About this Notice
St James’s Hospital is committed to ensuring the privacy and confidentiality of your personal information.
St James’s Hospital must comply with the General Data Protection Regulation (GDPR) and the Data Protection Acts 1988 and 2018. The 1988 Act was amended by the Data Protection (Amendment) Act 2003. The 2003 Amendment Act brought our law into line with the EU Data Protection Directive 95/46/EC. The Data Protection Act 2018 brought consequential amendments of certain other enactments and provided for any related matters.
These legal frameworks ensure that the hospital handles your personal information (including but not limited to patient health information).
The purpose of this privacy notice is to clearly communicate to you how St James’s Hospital handles your personal information. It will give you a better and more complete understanding of the type of personal information that the hospital holds about you and the way we handle that information.
This privacy notice has been developed in accordance with a ‘layered notice’. This means that it offers you the ability to obtain more or less detail about St James’s Hospital’s information handling practices – depending on how much you wish to read, what you need to know and how quickly you need to obtain the relevant information.
If you only require basic information about St James’s Hospital’s information handling practices, you can view our ‘condensed’ privacy notice. This is a summary of how St James’s Hospital collects, uses and discloses your personal information and how you can contact St James’s Hospital if you would like to access or request a correction to any personal information which St James’s Hospital holds about you.
If you require more detailed information about St James’s Hospital’s information handling practices, then you will need to read this document in full.
This privacy notice was last updated in August 2018 and may change from time to time. The most up-to-date copy will be published here or it can be obtained by contacting us on the details set out at the end of this notice.
As mentioned in part one of this privacy notice, St James’s Hospital is required to comply with the General Data Protection Regulation (GDPR) and the Data Protection Acts 1988, 2003 (as amended) and 2018. As part of this, we are regulated by the Data Protection Commissioner (DPC) which acts as a supervisory authority to the hospital.
Data Protection Commission
21 Fitzwilliam Square South
The DPC is an independent public authority which regulates how St James’s Hospital may collect, use, disclose and store personal information and how individuals may access and correct personal information which the hospital holds about them. For ease of reference, this privacy notice sets out the hospital’s position with respect to patient and other individuals’ personal information separately but we treat each group equally.
In this privacy notice, we use the terms:
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Primary purpose” means the specific function or activity for which the information is collected. Any use or disclosure of the personal information for another purpose is known as the “secondary purpose”.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Binding corporate rules” means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
“Supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51.
This privacy notice applies to St James’s Hospital’s collection and use of personal information from patients, visitors, next-of-kin, nominated support persons, referring doctors, all staff both clinical and support services such as accredited health professionals, contracted health professionals, trainees (including medical professionals including registrars, fellows and advanced trainees), approved researchers, students undertaking training placements in our facilities, contractors, suppliers, and service providers engaged by us, medical representatives attending our facilities and other individuals engaged by or providing services to the hospital.
In order to provide you with the required health care services St James’s Hospital will need to collect and use your personal information.
In order to enable St James’s Hospital to engage with you for the relevant primary purpose, St James’s Hospital may need to collect and use your personal information. If you provide incomplete or inaccurate information to us or withhold personal information from us we may not be able to engage with you as required to meet that primary purpose.
We collect personal information from you that is reasonably necessary to provide you with health care services and for administrative and internal business purposes related to your attendance at St James's Hospital.
Often this may include collecting information about your health history, family history, your ethnic background or your current lifestyle to assist the health care team in diagnosing and treating your condition.
We will usually collect your health information directly from you. Sometimes we may need to collect information about you from a third party (such as a relative or another health service provider).
Your personal information, which may include diagnostic data, will be taken during your engagement with the hospital for the purpose of assisting or recording developments in your treatment. This data may take many forms, for example standard laboratory information, sleep studies, and image information from areas such as radiology and endoscopy. St James's Hospital will, in all cases, manage your personal information contained in these clinical images in accordance with the General Data Protection Regulation and this privacy notice.
We collect personal information from you that is reasonably necessary to engage with you for the primary purpose, including the provision of services by St James's Hospital, for St James's Hospital's functions or activities and for administrative and internal business purposes related to your dealings with St James's Hospital.
We will usually collect your personal information directly from you. Sometimes we may need to collect information about you from a third party, however we will only do this where it is not reasonable or practical for us to collect this information directly from you.
St James's Hospital may store the personal information we collect from you in various forms. St James's Hospital will comply with the GDPR, and this privacy notice, in respect of your personal information in whatever form that information is stored by us.
Storage of personal information may be in physical (paper) form and may also include storage through electronic systems for storage of personal information (including clinical images taken for diagnostic or treatment purposes) on some diagnostic equipment where you have undergone a diagnostic procedure using such equipment in St James's Hospital.
Personal information may be stored in various forms including electronic and/or paper systems in accordance with usual practices, and subject to the purposes of your engagement with St James's Hospital.
St James’s Hospital only uses your personal information for the primary purpose for which you have given the information to us, unless one of the following applies:
The secondary purpose is related (or for sensitive information, directly related) to the primary purpose for which you have given us the information and you would reasonably expect, or we have told you, that your information is usually disclosed for another purpose or to other individuals, organisations or agencies (see related secondary purposes set out below);
you have consented for us to use your information for another purpose, for example research;
St James’s Hospital is required or authorised by law to disclose your information for another purpose (see related secondary purposes set out below);
the disclosure of your information by St James’s Hospital will prevent or lessen a serious and/or imminent threat to somebody’s life, health or safety or to public health or public safety; or
the disclosure of your information by St James’s Hospital is reasonably necessary for the enforcement of a criminal law or a law imposing a penalty or sanction, or for the protection of public revenue.
St James’s Hospital may use or disclose your personal information as specified above via electronic processes, where available or relevant.
Related secondary purposes include:
The following is a list of examples of related secondary purposes for which St James’s Hospital may use your personal information, but it is not an exhaustive list.
Patient specific examples:
(a) Use among health professionals to provide your treatment
Modern health care practices mean that your treatment will be provided by a multi-disciplinary team of health professionals working together.
You may be referred for diagnostic tests such as pathology or radiology and our staff may consult with senior medical experts when determining your diagnosis or treatment. With developments in technology (e.g. telemedicine) our staff may consult with health professionals and medical experts, both public and private, located remotely, including outside St James’s Hospital, in relation to your diagnosis or treatment, including by sending health information and clinical images electronically. Our staff may also refer you to other health service providers, both public and private, for further treatment during and following your admission (for example, to a physiotherapist or outpatient for community health services). We may disclose your personal information to the relevant provider to the extent required for any such referral (including disclosing that information electronically).
Your personal information will only be disclosed to those health care workers involved in, or consulted in relation to, your treatment and associated administration and to the extent required to meet that purpose.
These health professionals will share your personal information as part of the process of providing your treatment.
We will only do this while maintaining confidentiality of this information and protecting your privacy in accordance with the law.
As part of your care, we may be required to disclose your information to third party medical suppliers for the purpose of ordering specific products or to enable appropriate follow up, for example, if you require prosthesis, certain pharmaceutical treatments or other medical implantable products as part of your treatment.
(b) Assessment for provision of health care services
St James’s Hospital may collect your personal information for the purpose of assessing your suitability for health care services at St James’s Hospital. Where personal information is collected and you do not become a patient of the hospital, your personal information may be retained. Where your assessment has been conducted at the request of your GP, St James’s Hospital will report the outcome of the assessment to that GP as it may be relevant to any ongoing treatment or care provided to you by them.
Where you undergo assessment or treatment by a third party provider (for example Radiotherapy in St Luke’s Hospital) during your admission to St James’s Hospital for the purpose of transferring your care to that third party, St James’s Hospital may disclose your personal information to the third party provider for that purpose.
(c) Your local doctor
St James’s Hospital will usually send a discharge summary to your referring medical practitioner or nominated general practitioner following an admission. This is in accordance with international norms and long-standing medical practice and is intended to inform your doctor of information that may be relevant to any ongoing care or treatment provided by them. This discharge summary may be sent to your referring medical practitioner or general practitioner electronically.
If your nominated general practitioner has changed or your general practitioner’s details have changed following a previous admission, you must let us know.
(d) Other health service providers
If in the future you are being treated by a medical practitioner or health care facility that needs to have access to the health record of your treatment, we will provide a copy of your record to that medical practitioner or health care facility, provided this request is processed in the correct manner.
We may provide information about your health records to another medical practitioner or health facility outside St James’s Hospital without your consent in the event of an emergency where your life or health is at risk.
(e) Students and trainees
(f) Relatives, guardian, close friends or legal representative
We may provide information about your condition to your spouse or partner, parent, child, other relatives, close personal friends, guardians, or a person exercising your power of attorney under an enduring power of attorney or who you have appointed your enduring guardian, unless you tell us that you do not wish us to disclose your personal information to any such person.
(g) Other common uses
In order to provide the best possible environment in which to treat you, we may also use your personal information where necessary for:
activities such as quality assurance processes and service evaluations to assess standards of care, accreditation, clinical audits, risk and claims management, patient experience and satisfaction surveys and staff education and training;
invoicing, billing and account management, including storage of provider details on St James’s Hospital billing software;
the purpose of complying with any applicable laws – for example, in response to a subpoena or compulsory reporting to State authorities (for example, National Cancer Registry);
the purpose of sending you standard reminders, for example for appointments and follow-up care, by text message or email to the number or address which you have provided to us; and
we may anonymise or aggregate the personal information that we collect for the purpose of service management, monitoring, planning and development.
(h) Other uses with your consent
To identify patients who might be suitable for clinical trials/research. While the primary purpose of the hospital is the treatment of patients, the hospital is also an institute of learning and innovation for clinical staff and conducts research in support of the continued development of future health treatments. There are strict regulations surrounding research and how it may be conducted. Suitable participants will be given full information about the research/trial and asked for consent to participate as per Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018.
Research using patient medical records (known as Retrospective Chart Reviews)
Research using patient medical records is only conducted by healthcare professionals. Medical records are reviewed but no direct patient contact is required. You will not be asked to give your explicit consent. Your personal information will be protected by being fully anonymised or given a unique code so that your name does not appear alongside the information or in any of the results of the research.
Other non-patient specific examples:
St James’s Hospital does use camera surveillance systems (commonly referred to as CCTV) throughout our organisation for the purpose of maintaining the safety and security of its staff, patients, visitors and other attendees. St James’s Hospital’s CCTV systems may, but will not always, collect and store personal information. St James’s Hospital will comply with the GDPR and this privacy notice in respect of any personal information collected via its CCTV systems.
(j) Contractors under agreement
St James’s Hospital may provide, or allow access to, personal information to contractors engaged to provide professional services to St James’s Hospital (e.g. Information Communication Technology providers) or to contractors to whom aspects of our services are outsourced. Where we outsource any of our services or hire contractors to perform professional services within our hospitals, this will be done as part of a Service Provider Agreement which contains a data sharing component that complies with the GDPR and, where applicable, our privacy notice.
(k) Application for accreditation by health professionals
St James’s Hospital collects personal information from health professionals seeking accreditation and submitting to the credentialing process. Personal information provided by health professionals in this context is collected, used, stored and disclosed by St James’s Hospital for the purposes of fulfilling its obligations in connection with the accreditation sought.
(l) Job applications
St James’s Hospital collects personal information of job applicants who have responded to an advertised position for the primary purpose of assessing and (if successful) engaging applicants. The purpose for which St James’s Hospital uses personal information of job applicants includes:
managing the individual’s employment, engagement or placement;
insurance purposes; and
ensuring that it holds relevant contact information.
St James’s Hospital may also store information provided by job applicants who were unsuccessful for the purposes of future recruitment or employment opportunities.
(m) Students / Trainees
St James’s Hospital collects personal information of students or trainees on placement for the primary purposes of providing the placement and facilitating assessment. The purposes for which St James’s Hospital uses personal information of students or trainees include:
St James’s Hospital may also store information provided by students or trainees following placement for the purpose of future recruitment or employment opportunities.
(n) Education and community engagement
St James’s Hospital may offer opportunities for health practitioners to participate in educational events or seminars for the purpose of continuing professional development or community engagement. When you register for or attend an event, St James’s Hospital may collect your personal information for the purpose of providing the service and recording your attendance.
St James’s Hospital may disclose your personal information to third parties for the purpose of confirming your attendance at the event including the provision of attendance records or certification.
(o) Clinical Audit
Clinical audit is a quality improvement process that seeks to improve patient care and outcomes through systematic review of care against explicit criteria and the implementation of change.
Aspects of the structure, process and outcomes of care are selected and systematically evaluated against specific criteria. Where indicated, changes are implemented at an individual, team or service level, and further monitoring is used to confirm improvement in healthcare delivery. This is described as the audit loop. The key component of clinical audit is that performance is reviewed (or audited) to ensure that what should be done is being done, and if not it provides a framework to enable improvements to be made. Clinical audit is NOT research.
Clinical audit is at the heart of clinical governance.
Will you tell me if my information is being used in clinical audit?
You will not be contacted directly and you do not need to give your consent if we use your healthcare information for a clinical audit.
This is because your name and personal details are either not used or kept confidential and are not included in the audit findings and audit report.
Sometimes a clinical audit involves patients taking an active part in the audit process and your personal details are an important part of the audit. In this type of audit you will be asked to give your consent.
You have the right to have access to the personal information that we hold about you (for patients, this includes health information contained in your health record). You can also request an amendment to personal information that we hold about you should you believe that it contains inaccurate information. The request will be reviewed with the relevant parties.
St James's Hospital will allow access or make the requested changes unless there is a reason under the GDPR or other relevant law to refuse such access or refuse to make the requested changes.
If we do not agree to change your personal information in accordance with your request, we will permit you to make a statement of the requested changes and we will enclose this with your personal information.
Should you wish to obtain access to or request changes to your personal information held by St James's Hospital, please contact the Data Protection Office at firstname.lastname@example.org. You can complete a subject access request (SAR) form.
St James's Hospital will take reasonable steps to ensure that your personal information which we may collect, use or disclose is accurate, complete and up-to-date.
St James's Hospital will take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. We use technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect your privacy.
St James's Hospital may enter into arrangements with third parties to store data we collect or to access the data to provide services (such as data processing), and such data may include personal information, outside of the EEA. St James's Hospital will take reasonable steps to ensure that the third parties do not break the GDPR requirements. The steps St James's Hospital will take may include ensuring the third party is bound by privacy protection obligations which are the same (or substantially the same) as those which bind St James's Hospital and requiring that the third party has information security measures in place which are of an acceptable standard and approved by St James's Hospital.
1. St James's Hospital does not agree to provide you with access to your personal information, or
2. You have a complaint about our information handling processes,
you can lodge a complaint with or contact our Data Protection Officer on the details above or directly with the Data Protection Commission. Full contact details can be found in section 2.1 above or on their website www.dataprotection.ie.
This section of our privacy notice explains how we handle your personal information which is collected from our website: www.stjames.ie (collectively website hereafter).
When you use our website, we do not attempt to identify you as an individual user and we will not collect personal information about you unless you specifically provide this to us.
Sometimes, we may collect your personal information if you choose to provide this to us via an online form or by email, for example if you:
A "cookie" is a small bit of data our server sends to your browser that allows our server to identify and interact more effectively with your computer. Cookies do not identify individual users, but they do identify your internet service provider (ISP) and your browser type.
This website uses temporary cookies. This means that upon closing your browser, the temporary cookie assigned to you will be destroyed and no personal information is maintained which will identify you at a later date.
Personal information such as your email address is not collected unless you provide it to us. We do not disclose domain names or aggregate information to third parties other than agents who assist us with this website and who are under obligations of confidentiality. You can configure your browser to accept or reject all cookies and to notify you when a cookie is used. We suggest that you refer to your browser instructions or help screens to learn more about these functions. However, please note that if you configure your browser so as not to receive any cookies, a certain level of functionality of the St James's Hospital website and other websites may be lost.
We may create links to third party websites. We are not responsible for the content or privacy practices employed by websites that are linked from our website.
We will only use personal information collected via our website for the purposes for which you have given us this information.
We will not use or disclose your personal information to other organisations or anyone else unless:
If we receive your email address because you sent us an email message, the email will only be used or disclosed for the purpose for which you have provided it and we will not add your email address to an emailing list or disclose this to anyone else unless you provide us with consent for this purpose.
If we collect your personal information from our website, we will maintain and update your information as reasonably practical and necessary or when you advise us that your personal information has changed.
St James's Hospital is committed to protecting the security of your personal information. We use technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect the privacy of information. We will take all reasonable steps to prevent your information from loss, misuse and alteration.
Health records at St James's Hospital are held in accordance with the 2013 Health Service Policy issued by the HSE. This policy should be read in conjunction with the HSE's Standards and Recommended Practices for Healthcare Records Management and the HSE's National Financial Regulation Retention of Financial Records. Together, these policies help ensure that St James's Hospital is maintaining necessary records for an appropriate length of time. This is a controlled document by the HSE and is subject to change at any time.
Primary purpose - clinical (direct) care.
When personal data is used for care and administrative purposes, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Hospital (GDPR Article 6(1)(e)).
In circumstances where the hospital processes special categories of personal data (including health data), this processing is necessary for the following reasons (GDPR Article 9(2)(h)&(i)).
Where personal data and/or special categories of personal data (including health data) is used to deliver emergency care, for example when an individual presents to the emergency department, processing of data may also be necessary in order to protect the vital interests of the individual (data subject) or of another natural person (Article 9(2)(c)).
Secondary purpose - clinical purposes (indirect)
When there is a legal requirement that we provide specified data to the HSE or to other regulatory bodies such as HIQA, we rely on Article 6(1)(c) of the GDPR: processing is necessary for compliance with a legal obligation to which the hospital is subject.
When personal data is used for a purpose unrelated to that for which the data was originally processed, we will only process this data with consent (Article 6(1)(a) of the GDPR: the data subject has given consent to the processing of his or her personal data for one or more specific purposes).
In most instances we will rely on Article 6(1)(e) as above and Article 9(2)(j) of the GDPR if and when we use information for research. Individuals will be formally consented to take part in research; this will satisfy the duty of confidentiality.
Where we rely on consent as the legal basis for processing, you can withdraw your consent at any time; this follows GDPR Art 6(1)(a), “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”; and Art 9(2)(a), “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes”.
In some circumstances, consent exemptions may be granted by the Health Research Consent Declaration Committee (Health Research Regulations 2018).
Processing of personal data in most cases is necessary for the formation of a contract or processing is necessary for compliance with a legal obligation to which the hospital is subject (GDPR Article 6(1)(b)&(c)).