St James’s Hospital in its role as an academic teaching hospital, holds a great deal of information about the people who attend and work here.
The way in which we manage this personal information is governed by the Data Protection Acts 1988 to 2018 and the European General Data Protection Regulation, 2016 (GDPR). We are committed to the principles of transparency, accountability and security set out in the legislation.
The hospital’s commitment to managing personal data in accordance with legislation is underpinned by the hospital’s data protection policy.
The General Data Protection Regulation (GDPR) came into force across the European Union on the 25th of May, 2018. It standardises and strengthens the right of all European citizens to data privacy. GDPR emphasises transparency, security and accountability for organisations that collect, use, share and store personal data. At the centre of the regulation is the requirement for organisations to be fully transparent about how they are using and safeguarding personal data and to be able to demonstrate accountability for their data processing activities.
While many of the main concepts and principles of GDPR are much the same as those in the previous Data Protection Acts, GDPR introduced new elements and significant enhancements which St James’s Hospital is required to comply with.
St James’s Hospital processes significant amounts of personal data and special category personal data relating to our patients, staff, students, and other individuals. People are increasingly aware of their rights and expect organisations to protect their personal data.
The GDPR places obligations and responsibilities on how the hospital collects, uses and protects personal data. At the centre of the regulation is the requirement for the hospital to be fully transparent about how we are using and safeguarding personal data and to be able to demonstrate accountability for data processing activities.
The GDPR applies to the processing of personal data*. The definition of personal data however, specifically includes information such as identification (ID) numbers and internet protocol (IP) addresses that can be used to identify a person online. In practice, any data about a living person who can be identified from the data available (or potentially available) will count as personal data.
Stronger safeguards and requirements are required for sensitive personal data (referred to as ‘special categories of data’ under the GDPR). This refers to data falling under the following categories:
Personal data falling under these categories can be processed only under specific circumstances which are described in Article 9(2) of the GDPR.
*Personal data is defined as:
“Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular in reference to an identifier such as name, an identification number location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The GDPR provides the following rights for individuals:
The Data Protection Commissioner has a useful Guide to the Rights of Individuals under the General Data Protection Regulation (GDPR) available here
You can request a copy of any personal data the hospital holds on you. This is known as a subject access request (SAR). These requests are processed by the Access to Information Office.
Requests must be received in writing either by email or post and must be accompanied by proof of identity. The SAR form will be emailed to you upon request.
Yes, St James’s Hospital has a data protection officer. Our data protection officer monitors how we collect, use, share and protect information to ensure data subject rights are fulfilled. You can contact our data protection officer at contact details listed above.