Introduction - Ensuring privacy
This privacy notice sets out how Children’s Health Ireland processes personal identifiable information that it generates and holds in the course of its work.
- the Data Controller
- why CHI Collects personal information
- what personal information CHI collect as a data controller on data subjects
- how CHI use that data
- who CHI shares that data with
- the security in place to protect that data
- how to access your information;
- accessing your information as a data subject
- how to make a complaint
- the Data Protection Officer (DPO)
- It also sets out the privacy rights that data subjects have under the General Data Protection Regulation (GDPR) and Irish data protection legislation.
To assist in safeguarding a data subject’s information, CHI has developed a set of fundamental information governance principles and policies to ensure that it minimises the amount of personal data it collects, that it uses personal data only for the purpose it was obtained and in accordance with its legal obligations.
CHI promotes good information governance practices among its staff. CHI continually monitors and improves internal policies, procedures and information communications technology (ICT) security tools to ensure that all personal data is protected against theft, accidental loss, unauthorised access or alteration, erasure, use or disclosure.
Children’s Health Ireland was established under the Children’s Health Act 2018. All personal data we gather will be processed in accordance with all applicable data protection laws and principles, including the EU General Data Protection Regulation 2018 and the applicable Irish Data Protection Acts.
Why CHI collects personal information
CHI was established under the Children’s Health Act 2018 to improve, promote and protect the health, mental health and well-being of children in a manner that embodies the values of child-centred, compassionate and progressive care provided with respect, excellence and integrity.
It does this through the following functions:
(a) to plan, conduct, maintain, manage, provide and develop paediatric services in the hospital; (b) to provide for patient safety and quality of patient care in the hospital;
(c) to promote excellence in the practice and provision of paediatric services and provide leadership in the advancement, development, organisation and delivery of paediatric services in an integrated clinical network for paediatric services;
(d) to facilitate, foster and promote, through educational and other programmes, the personal and professional development of its employees and to provide paediatric medical, nursing and health and social care professional training and education;
(e) to facilitate, foster, promote and carry out research and innovation aimed at improving paediatric services and advancing medical and scientific knowledge relating to paediatric services through research and scientific investigation and inquiry;
(f) to provide information, advice, advocacy, and assistance in relation to paediatric services to the Minister, the Executive, the Health Information and Quality Authority, and such other persons who have involvement in the provision of paediatric services, as may be necessary;
(g) to advocate on behalf of children and young people about healthcare issues;
(h) to engage in or support fundraising and philanthropy in relation to Children’s Health Ireland and the provision of paediatric services in the hospital in pursuit of the object of Children’s Health Ireland;
(i) to carry out such other functions as are necessary to provide paediatric services in the hospital.
Personal information is a key resource for CHI to enable us to make evidence-based decisions that are reasonably necessary to provide health care services, for the purpose of assisting or recording developments in your treatment, and are necessary to:
- carry out our statutory functions and regulatory duties
- support quality improvement initiatives within CHI
- carry out audits, risk and claims management
- patient experience and satisfaction survey
- send you standard reminders, for example for appointments and follow-up care, by text message, email or address which provided to us
- staff education and training
- carry out research activities
- compile statistics
- manage and support our staff
CHI aim to ensure all personal information is processed and stored in line with data protection principles and legislation. This means that personal information is:
- processed fairly and lawfully;
- processed for specific purposes only, and not in any manner incompatible with those purposes
- adequate and relevant
- retained no longer than is necessary
- processed in line with your rights
- kept securely
What information we collect, why we collect it and on what basis we process it?
As a healthcare provider CHI need to collect various categories of personal data about our patients, the majority of which is sensitive in nature. While the type of personal data we process may change occasionally, we believe it is important that you are aware of the types of personal data we gather and use.
Your treatment in CHI will be provided by a multi-disciplinary team of health professionals working together and your personal information will only be disclosed to those health care workers involved in, or consulted in relation to, your treatment and associated administration and to the extent required to meet that purpose.
The following is a non-exhaustive list of various categories and types of personal data we use to perform our duties. CHI will collect personal information that is reasonably necessary for assessing your suitability for health care services at a CHI.
CHI will collect personal information that is reasonably necessary to provide health care services and for the purpose of assisting or recording developments in your diagnosis and treatment, this information may include for example:
- information related to your health history
- your family history
- your ethnic background
- your current lifestyle
- details of referring party/ GP details
- laboratory information
- information for research purposes (with your consent)
- Patient feedback, enquiries received, log of calls received, log of complaints received, adverse occurrence forms submitted and
- image information from areas such as Radiology and Endoscopy.
- CHI normally collect this health information directly from children, young people and their parents / guardians but may also collect information about you from other third parties (such as another health service provider or a medical supplier for the purpose of ordering specific products, certain pharmaceutical treatments or other medical implantable products as part of your treatment).
- CHI may collect information from you as part of a clinical trial or a research project, but will only do so with your explicit consent
- CHI may collect information for administrative and internal business purposes related to your attendance at CHI at Crumlin, CHI at Temple Street, CHI at Tallaght or CHI at Connolly.
- CHI may collect personal information belonging to staff and contractors. This personal information is also processed and stored in line with any legal or contractual obligations that CHI must follow as an employer.
- CHI may send a discharge summary to your referring medical practitioner or nominated general practitioner following an admission in line with medical practice and is intended to inform your doctor of information that may be relevant to any ongoing care or treatment provided by them
- In certain circumstances, CHI may disclose your information to prevent or lessen a serious and/or imminent threat to somebody’s life, health or safety or to public health or public safety
- CHI may disclose your information related to the enforcement of a criminal law or a law imposing a penalty or sanction, or for the protection of public revenue
- CHI will, in all cases, manage personal information in accordance with the General Data Protection Regulation and this Privacy Statement. CHI have put in place appropriate policies and procedures to ensure that our staff only collect information that is necessary; to ensure it is treated as highly confidential; and is stored in a secure manner.
Camera surveillance systems
Video and camera usage
CHI may use photographs in certain circumstances to assist in the treatment of patients, where we do this we will let you know. CHI may use video cameras in certain circumstances to record sessions with patients, where we do this we will let you know.
How long we store personal information for?
CHI only keep personal information for a period that is deemed necessary to carry out the function and operational purpose for which it was originally collected, unless it is specifically required by law to keep your information for longer. All personal information is subject to a specified retention period in line with the HSE Standards and Recommended Practices for Health Records Management and is securely destroyed once no longer needed.
Your Rights as a Data Subjects
CHI ensure that all data subjects’ rights are upheld to ensure complete transparency when it comes to how we manage, process and retain personal information. As a data subject, you have the right to:
- access and receive a copy of your personal data;
- seek to rectify or update any inaccurate personal information held;
- seek to have data deleted;
- object to the processing of data;
- right to withdraw consent;
- right to request restriction.
A summary of these rights is set out here
Access and receive a copy of your personal data
You are entitled to know if CHI holds any personal information belonging to you and to receive a copy of this information free of charge. While some restrictions may apply to your right of access, we will ensure that this is explained accordingly.
Rectification and accuracy of data
CHI ensures all personal information is accurate and up to date. In certain circumstances, you are entitled to have rectified any personal information belonging to you if it is incorrect or out of date.
Deletion of data
Under certain circumstances, such as if the data collected is no longer needed by CHI, you may request the deletion of your personal data. CHI will ensure that all personal information has a specified retention period and is deleted in line with these retention periods.
Objecting to the processing of data
Where possible, you can object to CHI processing your personal information, such as objecting to receiving CHI’s email and text messaging communications. CHI may refuse your right to object if it affects CHI carrying out its statutory functions under the Children’s Health Act 2018.
Request restriction of processing of your personal data.
This enables you to ask us to suspend the processing of your personal data in the following scenarios:
(a) if you want us to establish the data's accuracy;
(b) where our use of the data is unlawful, but you do not want us to erase it;
(c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
(d) you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
Withdraw consent at any time
You can withdraw your consent where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. This only applies if consent is the basis on which we process your data.
In order to protect your privacy rights, CHI:
- takes due care to protect personal information it holds from any loss, unauthorised access, modification, unauthorised use, disclosure and disposal
- ensures accountability and transparency by maintaining a data inventory of all personal information processed within the organisation
- retains personal information for a necessary and defined period of time
- has secure on-site and off-site storage facilities to manage your data
- carries out regular information governance compliance audits to monitor compliance with CHI’s policies in relation to data protection matters
- has in place appropriate policies and procedures to protect your data
- has in place appropriate staff training to ensure that all staff are aware of their responsibilities in relation to the gathering, using, storing and disposing of your personal information.
Accessing you information
How long will a request take to complete?
Upon receipt of a request, we will have 30 days to provide a response, with an extension of two further months if required. If we require more time to deal with your request, we will notify you of the delay, and the factors responsible for the delay, within 30 days of the receipt of the request.
If we refuse your request, we will notify you within 30 days of the receipt of the request accompanied by the reason for refusal.
Making a complaint or providing us with feedback
We hope you have found this privacy notice useful and we are always happy to hear your feedback. However, if you want to provide us feedback in relation to any aspect of how CHI has handled your personal information and would like to make a complaint, you can contact our Data Protection Officers by post, email or phone through the contact details below.
If you are unhappy with the outcome of a review of your complaint by our Data Protection Officer, you also have the right to make a complaint to the Data Protection Commission directly by:
Calling: 1890 25 22 31
Data Protection Commission,
Data Protection Officer
CHI has appointed a Data Protection Officer (DPO) to oversee CHI’s compliance with its data protection obligations. If you have questions regarding CHI’s data protection practices, please do not hesitate to contact us as follows:
CHI at Crumlin
Site Data Protection Officer
Telephone: +353 1 409 6100
CHI at Temple Street
Site Data Protection Officer
Telephone: +353 1 878 4200
CHI at Tallaght
CHI Data Protection Officer
Telephone: +353 1 409 6100
CHI at Connolly
CHI Data Protection Officer
Telephone: +353 1 878 4200