Data Protection Statement

This Data Protection Statement provides information about the ways in which Tallaght University Hospital (TUH) collects, stores and uses personal data relating to individuals (data subjects). It relates to personal data received by TUH when carrying out its duties and exercising its functions.

Tallaght University Hospital (TUH)

TUH is one of Ireland’s largest acute teaching hospitals, providing adult, psychiatric and age-related healthcare on one site. Currently, it has 495 adult beds with over 3,000 people on staff. TUH is a provider of local, regional and national specialties. It is a national urology centre, the second largest provider of dialysis services in the country and a regional orthopaedic trauma centre. The hospital also has 67 paediatric beds under the governance of Children’s Health Ireland (CHI) and 52 mental health beds under HSE governance.

TUH is one of the two main teaching hospitals of Trinity College Dublin (TCD) - specialising in the training and professional development of staff in areas such as nursing, health and social care, emergency medicine and surgery, amongst many others. TUH is part of the Dublin Midlands Hospital Group which serves a population of over 1.2 million across seven counties.

The hospital’s Emergency Department catered for 52,398 attendances in 2019. A further 251,455 patients were treated through the hospital’s adult outpatient clinics in 2019. The hospital’s operations are supported by 200 general practitioners in surrounding communities and aligned with CHO7.

Multi-layered approach

This Data Protection Statement has been developed in accordance with a ‘layered policy’ approach. This means that it offers you the opportunity to obtain more or less information about TUH’s information handling practices. By clicking on the links below, you can decide how much you wish to read, what you need to know and how quickly you need to obtain the relevant information.

Key areas of the Data Protection Statement

TUH’s Data Protection Statement is designed to cover a number of key areas. These are as follows:

  • Definitions
  • Legislation
  • Tallaght University Hospital and the GDPR
  • Data Protection and Tallaght University Hospital
  • Processing of personal data by Tallaght University Hospital
  • What personal data does Tallaght University Hospital process?
  • How does Tallaght University Hospital collect personal data?
  • Legislative basis for processing personal data at Tallaght University Hospital
  • Who are the recipients of personal data processed by Tallaght University Hospital?
  • Publication of information
  • How long does Tallaght University Hospital retain personal data?
  • Your data protection rights
  • Restriction of data subjects’ rights in certain circumstances
  • Your right to complain
  • Changes to this Data Protection Statement 

Definitions

For the purposes of this Data Protection Statement, the following definitions apply:

Data subject

An identified or identifiable natural person. It is a person who is living

Personal data

Information from which you (or another person) is identifiable or which relates to you. It does not refer to corporate data

Special categories of personal data

Personal data which are subject to a higher standard of protection under law due to its sensitivity. This includes personal data which reveal:

  • any racial or ethnic origin
  • financial status
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data
  • health data
  • data concerning a person’s sex life or sexual orientation

Data concerning health

Personal data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about his/her health status

Processing

Processing refers to any use of personal data. It includes collection, disclosure, retention and storage

Legislation

Tallaght University Hospital (TUH) is committed to protecting the rights and privacy of individuals in accordance with national data protection legislation and European Union (EU) regulations and directives. These include, but are not limited to, the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the ePrivacy Directive 2011.

Tallaght University Hospital and the GDPR

The General Data Protection Regulation (GDPR) was introduced on 25 May 2018 and affects all countries within the EU. It sets out a series of laws concerning how data can be processed and used by organisations within Member States. According to Article 5 of the GDPR, the key principles relating to the processing of personal data are

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality
  • accountability

The GDPR is designed to strengthen and standardise data protection laws for all EU citizens. It increases the obligations and responsibilities for TUH in how it collects, uses and protects personal data. This means that TUH is required to be fully transparent in how it uses and protects personal data. It also means that it must show accountability for its data processing activities.

The GDPR applies to any organisation that collects and stores personal data (a Data Controller) and also any other organisation working on the instruction of the Data Controller (a Data Processor). TUH is a Data Controller for personal data collected for the purpose of its core activities. TUH decides the minimum amount of personal data it needs to collect from you to allow it to operate its services. Its data processes are then documented and issued to relevant staff. In short, TUH staff, contractors, agents and other third parties are all bound by the rules set out in the GDPR.

You may contact TUH in a number of ways. These are as follows:

By postTallaght University Hospital
Tallaght
Dublin 24
D24 NR07
By telephone01-414 2000

Data protection and Tallaght University Hospital 

The General Data Protection Regulation (GDPR) affects data protection in all EU Member States. The Data Protection Act 2018 gives further effect to the GDPR in Irish law. Collectively, the GDPR and the 2018 Act place enhanced accountability and transparency obligations on all organisations using your information. As importantly, it gives you greater control over your personal information.

Data Protection Officer (DPO)

Tallaght University Hospital (TUH) has a Data Protection Officer (DPO). Should you have any questions about how our hospital uses your information, or you are concerned about any issue relating to your personal data, you may contact the DPO in any of the following ways:

By postData Protection Officer
Tallaght University Hospital
Tallaght
Dublin 24
D24 NR07
By emaildpo@tuh.ie

Processing of personal data by Tallaght University Hospital 

Tallaght University Hospital (TUH) processes personal data for a number of different purposes which arise from its functions and activities. These are outlined mainly in health legislation and its data protection responsibilities are outlined under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

TUH’s mission is patient focused. In carrying through on this, it strives to:

  • serve the healthcare needs of the community
  • provide care based on best practice
  • enhance our patients’ wellbeing through education and information
  • educate healthcare students in partnership with third level institutions
  • support our staff in lifelong learning
  • undertake and support research for improved patient and public care
  • develop voluntary participation and support

In carrying out these functions, TUH may collect personal data. This may occur in, for example, the following ways:

Provision of core services

Personal data are received directly from data subjects in order to provide healthcare to those individuals

Inquiries

This is where personal data are received directly from data subjects

Queries and concerns

These include personal data received from individuals who have raised queries or concerns with TUH

Service providers and suppliers

This includes personal data obtained from service providers or suppliers engaged by TUH

Job applications

This includes personal data received from persons applying for roles within TUH

Conferences and events

This includes personal data relating to attendees at conferences and events organised by TUH

Training sessions

This includes personal data relating to attendees at events organised by TUH

Complaints handling

This includes personal data received from a data subject directly (or through his/her legal representatives) where the data subject makes a complaint to TUH

What personal data does Tallaght University Hospital process?

Personal data

Tallaght University Hospital (TUH) processes personal data. This includes personal data received by TUH where an individual contacts, or requests information from, TUH directly and personal data received by TUH indirectly. This is under the conditions set out above. The personal data TUH processes may include the following:

Basic personal information

This includes, for example, a data subject’s forename/s and surname, date of birth, etc.

Contact information

This includes, for example, a data subject’s postal address, email address, telephone number, etc.

Any other personal information

This includes any other personal information provided to TUH during the course of the performance of its functions

Special category personal data

TUH processes ‘special category personal data.’ This includes special category personal data received by TUH where an individual contacts and requests information from the hospital directly in addition to special category personal data received by TUH indirectly. According to Article 9 of the GDPR, special category personal data may include personal data relating to

  • health
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning a person’s sex life or sexual orientation

How does Tallaght University Hospital collect personal data?

Phone calls to TUH

Tallaght University Hospital (TUH) does not audio record phone conversations.

Emails

Emails sent to TUH may be logged, forwarded to the relevant section of the hospital and stored for the purposes of the matter to which the email relates. The sender’s email address will remain visible to all staff dealing with the matter

Please note:

It is the sender’s responsibility to ensure that the content of his/her emails does not infringe the law. Unsolicited and unlawful material, together with the details of the sender, may be reported to An Garda Síochána and/or other relevant authorities. Further emails from such recipients may be blocked

Post

Post received by the hospital may be logged, scanned and stored for the purpose of the matter to which the post item pertains. Original hard copy versions of post items may be retained for a period set out in the HSE Standards and Recommended Practices for Healthcare Records Management and are confidentially and securely destroyed thereafter.

Social media

TUH receives personal data through its interactions on social media platforms (for example, Twitter, LinkedIn, etc.). TUH operates accounts on these platforms to promote awareness of its role in providing healthcare in Dublin and of its academic partnership with Trinity College Dublin (TCD). Messages and/or posts received by TUH are viewed by its staff but personal data contained in these communicaitons are not logged or stored other than on the relevant social media platform. No further processing of such personal data is carried out by TUH.

Website

TUH’s website is located at www.tuh.ie. It uses third party or persistent cookies. TUH’s Cookies Statement can be accessed here.

Legal basis for processing personal data at Tallaght University Hospital

The legal basis for processing personal data by Tallaght University Hospital (TUH) will depend on the legislative framework that applies and the purpose for which the processing is being carried out.

GDPR

Article 6 of the GDPR sets out six lawful grounds on which personal data may be processed. Where TUH is processing personal data for the purpose of performing its core functions, it will do so on one of these. The six lawful grounds are as follows:

  • Consent
  • Contractual necessity
  • Legal obligation
  • Vital interests
  • Public interest
  • Legitimate interests

Who are the recipients of personal data processed by Tallaght University Hospital?

Disclosure to third parties

Personal data collected by Tallaght University Hospital (TUH) is held confidentially and securely. It is not shared by the hospital with any third parties with the following exceptions:

Where the sharing of personal data is necessary for the performance by TUH of its functions

This may occur, for example, where the hospital enlists the services of a laboratory to carry out testing for the benefit of providing accuracy in diagnoses

For the purposes of co-operation with regulatory authorities

In certain circumstances, the TUH must cooperate with, and assist, regulatory authorities in Ireland. Where this happens, in accordance with the law, TUH may provide personal data to authorities (for example, the Child and Family Agency (Tusla) or the Health and Information Quality Authority (HIQA)). When this happens, however, TUH generally tries to do so on an anonymised basis. If not anonymised, this will be done in order to protect your rights while you are receiving care and treatment

Where there is an issue of concern

In certain circumstances, TUH may request personal data to monitor issues of concern. This may be, for example, to ensure that a service has appropriate systems and procedures in place to address the care needs of a patient

For the purposes of legal proceedings

In certain circumstances, TUH must assist law enforcement authorities. Where this happens, in accordance with the law, TUH may provide personal data to, for example, An Garda Síochána, the Coroner’s Court, etc. Where this happens, TUH takes all steps necessary to ensure such personal data are protected.

In the case of service providers or suppliers to TUH

TUH uses Data Processors to provide certain services to the hospital. It requires such processors to abide by certain terms to protect any personal data which is processed by the service provider/supplier during the course of providing service in accordance with the requirements set out at Article 28.3 of the General Data Protection Regulation (GDPR).

Publication of information

With the exception of Board Members, Senior Management and Consultants, Tallaght University Hospital (TUH) does not publish personal data on its website.

How long does Tallaght University Hospital retain personal data?

The retention periods for personal data are based on the requirements of the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and on the purpose for which the personal data are collected and processed. The retention periods applied to personal data processed are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action, if applicable.

Your data protection rights

Under data protection legislation, you have designated rights. Subject to certain restrictions, which are set out below, you can exercise these rights in relation to your personal data that is processed by Tallaght University Hospital (TUH). Your rights are as follows:

  1. The right to be informed about the processing of your personal data
  2. The right to access your personal data
  3. The right to the rectification of your personal data
  4. The right to the erasure of your personal data
  5. The right to data portability
  6. The right to object to the processing of your personal data
  7. The right to restrict the processing of your personal data
  8. Rights in relation to automated decision making (including profiling)

Restriction of data subjects’ rights in certain circumstances

Article 23 of the General Data Protection Regulation (GDPR) allows for data subjects’ rights to be restricted in certain circumstances. In addition, the Data Protection Act 2018 contains certain provisions dealing with the restriction of the rights of data subjects (in particular, Sections 59, 60 and 61) which give further effect to the provisions of Article 23. General guidance in relation to the application of Article 23 and the related provisions of the 2018 Act have been provided by the Data Protection Commission (DPC) and are available here

Section 60 of the Data Protection Act 2018 provides for restrictions on the obligations of Data Controllers and on the rights of data subjects for important objectives of general public interest.

Your right to complain

If you have any concerns in relation to the manner in which Tallaght University Hospital processes your personal data, you may contact the hospital’s Data Protection Officer (DPO) on dpo@tuh.ie.

Changes to this Data Protection Statement

This Data Protection Statement is kept under regular review and may therefore be subject to change. If you have any comments and/or queries in relation to this Data Protection Statement, please contact the Data Protection Officer (DPO) on dpo@tuh.ie.

23rd November 2021