1. Introduction
Blackrock Health (“BH”) and our hospitals are committed to protecting all personal patient data collected during patient treatment.
This notice sets out the types of data we collect, and how we capture, use and protect all personal data collected and stored during the course of patient treatment. We also want you to be clear as to what rights you can invoke with respect to your information.
To this end, it is important that you read this Privacy Notice and understand our use of your personal data.
Please note, we reserve the right to update this Privacy Notice as required. This is the most recent version of this document.
1.1 Company Information
References to “BH”, “us”, “our” and “we” refer to Blackrock Health, and any associated companies from time to time. More information about Blackrock Health and our Hospitals can be found within this web site.
Our contact details are;
Blackrock Health
Fonthill House,
Old Lucan Road
Dublin 20 D20 RH22
www.blackrockhealth.com
1.2 Legislation
All personal data we gather will be “processed” in accordance with all applicable data protection laws and principles, including the EU General Data Protection Regulation 2018 and the applicable Irish Data Protection Acts.
1.3 Queries and Complaints
If you require further information about the way your personal data will be used, or if you are unhappy with the way we have handled your personal data, and wish to contact us, please submit your concerns to:
Blackrock Health: dpo@blackrockhealth.ie
Blackrock Clinic: dpo@blackrock-clinic.com
Hermitage Clinic: dpo@hermitageclinic.ie
Galway Clinic: dpo@galwayclinic.com
Each mailbox is managed by the DPO function and all correspondence received will be addressed accordingly, including support from the designated Data Protection Officer.
You have the right to lodge a complaint with the Office of the Data Protection Commissioner. To contact the Office of the Data Protection Commissioner, please use the following details:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Telephone: 01 7650100
Telephone: 1800437 737
Email: info@dataprotection.ie
2. How do we collect information?
We collect personal data in order to improve the quality of the services we provide in our clinics. This data may be collected directly by our staff. or by medical consultants, GPs, or other healthcare professionals who refer you to our Hospitals, or who are involved in your treatment
Sometimes we may request that other entities within our group, provide us with data relating to you. This is managed through our clinical governance committees. Additionally, we may receive your data from national or international audit bodies. The data shared with us in this way will be used to improve the quality of service provided to you.
Sometimes we may request that other healthcare providers, such as other hospitals and pharmacies, provide us with data relating to you in order to improve the quality of our service to you.
In cases of emergency, we may receive your data from emergency services, such as the Gardaí, the ambulance services or the fire brigade services. Once again, we receive this data purely for the purpose of ensuring the care we provide to you is of the highest standard.
3. What do we use information for?
Central Activities by Central Group Function
We use your personal data so that we can improve the quality of the healthcare service we provide in our clinics and manage our business operations.
Specifically, we may use the personal data we gather for any or all of the following purposes:
| Process | Description | Lawful Basis for Processing | ||
|---|---|---|---|---|
| CCTV Recording | CCTV cameras are located around the property to have a history of misconduct, theft etc. | The use of the data is in our legitimate interest | ||
| Wi-Fi | We provide a free Wi-Fi service for staff and public use; we collect e-mail addresses from the data subject to sign into the captive portal when providing this service. We may track technical data such as IP address and Wireless and Network Service usage. | The use of the data is permitted by patient consent and the use of the technical data is in our legitimate interest to control our security. | ||
| Reports / reviews for clinical governance | Reports on clinical decision making between Blackrock Healthcare and Clinics are created for patient safety. | The use of the data is necessary to protect the vital interests of the patient or another natural person | ||
| Aggregated data relating to clinical governance statistics | Collecting KPIs in relation to patient safety. | The use of the data is necessary to protect the vital interests of the patient or another natural person | ||
| Individual patient safety incidents | Reports are created to improve patient outcomes and to ensure no avoidable incidents occur. | The use of the data is necessary to protect the vital interests of the patient or another natural person. | ||
| Procedure / Speciality reviews | To assist in the development of strategies around a specific procedure to improve the patient process and outcomes throughout the hospital. | The use of the data is necessary to protect the vital interests of the patient or another natural person. |
Processing carried out at our clinics
We use your personal data so that we can provide past, current and future BH patients with the highest quality of healthcare possible.
We work closely with selected partners who help us to provide you with services which we do not have the capability to provide independently.
Specifically, we may use the personal data we gather for any or all of the following purposes
| Process | Description | Lawful Basis for Processing | ||
|---|---|---|---|---|
| Pre-Admission | We collect data prior to your admission to the hospital directly from your GP or consultant in the context of a referral. We will contact you either via text or telephone to create an appointment. We will also use your data to send you a text reminder of your appointment. | The use of this data is necessary for the provision of health care of treatment pursuant to a contract with a health professional. The use of this data is for the performance of a contract to which the patient is party or to take steps at the request of the patient prior to entering a contract. The use of this data is for the purposes of our legitimate interests to remind patients they have an appointment at the clinic so that time and resources are not wasted for either party. | ||
| Admission and Bookings | We collect data regarding admission to the hospital in the form of admission and general consent forms which you may be requested to complete. The data we collect at this point is necessary for hospital administration and admission and to provide the patient with the healthcare they wish to receive. This data will be used throughout the patient’s treatment in order to book theatres, patient rooms, diagnostics and to facilitate efficient scheduling. | The use of this data is for the performance of a contract to which the patient is party or to take steps at the request of the patient prior to entering a contract. The use of the data is necessary to protect the vital interests of the patient or of another natural person. The use of this data is necessary for the provision of health care of treatment pursuant to a contract with a health professional. | ||
| Insurance and payment details | Patient data collected on admission will be used to verify insurance cover with the patient’s insurer or other third party responsible for the payment of treatment. Patient data may also be shared with third party billing agencies contracted by consultants or other healthcare professionals involved with patient treatment. | The use of this data is for the performance of a contract to which the patient is party or to take steps at the request of the patient prior to entering a contract. | ||
| Document Patient Data During Treatment | We document data regarding each patient’s treatment and progress on our various systems as well as on paper documents which are stored in each patient’s medical record and in other locations. Patient data may also be used for clinical audit and quality purposes. | The use of this data is necessary for medical diagnosis and for the provision of health care of treatment pursuant to a contract with a health professional. | ||
| Generating Prescriptions and Ordering Medication | Patient data is used to accurately prescribe and administer the medication required as part of your treatment. BH is often required to order medication from external providers for this purpose. | The use of the data is necessary for medical diagnosis and for the provision of health care or treatment pursuant to a contract with a health professional. | ||
| Reporting Infectious Diseases | All medical practitioners, including clinical directors of diagnostic laboratories are required to notify the Medical Officer of Health (MOH) / Director of Public Health (DPH) of certain notifiable diseases. The list of notifiable diseases is available on the HPSC website: https://www.hpsc.ie/ . | The use of this data is for the performance of a contract to which the patient is party or to take steps at the request of the patient prior to entering a contract. | ||
| Multi-Disciplinary Team Meetings | Data may be shared with external healthcare specialists who will discuss patient symptoms and ensure patient treatment is based on best practice. | This is necessary for medical diagnosis and for the provision of healthcare or treatment pursuant to a contract with a health professional. In accordance with the Health Act 1997. | ||
| National Cancer Registry Ireland | The date of patients receiving treatment for cancel will be shared with the National Cancer Registry Ireland. | The data is used to monitor trends and outcomes in different cancer types. In accordance with Statutory Instrument 19 of 1991. | ||
| Reporting to the National Haemovigilance Officer (NHO) | Any serious adverse reactions, events or near miss involving blood products is reported to the NHO. | The use of the data is necessary to ensure high standards of quality and safety of health care. In accordance with both EU and Irish legislation. | ||
| Handover Sheets | Notes on patient wellbeing and status are documented to facilitate handovers among BH nursing staff at shift changes | The use of the data is necessary for medical diagnosis and for the provision of health care or treatment pursuant to a contract with a health professional. | ||
| Irish National Orthopaedic Register (INOR) / National Office of Clinical Audit (NOCA) | The data of patients receiving implants will be shared with INOR | The use of this data is for the performance of a task carried out in the public interest. The use of the data is permitted by patient consent. | ||
| Clinical Audit (MEG) | To measure compliance with hospital policy and accreditation standards. | The use of the data is necessary to protect the vital interests of the patient or of another natural person. | ||
| Patient Discharge | Data is recorded on discharge forms including prescriptions and discharge letters. Post-treatment, results and procedural details are sent to the referring healthcare professional to inform them of their patient’s progress and to facilitate the provision of ongoing healthcare. We may also liaise with your next of kin or other designated persons with respect to discharge arrangements, where necessary. | This is necessary for medical diagnosis and for the provision of healthcare or treatment pursuant to a contract with a health professional. The use of the data is necessary to ensure high standards of quality and safety of health care. The use of the data is necessary to protect the vital interests of the patient, where the patient is incapable of giving consent. | ||
| Patient Portal | Patient medical results may be made available to them through the patient portal. | The use of the data is permitted by patient consent. | ||
| Generating Invoices for Treatment | On completion of treatment, patient medical records are used to ensure the patient is accurately billed by BH, consultants and other healthcare professionals for treatment received at the clinic. Third-party billing consultants are engaged in order to generate invoices on behalf of hospital consultants. | The use of this data is for the performance of a contract to which the patient is party or to take steps at the request of the patient prior to entering a contract. | ||
| Patient Satisfaction Survey | On completion of your care at BH, we may contact you using the details which you provided, and request that your complete our patient satisfaction survey. Third party market research consultants are engaged for this purpose. | The use of this data is in our legitimate interests to improve the quality of the healthcare which we provide. | ||
| Ongoing Monitoring of Implanted Devices | Patients will often be asked to return to the clinic in order for us to monitor the patient’s condition post-implantation. Some implanted cardiac devices are remotely monitored from external databases. | The use of the data is necessary for provision of health care or treatment pursuant to a contract with a health professional. The use of the data is necessary to ensure high standards of quality and safety of health care. The use of the data is necessary to protect the vital interests of the patient, where the patient is incapable of giving consent. | ||
| Transfer to an Alternative Healthcare Provider | When a patient engages an alternative healthcare provider, the patient or the healthcare provider (on the patient’s behalf) will be provided with a copy of the patient’s medical record. | The use of the data is necessary for medical diagnosis and for the provision of health care or treatment pursuant to a contract with a health professional. | ||
| Retention of Tissue Samples | Patient tissue samples are labelled with patient data and retained in the clinic laboratory. | The use of the data is necessary to ensure high standards of quality and safety of health care. In accordance with the Terms and Conditions of the National Accreditation Board and the Royal College of Pathologists’ Guidelines. | ||
| Handling Enquiries | General enquiries are received from patients, patients’ relatives, and other members of the public. Patient data will only be disclosed on completion of identity verification. | The use of the data is in our legitimate interest as a healthcare provider. The use of the data is necessary for the management of health services. | ||
| CCTV Footage | CCTV cameras are in operation both inside and outside of the clinic in order to protect our staff, patients and property. | The use of the data is in our legitimate interests as a healthcare provider. | ||
| Contractor Visitor Sign-In | Visitor data is recorded at our reception to keep a log of external parties who are operating within the clinic (e.g. external contractors, students, and medical device representatives). | The use of the data is in our legitimate interests as a healthcare provider. | ||
| Investigate Complaints | Where complaints are received from patients or other members of the public, we will process the necessary data in order to investigate the complaint. | We have a legitimate interest to provide complaint handling services to you The use of the data is necessary to ensure high standards of quality and safety of health care. | ||
| System Maintenance | Sometimes patient data may be accessed during system repairs and updates, as required. Patient data will also be used in order for the Clinic to maintain system back-ups in the event of an IT system failure. | The use of the data is performance of a contract to ensure the quality and service. The use of the data is necessary to ensure high standards of quality and safety of health care. | ||
| Call Recording | Telephone calls made to our enquiries line are sometimes recorded for quality purposes. | The use of the data is in our legitimate interests as a healthcare provider. The use of the data is necessary to ensure high standards of quality and safety of health care. |
4. Who do we share information with?
There are various circumstances in which we may share personal data with other parties. Generally, this includes your representatives, our representatives, and some pre-advised third parties.
Central Group Function
We may occasionally disclose your information to the following categories of companies or organisations to which we handover the responsibility to handle services on our behalf:
- Any entity within the Blackrock Healthcare Group,
- Any party which you have given us permission to speak with (family, friends or otherwise),
- Legal representatives, as necessary,
- Statutory bodies and health boards as required by EU and Irish law.
- Clinical audit to measure compliance with hospital policy and accreditation standards.
Clinic Levels
We may occasionally disclose your information to the following categories of companies or organisations to which we handover the responsibility to handle services on our behalf:
- Any medical consultants involved in your treatment at our Hospitals, ,
- Any party which you have given us permission to speak with (family, friends or otherwise) regarding your treatment,
- Your next of kin, where you are not in a situation to grant us permission,
- GPs and other healthcare professionals involved in your treatment,
- Healthcare specialists whose opinion may aid us in effective medical diagnosis and / or treatment,
- Healthcare providers engaged to assist with your treatment (certain providers have facilities which assist us in providing you with efficient and effective treatment),
- Your health insurer (or their representative) or any other third-party provider with whom you have an agreement to cover the cost of your treatment,
- Billing agencies engaged by your consultant or other healthcare professionals involved in your treatment,
- Legal representatives, as necessary,
- Statutory bodies and health boards as required by EU and Irish law.
- Clinical audit to measure compliance with hospital policy and accreditation standards.
- Any business partners, suppliers and sub-contractors who operate as a processor on our behalf for the performance of any contract we enter into with them or you. Such as our IT system providers, our payment service providers, our recruitment service providers.
We take steps to ensure that any third-party partners who handle your information comply with data protection legislation and protect your information to the same extent that we do. We only disclose personal information which is necessary for them to provide the service they are undertaking on our behalf. We will aim to anonymise your information or use aggregated non-specific data sets where possible.
It may be necessary to transfer your personal information to other group companies or service providers located in countries outside of the European Economic Area (EEA). It may be necessary for us to improve our services for you such as where we have taken your consent, we may work with a partner Clinic outside the EEA to get a second opinion or to use electronic study research where you have given consent to us, In such circumstances. we will ensure that the data is transferred in a secure manner, in accordance with data protection legislation and with your consent.
If you would like more information about the relevant safeguards in place for the transfer of personal data to countries or companies outside the European Economic Area, please contact us using the details outlined in Section 1 above.
5. What type of information is collected?
As a healthcare provider we need to collect many categories of personal data about our patients, the majority of which is highly sensitive in nature
While the type of personal data we process may change occasionally, we believe it is important that you are aware of the types of personal data we gather and use. The following table is a non-exhaustive list of the categories and types of personal data we use to perform our duties.
Please note that the information listed under one category may be used for the performance of a task, or in relation to activities listed under another heading, or as outlined in Section 3 above.
Central Group Function
| Reason | Type of Data Collected | |||
|---|---|---|---|---|
| Create reports / reviews for clinical governance | Medical data, Medical Record Number, Date of Birth, Name, Address. | |||
| Collect KPI’s for patient safety | Medical data, Medical Record Number, Date of Birth, Name, Address. | |||
| Create individual patient safety incident reports | Medical data, Medical Record Number, Name. | |||
| Security | CCTV footage |
Clinic Levels
| Reason | Type of Data Collected | |||
|---|---|---|---|---|
| Admissions | Contact details, date of birth, next of kin details, medical history, reason for admission, family medical history, GP details, health insurance / payment details, nationality and religious beliefs can be volunteered by patient. | |||
| Referrals | Contact details, date of birth, treatment for which patient is being referred, MRN, GP details/details of referring party, family medical history. | |||
| During Medical Diagnosis / Treatment | Medical data relating to current and past treatment. | |||
| Quality Improvement | Patient feedback, enquiries received, log of calls received, log of complaints received, clinical incident forms submitted. | |||
| Clinic Security | CCTV footage, visitor sign-in logs. |
6. How long do we retain information?
We only keep your information for as long as is necessary for the purpose for which it was originally obtained. As a result, the retention periods will differ depending on the purpose of the processing and the types of data involved. Please note that the medical data we use when has reached the end of its legal retention period and is no longer required shall be disposed of securely in accordance with our retention policy and the HSE guidelines. In some cases, retention periods for medical information will be defined based on the individual circumstance of each patient. We will take all necessary steps to ensure that the privacy of information is maintained upon disposal.
7. What are your rights?
You have a number of rights when it comes to your personal data. On receipt of a valid request to invoke one of your rights, we will do our best to adhere to your request as promptly as reasonably possible, however, restrictions may apply in certain situations.
Right of Access
You have a right to know what personal data we hold on you, why we hold the data, and how we are using the data.
When submitting your request, please provide us with information to help us verify your identity and as much detail as possible to help us identify the information you wish to access (i.e. date range, subject of the request).
Identity verification will require a copy of your photographic ID, as well as the provision of three unique identifying factors from your medical record.
If the request is submitted by a third party (such as a solicitor) on your behalf, the request will be required to include written authorisation from you for the provision of a specific data to the third party.
Right to Rectification
You have a right to request that the personal data held in relation to you is up to date and accurate.
Where information is inaccurate or incomplete, we encourage you to contact us to have this information rectified. Upon receipt of your request, we will ensure that the personal data is rectified and as up to date as is reasonably possible.
Right to Erasure
You have the right to seek the erasure of personal data relating to you in the following circumstances:
- The personal data is no longer required for the purposes for which it was obtained.
- Where the use of the data is only lawful based on consent, you withdraw consent to the processing and no other lawful basis exists.
- The personal data is being used unlawfully.
- You object to the use of your personal data and there are no overriding legitimate grounds for the use of the data.
- Your personal data requires deletion in line with legal requirements.
However, we will be unable to fulfil an erasure request if the personal data is required for the treatment of an active patient. We will also not be able to delete data which is being held in the public interest, such as for protecting against cross-border threats or ensuring high standards of quality and safety of healthcare.
Right to Restriction
You have the right to restrict the extent for which your personal data is being used by us in circumstances where:
- You believe the personal data is not accurate (restriction period will exist until we update your information).
- The processing of the personal data is unlawful, but you wish to restrict the use of the data rather than erase it.
- Where the personal data is no longer required by us, but you require the retention of the data for the establishment, exercise, or defence of a legal claim.
- You have a pending objection to the future use of your personal data.
When the use of your data has been restricted, your personal data will only be further used:
- with your consent;
- for the establishment, exercise or defence of legal claims;
- for the protection of the rights of other people; or
- for reasons important to public interest, such as for the protecting against cross-border threats or ensuring high standards of quality and safety of health care.
We will contact you to confirm where the request for restriction is fulfilled and will only lift the restriction after we have informed you that we are doing so.
Right to Data Portability
You have the right to the provision of all personal data, which you provided to us, provided to you in a structured, commonly used and machine-readable format where:
- The lawfulness of the use of your personal data by us is reliant on the basis of a contract.
- The lawfulness of the use of your personal data by us is reliant on the provision of your consent.
- The data is being utilised by fully automated means.
You may also request that we send this personal data to another legal entity where technically feasible.
We will only refuse such a request if the data being requested may adversely affect the rights and freedoms of others.
Right to Object
You have the right to object to the further use of your personal data where:
- The lawfulness of the use of your personal data by us is reliant on the basis of our legitimate interests.
- Where the data is non-sensitive and being used for reasons in the public interest.
- Where the data is being used for direct marketing purposes.
If you wish to object to the use of your data, please contact us with your request. We will then stop using the data or personal data unless it is required for legal proceedings.
Right not to be subject to Automated Decision-Making Profiling
You have a right not to be subject to a decision based solely on automated processing or profiling, where such decisions would have a legal effect or significant impact on you.
Currently, we do not employ any systems which use automated decision making or profiling on data relating to our patients.
Where we (or one of our third-party processors) use profiling, which produces legal effects for you or otherwise significantly affects you, you will have the right to object to such processing.
Where do I send requests?
Please send all requests to the contact details provided in Section 1, with as much detail as possible regarding your requirements to enable us to deal with your request efficiently. To answer your request, we may ask you to provide identification for verification purposes.
How long will a request take to complete?
Upon receipt of a request, we will have 30 days to provide a response, with an extension of two further months if required. If we require more time to deal with your request, we will notify you of the delay, and of the factors responsible for the delay, within 30 days of the receipt of your request. If we refuse your request, we will notify you within 30 days of the receipt of the request accompanied by the reason for refusal.
You are entitled to contact the Office of the Data Protection Commissioner if we refuse your request.
How much does it cost to submit a request?
We will not charge a fee for any requests, provided we do not consider them to be unjustified or excessive. If we do consider these to be unjustified or excessive, we may charge a reasonable fee (also applicable for multiple copies) or refuse the request.
8. Cookies
Blackrock Health and its Hospitals respect the privacy of all visitors to our websites. This website employs cookies in order to operate effectively. More information on how this website uses cookies can be found at: