We are St. Vincent’s University Hospital (SVUH) and you can find out how to contact us at Section 4 below.
St. Vincent’s University Hospital is committed to ensuring the privacy and confidentiality of your personal information.
St. Vincent’s University Hospital are committed to protecting your privacy. St. Vincent’s University Hospital will use your personal information in accordance with the Data Protection Legislation.
- what personal information St. Vincent’s University Hospital collects;
- why St. Vincent’s University Hospital collects this information;
- how St. Vincent’s University Hospital handles or uses this information;
- how long St. Vincent’s University Hospital will retain this information;
- who St. Vincent’s University Hospital will share this information with;
- your rights in relation to the personal information that St. Vincent’s University Hospital holds, including your rights to access, change, or delete this information; and
- how you can contact St. Vincent’s University Hospital in respect of this information.
If you require more detailed information about St. Vincent’s University Hospital’s information handling practices, then you will need to read this document.
2. HOW ST VINCENT’S UNIVERSITY HOSPITAL HANDLES YOUR PERSONAL INFORMATION
2.1 St Vincent’s University Hospital’s Legal Obligations
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Primary purpose” means the specific function or activity for which the information is collected. For the purpose of St. Vincent’s University Hospital, this is the provision of health care services and treatments. Any use or disclosure of personal information for another purpose is known as the “Secondary purpose”.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.
“Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
“Special Category Data” means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
“Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51.
2.3 Who does St. Vincent’s University Hospital collect information from?
2.3.1 Patients and Research Participants
In order to provide you with the required health care services and treatments, St. Vincent’s University Hospital will need to collect and use your personal information.
2.3.2 Other individuals
In order to enable St. Vincent’s University Hospital to engage with you for the relevant Primary Purpose, St. Vincent’s University Hospital may need to collect and use your personal information. If you provide incomplete or inaccurate information to us or withhold personal information from us we may not be able to engage with you as required to meet that Primary Purpose as discussed further below.
2.4 What information does St Vincent’s University Hospital collect?
2.4.1 Patients and Research Participants
We collect personal information from you that is reasonably necessary to provide you with the health care services that are provided for in the contract between you and St. Vincent’s University Hospital and for administrative and internal business purposes related to your attendance at St. Vincent’s University Hospital.
Often this may include collecting information about:
- Personal details about you including but not limited to:
  - your name;
  - date of birth;
  - contact details including email addresses or other contact details used for any method of communication deemed appropriate by St. Vincent’s University Hospital; and
  - next of kin
- your health history;
- family history;
- your ethnic background; or
- your current lifestyle
in order to assist the health care team in diagnosing and treating your condition.
We will usually collect your health information directly from you. Sometimes, we may need to collect information about you from a third party (such as a relative or another health service provider).
Where St. Vincent’s University Hospital collect your personal information to fulfill St. Vincent’s University Hospital’s contractual obligations pursuant to a contract between you and St. Vincent’s University Hospital for health care services or treatment, failure by you to provide the above-mentioned personal information may render St. Vincent’s University Hospital unable to provide the health care services being the subject of such contract.
2.4.2 Other individuals
We collect personal information from you that is reasonably necessary to engage with you for the Primary purpose, including the provision of services by St. Vincent’s University Hospital, for St. Vincent’s University Hospital’s functions or activities and for administrative and internal business purposes related to your dealings with St. Vincent’s University Hospital.
We will usually collect your personal information directly from you. Sometimes we may need to collect information about you from a third party; however, we will only do this where it is not reasonable or practical for us to collect this information directly from you and will do so in accordance with the Data Protection Legislation.
2.5 How does St. Vincent’s University Hospital store your information and how long will St. Vincent’s University Hospital retain your information for?
2.5.1 Patients and Research Participants
Storage of personal information may be in physical (paper) form and may also include storage through electronic systems for storage of personal information (including clinical images taken for diagnostic or treatment purposes) on some diagnostic equipment where you have undergone a diagnostic procedure using such equipment in St Vincent’s University Hospital.
2.5.2 Other individuals
Personal information may be stored in various forms including electronic and/or paper systems in accordance with usual practices, and subject to the purposes of your engagement with St. Vincent’s University Hospital.
2.5.3 Data retention
St. Vincent’s University Hospital are required by law to keep your personal information only for as long as is necessary for the purposes for which St. Vincent’s University Hospital are using it. The period for which St. Vincent’s University Hospital keep your personal information will be determined by a number of criteria, including the purposes for which St. Vincent’s University Hospital are using the information, the amount and sensitivity of the information, the potential risk from any unauthorised use or disclosure of the information, and St. Vincent’s University Hospital’s legal and regulatory obligations. St. Vincent’s University Hospital follows the Health Service Executive (HSE) Record Retention Periods Policy guidelines. For more information on St. Vincent’s University Hospital’s data retention practices, please contact St. Vincent’s University Hospital on the contact details set out below.
2.6 How does St Vincent’s University Hospital use your information?
St. Vincent’s University Hospital only uses your personal information for the primary purpose for which you have given the information to us unless one of the following applies:
- The secondary purpose is related (or for Special Category Data, directly related) to the Primary purpose for which you have given us the information and you would reasonably expect, or we have told you, that your information is usually disclosed for another purpose or to other individuals, organisations or agencies (see related Secondary purposes set out below);
- you have explicitly consented for us to use your information for another purpose, for example health research (under the Health Research Regulation 2018). As per the Health Research Regulation (2018), we will seek explicit consent from you to enrol you in any health research initiative related to your care, e.g. a clinical trial and/or observational study. [Any non-clinical care staff accessing your data for research purposes would be required to have appropriate consent in order to access your data]. If you do not opt to take part in the research, your care will not be affected;
- St. Vincent’s University Hospital is required or authorized by law to disclose your information for another purpose (see related Secondary purposes set out below);
- the disclosure of your information by St. Vincent’s University Hospital will prevent or lessen a serious and/or imminent threat to somebody’s life, health or safety or to public health or public safety; or
- the disclosure of your information by St. Vincent’s University Hospital is reasonably necessary for the enforcement of a criminal law or a law imposing a penalty or sanction, or for the protection of public revenues.
St. Vincent’s University Hospital may use or disclose your personal information as specified above via electronic processes, where available or relevant.
Related Secondary Purposes
The following is a non-exhaustive list of examples of related Secondary Purposes for which St. Vincent’s University Hospital may use your personal information.
(a) Use among health professionals to provide your treatment as provided for in the contract between you and St. Vincent’s University Hospital:
- Modern health care practices mean that your treatment will be provided by a multi-disciplinary team of health professionals working together.
- You may be referred for diagnostic tests such as pathology or radiology and our staff may consult with senior medical experts when determining your diagnosis or treatment. With developments in technology (e.g. telemedicine) our staff may consult with health professionals and medical experts, both public and private, located remotely, including outside St. Vincent’s University Hospital, in relation to your diagnosis or treatment, including by sending health information and clinical images electronically. Our staff may also refer you to other health service providers, both public and private, for further treatment during and following your admission (for example, to a physiotherapist or outpatient for community health services). We may disclose your personal information to the relevant provider to the extent required for any such referral (including disclosing that information electronically).
- Your personal information will only be disclosed to those health care workers involved in, or consulted in relation to, your treatment and associated administration and to the extent required to meet that purpose.
- These health professionals will share your personal information as part of the process of providing your treatment. We will only do this while maintaining the confidentiality of this information and protecting your privacy in accordance with the Data Protection Legislation.
- Your personal information may be used to assess the treatment provided to you as part of ongoing reviews conducted by St. Vincent’s University Hospital or if your treatment forms the basis of a complaint. Your personal information will be treated confidentially and St. Vincent’s University Hospital will protect your privacy in line with the Data Protection Legislation.
- As part of your care, we may be required to disclose your information to third party medical suppliers for the purpose of ordering specific products or to enable appropriate follow up, for example, if you require prosthesis, certain pharmaceutical treatments or other medical implantable products as part of your treatment.
(b) Assessment for provision of health care services:
- St. Vincent’s University Hospital may collect your personal information for the purpose of assessing your suitability for health care services at St Vincent’s University Hospital. Where personal information is collected and you do not become a patient of the hospital, your personal information may be retained in line with our data retention practices as outlined above. Where your assessment has been conducted at the request of your GP, St. Vincent’s University Hospital will report the outcome of the assessment to that GP as it may be relevant to any ongoing treatment or care provided to you by them.
- Where you undergo assessment or treatment by a third party provider (for example Radiotherapy in another hospital) during your admission to St Vincent’s University Hospital for the purpose of transferring your care to that third party, St. Vincent’s University Hospital may disclose your personal information to the third party provider for that purpose.
(c) Your local doctor:
- St. Vincent’s University Hospital will usually send a discharge summary to your referring medical practitioner or nominated general practitioner following an admission. This is in accordance with international norms and long-standing medical practice and is intended to inform your doctor of information that may be relevant to any ongoing care or treatment provided by them. This discharge summary may be sent to your referring medical practitioner or general practitioner electronically. If your nominated general practitioner has changed or your general practitioner’s details have changed following a previous admission, you must let us know.
(d) Other health service providers:
- If in the future you are being treated by a medical practitioner or health care facility that needs to have access to the health record of your treatment, we will provide a copy of your record to that medical practitioner or health care facility provided that this request is processed in the correct manner.
- We may provide information about your health records to another medical practitioner or health facility outside St. Vincent’s University Hospital without your consent in the event of an emergency where your life or health is at risk.
(e) Students and trainees:
(f) Relatives, guardian, close friends or legal representative:
- We may provide information about your condition to your spouse or partner, parent, child, other relatives, close personal friends, guardians, or a person exercising your power of attorney under an enduring power of attorney or who you have appointed your enduring guardian, unless you tell us that you do not wish us to disclose your personal information to any such person.
(g) Other St Vincent’s Healthcare Group entities:
St Vincent’s University Hospital may share your personal information amongst the other Group hospitals listed below. For example, this may occur where you are transferred between any of the St Vincent’s Healthcare Group hospitals or to coordinate your care.
- St Vincent’s University Hospital;
- St Michael’s Hospital; and
- St Vincent’s Private Hospital.
(h) Other common uses:
In order to provide the best possible environment in which to treat you, we may also use your personal information where necessary for:
- activities such as quality assurance processes, accreditation, audits, risk and claims management, patient experience and satisfaction surveys and staff education and training. In respect of the patient experience and satisfaction surveys these may be provided via email for quality service improvement. These patient experience and satisfaction surveys may be provided by a third party provider engaged by St. Vincent’s University Hospital and bound by the appropriate data protection obligations;
- invoicing, billing and account management, including storage of provider details on St. Vincent’s University Hospital billing software;
- the purpose of complying with any applicable laws – for example, in response to a subpoena or compulsory reporting to State authorities (for example, National Cancer Registry) or complying with the Infectious Diseases Regulations, 1981, the Health Acts 1947 and 1953;
- the purpose of sending you standard reminders, for example for appointments and follow-up care, by text message or email to the number or address which you have provided to us; and
- we may anonymise or aggregate the personal information that we collect for the purpose of service management; monitoring, planning and development.
- To identify patients that might be suitable for clinical trials/research. Any participation in a trial or research study will require your explicit consent.
(i) Other uses with your consent:
- With your consent we may also use your information for other purposes, including sharing your information with your insurance company and research.
Other non-patient specific examples:
(k) Contractors under agreement:
St Vincent’s University Hospital will take reasonable steps to ensure that your personal information which we may collect, use or disclose is accurate, complete, and up-to-date.
St. Vincent’s University Hospital are committed to ensuring that your information is secure with St. Vincent’s University Hospital and with the third parties who act on St. Vincent’s University Hospital’s behalf. St Vincent’s University Hospital will take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. St. Vincent’s University Hospital has a number of security precautions in place to prevent the loss, misuse or alteration of your information including the use of technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect your privacy. All staff working for St. Vincent’s University Hospital have a legal duty to keep information about you confidential and all staff are trained in information security and confidentiality. St. Vincent’s University Hospital has strict information security policies and procedures in place to ensure that information about you is safe, whether it is held in paper or electronic format.
St Vincent’s University Hospital may enter into arrangements with third parties to store data we collect or to access the data to provide services (such as data processing), and such data may include personal information, outside of the EEA including countries which do not provide equivalent protection for personal information. St Vincent’s University Hospital will take reasonable steps to ensure that the third parties do not breach the requirements of the Data Protection Legislation and we will implement appropriate measures to ensure that your personal information is adequately protected in accordance with the Data Protection Legislation. The steps St Vincent’s University Hospital will take may generally include:
- Transferring personal information where the recipient has agreed to a European Commission approved data transfer agreement in the form of the standard contractual clauses which will ensure that the third party is bound by privacy protection obligations which are the same (or substantially the same) as those which bind St Vincent’s University Hospital and requiring that the third party has information security measures in place which are of an acceptable standard and approved by St Vincent’s University Hospital;
- Transferring personal information to countries that have been deemed to provide an adequate level of protection for personal information by the European Commission; or
- Occasionally, we may transfer your personal information in circumstances where there are no adequate safeguards where this is permitted by Data Protection Legislation.
Please contact us using the details below if you want further information on the specific safeguards used by us when transferring your personal information out of the EEA.
You may have various rights under Data Protection Legislation. However, in certain circumstances, these rights may be restricted. In particular, your rights may be restricted where this is necessary: (i) for the prevention, detection, investigation and prosecution of criminal offences; (ii) in contemplation of or for the establishment, exercise or defence of a legal claim or legal proceedings (whether before a court, tribunal, statutory body or an administrative or out-of-court procedure); and/or (iii) for the performance of a task carried out in the public interest. Therefore, St. Vincent’s University Hospital considers that, in most cases, these rights will not apply in connection with the performance of St. Vincent’s University Hospital’s functions in providing health care treatment and services. Subject to the above, your rights under Data Protection Legislation may include (as relevant):
| Your right | What this means | How you can exercise this right | Conditions to exercising this right |
|---|---|---|---|
| Right of access | Subject to certain conditions, you are entitled to have access to your personal data which we hold (this is more commonly known as submitting a “data subject access request”). | Requests for such information should be made in writing to email@example.com. If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. | We must be able to verify your identity. We may request that you provide documentation to verify your identity. However, this information is not retained by St. Vincent’s University Hospital. Your request may not affect the rights and freedoms of others, e.g. privacy and confidentiality rights of other individuals. |
| Right of data portability | Subject to certain conditions, you are entitled to receive the data which you have provided to us and which is processed by us by automated means, in a commonly-used machine-readable format. | Requests should be made in writing to firstname.lastname@example.org. If possible, you should specify the type of information you would like to receive to ensure that our disclosure is meeting your expectations. | The GDPR does not establish a general right to data portability. This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (e.g. not for paper records). It affects only personal data that was “provided” by you. Therefore, it does not, as a rule, apply to personal data that was created by St. Vincent’s University Hospital or supplied to St. Vincent’s University Hospital by any other individual or Service Provider. |
| Rights in relation to inaccurate or incomplete personal data | You may challenge the accuracy or completeness of personal data which we process about you. If it is found that personal data is inaccurate, you are entitled to have the inaccurate data removed, corrected or completed, as appropriate. | We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details. Requests should be made in writing to email@example.com. | This right only applies to your own personal data. When exercising this right, please be as specific as possible. |
| Right to object to or restrict our data processing | Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data. | Requests should be made in writing to firstname.lastname@example.org. | This right applies only if the processing of your personal data is necessary for the performance of a task carried out in the public interest. Objections must be based on grounds relating to your particular situation. They must not be generic so that we can demonstrate that there are still lawful grounds for us to process your personal data. |
| Right to have personal data erased | Subject to certain conditions, you are entitled, on certain grounds, to have your personal data erased (also known as the “right to be forgotten”) e.g. where you think that the information we are processing is inaccurate, or the processing is unlawful. | Requests should be made in writing to email@example.com. | There are various lawful reasons why we may not be in a position to erase your personal data. This may apply (i) where we have to comply with a legal obligation, (ii) in case of bringing or defending legal proceedings, or (iii) where retention periods apply by law or under St. Vincent’s University Hospital’s internal data retention policies. |
| Right to withdrawal of consent | You have the right to withdraw your consent to any processing for which you have previously given that consent. | Requests should be made in writing to firstname.lastname@example.org. | If you withdraw your consent, this will only take effect for the future. |
Article 23 of the General Data Protection Regulation, which is transposed into Irish law by section 60 of the Data Protection Act 2018, sets out the circumstances in which your rights may be restricted.
Our security procedures mean that we may request proof of identity before we are able to disclose your personal information to you or comply with other requests. St Vincent’s University Hospital will provide you with the copy free of charge but please note that we reserve the right to charge a reasonable administrative fee where further copies are requested or the request is manifestly unfounded or excessive.
You also have the right to make a complaint to the Data Protection Commission if you’re not happy with how we’ve handled your personal information. You can do so by the following means:
Data Protection Commission,
21 Fitzwilliam Square South,
By phone: +353 578 684 800 or +353 761 104 800
4. HOW TO CONTACT ST VINCENT’S UNIVERSITY HOSPITAL ABOUT PRIVACY ISSUES
4.1 Data Protection Officer
Data Protection Officer,
St Vincent’s University Hospital
By telephone: (01) 221 3591 / (01) 221 4000
- St Vincent’s University Hospital does not agree to provide you with access to your personal information; or
- you have a complaint about our information handling practices,
you can lodge a complaint with or contact our DPO on the details above, or lodge it directly with the DPC as also outlined above.
5. HOW ST VINCENT’S UNIVERSITY HOSPITAL HANDLES YOUR PERSONAL INFORMATION WHEN YOU VISIT OUR WEBSITE
When you use our website, we do not attempt to identify you as an individual user and we will not collect personal information about you unless you specifically provide this to us.
Sometimes, we may collect your personal information if you choose to provide this to us via an online form or by email, for example, if you:
- complete your pre-admission form online;
- upload personal information into a St Vincent’s University Hospital App;
- submit a general enquiry via our contacts page;
- register to receive share market reports;
- register for an event or request information; or
- send a written complaint or enquiry to our DPO.
5.2 Links to third party websites
We will only use personal information collected via our website for the purposes for which you have given us this information.
We will not use or disclose your personal information to other organisations or anyone else unless:
- you have consented for us to use or disclose your personal information for this purpose;
- you would reasonably expect or we have told you (including via this policy) that your information is usually or may be used or disclosed to other organisations or persons for a related (or for Special Category Data, a directly related) purpose;
- the use or disclosure is required or authorised by law;
- the use or disclosure will prevent or lessen a serious and/or imminent threat to somebody’s life, health or safety or to public health or public safety; or
- the disclosure is reasonably necessary for law enforcement functions or for the protection of public revenue.
If we receive your email address because you sent us an email message, the email will only be used or disclosed for the purpose for which you have provided it and we will not add your email address to an emailing list or disclose this to anyone else unless you provide us with consent for this purpose.
If we collect your personal information from our website, we will maintain and update your information as reasonably practical and necessary or when you advise us that your personal information has changed.
St Vincent’s University Hospital is committed to protecting the security of your personal information. We use technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect the privacy of information as outlined above. We will take all reasonable steps to prevent your information from loss, misuse or alteration.
Staff members associated with website maintenance have access to our website’s backend system. This is password protected. Our website service is also password protected.
If you wish to obtain information about how to access or correct your personal information collected via our website, please refer to your rights under Section 3 of this document.