1. Purpose
Cheeverstown House must comply with the Data Protection Acts 1988-2018 and the General Data Protection Regulation (GDPR). We respect your right to privacy and to the protection of your personal information. The purpose of this privacy notice is to explain how we collect and use personal information for the provision of our services and the day-to-day running of our social care services.
2. The information processed
The data we collect on our Service Users enables us to provide services and supports to you. We collect and process various categories of personal information.
Information we collect may include:
• Personal details about you, such as name, date of birth, a photo to identify you, your address, employment status, next of kin, contact details (mobile phone number), family address.
• Information relating to your treatment and care; medication notes and reports about your diagnosis and health which assist our staff in providing care and treatment to you; results of investigations, such as x-rays and blood tests.
• Relevant information from other health and social care professionals, other healthcare agencies and your carers and relatives.
• Financial information, medical card, health insurance, public services card, passport.
• Certain special categories of information, which may include racial or ethnic origin, religious or philosophical beliefs, the processing of genetic data, biometric data for the purpose of uniquely identifying a person.
• Service Users' participation in social activities, via our website, YouTube channel or Facebook group, may also be posted. Service Users reserve the right to opt out of engaging in these online activities and forums. Service Users can request that their images are not uploaded to these groups.
• CCTV monitoring for the purpose of security.
3. Legal basis for processing
Cheeverstown House has a lawful basis for processing special categories of personal data under Section 52 of the Data Protection Act 2018, which outlines the processing of special categories of personal data for purposes of Article 9(2)(h):
52. (1) Subject to subsection (2) and to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where it is necessary—
(a) for the purposes of preventative or occupational medicine,
(b) for the assessment of the working capacity of an employee,
(c) for medical diagnosis,
(d) for the provision of medical care, treatment or social care,
(e) for the management of health or social care systems and services, or
(f) pursuant to a contract with a health practitioner.
(2) Processing shall be lawful in accordance with subsection (1) where it is undertaken by or under the responsibility of—
(a) a health practitioner, or
(b) a person who in the circumstances owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health practitioner.
(3) In this section, “health practitioner” has the same meaning as it has in the Health Identifiers Act 2014.
Special categories of data are defined by the GDPR and include things like racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, health data, sex life details and sexual orientation.
We will only process special categories of personal data where it is necessary:
• For the purposes of preventative or occupational medicine.
• For medical diagnosis.
• For the provision of healthcare, treatment, or social care.
• For the management of health or social care systems and reporting to the Health Service Executive pursuant to our Service level agreement.
Processing is lawful where it is undertaken by or under the responsibility of:
• A health practitioner, or
• A person who in the circumstances owes a duty of confidentiality under their employment contract to the data subject that is equivalent to that which would exist if that person were a health practitioner such as a Medical Consultant, Pharmacist, Social Worker.
• For example, the clinic secretary, receptionist, system administrators and those involved in the creation and monitoring of personal care plans.
• If the purpose of the processing is for a reason other than the reasons outlined above, we will seek explicit consent to process your sensitive personal data (referred to as ‘special categories’ of data under the GDPR).
4. How Cheeverstown House obtains your information
We may obtain your information from a variety of sources, including information from you, your next of kin or your previous provider as part of our admissions process. Health-specific data such as assessment and care plans will be collected by social care staff, nurses and other healthcare professionals taking care of you and will be held in your patient/client folder (this can be paper and/or electronic). We may also receive your personal information from third parties, for example your consultant, GP, dentist, social worker, or pharmacist. There may also be times when information is collected from your relatives or next of kin, e.g. if you are taken to an Emergency Department (A&E) and are unwell and unable to communicate.
5. Your rights
You have certain legal rights concerning your information and the way we process it.
This includes:
• A right to get access to your personal information.
• A right to request us to correct inaccurate information or update incomplete information.
• A right to request that we restrict the processing of your information in certain circumstances.
• A right to request the deletion of personal information excluding medical records.
• A right to receive the personal information you provided to us in a portable format.
• A right to object to us processing your personal information in certain circumstances; and
• A right to lodge a complaint with the Data Protection Commission.
Some of these rights only apply in certain circumstances and so are not guaranteed or absolute rights. Please contact your local dpo@cheeverstown.ie if you have any queries or concerns about your rights.
6. Access to your records
You can access your records by making a subject access request (SAR) in writing to Cheeverstown House requesting access to the data required. It is important that you provide evidence of identification and a detailed description of the information you require.
7. Who is the data controller?
The data controller in most instances is Cheeverstown House. However, when services are funded by the Health Service Executive, they could also be a dual data controller.
8. How do we use your information?
We use your information to manage and deliver your care and treatment to ensure that the treatment is safe and effective, that the right decisions are made about your care and so that we can co-ordinate with other organisations that may also be involved in your care. Your information may be used to:
• Review the care and treatment provided to ensure it is of the highest standard possible and to evaluate and improve the safety of our services.
• To assist in quality improvement methods e.g., accreditation, HIQA audits, clinical audit, patient experience, and satisfaction surveys.
• To investigate complaints, legal claims and serious incidents which are reported to the National Incident Management System (NIMS).
• To comply with reporting commitments between Cheeverstown House and Community Health Care Organisation (CH07), who are joint controllers of Service User data held on the National Ability Support System (NASS). (The NASS system contains data on Service Users to plan for current and future demand in the social care services.)
• Preparing financial statistics on provider performance and monitoring how we spend public money. Invoicing, billing and authorisation and account management of Service User funds where Cheeverstown has been appointed as an agent to collect disability payments and disburse Service User funds appropriately.
• To adhere to public health guidelines e.g. influenza, COVID-19 vaccination status, winter, screenings and COVID-19 test and trace.
• To provide training and development to health professionals.
• To communicate with you or your family via text about any service updates.
• To provide statistical information to other organisations such as the Health Research Board. The data provided for research purposes is anonymised information.
9. CCTV
Cheeverstown House uses camera surveillance systems (commonly referred to as CCTV) throughout its facilities for the purpose of maintaining the safety and security of its staff, service users, visitors, and members of the public. Cheeverstown is aware that footage or images containing identifiable individuals captured by CCTV systems are personal data for the purposes of data protection law. Cheeverstown House CCTV systems may, but will not always, collect and store personal information. Cheeverstown House will comply with the GDPR and this privacy notice in respect of any personal information collected via its CCTV systems.
10. Sharing Information internally
Cheeverstown clinical information collected by a healthcare professional or staff member who is authorised to process and administer your data is not passed on to others within Cheeverstown House, unless it is considered necessary for your health or social care needs or for one of the other reasons set out above (where possible, the personal information is anonymised or pseudonymised).
11. Sharing information with third parties
You may also be receiving health or social care from providers outside of Cheeverstown, i.e., private or voluntary hospitals, specialists etc. To assist in this process, we may make referrals on your behalf, which requires us to share your personal information with those providers. We will only do so if there is a genuine need to ensure the highest quality of care is provided to you. We are careful only to share the information that is necessary for this purpose. Anyone who receives this information is also bound by confidentiality and the data protection laws. In certain situations, we may have to disclose your personal information to other agencies, in accordance with legal requirements, i.e., Dept. of Social Welfare, Department of Health, Garda, the Courts etc., or in an emergency to prevent injury to you or to other persons.
12. How do we keep your records secure and confidential?
We are committed to ensuring that your information is secure with us and with the third parties who act on our behalf. We have several security precautions in place to prevent the loss, misuse, or alteration of your information. All staff working for Cheeverstown House are expected to complete GDPR awareness training and have a duty to keep information about you strictly confidential. Information security policies and procedures are in place to ensure that information about you is safe, whether it is held in paper or electronic format.
13. Retention period
We will only retain information for as long as necessary. Records are maintained in line with the recommendations of the HSE and HIQA and other statutory bodies. For details of our retention policy, please refer to our 14b Record retention and disposal policy.
Contact details
Please contact our Data Protection Office at dpo@cheeverstown.ie if you have any queries in relation to Data Protection or other issues around the security of your personal information, or for more information about your rights, including the circumstances in which you can exercise them and how to exercise them. The current acting Data Protection Officer is Sean Corcoran. If you wish to raise a complaint on how we have handled your personal information, you can contact our Data Protection Officer, who will investigate the matter. We hope that we can address any questions or concerns you may have pertaining to your data.