Assess patient experience and satisfaction;
- Carry out audits and compile statistics;
- Process billing and account management;
- Maintain safety and security across our sites;
- Provide support services to patients and their families, including the provision of multi-disciplinary health and social care and ancillary services;
- Send reminders for appointments and follow-up care;
- Manage your treatment / care outside of appointments and in-patient care;
- Share your information with external parties, including those involved in your care (see section ‘Who we share your information with’);
- Investigate complaints;
- Manage our administration and business functions;
- Plan future service delivery at CHI;
- Defend against any legal claims or action;
- Respond to requests from public bodies, agencies or Gardaí;
- Prevent or lessen a serious and/or imminent threat to somebody’s life, health or safety, or to public health or public safety;
- Process in line with CHI’s legal obligations;
- Process insurance claims;
- Conduct recruitment activities;
- Perform its obligations under staff employment contracts.
Under the GDPR, we must always have a lawful basis for processing personal data. CHI’s lawful bases for processing the personal data of our patients, their family and members of the public are as follows:
As a healthcare provider, CHI process personal data where necessary for the purpose of:
- preventive or occupational medicine;
- the assessment of the working capacity of the employee;
- the provision of health, social care and treatment;
- the management of health and social care systems;
- services on the basis of law;
- services pursuant to a contract with a health professional.
Other legal bases for CHI’s processing activities include:
Processing is necessary for the performance of a task carried out in the public interest. For CHI, these functions are vested in us through the Children’s Health Act 2018.
Processing in compliance with a legal obligation. An example of this is the personal data processed as part of a mandated notification under the Children First Act 2015.
Processing in the legitimate interests of CHI or other parties, where such activities are ancillary to performing our functions under the Children’s Health Act 2018.
Processing is necessary in order to protect the vital interests of an individual. This legal basis is only relied on in limited situations where an individual or their legal guardian is incapable of giving consent.
Processing is necessary for the performance of a contract, an example being the collection of information required to issue an invoice for medical care provided by CHI.
Processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products and medical devices.
Processing is necessary for reasons of substantial public interest.
You or your legal guardian has provided explicit consent. For example, we may be required to obtain your explicit consent to transfer a health record from CHI to another healthcare provider.
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where suitable safeguards are in place.
Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
Processing that relates to personal data which are manifestly made public.
Processing is necessary for the establishment, exercise or defence of legal claims.
CHI uses video surveillance systems (commonly referred to as CCTV) across all sites and throughout our facilities for the purpose of maintaining the safety and security of staff, patients, visitors and other attendees, traffic management, and to detect, investigate and/or prosecute offences and/or misconduct. CHI will generally store recorded footage for 30 days.
CHI only keep personal information for a period that is deemed necessary to carry out the function and operational purpose for which it was collected as outlined in this privacy notice, unless it is specifically required by law to keep your information for longer. All personal information is subject to a specified retention period in line with the HSE’s Health Service Policy on Record Retention Periods and HSE Standards and Recommended Practices for Health Records Management and is securely destroyed once no longer needed.
CHI may share your information with third parties that assist in the provision of your care, in the course of CHI undertaking its functions, to meet its legal obligations, and in support of CHI operations. These categories of recipients can include:
- Other healthcare providers and social services e.g., sending discharge summary to your referring medical practitioner following an admission, sending a medical referral or prescription to your pharmacist;
- Professionals working within CHI as third party contractors and agency workers e.g., locum doctors and nurses;
- Medical technology and software vendors, such as medical device manufacturers, medical software providers and data backup and recovery providers;
- Cloud Service & Cloud Storage providers, such as those hosting our research and audit databases;
- Gardaí, the Office of the Director of Public Prosecutions and governmental agencies including the Child and Family Agency (TUSLA) and the Health Protection Surveillance Centre (HPSC);
- Professional services to assist CHI across its functions, including legal, HR, insurance, healthcare and financial services, including where:
  - CHI may share your details with a credit management agency engaged under contract for the purpose of debt recovery;
  - CHI may share your information with third parties that provide services to CHI patients, their families and members of the public across our sites, and off-site. For example, this occurs where home-care support is provided under CHI’s instruction and where CHI subcontracts Tallaght University Hospital to provide services to CHI patients, their family and members of the public in CHI at Tallaght.
Third parties that process data on CHI’s behalf are required to enter into a Data Processing Agreement (DPA) with CHI to ensure that data processing is conducted in line with CHI’s instructions and data protection obligations.
As part of the management of a healthcare system and to ensure the effective delivery of services, it is necessary for CHI to review the care and treatment provided and, on occasion, to carry out investigations into complaints, adverse incidents and the quality of care provided. These reviews and investigations sometimes require sharing of patient and employee personal data. In this context, CHI may share personal data with third parties such as:
- professional service providers who assist with such reviews;
- employees and former employees;
- the legal advisors and representatives of those employees/former employees.
CHI ensures that personal data is shared with third parties only where necessary and proportionate and in accordance with the principle of data minimisation.
Data sharing with the Health Service Executive
CHI uses certain systems provided by the Health Service Executive (HSE) in the delivery of its services, including several systems that process CHI patient data. In most cases, the HSE provides these systems as a data processor, at the instruction of CHI as the data controller.
CHI is funded by the Health Service Executive through a Service Level Agreement (SLA) under Section 38 of the Health Act 2004. That Act, and CHI’s SLA with the HSE, requires that CHI provide information to the HSE at its request, where the HSE considers that information material to the provision of CHI’s services. Information provided to the HSE may include personal information relating to patients, employees, and any other individual within the scope of the request.
We may transfer, store or otherwise process some or all of your personal data in countries outside of the European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein). Countries outside the EEA are known as “third countries” and may not have data protection laws that are equivalent to those within the EEA. Where personal data is transferred to a third country, CHI will take additional steps in order to ensure that your personal data is provided with an adequate level of protection.
Where a country has not been issued with an adequacy decision by the European Commission, CHI relies on contractual measures with third parties, namely Standard Contractual Clauses (SCCs) approved by the European Commission. Where SCCs are not used, CHI may rely on another transfer mechanism to facilitate the data transfer.
Under the GDPR, you have the following rights:
a) The right to be informed about our collection and use of your personal data. This privacy notice meets this requirement, but you can always contact us to find out more or to ask any questions using the details below in the section ‘Contacting us’.
b) The right to access the personal data we hold about you. The next section ‘How can I access my personal data?’ outlines how to exercise this right.
c) The right to have your personal data rectified if inaccurate or incomplete.
d) The right to be forgotten, i.e., the right to request that your personal data are deleted.
e) The right to restrict the processing of your personal data.
f) The right to object to us using your personal data for a particular purpose or purposes.
g) The right to withdraw your consent.
h) The right to data portability – to transmit your personal data to another data controller, where CHI is processing your information under a specific lawful basis.
i) The right not to be subject to a decision based solely on automated processing, including profiling, unless certain conditions are met.
j) The right to make a complaint to the supervisory authority.
We aim to provide a complete response, including a copy of your personal data within one month from the date of receipt of your request. In some cases, particularly if your request is more complex, more time may be required, up to a maximum of three months from the date we receive your request. You will be informed if an extension is required.
These rights are not absolute and may only be exercisable in certain circumstances and / or may be restricted, where permitted by legislation. If you are unhappy with the outcome of your request to exercise your rights in relation to your personal data, you can make a complaint to CHI. Additionally, you also have the right to make a complaint to the Data Protection Commission directly.
To exercise any of your rights or seek details regarding how to make a complaint, please see the contact details outlined in the final section of this notice (Contacting us, making a complaint or submitting feedback).
If you want to access your personal data that CHI holds, an access request may be made through various channels, including by email, phone, post or in person. Requests made in writing can be sent to the relevant email or postal address shown in the final section of this notice (Contacting us, making a complaint or submitting feedback).
When making a request to access your personal data, please provide sufficient information to allow CHI to locate the data held about you – including your date of birth, your address (including previous addresses where relevant) and state the data you are seeking access to (e.g., a copy of your chart or a copy of x-rays / laboratory reports etc.). Before disclosing any personal information to you, CHI will be required to verify your identity. We aim to provide a complete response, including a copy of your personal data within one month from the date of receipt of your request.
There is generally no charge for exercising your right to access your personal data.
We hope that you have found this privacy notice useful. To provide feedback in relation to any aspect of how CHI has handled your personal information, to exercise your rights, ask questions and/or if you would like to make a complaint, you can contact our data protection office by post, email or phone through the contact details below.
Contact Details
CHI at Crumlin & CHI at Tallaght
Site Data Protection Officer Email: dpo@childrenshealthireland.ie
Telephone: +353 1 409 6100
CHI at Temple Street & CHI at Connolly
Site Data Protection Officer Email: dpo@childrenshealthireland.ie
Telephone: +353 1 878 4200
Supervisory Authority – Data Protection Commission (DPC)
If you are unhappy with the outcome of your complaint or how your request to exercise your rights in relation to your personal data has been processed by CHI, you also have the right to make a complaint to the Data Protection Commission directly.
info@dataprotection.ie
Website
Phone
01 7650100 / 1800 437 737
Post
Dublin Office:
Data Protection Commission,
21 Fitzwilliam Square South,
Dublin 2,
D02 RD28.
Portarlington Office:
Data Protection Commission, Canal House,
Station Road, Portarlington, R32 AP23,
Co. Laois.