Privacy Statement / Fair Processing Notice

Under the General Data Protection Regulation (GDPR) we are obliged to have a fair processing notice for personal data. This is often referred to as a Privacy Notice. It provides information about the ways in which we process (collect, store and use) your personal data as a patient in this hospital. 

Everyone working within healthcare has a legal duty to keep patient information confidential.

“Personal data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller – The Coombe Hospital.

Personal data will be obtained in a lawful, fair and transparent manner for a specified purpose and will not be disclosed to any third party, except in a manner compatible with that purpose, referred to in this Privacy Statement.

All medical information under GDPR is deemed a special category of personal information and as a hospital we will endeavour to ensure your information is treated with the utmost respect and confidentiality.

The Coombe Hospital is the Data Controller for your personal data.

1. Data Protection Legislation

All personal data we gather will be “processed” in accordance with all applicable data protection laws and principles, including the General Data Protection Regulation (EU) 2016/679 and the applicable Irish Data Protection Acts 2018.

For more information on GDPR we recommend the Data Commissioner's website: https://www.dataprotection.ie/en/individuals

2. How do we collect your information?

Your information is collected in a number of different ways. This might be from a referral made by your GP or another healthcare professional you have seen, or perhaps directly from you - in person, over the telephone or on a form you have completed. There may also be times when information is collected from your relatives or next of kin – e.g. if you are treated in our emergency room (ER) but you are very unwell and unable to communicate. During your treatment, health-specific data will be collected by the doctors, midwives/nurses and healthcare staff taking care of you and will be held in your patient chart (this can be paper and/or electronic).

3. What information do we collect?

The information that we collect about you may include details such as:

  • Name, address, telephone, email, date of birth and next of kin

  • Any contact we have had with you through appointments and hospital attendances

  • Details and records of treatment and care, notes and reports about your health, including any allergies or health conditions

  • Results of diagnostic tests, e.g. x-rays, scans, blood tests

  • Financial and health insurance information

  • Other relevant information from people who care for you and know you well, e.g. health professionals, relatives and carers.

  • We may also collect other information about you, such as your sexuality, race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate).

  • CCTV and security information.

4. Why do we collect information about you?

To make sure you get the best care.  Doctors, midwives/nurses and the team of healthcare staff caring for you keep records about your health and any care or treatment you may receive from us. It is important for us to have a complete picture as this information enables us to provide the right care to meet your individual need.

5. How do we store your personal data?

Under GDPR, strict principles govern our use of personal data and our duty to ensure it is kept safe and secure. Your data may be stored within electronic or paper records, or a combination of both. All our records have restricted access controls, so that only those individuals who have a need to know the information can get access. This might be through the use of computer passwords, audit trails and physical safeguards e.g. security controlled access.

6. How do we use your information and why is this important?

We use your information to manage and deliver your care (Direct Care) to ensure that:

  • The right decisions are made about your care

  • Your treatment is safe and effective; and

  • We can coordinate with other organisations that may be involved in your care.

This is important because having accurate and up-to-date information will assist us in providing you with the best possible care.

In addition to using the data to provide for your care, this data is also routinely used to improve services and plan for the future (Indirect Care). Your data may therefore be used in:

  • Evaluating and improving patient safety

  • Reviewing the care provided to ensure it is of the highest standard possible, improving individual diagnosis and care. This can be carried out by multiple quality improvement methods e.g. clinical audit.

  • Training healthcare professionals

  • Ensuring that our services can be planned to meet future demand, e.g. analysing peak times, staffing levels etc.

  • Preparing statistics on hospital performance and monitoring how we spend public money

  • Supporting the health of the general public e.g. Influenza, winter vomiting bug.


The activities listed above are part of normal delivery of care and under GDPR your consent is not required. However, we recognise our duty to always keep your data secure and confidential and where appropriate we anonymise your data when using it for improvement.

Using the data to understand and develop new treatments and techniques (Research)

Research in healthcare is vital in helping develop understanding about health risks and causes to develop new treatments. It is usual for patient information to be used for research.

Your consent will be sought prior to being asked to participate in a research study or to have your personal data used in a research study. In some circumstances, consent exemptions may be granted by the Health Research Board Consent Declaration Committee (HRBCDC). You will not be identified in any published results without your prior agreement.

7. What is the legal basis for processing?

Category

Legal Basis under General Data Protection Regulation (EU) 2016/679 and Data Protection Act 2018

To manage and deliver your care (Direct Care)

  • GDPR Article 6(1)(c) – ‘processing necessary for performance of contract’ with the data subject, or Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’, or Article 6(1)(f) – ‘processing is necessary for the purposes of legitimate interests’.

  • GDPR Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’ or Article 9(2)(i) – ‘processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care…’

  • Data Protection Act 2018, Section 52(1)(a) – ‘for the purposes of preventative or occupational medicine’, Section 52(1)(d) – ‘for the provision of medical care, treatment or social care’ and/or Section 52(1)(e) – ‘for the management of health or social care systems and services’, which allows patient information to be used for clinical audit provided that appropriate measures are taken to safeguard the fundamental rights of the data subject.

  • Data Protection Act 2018, Section 53(b) – ‘ensuring high standards of quality and safety of health care’

  • To improve services and plan for the future (Indirect Care)

  • To understand and develop new treatments and techniques (Research)

Where we rely on consent as the legal basis for processing, you can withdraw your consent at any time; this follows GDPR Art 6(1)(a), ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’; and Art 9(2)(a), ‘the data subject has given explicit consent to the processing of those personal data for one or more specified purposes...’

In some circumstances, consent exemptions may be granted by the Health Research BN ….HRBCDC (Health Research Regulations 2018).

Legal

  • GDPR Article 9(2)(f) – ‘processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity’

8. Who do we share your personal data with?

We only disclose personal data provided by you to external third parties in connection with specific purposes and compliance, including:

  • Other health care organisations that are involved in your care, services such as Public Health, GPs, community services

  • Third parties who provide services to us

  • Authorities and bodies where required or permitted by law, e.g. HIQA, National Cancer Registry Ireland, Health and Safety Authority

  • National organisations e.g. National Office of Clinical Audit (NOCA)

  • General Registrar’s Office - as part of the birth notification process the hospital is required by law to generate a birth notification to the Civil Registration Service. This notification allows for the baby’s birth to be registered subsequently by the baby’s parent(s) / guardian(s). The data collected for the birth notification process contains not just your personal information but also medical information on you and your baby.

  • We may also disclose your contact details for the purposes of inviting you to take part in National Patient Experience Surveys. National Surveys are managed by the Health Information Quality Authority (HIQA) and the Health Services Executive (HSE); the surveys help to improve services and plan for the future.

9. Do we transfer your data outside of Ireland?

In some circumstances, the need to transfer your personal data outside of Ireland may arise in order to provide the best care and services possible. Any data transfer undertaken will be protected by Data Sharing Agreements and contracts.

10. How long do we hold onto your personal data?

We will retain your information for as long as necessary to provide you with services, and to comply with our legal and regulatory obligations.

We are committed to protecting your personal data to the very best of our ability and take the appropriate steps to do so in collecting, storing and destroying your data.

11. What are my rights relating to personal data?

You have the following rights under the GDPR in relation to your personal data.

  • Right to access the data – you have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.

  • Right to rectification – you have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information so that it is complete.

  • Right to erasure – you have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.  

  • Right to restriction of processing or to object to processing – you have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.

  • Right to data portability – you have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used, machine-readable format.

Some of these rights only apply in certain circumstances; they are not guaranteed or an absolute right. Please contact our Data Protection Officer if you have any questions or concerns about your rights. If you make a request, we have one month to respond to you.

12. Video conferencing

The COVID-19 pandemic presents significant challenges for the delivery of health services; both in terms of the continuity of standard care and in the provision of services specifically tailored to address the pandemic.

Given the emphasis placed on ensuring social distancing where possible, and as part of efforts to reduce the transmission of the coronavirus to healthcare workers, solutions to allow clinical consultations to take place remotely using videoconferencing are required.

The Coombe Hospital COVID-19 Executive Committee has approved the use of video conferencing to be made available during the pandemic.

Solutions for video conferencing, online meetings, screen share and webinars provide for controlled ‘room’ access and this may be suited to clinical consultation and larger meetings.

13. Surveillance cameras (CCTV)

We employ surveillance cameras on and around the Hospital site in order to:

  • protect staff, patients, visitors and Hospital property

  • help provide a safer environment for our staff

  • monitor operational and safety related incidents

We will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (serious or criminal incidents) we may need to disclose CCTV data for legal reasons.

14. Cookies

The Coombe Hospital owns and runs its website. We need to collect and use certain information about you when you visit our website. We are committed to protecting your privacy and take the security of your information very seriously.

Cookies are small files that are created and saved on your phone, tablet or computer when you visit a website. The term cookies can refer to cookies set in your web browser (e.g. Chrome, Safari, Edge, Firefox or Brave) as well as a number of similar technologies including tracking pixels/web beacons, local shared objects/flash cookies and access to device information.

They store information about how you use the website, such as the pages you visit on our website and how you interact with the content on some of those pages. If you use the social media buttons on our website and allow the cookies from the companies that own these platforms then they will collect information about you.

Cookies are not viruses or computer programs. They are very small, so they do not take up much space.

For more information view our Cookie Policy.

15. How to make a complaint?

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. To make a complaint directly to the hospital see the contact information for the Data Protection Officer below.

You also have the right to make a complaint to the Data Protection Commission (DPC) by emailing info@dataprotection.ie

16. Who to contact if you have any queries about your personal data?

You have the right to request access to your personal data without the need to refer to Data Protection legislation. This can be done in writing / by email to the Record Request Office (see below).

Accessing your records

Data Governance Dept.

The Coombe Hospital,

Dublin 8

D08 XW7X

E: dataprotection@coombe.ie

T: 01 4085316 / 4085681

Making a complaint re Data Protection

Data Protection Officer

Data Governance Dept.

The Coombe Hospital

Dublin 8

D08 XW7X

E: dataprotection@coombe.ie

T: 01 4085489

Data Protection Officer

Data Protection Officer

Data Governance Dept.

The Coombe Hospital

Dublin 8

D08 XW7X

E: dataprotection@coombe.ie

T: 01 4085489


Last Updated : October 2023