General Data Protection Regulation (GDPR) Frequently Asked Questions (FAQs)
What is the GDPR?
The General Data Protection Regulation (GDPR) applies from 25 May 2018. It has general
application to the processing of personal data in the EU, setting out more extensive
obligations on data controllers and processors, and providing strengthened protections for
data subjects.
Although the GDPR is directly applicable as a law in all Member States, it allows for certain
issues to be given further effect in national law. In Ireland, the national law, which, amongst
other things, gives further effect to the GDPR, is the Data Protection Act 2018.
What constitutes personal data?
The GDPR defines ‘personal data’ as any information relating to an identifiable person who
can be directly or indirectly identified, in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data,
including name, identification number, location data or online identifier, reflecting changes in
technology and the way organisations collect information about people.
What is a data controller and who is the data controller?
A data controller is a person or organisation who (alone or with others) determines the
purposes for which and the manner in which any personal data are, or are to be, processed.
A data controller can be the sole data controller or a joint data controller with another person
or organisation. However, when services are provided directly by a private hospital, voluntary
hospital, agency or private contractor, that private hospital, voluntary hospital, agency or
private contractor may be the data controller.
What is a data processor?
A data processor is a person or organisation that processes personal data on behalf of the
controller. This does not include an employee of the controller who processes data during the
course of their employment. A data processor can be held liable if they are responsible for a
data protection breach.
What is data processing?
Processing in relation to personal data is any operation or set of operations performed on
personal data including collecting, recording, organising, structuring, erasing, destroying,
altering, combining, disclosing or sharing the data.
What are the main GDPR principles?
Personal data must be processed in a transparent manner
We must have a specific purpose to collect your data
We may only keep data for as long as needed to fulfil the purpose for which it was
collected. We delete medical records in accordance with our Records Retention
Policy.
Where data is held on computers, we must ensure that those computers and
networks are safe and secure
Where data is in paper format, we are obliged to ensure that it is as safe and secure
as a computer record
What is the HSE’s legal basis for processing?
The HSE’s lawful basis for processing personal data of service users is as follows:
1. The processing is necessary in order to protect the vital interests of the person
(referred to as the data subject in Data Protection language). This would apply in
emergency situations, such as in the Emergency Department when a patient is unconscious,
or when sharing information with other emergency services for rescue or relocation in storms
etc.
2. The processing is necessary for a task carried out in the public interest or in the
exercise of official authority vested in the controller; for the HSE this official authority
is vested in us through the Health Act 2004 (as amended).
Special categories of data are defined by the GDPR and include things like racial or ethnic
origin, religious or philosophical beliefs, genetic data, biometric data, health data, sex life
details and sexual orientation.
We will only process special categories of personal data where it is necessary:
for the purposes of preventative or occupational medicine,
for the assessment of the working capacity of an employee,
for medical diagnosis,
for the provision of healthcare, treatment or social care,
for the management of health or social care systems and services, or
pursuant to a contract with a health professional.
Processing is lawful where it is undertaken by or under the responsibility of
a health practitioner, or
a person who in the circumstances owes a duty of confidentiality to the data subject
that is equivalent to that which would exist if that person were a health practitioner.
For example, the outpatient clinic secretary, Emergency Department receptionist or
Primary Care Centre staff.
If the purpose of the processing is for a reason other than the reasons above, we will seek
explicit consent to process your sensitive personal data (referred to as ‘special categories’ of
data under the GDPR).
What is my personal information used for?
To provide health and social care to you
To review the care we provide for you to ensure it is of the highest standard
To investigate complaints, legal claims or adverse incidents
To protect wider public health interests
To provide information for planning so we can meet future needs for health and social
care services
To provide information to prepare statistics on Health Service performance
To carry out health audits
To provide training and development
To remind you of appointments by text
What information must be given to individuals whose data has been collected?
All service areas will have a Data Protection Leaflet that will be available in service areas
and websites. It will cover:
Who is collecting the data
Why the data is being collected
The categories of personal data concerned
Who else might receive it
Whether it will be transferred outside the EU
Their right to request a copy of the data
Their right to lodge a complaint
What are my rights?
You have certain legal rights concerning your information and the manner in which we
process it. This includes:
a right to get access to your personal information;
a right to request us to correct inaccurate information, or update incomplete
information;
a right to request that we restrict the processing of your information in certain
circumstances;
a right to request the deletion of personal information, excluding medical records;
a right to receive the electronic personal information you provided to us in a portable
electronic format;
a right to object to us processing your personal information in certain circumstances;
and
a right to lodge a complaint with the data protection commissioner.
What is a Subject Access Request (SAR)?
A SAR is a request you can make to obtain information regarding the data that we hold on
you and receive a copy of your personal information. If you make a SAR and your personal
information is being processed, you are entitled to receive the following information:
the reasons why your data is being processed;
the description of the personal data concerning you;
anyone who has received or will receive your personal data; and
details of the origin of your data, if it was not collected directly from you.
Please note that the HSE does not hold records for Private or Voluntary hospitals and that
you should apply directly to those hospitals to obtain your records.
The information is provided free of charge unless the request is ‘manifestly unfounded or
excessive’.
How can I make a request to access my personal data?
You can access your health records by making a subject access request (SAR) and forms
are available for this purpose at https://www.hse.ie/eng/gdpr/data-requests. It is also
sufficient to write to the hospital, unit or service in question. It is important that you provide
satisfactory evidence of identification and a sufficient description of the data that you are
looking for.
Can I ask to delete my personal data?
You can submit a request to have your personal data deleted however this right is not an
absolute right. In most cases we will be legally obliged to keep your data for a certain
amount of time. For full details on how long we store each category of data, please see the
HSE Records Retention Policy.
How long can my data be stored for?
The length of time your data can be stored for depends on the type of data. Full details of
how long each type of data can be stored for can be found in the HSE Records Retention
Policy.
Is my personal data safe and secure?
We are committed to ensuring that your information is secure with us and with the
third parties who act on our behalf. We have a number of security precautions in place to
prevent the loss, misuse or alteration of your information. All staff working for the HSE have
a legal duty to keep information about you confidential and all staff are trained in information
security and confidentiality. The HSE has strict information security policies and procedures
in place to ensure that information about you is safe, whether it is held in paper or electronic
format.
Is my data shared with anyone?
Within the HSE, the clinical information collected by a doctor or other healthcare professional
or staff member authorised to process your data is not passed on to others within the HSE,
unless it is considered necessary for your health or social care needs or for one of the other
reasons set out above (where possible, the personal information is anonymised or
pseudonymised).
You may also be receiving health or social care from providers outside of the HSE, e.g.
private or voluntary hospitals, specialists etc. In order to assist in this process, we may make
referrals on your behalf that require us to share your personal information with those
providers. We will only do so if there is a genuine need in order to ensure that a quality
service is provided to you. We are careful only to share the information that is necessary for
this purpose. Anyone who receives this information is also bound by confidentiality and the
data protection laws. The current list of those with whom personal data is shared may be
found on our website www.hse.ie/gdpr/disclosees.pdf. In certain situations, we may have to
disclose your personal information to other agencies, in accordance with legal requirements,
e.g. the Department of Social Welfare, the Department of Health & Children, the Courts etc.,
or in an emergency situation to prevent injury to other persons.
We may transfer your information to organisations in other countries where this is necessary
to provide you with health and social care services, on the basis that anyone to whom we pass
it protects it in the same way we would and in accordance with applicable laws. For more
information about overseas transfers, please contact us using the contact information
provided below.
What can I do if I think my rights haven’t been respected?
If you feel your rights have not been upheld you are entitled to lodge a complaint with the
Data Protection Commission (DPC).
Telephone: +353 57 8684800, +353 (0)761 104 800
Lo Call Number: 1890 252 231
Fax: +353 57 868 4757
E-mail: info@dataprotection.ie
Postal Address:
Data Protection Commission
Canal House
Station Road
Portarlington
R32 AP23 Co. Laois
How do I contact the HSE Data Protection Office?
Please contact our Data Protection Office:
If you have any queries in relation to Data Protection or other issues around the
security of your personal information
For more information about the steps we are taking to protect your information
For more information about your rights, including the circumstances in which you can
exercise them and how to exercise them.
If you wish to raise a complaint on how we have handled your personal information,
you can contact our Data Protection Officer who will investigate the matter. We hope
that we can address any concerns you may have.
Deputy Data Protection Officer West, (excluding voluntary agencies)
Consumer Affairs, Merlin Park University Hospital, Galway.
CHO 1 Cavan, Donegal, Leitrim, Monaghan, Sligo
Community Healthcare West Galway, Mayo, Roscommon
Mid-West Community Healthcare Clare, Limerick, North Tipperary.
Saolta Hospital Group
Phone: 091-775 373
Deputy Data Protection Officer Dublin North-East (excluding voluntary
hospitals and agencies)
Consumer Affairs, HSE Dublin North East, Bective St., Kells, Co Meath.
Midlands, Louth, Meath Community Health Organisation
Community Health Organisation Dublin North City & County
CHO 6 Dublin South East, Dublin South & Wicklow
RCSI Hospital Group
National Children's Hospital
Phone:
Kells Office: 046-9251265
Cavan Office: 049-4377343
Deputy Data Protection Officer Dublin mid-Leinster (excluding
voluntary hospitals and agencies)
Consumer Affairs, HSE, Third Floor Scott Building, Midland Regional
Hospital Campus, Arden Road, Tullamore, Co. Offaly.
Dublin Midlands Hospital Group
Ireland East Hospital Group
Community Healthcare Dublin South, Kildare & West Wicklow
Phone:
Tullamore Office: 057-9357876
Naas Office: 045-920105
Deputy Data Protection Officer South (excluding voluntary hospitals
and agencies)
Consumer Affairs, HSE South, Ground Floor East, Model Business Park,
Model Farm Road, Cork. Eircode: T12 HT02
Cork & Kerry Community Healthcare
CHO 5 Carlow, Kilkenny, South Tipperary, Waterford & Wexford
UL Hospital Group
South South-West Hospital Group
Phone:
Cork Office: 021 4928538
Kilkenny Office: 056-7785598
National Data Protection Officer
HSE, Dr. Steeven’s Hospital, Steeven’s Lane, Dublin 8.
Useful Links:
HSE GDPR Website: https://www.hse.ie/eng/gdpr/
Data Protection Act: http://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/print.html
DPC GDPR Website: http://gdprandyou.ie/
GDPR: https://gdpr-info.eu/