This Data Protection Statement provides information about the ways in which Tallaght University Hospital (TUH) collects, stores and uses personal data relating to individuals (data subjects). It relates to personal data received by TUH when carrying out its duties and exercising its functions.
Tallaght University Hospital (TUH)
TUH is one of Ireland’s largest acute teaching hospitals, providing adult, psychiatric and age-related healthcare on one site. Currently, it has 495 adult beds with over 3,000 people on staff. TUH is a provider of local, regional and national specialties. It is a national urology centre, the second largest provider of dialysis services in the country and a regional orthopaedic trauma centre. The hospital also has 67 paediatric beds under the governance of Children’s Health Ireland (CHI) and 52 mental health beds under HSE governance.
TUH is one of the two main teaching hospitals of Trinity College Dublin (TCD) - specialising in the training and professional development of staff in areas such as nursing, health and social care, emergency medicine and surgery, amongst many others. TUH is part of the Dublin Midlands Hospital Group which serves a population of over 1.2 million across seven counties.
The hospital’s Emergency Department catered for 52,398 attendances in 2019. A further 251,455 patients were treated through the hospital’s adult outpatient clinics in 2019. The hospital’s operations are supported by 200 general practitioners in surrounding communities and aligned with CHO7.
This Data Protection Statement has been developed in accordance with a ‘layered policy’ approach. This means that it offers you the opportunity to obtain more or less information about TUH’s information handling practices. By clicking on the links below, you can decide how much you wish to read, what you need to know and how quickly you need to obtain the relevant information.
Key areas of the Data Protection Statement
TUH’s Data Protection Statement is designed to cover a number of key areas. These are as follows:
- Tallaght University Hospital and the GDPR
- Data Protection and Tallaght University Hospital
- Processing of personal data by Tallaght University Hospital
- What personal data does Tallaght University Hospital process?
- How does Tallaght University Hospital collect personal data?
- Legislative basis for processing personal data at Tallaght University Hospital
- Who are the recipients of personal data processed by Tallaght University Hospital?
- Publication of information
- How long does Tallaght University Hospital retain personal data?
- Your data protection rights
- Restriction of data subjects’ rights in certain circumstances
- Your right to complain
- Changes to this Data Protection Statement
For the purposes of this Data Protection Statement, the following definitions apply:
- any racial or ethnic origin
- financial status
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data
- data concerning a person’s sex life or sexual orientation
Data concerning health
Personal data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about his/her health status
Processing refers to any use of personal data. It includes collection, disclosure, retention and storage
Tallaght University Hospital (TUH) is committed to protecting the rights and privacy of individuals in accordance with national data protection legislation and European Union (EU) regulations and directives. These include, but are not limited to, the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the ePrivacy Directive 2011.
Tallaght University Hospital and the GDPR
The General Data Protection Regulation (GDPR) was introduced on 25 May 2018 and affects all countries within the EU. It sets out a series of laws concerning how data can be processed and used by organisations within Member States. According to Article 5 of the GDPR, the key principles relating to the processing of personal data are
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- storage limitation
- integrity and confidentiality
The GDPR is designed to strengthen and standardise data protection laws for all EU citizens. It increases the obligations and responsibilities for TUH in how it collects, uses and protects personal data. This means that TUH is required to be fully transparent in how it uses and protects personal data. It also means that it must show accountability for its data processing activities.
The GDPR applies to any organisation that collects and stores personal data (a Data Controller) and also any other organisation working on the instruction of the Data Controller (a Data Processor). TUH is a Data Controller for personal data collected for the purpose of its core activities. TUH decides the minimum amount of personal data it needs to collect from you to allow it to operate its services. Its data processes are then documented and issued to relevant staff. In short, TUH staff, contractors, agents and other third parties are all bound by the rules set out in the GDPR.
You may contact TUH in a number of ways. These are as follows:
|By post||Tallaght University Hospital|
|By telephone||01-414 2000|
Data protection and Tallaght University Hospital
The General Data Protection Regulation (GDPR) affects data protection in all EU Member States. The Data Protection Act 2018 gives further effect to the GDPR in Irish law. Collectively, the GDPR and the 2018 Act place enhanced accountability and transparency obligations on all organisations using your information. As importantly, it gives you greater control over your personal information.
Data Protection Officer (DPO)
Tallaght University Hospital (TUH) has a Data Protection Officer (DPO). Should you have any questions about how our hospital uses your information, or you are concerned about any issue relating to your personal data, you may contact the DPO in any of the following ways:
|By post||Data Protection Officer|
Tallaght University Hospital
Processing of personal data by Tallaght University Hospital
Tallaght University Hospital (TUH) processes personal data for a number of different purposes which arise from its functions and activities. These are outlined mainly in health legislation and its data protection responsibilities are outlined under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
TUH’s mission is patient focused. In carrying through on this, it strives to:
- serve the healthcare needs of the community
- provide care based on best practice
- enhance our patients’ wellbeing through education and information
- educate healthcare students in partnership with third level institutions
- support our staff in lifelong learning
- undertake and support research for improved patient and public care
- develop voluntary participation and support
In carrying out these functions, TUH may collect personal data. This may occur in, for example, the following ways:
Provision of core services
Personal data are received directly from data subjects in order to provide healthcare to those individuals
This is where personal data are received directly from data subjects
Queries and concerns
These include personal data received from individuals who have raised queries or concerns with TUH
Service providers and suppliers
This includes personal data obtained from service providers or suppliers engaged by TUH
This includes personal data received from persons applying for roles within TUH
Conferences and events
This includes personal data relating to attendees at conferences and events organised by TUH
This includes personal data relating to attendees at events organised by TUH
This includes personal data received from a data subject directly (or through his/her legal representatives) where the data subject makes a complaint to TUH
What personal data does Tallaght University Hospital process?
Tallaght University Hospital (TUH) processes personal data. This includes personal data received by TUH where an individual contacts, or requests information from, TUH directly and personal data received by TUH indirectly. This is under the conditions set out above. The personal data TUH processes may include the following:
Basic personal information
This includes, for example, a data subject’s forename/s and surname, date of birth, etc.
This includes, for example, a data subject’s postal address, email address, telephone number, etc.
Any other personal information
This includes any other personal information provided to TUH during the course of the performance of its functions
Special category personal data
TUH processes ‘special category personal data.’ This includes special category personal data received by TUH where an individual contacts and requests information from the hospital directly in addition to special category personal data received by TUH indirectly. According to Article 9 of the GDPR, special category personal data may include personal data relating to
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning a person’s sex life or sexual orientation
How does Tallaght University Hospital collect personal data?
Phone calls to TUH
Tallaght University Hospital (TUH) does not audio record phone conversations.
Emails sent to TUH may be logged, forwarded to the relevant section of the hospital and stored for the purposes of the matter to which the email relates. The sender’s email address will remain visible to all staff dealing with the matter
It is the sender’s responsibility to ensure that the content of his/her emails does not infringe the law. Unsolicited and unlawful material, together with the details of the sender, may be reported to An Garda Síochána and/or other relevant authorities. Further emails from such recipients may be blocked
Post received by the hospital may be logged, scanned and stored for the purpose of the matter to which the post item pertains. Original hard copy versions of post items may be retained for a period set out in the HSE Standards and Recommended Practices for Healthcare Records Management and are confidentially and securely destroyed thereafter.
TUH receives personal data through its interactions on social media platforms (for example, Twitter, LinkedIn, etc.). TUH operates accounts on these platforms to promote awareness of its role in providing healthcare in Dublin and of its academic partnership with Trinity College Dublin (TCD). Messages and/or posts received by TUH are viewed by its staff but personal data contained in these communicaitons are not logged or stored other than on the relevant social media platform. No further processing of such personal data is carried out by TUH.
TUH’s website is located at www.tuh.ie. It uses third party or persistent cookies. TUH’s Cookies Statement can be accessed here.
Legal basis for processing personal data at Tallaght University Hospital
The legal basis for processing personal data by Tallaght University Hospital (TUH) will depend on the legislative framework that applies and the purpose for which the processing is being carried out.
Article 6 of the GDPR sets out six lawful grounds on which personal data may be processed. Where TUH is processing personal data for the purpose of performing its core functions, it will do so on one of these. The six lawful grounds are as follows:
- Contractual necessity
- Legal obligation
- Vital interests
- Public interest
- Legitimate interests
Who are the recipients of personal data processed by Tallaght University Hospital?
Disclosure to third parties
Personal data collected by Tallaght University Hospital (TUH) is held confidentially and securely. It is not shared by the hospital with any third parties with the following exceptions:
Where the sharing of personal data is necessary for the performance by TUH of its functions
This may occur, for example, where the hospital enlists the services of a laboratory to carry out testing for the benefit of providing accuracy in diagnoses
For the purposes of co-operation with regulatory authorities
In certain circumstances, the TUH must cooperate with, and assist, regulatory authorities in Ireland. Where this happens, in accordance with the law, TUH may provide personal data to authorities (for example, the Child and Family Agency (Tusla) or the Health and Information Quality Authority (HIQA)). When this happens, however, TUH generally tries to do so on an anonymised basis. If not anonymised, this will be done in order to protect your rights while you are receiving care and treatment
Where there is an issue of concern
In certain circumstances, TUH may request personal data to monitor issues of concern. This may be, for example, to ensure that a service has appropriate systems and procedures in place to address the care needs of a patient
For the purposes of legal proceedings
In certain circumstances, TUH must assist law enforcement authorities. Where this happens, in accordance with the law, TUH may provide personal data to, for example, An Garda Síochána, the Coroner’s Court, etc. Where this happens, TUH takes all steps necessary to ensure such personal data are protected.
In the case of service providers or suppliers to TUH
TUH uses Data Processors to provide certain services to the hospital. It requires such processors to abide by certain terms to protect any personal data which is processed by the service provider/supplier during the course of providing service in accordance with the requirements set out at Article 28.3 of the General Data Protection Regulation (GDPR).
Publication of information
With the exception of Board Members, Senior Management and Consultants, Tallaght University Hospital (TUH) does not publish personal data on its website.
How long does Tallaght University Hospital retain personal data?
The retention periods for personal data are based on the requirements of the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and on the purpose for which the personal data are collected and processed. The retention periods applied to personal data processed are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action, if applicable.
Your data protection rights
Under data protection legislation, you have designated rights. Subject to certain restrictions, which are set out below, you can exercise these rights in relation to your personal data that is processed by Tallaght University Hospital (TUH). Your rights are as follows:
- The right to be informed about the processing of your personal data
- The right to access your personal data
- The right to the rectification of your personal data
- The right to the erasure of your personal data
- The right to data portability
- The right to object to the processing of your personal data
- The right to restrict the processing of your personal data
- Rights in relation to automated decision making (including profiling)
Restriction of data subjects’ rights in certain circumstances
Article 23 of the General Data Protection Regulation (GDPR) allows for data subjects’ rights to be restricted in certain circumstances. In addition, the Data Protection Act 2018 contains certain provisions dealing with the restriction of the rights of data subjects (in particular, Sections 59, 60 and 61) which give further effect to the provisions of Article 23. General guidance in relation to the application of Article 23 and the related provisions of the 2018 Act have been provided by the Data Protection Commission (DPC) and are available here.
Section 60 of the Data Protection Act 2018 provides for restrictions on the obligations of Data Controllers and on the rights of data subjects for important objectives of general public interest.
Your right to complain
If you have any concerns in relation to the manner in which Tallaght University Hospital processes your personal data, you may contact the hospital’s Data Protection Officer (DPO) on firstname.lastname@example.org.
Changes to this Data Protection Statement
This Data Protection Statement is kept under regular review and may therefore be subject to change. If you have any comments and/or queries in relation to this Data Protection Statement, please contact the Data Protection Officer (DPO) on email@example.com.
1 July 2021