Privacy Statement

Introduction

We are Saint John of God Community Services clg (hereinafter referred to as the “SJOGCS”) with an address at Granada, Stillorgan Road, Stillorgan, Co. Dublin. We are part of the Saint John of God Hospitaller Services Group clg. SJOGCS is the legal entity which determines the purposes and means of the processing of personal data for Community Mental Health Services and Intellectual Disability Services.

We take our obligations under data protection legislation seriously. This statement describes the way we handle and use the personal information that we obtain from all the different interactions you may have with us, including when you visit SJOGCS, our social media pages or website, or when you contact us. For the purpose of the General Data Protection Regulation (the GDPR), in respect of the personal data that we process to provide our services, Saint John of God Community Services clg is the data controller.

The SJOGCS Data Protection Officer (DPO) can be contacted at dpocs@sjog.ie

Definitions

CCTV: Means closed-circuit television and is commonly known as video surveillance. “Closed-circuit” means broadcasts are usually transmitted to a limited (closed) number of monitors, unlike “regular” TV, which is broadcast to the public at large.
Compliance with a legal obligation: This is one of the lawful bases that an organisation may rely on when processing personal data. For example, an organisation may be legally required to comply with health and safety standards such as the Safety, Health and Welfare Act 2005 and, as a result, is legally required to process your personal data.
Consent: This is one of the lawful bases that an organisation may rely on when processing personal data. Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of his or her personal data.
Cookies: Cookies are text files stored on your web browser containing small pieces of data — like a username and password — that are used to identify your computer as you use a computer network.
Data Controller: Means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor: Means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Data Processor Agreement: Means a specific data processing agreement or contract that data controllers are obliged to have in place with any data processors / service providers they engage with and share personal data with.
Data Protection Laws: Means the relevant data protection legislation applicable to SJOGCS such as the Irish Data Protection Act 2018 and the General Data Protection Regulation (EU) (2016/679).
Data Sharing Agreement: Means a specific data sharing agreement or contract that data controllers are obliged to put in place with other entities that are not data processors, but whom they share personal data with.
General Data Protection Regulation (GDPR): The General Data Protection Regulation is a Regulation in EU law on data protection and privacy in the EU and the European Economic Area. The GDPR is an important component of EU privacy law and of human rights law.
International Data Transfers: Means data transfers that take place outside the European Economic Area and non-adequate countries that have not been recognised as having similar data protection legislation to that of the European Economic Area.
Legitimate Interest: This is one of the lawful bases that an organisation may rely on when processing personal data as long as they ensure that the data protection rights and freedoms of those individuals are not seriously impacted.
Performance of a Contract: This is one of the lawful bases that an organisation may rely on when processing personal data. It means that if data processing is necessary for a contract, it can be done so for the purposes of fulfilling the contract. For example: an employer and an employee will engage in an employment contract for the purpose of managing the employment relationship. This contract will justify the processing of employee personal data in an employment context.
Personal Data: Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Safeguards: Means the different technical and organisational measures, controls and processes an organisation must put in place to protect personal data.
Saint John of God Community Services clg (SJOCS): Also referred to as SJOGCS, is the legal entity which determines the purposes and means of the processing of personal data for Adult Mental Health Services, Child and Adolescent Mental Health Services, and Intellectual Disabilities Services.
Special Category Data: Means certain types of sensitive personal data which are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The following are examples of special category data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a natural person’s sex life or sexual orientation.
Vital Interest: This is one of the lawful bases that an organisation may rely on when processing personal data. It means interests that are essential for someone’s life which generally only apply to matters of life and death. It is likely to be particularly relevant for emergency medical care, when there is a need to process personal data for medical purposes, but the individual is incapable of giving consent to the processing.
Pseudonymisation of Data: The replacement of identifying information with a pseudonym, code or number where it is possible to re-identify individuals.
Anonymisation of Data: Anonymised data means information that has had all identifiers removed and re-identification of individuals is not possible.

Information we collect from you.

The information we collect from you is as follows:

  • Information that you give us when you enquire about services at SJOGCS or become a recipient of our services such as your name, address, contact details (including email address and phone number), gender, and health information.
  • The name and contact details (including phone number) of your next of kin or relatives;
  • Any information you include in correspondence you send to us or in forms you submit to us at SJOGCS;
  • Details of your medical history such as details and records of treatment and care, notes, and reports about your health, including any allergies or health conditions including information relating to any clinic visits and medicines administered;
  • Information relating to your health including mental health, diagnosis information, medication details; medical records; services provided by us; admission/discharge to SJOGCS and other services, laboratory tests and results, clinical consultation recordings, current/future residential/day service provision and history, and multidisciplinary team reports.
  • In some circumstances, individuals may disclose data relating to their relatives and other third parties.
  • Information relating to your religious beliefs; and
  • Details of your sexual orientation where you inform us of this within the provision of healthcare services.
  • Financial information such as your payment card details and, in relation to certain refunds, your bank account details;
  • Other relevant information from people who care for you and know you well, e.g., health professionals, relatives, and carers.
  • Identification when exercising the rights that you have in relation to our processing of your personal information.
  • Footage captured from our CCTV operation which is in use at our facilities for health, safety, and security purposes;
  • Information about complaints and incidents.
  • Information obtained from surveys that you have taken part in;
  • Information that you give us when you submit a question/comment in relation to our services or website;
  • Information you give us when you apply for a job with us (CV, cover letter, contact details);
  • Information you give us when you publish public comments on our social media pages, e.g. Facebook.

What Information do we collect about you from others?

We receive information about third persons from our patients in the procurement of healthcare services or in complaints.

When you use our healthcare services, we may obtain the following categories of personal data from others: name, address, date of birth, phone number, gender, medical records, reasons for referral, medical/psychiatric history, collateral history, community pharmacy name and contact details, medications/treatment received to date, and next-of-kin details.

How we use your Personal Data and the Legal Basis for Processing under the GDPR

The Irish Data Protection Act 2018 and the GDPR (Regulation EU 2016/679) require that processing of personal data shall meet certain justifiable criteria to allow for processing of personal health data. Health data falls under the banner of special categories of personal data. This means that SJOGCS shall outline in explicit terms the justification for processing of personal data relating to staff, service users, visitors, vendors, and contractors.

The table below illustrates the types of data SJOGCS processes and the legal basis for processing that data as required by the General Data Protection Regulation, Regulation (EU) 2016/679.

Each entry below gives the type of data, the purpose of processing and the lawful basis for processing.

Service user data

Includes (but is not limited to) the following: name, address, DOB, contact details (phone, mobile, email), dates of appointment, medical records, and health data.

Purpose of processing:

  • Necessary to support the administration of service user treatment, care and support in SJOGCS.
  • To provide you with health-related services. To help in decision making about your care and ensure that your treatment is safe and effective.
  • To work effectively with other organisations who may be involved in your care.
  • Activities such as quality assurance processes, accreditation, audits, risk and claims management, service user experience and satisfaction surveys and staff education and training.
  • Health Research – SJOGCS promotes research and there are strict regulations surrounding research and how it may be conducted. Suitable participants will be given full information about the research/trial and may be asked to provide their consent to participate.
  • For the purpose of sending you standard reminders, for example for appointments and follow-up care, by text message or email to the number or address which you have provided to us; and
  • We may anonymise or aggregate the personal information that we collect for the purpose of service management, monitoring, planning, and development.

Lawful basis for processing:

  • GDPR Article 9.2(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • GDPR Article 9.2(g) – Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
  • GDPR Article 9.2(f) – For the establishment, exercise, or defence of legal claims.
  • GDPR Article 6.1(c) – For compliance with certain legal obligations to which we are subject.
  • GDPR Article 9.2(j) – For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
  • GDPR Article 6.1(a) – Consent
  • GDPR Article 9.2(a) – Explicit Consent
  • GDPR Article 9.2(c) – Processing is necessary to protect the vital interests of the data subject.
  • Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018.

Employee data

Includes the following: name, address, DOB, contact details (phone, mobile, email), HR records, PPSN, bank details, P60, grievances, performance reviews, sick notes, medical leave.

Purpose of processing:

  • Necessary to support the administration of employee records in SJOGCS.
  • Allows SJOGCS to manage the employment relationship between staff and SJOGCS.

Lawful basis for processing:

  • GDPR Article 6.1(b) – Performance of a Contract.
  • GDPR Article 9.2(b) – Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment.
  • GDPR Article 9.2(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis.
  • GDPR Article 6.1(c) – Compliance with a Legal Obligation.

Students and Trainee Data

Purpose of processing:

SJOGCS supports the placement of students and trainees.

SJOGCS collects personal information of students or trainees on placement for the primary purposes of providing the placement and facilitating assessment.

The purposes for which SJOGCS uses personal information of students or trainees include:

  • managing the individual’s placement.
  • ensuring the quality and safety of clinical care provided to service users.
  • insurance purposes.
  • to ensure SJOGCS holds relevant contact information; and
  • satisfying its legal obligations including obligations under any placement agreement.

Lawful basis for processing:

  • GDPR Article 6.1(b) – Performance of a Contract.

Financial data

Includes the following: invoicing, billing, and account management.

Purpose of processing:

  • Required for providing a service and invoicing, billing, and account management, including storage of provider details on SJOGCS billing systems, transmission to Insurers and processing by billing companies.

Lawful basis for processing:

  • GDPR Article 6.1(b) – Performance of a Contract.
  • GDPR Article 6.1(c) – Compliance with a Legal Obligation.

CCTV Images

Purpose of processing:

  • SJOGCS uses CCTV for the purpose of maintaining the safety and security of its staff, service users, visitors, and other attendees.
  • CCTV may also be requested by Law Enforcement Agencies, such as An Garda Siochana, for “preventing, detecting, investigating or prosecuting criminal offences”.

Lawful basis for processing:

  • GDPR Article 6.1(c) – Compliance with a Legal Obligation – Safety, Health, and Welfare Act 2005.
  • GDPR Article 6.1(f) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
  • Section 41 (b) of the Irish Data Protection Act 2018 for “preventing, detecting, investigating or prosecuting criminal offences”.

Who do we share your personal data with?

We may disclose your personal information outside SJOGCS in limited circumstances. If we do, we will put in place appropriate controls and data sharing agreements that require recipients to protect your personal information, unless we are legally required to share that information. Any contractors or recipients that work for us will be obliged to follow our instructions. We do not sell your personal information to third parties.

Your information can be disclosed to our third-party service providers, agents, and subcontractors (Suppliers) for the purposes of providing services to us or directly to you on our behalf. We take steps to ensure that any third-party providers who handle your information comply with data protection legislation and protect your information to the same extent that we do. We only disclose personal information which is necessary for them to provide the service they are undertaking on our behalf. We will aim to anonymise your information or use aggregated non-specific data sets where possible.

We may also disclose your personal information to third parties if we are under a duty to disclose or share your information in order to comply with any legal obligation or in order to enforce or apply our terms of use and other agreements; or to protect our rights, property or safety of our service users or others.

The table below illustrates the categories of third parties we share personal data with:

Each entry below gives the category of third party, a description of the purpose and the lawful basis for processing.

Your Private Health Insurer

Description of purpose:

  • To confirm your insurance is valid and that your policy covers SJOGCS with your nominated insurance provider.
  • To secure payment for your care where it is covered by your private health insurance policy.

Lawful basis for processing:

  • GDPR Article 6.1(a) – Consent
  • GDPR Article 9.2(a) – Explicit Consent
  • GDPR Article 6.1(c) – For compliance with certain legal obligations to which we are subject.

Relatives, personal carers and/or significant other(s)

Description of purpose:

  • We may provide information about your condition to your spouse or partner, parent, child, other relatives, close personal friends, guardians, legal representative, or a person exercising your power of attorney under an enduring power of attorney or who you have appointed your enduring guardian, unless you tell us that you do not wish us to disclose your personal information to any such person.

Lawful basis for processing:

  • GDPR Article 6.1(a) – Consent
  • GDPR Article 6.1(c) – Compliance with a Legal Obligation.
      o Power of Attorney / Enduring Power of Attorney.
      o Legal Guardian.
      o Assisted Decision Making (Capacity) Act 2005.
  • GDPR Article 9.2(a) – Explicit Consent

Other Health Service Providers

Description of purpose:

  • If in the future you are being treated by a medical practitioner or health care facility that needs to have access to the health record of your treatment, we will provide a copy of your record to that medical practitioner or health care facility provided this request is processed in the correct manner and with your consent.

Lawful basis for processing:

  • GDPR Article 6.1(a) – Consent
  • GDPR Article 9.2(a) – Explicit Consent
  • GDPR Article 9.2(c) – Processing is necessary to protect the vital interests of the data subject.

Your Doctor (GP)

Description of purpose:

  • Sometimes your doctor will contact SJOGCS for additional information about your treatment. In this situation, we will only release information to the doctor whom you have specified as your doctor on your admission form, with your consent.

Lawful basis for processing:

  • GDPR Article 6.1(a) – Consent
  • GDPR Article 9.2(a) – Explicit Consent

Regulatory Bodies

Description of purpose:

  • Provision of personal data as required to satisfy recurring obligations, audit, and mandatory reporting purposes with bodies such as HIQA, HSE, TUSLA, The National Treasury Management Agency, The State Claims Agency, the Mental Health Commission and the Health and Safety Authority.

Lawful basis for processing:

  • GDPR Article 6.1(b) – Performance of a Contract.

Outsourced Service Providers

Description of purpose:

  • The external processing of personal data to external providers where SJOGCS does not have either the expertise, capacity, or demand to provide the processing required.

Lawful basis for processing:

  • GDPR Article 6.1(b) – Performance of a Contract.
  • GDPR Article 9.2(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Legal/Professional Advisors

Description of purpose:

  • The provision of business consulting, audit, and legal services including access to and analysis of personal data as part of SJOGCS initiatives, statutory audits, legal claims, and ad-hoc consultancy advice.

Lawful basis for processing:

  • GDPR Article 6.1(b) – Performance of a Contract.
  • GDPR Article 9.2(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • GDPR Article 9.2(f) – For the establishment, exercise, or defence of legal claims.

Where we use your data for health research purposes

At Saint John of God Community Services clg, we conduct research projects aimed at improving the lives of people affected by mental illness, whether as a patient, a carer or medical staff. The suitability of any project is assessed and validated by management and the Data Protection Officer before being signed off by the Research Ethics Committee before the project starts.

The data controller for these health research projects is Saint John of God Community Services clg. Granada, Stillorgan, Co. Dublin.

In most instances SJOGCS will rely on Article 6(1)(a) – Consent and Article 9(2)(a) – Explicit Consent, or Article 6(1)(f) – Legitimate Interest and Article 9(2)(j) – Scientific Research of the GDPR when we use your information for research. All applications for undertaking a health research study must be approved by the Saint John of God Research Ethics Committee. All health research in Ireland is governed by the Health Research Regulations 2018 (HRR) and the amended regulations 2021. The HRRs make explicit consent the default position for processing personal data for health research. Certain SJOGCS personnel meeting criteria set out in the Amended Health Research Regulations 2021 may access service user health records for pre-screening purposes to determine whether an individual (prospective research participant) is suitable or eligible for inclusion in the study and/or for retrospective chart reviews.

It is within our legitimate interests to conduct health care research for the benefit of our patients, for improvement to our service delivery, for the involvement of our patients, and to increase the knowledge base and for the academic education and continuous professional development of healthcare staff and students.

Your data, or the anonymous data derived from it, will not be transferred to a third country or international organisation outside the European Economic Area. Anonymous electronic data used for a study will be retained for 10 years. After 10 years, data will be securely destroyed by the ICT Department of SJOGCS.

You have the right to refuse for your data to be included in a research study. You have the right to access, rectification, erasure, restriction, objection, and data portability for your own personal data under GDPR. Where we have collected your consent for a research project, you have the right to withdraw that consent at any time. You will have received an Information Leaflet when your consent was sought. You can withdraw your consent by contacting the Principal Investigator whose contact details are on the Information Leaflet presented to you.

Withdrawing your consent will have no impact on the quality of the services you are entitled to and that SJOGCS provides to you. The anonymous data derived from the personal data is not considered personal data under the GDPR and therefore does not attract the same rights as personal data.

As research studies are conducted under the amended Health Research Regulations, your consent may not be sought at all times. Any proposed research will be first reviewed and must be approved by a Research Ethics Committee prior to commencement of a study. The Research Ethics Committee is a body independent from SJOGCS.

How long do we retain your data for?

We are obliged to retain certain information to ensure accuracy, to help maintain quality of service and for legal, regulatory, fraud prevention and legitimate operational purposes. Other information will be retained for no longer than is necessary for the purpose for which it was obtained by us or as required or permitted for legal, regulatory, fraud prevention, and legitimate operational purposes.

We will not hold your personal information in an identifiable format for any longer than is necessary for the purposes for which we collected it.

International Data Transfers

We do not transfer your personal information outside of Europe. All information you provide to us is stored on our secure servers which are located within the European Economic Area (EEA).

If at any time we transfer your personal information to, or store it in, countries located outside of the EEA we will amend this policy and notify you of the changes. We will also ensure that appropriate safeguards are in place for that transfer and storage as required by applicable law. This is because some countries outside of the EEA do not have adequate data protection laws equivalent to those in the EEA.

Do we use automated decision making and profiling?

No. SJOGCS does not use automated decision-making and profiling.

What are your rights in regard to your personal data?

You have the right of access to your personal data which has been collected, and to exercise that right easily and at reasonable intervals, to be aware of and verify the lawfulness of the processing. This includes the right for you to have access to data concerning your health, for example, the data in your medical records containing information such as diagnoses, examination results, and assessments by treating physicians and any treatment or interventions provided. The GDPR entitles you to the following rights in relation to your personal data:

  • The right to access a copy of the personal data we hold about you.
  • The right to require us to rectify any inaccurate personal data about you without undue delay.
  • The right to have us erase personal data we hold about you in circumstances such as where it is no longer necessary for us to hold the personal data or, in some circumstances, if you have withdrawn your consent to the processing. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  • The right, in certain circumstances, to object to us processing personal data about you.
  • The right to ask us to provide your personal data to you in a portable format or, where technically feasible, for us to port that personal data to another provider, provided it does not result in a disclosure of personal data relating to other people.
  • The right, in certain circumstances, to request a restriction of the processing of your personal data.
  • Where our processing of your personal data is based on your consent to that processing, you have the right to withdraw that consent at any time but any processing that we have carried out before you withdrew your consent remains lawful.
  • The right to lodge a complaint with the Data Protection Commission if you are dissatisfied with the manner in which your data is being processed. The local Supervisory Authority in Ireland is the Data Protection Commission. You can lodge a complaint by clicking here.

You may exercise any of the above rights by using the contact details in the “How Can You Contact Us” section below. You may be invited to provide us with the following to facilitate your request:

  1. A description of the records, information or time periods that you require.
  2. Provide full personal contact details.
  3. Provide a copy of one form of identification, i.e., passport or driver’s licence in the event that we require confirmation of identity to ensure provision of accurate information.

Data Security

We take the security of your personal information seriously and take reasonable steps based on good industry practice to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. We use technology such as firewalls and encryption to keep your data safe. We also have policies and procedures for staff in relation to access control and passwords.

Changes to this privacy statement

This notice may change from time to time, and any changes will be posted on our site and will be effective when posted. Please review this notice each time you use our site or our services. This notice was last updated on 12/07/2023.

How can you Contact Us?

You may exercise any of your rights by contacting the DPO at Saint John of God Community Services clg, Stillorgan, Co Dublin by e-mail: dpocs@sjog.ie.

You may request additional information regarding a research study you are taking part in by contacting the Principal Investigator whose contact details are on the information leaflet.

If you are dissatisfied with the manner in which your personal data is being processed, you may lodge a complaint with the Data Protection Commission. You can do so by clicking here.