Privacy Statement

In line with its accountability obligation, RVEEH as a funded Hospital by the HSE is required to comply with provisions under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. For ease of reference, this Online Privacy Statement sets out the Hospital’s position with respect to the processing of patient and other individuals’ personal information. All personal data collected and stored are treated with the highest degree of confidentiality and respect. RVEEH will, in all cases, manage your personal information contained in clinical and administrative data sets in accordance with the General Data Protection Regulation.

Personal data can be defined as any information about an individual being a patient, visitor or employee of the Hospital that that enables such to be identified. Personal data includes obvious information such as name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers. If you are a patient, in order to provide you with the required health care services, RVEEH will need to collect and use your personal information for the provision of patient care. For non-patients, in order to enable RVEEH to engage with you for the relevant primary purpose, RVEEH may need to collect and use your personal information. Sometimes we may need to collect information about you from a third party; however, we will only do this where it is not reasonable or practical for us to collect this information directly from you. If you provide incomplete or inaccurate information to us or withhold personal information from us, we may not be able to engage with you as required to meet your specific health needs.

As Controller of personal data, your personal data will be processed by us under at least one of the following justifiable conditions.

• Article 6(1)(c) “Processing is necessary for compliance with a legal obligation to which the Hospital as a Controller of personal data is subject” e.g., compliance with the Health Act, Health and Safety Act, Children First Act etc.
• Article 6(1)(b) GDPR “processing necessary for performance of contract” with the data subject (e.g. in the case of private patients) or Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest (e.g. in the event of a pandemic) or in the exercise of official authority vested in the Hospital as Controller, or Article 6(1)(f) – processing is necessary for the purposes of legitimate interests (e.g. improving patient care).
• Article 9(2)(h) GDPR– ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and service…’ or Article 9(2)(i) – ‘processing is necessary for reasons of public interest in the area of public health, such as…ensuring high standards of quality and safety of health care…’
• Data Protection Act 2018, Section 52(1) (a) – ‘for the purposes of preventative or occupational medicine’, Section 52(1) (d) ‘for the provision of medical care, treatment or social care’ and/or Section 52(1) (e) ‘for the management of health or social care systems and services’ which allows patient information to be used for clinical audit provided that appropriate measures are taken to safeguard the fundamental rights of patients, staff, and visitors.
• Data Protection Act 2018, Section 53(b) – ‘ensuring high standards of quality and safety of health care…’

This includes but may not be limited to;

• Name, Contact Details, Date of Birth, Details of your GP, Details of Next of Kin, etc;
• Where required, we may collect information regarding your family history, ethnic background (where appropriate) or your current lifestyle to assist the health care team in diagnosing and treating your condition;
• For Health insurance purposes, we will collect your financial details, if you have health insurance and wish to avail of private patient care;
• Image data which includes CCTV footage;
• Clinical information which includes x-rays, diagnosis, treatments, prescriptions, procedures, notes and reports about your health etc.;
• Information about those who care for you and know you well e.g. family members, health care professionals etc.

We may obtain your personal information in a number of ways. First, directly from you either in person, over the phone or using a specific form or email you have completed. There may be situations where for example, you are brought to the Hospital’s Emergency Department but being unconscious or unable to communicate, we will need to obtain information from other sources such as family members, carers, GPs, community services or other facilities in order for us develop a full picture regarding your current status and needs.

At RVEEH, we will only collect and process personal information from you that is reasonably necessary to provide you where appropriate with effective patient care as well as administrative and internal business purposes related to your attendance at RVEEH. Often this may include collecting information about your health history. We will usually collect your health information directly from you. Sometimes, we may need to collect information about you from a third party (such as a relative or another health service provider).We will use your personal information in the following ways;

• To assist in making the right decision regarding your care and ensure that your treatment is appropriate, safe and effective,
• To collaboratively work with colleagues and partners in other organisations who may be involved in your care,
• To support the health of the general public,
• To carry out period review of healthcare we provide to you. This is known as an audit and is aimed at provided to improve service quality and ensure future service needs are met,
• As an academic institution, we may use your information to train healthcare professionals e.g. Junior Doctors, Nurses, Researchers etc.
• To provide reports to external agencies as required
• To facilitate and assist health research. In keeping with requirements under the Health Research Regulation, where you consent to your personal data being used for health research, the Hospital undertake to protect your personal information by either pseudonymising (this means partly de-identifying your personal information before it is used or shared) or anonymising (removing all traces of personally identifiable information before it is used or shared. Where this is not possible you will be asked to give your consent before your personal information is used).

As a rule, RVEEH will only use your personal information for the primary purpose for which you have disclosed it to us, unless one of the following applies:

A secondary purpose for processing has arisen and its related to the primary purpose for which you disclosed your personal information to us. For example, we may need to disclose your personal data to other health or public bodies,

You have given us consent to use your personal data for another purpose, e.g. health research,

RVEEH is required or authorised by Union or member state law to disclose your personal data,

Personal data disclosure by RVEEH will prevent or lessen a serious and/or impending threat to life, health or safety of an individual or the public at large (e.g. prevent outbreak of disease),

Personal data disclosure is necessary for the investigation or prevention of crime,

Related secondary purposes may include but not limited to:

• Disclosure of your personal data among health professionals to facilitate effective provision of treatment;
• Recruitment and selection;
• Assessment for provision of health care services;
• Disclosure to your GP (where required) is in accordance with international norms and long-standing medical practice and is intended to inform your doctor of information that may be relevant to any ongoing care or treatment provided by them. If your nominated general practitioner has changed or your general practitioner’s contact details have changed following a previous admission, you must inform the Hospital as soon as possible;
• Other health service providers may require access to a copy of your record. The Hospital may need to provide information about your health records to another medical practitioner or health facility outside RVEEH without your consent in the event of an emergency where your life or health is at risk,
• Relatives, guardian, close friends or legal representative. The Hospital may provide information about your condition to your spouse or partner, parent, child, other relatives, close personal friends, guardians, or a person exercising your power of attorney under an enduring power of attorney or who you have appointed your enduring guardian, unless you tell us that you do not wish us to disclose your personal information to any such person.

Other RVEEH Healthcare Group entities – RVEEH may share your personal information amongst its other Group Hospital’s listed below. For example, this may occur where you are transferred between any of RVEEH’s Healthcare Group hospitals or to coordinate your care. The hospitals include;

• St Vincent’s University Hospital;
• Mater Hospital;
• James’s Hospital;
• Primary Care Centres in the Ireland East catchment area.

Other secondary uses may include review of quality assurance processes, accreditation, audits, risk and claims management, patient experience and satisfaction surveys, staff education and training, invoicing, billing and account management, including storage of provider details on RVEEH billing software. We may also send you standard reminders, for example for appointments and follow-up care, either by text message or email to the contact number or address which you have provided to us.

Where required, we may anonymise or aggregate the personal information that we collect for the purpose of service management; monitoring, planning and development.

Where processing is required for the purpose of health research, we undertake to comply with requirements defined under the Health Research Regulation. Any participation in a trial or research study will require your consent unless such research is public interest based.

The protection of your personal information very important to us. It is a responsibility we take very seriously and as such, we are committed to ensuring that your personal information is kept safe secure with us and with third parties who act on our behalf with whom we may share your information. We have put in place a number of technical security precautions in place to prevent loss, misuse or unauthorised alteration of your information. All staff working for the hospital have a legal duty and responsibility to keep information about you confidential and staff are trained in information security and confidentiality. The Hospital has strict information security policies and procedures in place to ensure that information about you is safe, whether it is held in paper or electronic format. These policies are reviewed periodically to ensure continued fitness for purpose.

There are myriad of reasons why we collect and process your personal data. It may be necessary to retain your personal information in compliance with a contractual or legal obligation. Regardless of the purpose, RVEEH will not keep your personal data for any longer than is necessary in accordance with the purpose(s) for which it was first collected.

Majority of personal data used for day to day healthcare management are stored within the State. Based on the principles of need and purpose, RVEEH may need to store or transfer some or all of your personal data in countries that are outside the European Economic Area (EU member states, including Norway, Iceland, and Liechtenstein). Known as “Third Countries”, these countries may or may not have data protection laws that are as strong as we have in the EEA. Where this happens, RVEEH has taken, and will continue to take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the EEA. We use specific contracts with third parties in Third Countries that are approved by the European Commission for the transfer of personal data to such destinations. These contracts ensure that the same levels of personal data protection safeguards apply under the GDPR extend to these contracts as if the data is located in the EEA.

As a data subject (i.e. someone about whom personal data relates), you have been conferred with specific rights with regards to your personal information. These are;

• The right to establish whether RVEEH stores or holds information about you;
• The right to access your personal data;
• The right to rectification of your personal data where inaccuracies exist;
• The right to erasure of your personal data under certain conditions;
• The right to data portability;
• The right to object to processing of your personal data;
• The right to restrict processing of your personal data;
• Rights in relation to automated decision making, including profiling.

If you want to know what personal data RVEEH has about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). The process for requesting access to a copy of your personal information is known as a “subject access request”.All subject access requests should be made in writing and sent to the email or postal addresses shown in the Contact Us section. The Hospital shall endeavour to respond to your subject access request within the one month defined response threshold. As a default rule, we aim to fully respond to your request including providing you with a copy of your personal data within that timeframe. In some cases, the response may take longer, particularly if the nature of your request is more complex, more time may be required. Response to complex access requests may take a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.

There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs.

You have a right to lodge a complaint in the event of your access request being declined. You can lodge a complaint with the Data Protection Complaint using the address below;By Post: Data Protection Commission,
21 Fitzwilliam Square South,
Dublin 2,
D02 RD28.By Email: info@dataprotection.ieOnline: https://forms.dataprotection.ie/contact.
By Telephone: +353 (0761) 104 800

Method of Communication	To Access Your Information	To Lodge a Complaint	Data Protection Officer
Post	Patient Services Department	Quality and Safety Department	Data Protection Officer
	Royal Victoria Eye & Ear Hospital	Royal Victoria Eye & Ear Hospital	Royal Victoria Eye & Ear Hospital
	Adelaide Road	Adelaide Road	Adelaide Road
	Dublin 2	Dublin 2	Dublin 2
	D02 XK51	D02 XK51	D02 XK51
Email	patientservices@rveeh.ie	qualityandsafety@rveeh.ie	dpo@rveeh.ie
Telephone	+353 1 664 4600	+353 1 708 8549

RVEEH reserves the right to amend this without notice to end users at any time, for any reason, and will signal a change by revising the “Last updated” date at the bottom of this page.This page was last updated on 12 November 2019.