This privacy notice sets out how CHI processes personal identifiable information that it generates and holds in the course of its work. It explains:
- the role of the Data Controller;
- why CHI collects personal information;
- what personal information CHI collect as a data controller on data subjects;
- how CHI use that data;
- who CHI shares that data with;
- the security measures in place to protect that data;
- how to access your information;
- accessing your personal information as a data subject;
- how to make a complaint;
- the role Data Protection Officer (DPO);
- It also sets out the privacy rights that data subjects have under the General Data Protection Regulation (GDPR) and Irish data protection legislation.
To assist in safeguarding a data subject’s information, CHI has developed a set of fundamental information governance principles and policies to ensure that it minimises the amount of personal data it collects, that it uses personal data only for the purpose it was obtained and in accordance with its legal obligations.
CHI promotes good information governance practices among its staff. CHI continually monitors and improves internal policies, procedures and information communications technology (ICT) security tools to ensure that all personal data is protected against theft, accidental loss, unauthorised access or alteration, erasure, use or disclosure.
Children’s Health Ireland was established under the Children’s Health Act 2018.
All personal data we gather will be processed in accordance with all applicable data protection laws and principles, including the EU General Data Protection Regulation 2018 and the applicable Irish Data Protection Acts.
Children’s Health Ireland (CHI) is the Data Controller for all personal data which is collected and used by the following websites.
A Data Controller is the legal entity which determines how and why personal data is collected and used. Children’s Health Ireland Corporate Offices are located at Herberton, St James’s Walk, Rialto, Dublin D08 HP97, Ireland
CHI was established under the Children’s Health Act 2018 to improve, promote and protect the health, mental health and well-being of children in a manner that embodies the values of child-centred, compassionate and progressive care provided with respect, excellence and integrity.
It does this through the following functions:
(a) to plan, conduct, maintain, manage, provide and develop paediatric services in the hospital;
(b) to provide for patient safety and quality of patient care in the hospital;
(c) to promote excellence in the practice and provision of paediatric services and provide leadership in the advancement, development, organisation and delivery of paediatric services in an integrated clinical network for paediatric services;
(d) to facilitate, foster and promote, through educational and other programmes, the personal and professional development of its employees and to provide paediatric medical, nursing and health and social care professional training and education;
(e) to facilitate, foster, promote and carry out research and innovation aimed at improving paediatric services and advancing medical and scientific knowledge relating to paediatric services through research and scientific investigation and inquiry;
(f) to provide information, advice, advocacy, and assistance in relation to paediatric services to the Minister, the Executive, the Health Information and Quality Authority, and such other persons who have involvement in the provision of paediatric services, as may be necessary;
(g) to advocate on behalf of children and young people about healthcare issues;
(h) to engage in or support fundraising and philanthropy in relation to Children’s Health Ireland and the provision of paediatric services in the hospital in pursuit of the object of Children’s Health Ireland;
(i) to carry out such other functions as are necessary to provide paediatric services in the hospital.
Personal information is a key resource for CHI to enable us to make evidence-based decisions that arereasonably necessary to provide health care services, for the purpose of assisting or recording developments in your treatment, and are necessary to:
- carry out our statutory functions and regulatory duties;
- support quality improvement initiatives within CHI;
- carry out audits, risk and claims management;
- patient experience and satisfaction survey;
- send you standard reminders, for example for appointments and follow-up care, by text message, email or address which provided to us;
- staff education and training;
- carry out research activities;
- compile statistics;
- manage and support our staff.
CHI aim to ensure all personal information is processed and stored in line with data protection principles and legislation. This means that personal information is:
- processed fairly and lawfully;
- processed for specific purposes only, and not in any manner incompatible with those purposes;
- adequate and relevant;
- retained no longer than is necessary;
- processed in line with your rights;
- kept securely.
What information we collect, why we collect it, on what basis we process it and who we might share it with?
As a healthcare provider CHI needs to collect various categories of personal data about our patients, the majority of which is sensitive in nature. While the type of personal data we process may change occasionally, we believe it is important that you are aware of the types of personal data we gather and use.
Your treatment in CHI will be provided by multi-disciplinary teams of health professionals working together and your personal information will only be disclosed to those healthcare workers involved in, or consulted in relation to, your treatment and associated administration and to the extent required to meet that purpose and these health professionals may share your personal information as part of the process of providing your treatment.
The following is a non-exhaustive list of various categories and types of personal data we use in carrying out our services. CHI will collect personal information that is reasonably necessary for assessing your suitability for healthcare services at a CHI.
CHI will collect personal information that is reasonably necessary for assessing your suitability in order to provide health care services and for the purpose of assisting or recording developments in your diagnosis and treatment.
This information may include for example:
o information related to your health history;
o your family history;
o your ethnic background;
o your current lifestyle;
o details of referring party / GP;
o laboratory information;
o information for research purposes (with your consent);
o Patient feedback, enquiries received, log of calls received, log of complaints received, adverse occurrence forms submitted; and
o image information from areas such as Radiology and Endoscopy.
- CHI normally collect health information directly from children, young people and their parents/guardians but may also collect information from other third parties (such as another health service provider, a medical supplier to ordering specific products, certain pharmaceutical treatments or other medical implantable products as part of your treatment).
- CHI may collect information from you as part of a clinical trial or a research project, but will only do so with your explicit consent;
- CHI may collect information for administrative and internal business purposes related to your attendance at CHI at Crumlin, CHI at Temple Street, CHI at Tallaght or CHI at Connolly.
- CHI may send a discharge summary to your referring medical practitioner or nominated general practitioner following an admission in line with medical practice and is intended to inform your Doctor in relation to information that may be relevant to any ongoing care or treatment provided by them.
- CHI may disclose your information related to the enforcement of a criminal law or a law imposing a penalty or sanction, or for the protection of public revenue.
- CHI may in certain circumstances disclose your information to prevent or lessen a serious and/or imminent threat to somebody’s life, health, safety, to public health or public safety;
- CHI may be required to send patient details as necessary to health insurers in order to make a payment claim.
- CHI may collect personal information belonging to staff and contractors. This personal information is also processed and stored in line with any legal or contractual obligations that CHI must follow as an employer.
- CHI may, for the purposes of investigation of a complaint under the Data Protection Acts, be required by the Data Protection Commission to provide any documentation it considers necessary.
- CHI may, for the purposes of investigation be required by the Health Information and Quality Authority to provide any documentation it considers necessary.
CHI will, in all cases, manage personal information in accordance with the General Data Protection Regulation and this Privacy Statement. CHI have put in place appropriate policies and procedures to ensure that our staff only collect information that is necessary; to ensure it is treated as highly confidential; and is stored in a secure manner.
CHI may use photographs in certain circumstances to assist in the treatment of patients, where we do this we will let you know.
CHI may use video cameras in certain circumstances to record sessions with patients, where we do this we will let you know.
CHI only keep personal information for a period that is deemed necessary to carry out the function and operational purpose for which it was originally collected, unless it is specifically required by law to keep your information for longer.
All personal information is subject to a specified retention period in line with the HSE Standards and Recommended Practices for Health Records Management and is securely destroyed once no longer needed.
CHI may enter into arrangements with third parties outside of the EEA to:
- store data we collect;
- to access the data to provide services and this data may include personal information.
CHI will take reasonable steps to ensure that third parties do not breach the GDPR requirements.
Where such arrangements are entered into, CHI will put in place privacy protection obligations and will require that such third parties I have in place information security measures acceptable to CHI.
CHI ensure that all data subjects’ rights are upheld to ensure complete transparency when it comes to how we manage, process and retain personal information. As a data subject, you have the right to:
- access and receive a copy of your personal data;
- seek to rectify or update any inaccurate personal information held;
- seek to have data deleted;
- object to the processing of data;
- right to withdraw consent;
- right to request restriction.
Access and receive a copy of your personal data
You are entitled to know if CHI holds any personal information belonging to you and to receive a copy of this information. While some restrictions may apply to your right of access, we will ensure that this is explained to you.
CHI may recover reasonable costs associated with supplying you with information provided to you.
Rectification and accuracy of data
CHI ensures all personal information is accurate and up to date. You are entitled to request changes to data we hold about you unless there is a reason under the GDPR to make the requested changes. Where CHI does not agree to change personal information you request, we will allow you to make a statement of the requested changes and we will add this to the personal information we hold.
Deletion of data
Under certain circumstances, such as if the data collected is no longer needed by CHI, you may request the deletion of your personal data. CHI will ensure that all personal information has a specified retention period and is deleted in line with these retention periods.
Objecting to the processing of data
Where possible, you can object to CHI processing your personal information, such as objecting to receiving CHI’s email and text messaging communications. CHI may refuse your right to object if it affects CHI carrying out its statutory functions under the Children’s Health Act 2018.
Request restriction of processing of your personal data.
This enables you to ask us to suspend the processing of your personal data in the following scenarios:
(a) if you want us to establish the data's accuracy;
(b) where our use of the data is unlawful, but you do not want us to erase it;
(c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
(d) you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
Withdraw consent at any time
You can withdraw your consent where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. This only applies if consent is the basis on which we process your data.
- takes due care to protect personal data it holds from any loss, unauthorised access, modification, unauthorised use, disclosure and disposal;
- ensures accountability and transparency by maintaining a data inventory of all personal information processed within the organisation;
- retains personal information for a necessary and defined period of time;
- has secure on-site and off-site storage facilities to manage your data;
- carries out regular information governance compliance audits to monitor compliance with CHI’s policies in relation to data protection matters;
- has in place appropriate policies and procedures to protect your data;
- has in place appropriate staff training to ensure that all staff are aware of their responsibilities in relation to the gathering, using, storing and disposing of your personal data.
How long will a request take to complete?
Upon receipt of a request, we will have 30 days to provide a response, with an extension of two further months if required. If we require more time to deal with your request, we will notify you of the delay, and the factors responsible for the delay, within 30 days of the receipt of the request.
If we refuse your request, we will notify you within 30 days of the receipt of the request accompanied by the reason for refusal.
Making a complaint or providing us with feedback
We hope you have found this privacy notice useful and we are always happy to hear your feedback. However, if you want to provide us feedback in relation to any aspect of how CHI has handled your personal information and would like to make a complaint, you can contact our Data Protection Officers by post, email or phone through the contact details below.
If you are unhappy with the outcome of a review of your complaint by our Data Protection Officer, you also have the right to make a complaint to the Data Protection Commission directly by:
Calling: 1890 25 22 31
Posting: Data Protection Commission,
CHI has appointed a Data Protection Officer (DPO) to oversee CHI’s compliance with its data protection obligations. If you have questions regarding CHI’s data protection practices, please do not hesitate to contact us as follows:
|CHI at Crumlin||CHI at Temple Street||CHI at Tallaght||CHI at Connolly|
|Letter||Data Protection Officer
Children’s Health Ireland at Crumlin,
|Data Protection Officer
Children’s Health Ireland at Temple Street,
Data Protection Officer
Children’s Health Ireland at Tallaght
Tallaght University Hospital, Tallaght, Dublin
24 D24 NR0A
Data Protection Officer
Children’s Health Ireland at Temple Street,
|Telephone||+353 01 4096100||+353 (0) 1 878 4200||+353 076 695 9171||+353 01 428 2857|