1. WHO ARE WE?
We are St John of God Hospital CLG (“SJOGH CLG”) with an address at Granada, Stillorgan Road, Stillorgan, Co. Dublin. We are part of the St John of God Hospitaller Services Group, which has its headquarters in Rome.
St John of God Hospital CLG is the data controller who determines the purposes and means of the processing of personal data for both St John of God Hospital and St Joseph’s Centre Shankill. Personal data may be collected directly by our staff, but in some circumstances by medical consultants, or other healthcare professionals who are involved in your treatment.
SJOGH CLG provides mental health services to private and public patients in Ireland. St Joseph’s Shankill provides person-centred care to our residents living with dementia specific needs, a copy of their privacy notice can be read at St Joseph’s Shankill | Dedicated to dementia care.
This notice sets out the basis on which any personal data we collect from you, or from others, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.
For Data Protection related queries, our Data Protection Officer can be contacted by:
Email: [email protected]
Post: Data Protection Officer, St John of God Hospital, Stillorgan, Co. Dublin, A94 FH92
2. WHAT PERSONAL INFORMATION DO WE COLLECT FROM YOU?
We have set out below, the types of personal and special category data which SJOGH CLG may collect.
“Personal data” means any information relating to you which allows us to identify you, such as, your name, contact details, payment details and information about your use of the Hospital’s services. Personal data does not include data where the identity of the individual has been removed, i.e., anonymous data.
“Special category data” refers to more sensitive personal data which requires a higher level of protection, such as data relating to your health, religious beliefs, or political opinions. This sensitive data can only be processed under strict conditions.
Category | Personal Data Processed |
|---|---|
Personal Data | |
Patient Details | When you become a patient of the Hospital and throughout your time as a patient, we will collect:
|
Next of Kin/Visitors Details | If you are one of our patients’ next of kin or a visitor of the Hospital, we may collect:
|
Referrer & General Practitioner Details | Where an individual is referred to our services, we may collect:
|
Financial and Insurance Details | Where you are a patient of the Hospital, we may collect:
|
Website User Details | When you access our website, we may collect:
|
Fundraiser Details | Where you choose to become a donor or fundraiser:
|
Communications Data | Where you correspond with us by phone, e-mail, via our websites, or social media pages, we may collect:
|
Cookie Data | Where you accept cookies on our website, we will collect:
It is never our aim to identify any one individual through the collection of cookie data. |
Job Applicants Details | Where you apply for a position at SJOGH CLG, we will collect:
|
Supplier Details | Where suppliers provide us with services, we will collect:
|
CCTV Data | Where you are a patient, visitor or an employee of the Hospital we may collect:
|
Special Categories of Data | |
We will only collect and process special categories of data where it is necessary to provide you with the services you require and as part of a contract with health professionals. | |
Health & Medical Details | When you become a patient of the Hospital and throughout your time as a patient, we will collect:
|
3. WHAT INFORMATION ABOUT YOU DO WE OBTAIN FROM OTHERS AND WHERE DO WE GET THIS INFORMATION?
When you use our healthcare services, we may obtain some of the above categories of personal data, such as, reasons for referral, medical history and medications information, contact details, etc. from others, including:
Other hospitals and service providers (where you are being referred to us from another hospital or service provider)
Your referring GP or your consultant
Your family members, carers and/or next of kin
4. PURPOSES FOR COLLECTION AND OUR LAWFUL BASES FOR PROCESSING
In most cases, we collect information from you for the primary purpose of providing care and treatment to you and for associated administrative processes, for example, arranging payment for the services. Your personal data will be processed as part of our contract with you to provide you with these services. We are also obliged to record certain patient information under the Mental Health Act 2001 approved centre regulations.
The processing of special category data may also be necessary for reasons of public interest in the area of public health. If the purpose of the processing is for a reason other than the reasons outlined, we will seek explicit consent to process your special category personal data.
Below we have outlined what we do with your personal data, why we do it (the purpose) and our legal basis for processing.
Process | Why We Do It | Personal Data Involved | Our Legal Basis |
|---|---|---|---|
Collect pre-admission information from your GP or consultant in the context of a referral | To carry out the referral process |
| Performance of a Contract |
Add you to our waiting lists | So that we can offer you or your loved one a place as soon as one becomes available. |
| Performance of a Contract |
Contact you in relation to queries and appointments | To ensure your queries are answered and that you are kept up to date about upcoming visits. |
| Performance of a Contract |
Manage admissions and bookings | This is necessary for hospital administration & admission and to provide you with the healthcare you wish to receive. |
| Performance of a Contract Protection of Vital Interests For the provision of Health, Social Care, Treatment, and Management of our Services. |
Insurance and payment | To verify insurance cover with the patient’s insurer or other third party responsible for the payment of treatment. |
| Performance of a Contract |
Generate invoices | Following completion of your treatment, medical records are used to ensure that you are billed correctly. |
| Performance of a Contract |
Manage and deliver your care and treatment | To provide care and treatment to you. |
| Performance of a Contract For the provision of Health, Social Care, Treatment, and Management of our Services. Legal Obligation – Mental Health Act 2001 |
Document your data during your treatment and time as a patient | To maintain up-to-date clinical records regarding each patient’s treatment on our various systems. Our healthcare professionals may use a digital dictation system to facilitate this process. |
| For the provision of Health, Social Care, Treatment, and Management of our Services. |
Generate prescriptions and ordering medication | To accurately prescribe and administer medication required as part of each patient’s treatment. |
| For the provision of Health, Social Care, Treatment, and Management of our Services. |
Handover Sheets | To document patient wellbeing, progress, and status to assist and facilitate handovers among Hospital staff during shift changes. |
| For the provision of Health, Social Care, Treatment, and Management of our Services. |
Conduct multi-disciplinary team meetings | To discuss patient treatments, diagnoses, etc., with healthcare specialists to ensure patient treatment is based on best practice. |
| For the provision of Health, Social Care, Treatment, and Management of our Services. |
Transfers to other or alternative healthcare providers | If you engage with an alternative healthcare provider, we will provide a copy of your clinical record to you or the alternative healthcare provider (on your behalf). |
| For the provision of Health, Social Care, Treatment, and Management of our Services. |
Patient discharge | To draft relevant discharge documentation and communicate with your referring GP or consultant in order to facilitate the provision of ongoing healthcare. |
| For the provision of Health, Social Care, Treatment, and Management of our Services. |
Carry out patient satisfaction surveys | To ensure patient satisfaction or manage areas of dissatisfaction. |
| Our Legitimate Interests |
Manage and investigate complaints | Where you make a formal complaint, we will use your data to investigate the complaint and carry out our formal complaint procedure |
| Our Legitimate Interests |
Carry out health research studies | To help develop understanding about health risks and causes to develop new treatments. | Health & Medical Details | Your Explicit Consent or in accordance with the HRR. |
Carry out Retrospective Chart Review studies | To help develop understanding about health risks and causes to develop new treatments. | Health & Medical Details | Our Legitimate Interests Public Interest, Scientific, Historical Research Purposes |
Conduct clinical audits | To improve and advance treatment and care and to ensure best practice and for quality assurance and improvement purposes. | Health & Medical Details | Our Legitimate Interests |
CCTV recording | For security and health and safety purposes. | CCTV Data | Our Legitimate Interests |
Communicate with you as part of our relationship with you or as per our contract with you as a supplier |
| Supplier Details | Performance of a Contract |
Carry out fundraising and marketing activities | To keep you up to date with events and other news. |
| Your Consent |
Process job applications | To determine if you’re the right fit for an open role. | Job Applicant Details | Our Legitimate Interests |
5. OUR WEBSITE
When visiting our website, we will not attempt to identify you as an individual user or collect personal information from you.
We may sometimes include on our website, links to third party websites. We are not responsible for the content or privacy practices employed by websites that are linked from ours.
With your permission, our website uses certain cookies including analytics cookies. With regard to analytics cookies, we are committed to using this cookie information in the most privacy-centric way possible, meaning that we will never combine analytics cookie data for other purposes such as targeted advertising, marketing, tracking or profiling individuals and/or to track you across devices, browsers, or through your Google account. We have set analytics cookies to the most basic setting which simply allows us to understand basic insights about how individuals interact with our website.
For further information, our cookie policy can be accessed here.
6. WHO DO WE SHARE THIS INFORMATION WITH?
We will only use or share your personal information for the primary purposes for which it was collected, for directly related secondary purposes which you might reasonably expect (or that we have told you), or as required or permitted by law. We may also share your personal data with our selected business associates, suppliers and contractors (data processors) to provide you with our services. This may include, for example:
Medical Professionals including your GP, occupational therapists, dentists, dieticians, opticians and other carers.
Our Pharmacy Partners
Our Catering Services
Our Accounting Software Providers
Our Digital Dictation System Providers
Our Online Psychometric Assessment Providers
Our Electronic Patient Health Record Providers
Our Incident Management Platform
Our Recruitment Platform Providers
Our Web Hosting Providers
Our Analytics Cookie Provider (this information will not identify you).
Our Storage and Archiving/Shredding Providers
Our Professional Advisers, such as legal advisors, insurance advisors, etc.
Your Insurance Company, where you have given us the details to pay for your treatment.
In addition, we may disclose your personal information:
If we are under a duty to disclose your information in order to comply with a legal obligation or where there is a requirement to report to a statutory agency, for example:
To the Mental Health Commission
To HIQA
The Irish Medicines Board
To the Revenue Commissioners
To Tusla
The Gardaí or other law enforcement agencies
As part of a project with other companies in the St John of God Hospitaller Services Group.
Where the healthcare professional reasonably believes the use or disclosure of your personal data is necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety.
In order to enforce or apply our terms of use and other agreements or to protect our rights, property, or the safety, our customers, or others. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
If we, or substantially all of our assets are acquired by a third party, information held by us about our customers and service users will be one of the transferred assets.
7. TRANSFERS OUTSIDE OF THE EUROPEAN UNION OR EUROPEAN ECONOMIC AREA
In limited circumstances, we may need to transfer your personal data outside of the European Economic Area (EEA). For example, where the recipients of personal data described in Section 6 are located in countries outside of the EEA.
In such cases, we will ensure that any transfer of your personal data to countries outside the EEA is subject to appropriate safeguards meaning that your personal data will receive the same level of protection as within the EEA and under the principles set out in this Privacy Notice. We willy rely on the following safeguards:
Adequacy Decisions
European Standard Contractual Clauses (“SCCS”)
In limited circumstances, where the transfer is permitted by applicable data protection laws.
The European SCCs are contractual clauses approved by the European Commission that ensure appropriate data protection safeguards when personal information is transferred from the EEA to third countries. They can be viewed here.
8. HOW LONG DO WE KEEP HOLD OF YOUR INFORMATION?
The time periods for which we retain your information depends on the type of information and the purposes for which we use it. We will keep your information for no longer than is required or permitted.
To determine the appropriate retention period for personal data, we firstly consider applicable legal requirements or whether any statutory retention periods apply. We also consider the volume, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of the information, the purposes for which we process the data and whether we can achieve those purposes through other means. Additionally, we have a Policy and Schedule in relation to the Retention of Records that aligns with the HSE 2013 Retention Schedule and other industry standard guidelines.
9. AUTOMATED DECISION–MAKING AND PROFILING
SJOGH CLG does not carry out Automated Decision Making or Profiling activities.
10. WHAT ARE YOUR RIGHTS WITH RESPECT TO YOUR PERSONAL DATA?
You have the following rights:
The right to request a copy of and access the personal data we hold about you.
The right to request us to rectify any inaccurate personal data about you without undue delay.
The right to request that we erase any personal data we hold about you in circumstances, such as, where it is no longer necessary for us to hold the personal data or, in some circumstances, if you have withdrawn your consent to the processing.
The right to object to the processing personal data about you, such as, processing for profiling or direct marketing purposes.
The right to ask us to provide your personal data to you in a portable format or, where technically feasible, for us to port that personal data to another provider provided it does not result in a disclosure of personal data relating to other people.
The right to request a restriction of the processing of your personal data.
The right to withdraw your consent where you have previously provided it for certain purposes. This will not affect the lawfulness of the processing prior to your withdrawal.
You may exercise any of the above rights by contacting the DPO using the details set out at Section 13.
You also have the right to lodge a complaint with your local supervisory authority with respect to our processing of your personal data. The local Supervisory Authority in Ireland is the Data Protection Commission. The website is www.dataprotection.ie
HOW TO MAKE A DATA SUBJECT ACCESS REQUEST
Requests for access to personal data should be made to the Data Protection Officer or the Medical Records Officer. To ensure that we can action your request as quickly as possible, we ask that you include the following information in your request:
Identify the records or information that you require.
Provide full personal contact details.
Provide a copy of one form of identification, i.e., passport or driving licence.
If you are making a request on behalf of another individual, we will require written authority from that individual in order to release their records to you.
11. FUNDRAISING AND MARKETING MESSAGES
If you have opted-in to receive marketing communications from SJOGH CLG, we will use the details you provide to us to send you updates on upcoming events, fundraisers etc., happening at SJOGH.
You have the right to ask us not to process your personal details for such purposes and you can change your mind and ‘opt out’ of receiving marketing updates at any time.
HOW TO OPT-OUT
To do so, simply click the ‘unsubscribe’ button located at the bottom of any email which you receive from us.
Alternatively, send us an email, writing “unsubscribe” in the subject heading to [email protected]
Please note that opting out of marketing messages will not stop service communications.
12. WHAT WILL HAPPEN IF WE CHANGE OUR PRIVACY NOTICE?
This notice may change from time to time, and any changes will be posted on our site and will be effective when posted. Please review this notice each time you visit our website or use our services. This notice was last updated in September 2024.
13. HOW CAN YOU CONTACT US?
For Data Protection related queries, our Data Protection Officer can be contacted by:
Email: [email protected]
Post: Data Protection Officer, St John of God Hospital, Stillorgan, Co. Dublin, A94 FH92
14. CORONAVIRUS AND DATA PROTECTION
All measures taken in response to Coronavirus involving the use of personal data, including health data, will be necessary and proportionate. Where SJOGH Clg. is acting on the guidance or directions of public health authorities, or other relevant authorities, Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 will permit the processing of personal data, including the sharing of limited health data, (e.g. reporting results of Coronavirus testing, personal data in relation to the provision of vaccinations to staff, list of staff vaccinations), once suitable safeguards are implemented. Such safeguards may include limitation on access to the data and strict time limits for erasure.
Employers will also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended). This obligation, together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so.
