MUH is committed to protecting and respecting your privacy. MUH values confidentiality as a core personal right of every citizen. MUH take our obligation to protect our patients’ and employees’ privacy very seriously. All patient information, whether oral, written, or electronic, is handled sensitively and confidentially, in accordance with the General Data Protection Regulation, Regulation (EU) 2016/679 and the Irish Data Protection Act 2018, Professional Codes of Practice and all other relevant legislation.
This Privacy Statement explains why and how MUH will use the personal information that MUH have obtained from you or others, with whom the hospital share it and the rights you have in connection with the information MUH use. Please read the following carefully.
2. Glossary of Terms and Definitions
CCTV | Means closed-circuit television and is commonly known as video surveillance. “Closed-circuit” means broadcasts are usually transmitted to a limited (closed) number of monitors, unlike “regular” TV, which is broadcast to the public at large. CCTV networks are commonly used to detect and deter criminal activities, and record traffic infractions, but they have other uses. |
Compliance with a Legal Obligation | Is one of the lawful bases that MUH may rely on when processing personal data. For example, an organisation may be legally required to comply with health and safety standards such as the Safety, Health and Welfare Act 2005. |
Consent | Is one of the lawful bases that MUH may rely on when processing personal data. Means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. |
Cookies | Cookies are small text files that are placed on your computer by the MUH website that you visit. They are used in order to make the website work, or work more efficiently, as well as to provide information to MUH. |
Covert Surveillance | Means a discreet form of monitoring practice that involves the use of CCTV. |
Data Controller | Means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. |
Data Processor | Means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. |
Data Processor Agreement | Means a specific data sharing agreement that data controllers are obliged to have in place with any data processors they engage with. |
Data Protection Laws | Means the relevant data protection legislations applicable to MUH such as the Irish Data Protection Acts 1988 – 2018 and the General Data Protection Regulation 2016/679 (GDPR) (see below). |
Data Sharing Agreement | Means the other forms of data sharing agreements that data controllers may put in place with other entities who are not data processors. |
General Data Protection Regulation 2016/679 (GDPR) | Is also known as the GDPR. The GDPR is a new set of rules designed to give EU citizens more control over their personal data. |
Health Research Regulation 2018 | The Irish Health Research Regulations, formally called the Irish Data Protection Act 2018 (Section 36 (2)) (Health Research) Regulations 2018, provide for “suitable and specific measures” for the processing of personal data for the purpose of health research, to protect the rights and freedoms of research participants. |
International Data Transfers | Means data transfers that take place outside the EU, EEA and non-adequate countries that have been recognised as having similar data protection legislations as that of the EU/EEA. |
Legitimate Interest | Is one of the lawful bases that MUH may rely on when processing personal data. Legitimate interest covers a wide range of interests such as the organisation, third party, commercial or for wider societal reasons. |
Mercy University Hospital (MUH) | Also referred to as MUH, is the hospital responsible for the management of your personal data. |
Performance of a Contract | Is one of the lawful bases that MUH may rely on when processing personal data. For example: an employer and an employee will engage in an employment contract for the purpose of managing the employment relationship. This contract will justify the processing of employee data in an employment context. |
Personal Data | Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. |
Safeguards | Means the different controls and processes MUH may put in place to protect your data. |
Special Category Data | Means certain types of sensitive personal data that are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The following are examples of special category data:
|
Vital Interest | Is one of the lawful bases that MUH may rely on when processing personal data. Means interests that are essential for someone’s life and generally only apply to matters of life and death. |
3. Personal Information MUH Collect About You
- Information that you give us when you enquire about services at MUH or become a patient of ours such as your name, address, contact details (including email address and phone number);
- The name and contact details (including phone number) of your next of kin or relatives;
- Any information you include in correspondence you send to us or in forms you submit to us at MUH;
- Details of your medical history such as details and records of treatment and care, notes, and reports about your health, including any allergies or health conditions, including information relating to clinic and hospital visits and medicines administered;
- Results of diagnostic tests, e.g., x-rays, scans, blood tests;
- Financial information such as your payment card details and, in relation to certain refunds, your bank account details;
- Other relevant information from people who care for you and know you well, e.g., health professionals, relatives, and carers;
- Your identification information when exercising the rights that you have in relation to our processing of your personal information (see further “Your Rights” in relation to your personal information);
- Footage captured from our CCTV operation which is in use at our facilities for health, safety, and security purposes;
- Information about complaints and incidents;
- Information obtained from patient surveys that you have taken part in;
- Information that you give us when you submit a question/comment in relation to our services or website;
- Information you give us when you apply for a job with us (CV, cover letter, contact details);
- Information you give us when you publish public comments on our social media pages, e.g. Facebook, Twitter, LinkedIn;
- Details of your use of its site namely traffic data, weblogs, and statistical data, including where and when you clicked on certain parts of our Site and details of the webpage from which you visited it;
- The date and time you used the MUH Site;
- The pages you visited on the MUH Site and how long you visited us for;
- The website address from which you accessed the MUH website;
- Cookie, pixels, and beacon identification information (for more information please see our Cookie Policy).
- Your GP, other medical professionals including the HSE, other hospitals and health professionals when you transfer or are referred to our service;
- Independent consultants who carry out procedures at MUH;
- Your line manager if you are referred by them for medical assessment and/or treatment.
4. Use of Personal Data
- Photography / Video Consent Form
- General Procedure Consent Form
- Research Projects
- Surveys
You may withdraw your consent at any time. Please see the ‘Your Rights’ section below for further details.
- To keep a record relating to the exercise of any of your rights.
- To take any actions in relation to health and safety incidents, matters of concern required by law.
- To handle and resolve any complaints MUH receive relating to the services we provide.
- MUH may be obliged to comply with Law Enforcement Requests.
- Processing necessary for us to support you with your enquiries;
- To identify and record when you have received, opened, or engaged with its site or social media or other electronic communications (please see our Cookie Policy for more information);
- To respond to correspondence you send to us and fulfil the requests you make;
- Processing is necessary for us to operate the administrative and technical aspects of MUH efficiently and effectively;
- To administer the MUH Site, and its social media pages and for internal operations, including troubleshooting, testing, and statistical purposes;
- For the prevention of fraud and other criminal activities;
- To verify the accuracy of data that MUH hold about you and create a better understanding of you as a patient;
- For network and information security in order for us to take steps to protect your information against loss or damage, theft, or unauthorised access;
- To comply with a request from you in connection with the exercise of your rights;
- For efficiency, accuracy or other improvements of our databases and systems;
- To enforce or protect our contractual or other legal rights or to bring or defend legal proceedings;
- For other general administration including managing your queries, complaints, or claims, and to send service messages to you.
5. Legal Basis for Processing
Type of Personal Data Processed | Purpose of Processing | Lawfulness of Processing |
Audits | To review care provided to improve service quality and ensure services meet future needs |
|
CCTV/ Covert Surveillance | MUH uses CCTV for the purpose of maintaining the safety and security of its staff, patients, visitors, and other attendees. CCTV may also be requested by Law Enforcement Agencies, such as An Garda Siochana, for “preventing, detecting, investigating or prosecuting criminal offences”. |
|
Contractors | MUH may provide or allow access to personal information for the provision of professional services to MUH. |
|
Employee Data (Pre-Employment and Employment Data) | MUH will collect personal data from all employees in order to keep records of employment as required by employment law, and to facilitate the operation of the Hospital. This data is collected from you when you initially apply for a position at MUH and, subsequently, throughout the term of your employment here. Most information will be collected directly from you, your manager, or by a member of the human resources or finance departments. In the case of job applications made through external agencies, MUH will initially collect data from the relevant agency. During the recruitment process, we may contact references or stated previous workplaces, to verify the information provided. |
|
Financial Data | Required for providing a service and billing. Also required for submission of reimbursement claims to the HSE Primary Care Reimbursement Service. Staff payroll. |
|
Health / Clinical Research Data | To identify patients who might be suitable for clinical trials/research. MUH promotes research and there are strict regulations surrounding research and how it may be conducted. Suitable participants will be given full information about the research/trial and may be asked to provide their consent to participate. Any participation in a trial or research study will require your consent. |
|
Health Data | Necessary to provide patient care in MUH; Review the care provided by audit or service evaluation; To help in decision making about your care and ensure that your treatment is safe and effective; To work effectively with other organisations who may be involved in your health care; | Special Categories data are processed under Article 9 of the GDPR:
|
National Systems | Mercy University Hospital utilises National Systems as provided by the Health Services Executive (HSE). | The HSE Privacy Statement can be found on the HSE website for more information. |
Other Uses | In order to provide the best possible environment in which to treat you, MUH may also use your personal information where necessary for:
| |
Patient Data | Necessary to support the administration of patient care in MUH. |
|
Students and Trainees Data | MUH supports the placement of students and trainees at MUH. MUH collects personal information of students or trainees on placement for the primary purposes of providing the placement and facilitating assessment. The purposes for which MUH uses personal information of students or trainees include:
|
|
6. Employee Data
Process | Description | Type of Data Processed | Lawful Basis for Processing |
Assessing Training Needs | Employee skills, experience and performance data may be used by MUH in order for the organisation to assess employee training needs. | Legitimate Interest | |
Employee Relations | To carry out functions such as grievance, disciplinary and associated employee relations. | For the Performance of a Contract | |
Employment Termination | On termination of employment, the termination of employment is recorded. | Legitimate Interest | |
Internal Reporting | Employee performance and sick-leave information may be used for internal reporting purposes. | | Legitimate Interest |
Issuing References | On request, MUH issue employment references to other entities. | | Consent |
Payroll | Once employed, MUH provide the payroll team with your details for MUH to process your salary payments each month. | | For the Performance of a Contract |
Pension | As an employee or previous employee, if applicable MUH shall use pension details to discharge your pension. | | For the Performance of a Contract |
Recruitment | During the recruitment process MUH obtain your personal profile and work experience details through online forms, CVs submitted, references, external agencies and any details provided in cover letters. This data is then used by MUH to assess your suitability for the role being applied for throughout the recruitment process. This may include checks with past employers or references. | | Legitimate Interest; Compliance with a Legal Obligation |
Scheduling Leave | Leave requests are scheduled across rosters and used to determine leave days granted to staff. | Legitimate Interest | |
Staff ID Cards | Once employed, MUH shall issue you with an official ID card. | Legitimate Interest |
- Any party which you have given us permission to speak with (family, friends or otherwise)
- Health insurance providers
- Legal representatives, if necessary
- Statutory bodies as required by EU and Irish law
- Pension service providers if and when applicable
- Payroll service providers
MUH take steps to ensure that any third-party partners who handle your information comply with data protection legislation and protect your information just as MUH do. MUH only disclose personal information that is necessary for them to provide the service that they are undertaking on our behalf. MUH will aim to anonymize your information or use aggregated non-specific data sets where possible.
- The law requires us to hold your personal information for a longer period, or delete it sooner;
- You exercise your right to have the information erased (where applicable) and MUH do not need to hold it in connection with any of the reasons permitted or required under the law.
7. Disclosure of Your Personal Information By Us
- Health insurers to secure payment for your treatment where it is covered by your private health insurance policy;
- Health professionals, independent consultants and other hospitals that require your personal data as part of the provision of medical treatment;
- IT service providers that either host or have access to our data as part of their product offering;
- Regulatory bodies such as HIQA, the Health and Safety Authority, where MUH are obliged to make data available as required;
- Manufacturers of medical devices and equipment for patient safety purposes, to allow for any necessary follow up post treatment;
- Outsourced service providers such as the use of external laboratories;
- Any party which you have given us permission to speak with (family, friends or otherwise) regarding your treatment;
- Your next of kin/relevant person, where you are not in a situation to grant us permission;
- GPs and other healthcare professionals involved in your treatment;
- Healthcare specialists whose opinion may aid us in effective medical diagnosis and / or treatment;
- Healthcare providers engaged to assist with your treatment (certain providers have facilities which assist us in providing you with efficient and effective treatment);
- Billing agencies engaged by your consultant or other healthcare professionals involved in your treatment;
- Legal representatives, as necessary;
- Statutory bodies and health boards as required by EU and Irish law;
- Clinical audit to measure compliance with hospital policy and accreditation standards;
- Quality improvement is used to improve the way care is delivered to MUH patients. Improving quality is about making healthcare safe, effective, patient-centred, timely, efficient, and equitable. In order to achieve improvements processes are defined, measured, analysed, with improvements implemented and then controlled;
- Service evaluation is used as an internal evaluation of a service provided to a patient in order to identify issues or good practices and implement appropriate changes if necessary. The purpose is to assess how functional MUH services are for patients and adjust these services to meet the needs of patients when required;
- Representation from an Elected Representative: Elected representatives may, during the course of their activities, be asked to make representations to, and on behalf of, an individual. From time to time, MUH may receive a request from an elected representative making representations on behalf of their constituents. When people contact their elected representative wanting representations to be made on their behalf, they are asking for assistance and expect that the elected representative will be able to respond effectively and efficiently to their concerns. Sections 40(1) and (2) of the Data Protection Act 2018 provide an elected representative with a legislative basis for the processing of the personal data (including special categories of personal data) of individual constituents in order to perform their functions. The processing of personal data by an elected representative is permitted under Section 40 where: (i) the elected representative either receives a request or representation directly from the data subject, or where (ii) the elected representative receives a request or representation from another person on behalf of the data subject and the elected representative is able to demonstrate that they are compliant with the principles of data protection.
Category of Third Party | Description of Service Provided | Lawful Basis for Processing |
IT Service Providers | System based processing of personal and/or medical details as part of patient treatment and/or organisational/operational requirements, e.g. cloud hosting services; application development and support services; IT Infrastructure services; email services; call recording services. | Performance of a Contract; Legitimate Interest |
Law Enforcement Agencies | To assist law enforcement agencies in their efforts of preventing, detecting, investigating, or prosecuting criminal offences. | Compliance with a legal obligation |
Legal/Professional Advisors | The provision of business consulting, audit and legal services including access to and analysis of personal data as part of business initiatives, statutory audits, legal claims, and ad-hoc consultancy advice. | Performance of a Contract; Legitimate Interest |
Other Health Service Providers | If in the future you are being treated by a medical practitioner or health care facility that needs to have access to the health record of your treatment, MUH will provide a copy of your record to that medical practitioner or health care facility provided this request is processed in the correct manner and with your knowledge. | Consent; Vital Interest |
Outsourced Service Providers | The external processing of personal data to external providers where Mercy University Hospital does not have either the expertise, capacity, or demand to provide the processing required. E.g. test/analysis by external laboratories | Performance of a Contract |
Regulatory Bodies | Provision of personal data as required to satisfy recurring obligations, audit, and mandatory reporting purposes with bodies such as HIQA, TUSLA, Health and Safety Authority, Health Protection Surveillance (reporting infectious diseases), National Cancer Registry Ireland, National Hemovigilance Office (NHO) etc. | Compliance with a Legal Obligation |
Relatives, personal carers and/or significant other(s) | MUH may provide information about your condition to your spouse or partner, parent, child, other relatives, close personal friends, guardians, legal representative, or a person exercising your power of attorney under an enduring power of attorney or who you have appointed your enduring guardian, unless you tell us that you do not wish us to disclose your personal information to any such person. | Compliance with a Legal Obligation; Consent |
Security & Maintenance | CCTV Cameras and security personnel are in operation both inside and outside MUH premises in order to protect our staff, patients, visitors, and property. | Compliance with a legal obligation; Legitimate Interest |
Transport, Storage & Shredding | The provision of courier services for the transportation of physical documents to and from suppliers, insurers and referring corporate/medical partners. Storage and destruction of physical files for operational and regulatory purposes | Performance of a Contract |
Your Local Doctor (GP) | After an admission and upon discharge, MUH send a letter to your local doctor or referring hospital. The letter informs them of your time at MUH, your medication, and any special instructions your doctor needs to know. Sometimes your local doctor will contact MUH for additional information about your treatment. In this situation, MUH will only release information to the doctor whom you have specified as your local doctor on your patient admission form. | Consent |
Your Private Health Insurer & Hospital Insurers | MUH will confirm your insurance is valid and that your policy covers MUH with your nominated insurance provider. | Legitimate Interest; Compliance with a Legal Obligation |
8. Transfers of Your Personal Information Outside the EU/EEA
9. Security and Links to Other Websites
MUH take the security of your personal information seriously and use a variety of measures based on good industry practice to keep it secure. Nonetheless, transmissions over the internet and to our website, and our social media pages may not be completely secure, so please exercise caution. When accessing links to other websites, their privacy policies, not ours, will apply to your personal information.
MUH employ security measures to protect the personal information you provide to us, to prevent access by unauthorised persons and unlawful processing, accidental loss, destruction, and damage.
The transmission of information via the internet is not completely secure. Although MUH will do everything possible to protect your personal information, MUH cannot guarantee the security of any personal information during its transmission to us online.
Our Site, and social media pages may contain links to other websites run by other organisations which the hospital do not control. This statement does not apply to those other websites, so MUH encourage you to read their privacy statements. MUH specifically disclaim responsibility for their content, privacy practices and terms of use, and MUH make no endorsements, representations or promises about their accuracy, content, or thoroughness. Your disclosure of personal information to third party websites is at your own risk.
10. How Long Do MUH Retain Your Information For
MUH are obliged to retain certain information to ensure accuracy, to help maintain quality of service and for legal, regulatory, fraud prevention and legitimate operational purposes.
Other information will be retained for no longer than is necessary for the purpose for which it was obtained by us or as required or permitted for legal, regulatory, fraud prevention and legitimate operational purposes.
MUH will not hold your personal information in an identifiable format for any longer than is necessary for the purposes for which MUH collected it.
11. Health Research
There are many different types of clinical research studies taking place in Mercy University Hospital, some examples are:
- Clinical Trials: this is a study conducted to test if a new drug/device is effective at treating a specific disease.
- Clinical Research Utilising Patient Samples: some studies involve looking at patient samples in conjunction with the medical data associated with the sample.
- Observational Studies: these studies involve the observation of patients over a period of time and may include the collection of samples.
- Research Using Patient Medical Records (Retrospective Studies): these studies involve looking back at patients' medical history with the aim of learning more about the disease or condition, an example would be to determine the number of people with a certain disease or the average age of onset of a particular disease.
11.1. THE PERSONAL DATA PROCESSED FOR RESEARCH
To enable us to perform clinical research, MUH collect and process various categories of personal information. Information MUH collect may include:
- Personal details about you, such as date of birth, medical record number
- Notes and reports about your health needs
- Results of investigations, such as x-rays and laboratory tests
- Relevant information from other health and social care professionals, your carers, or relatives
- Samples (Blood, urine, hair, tissue samples, stored samples)
11.2. WHEN DO MUH PROCESS YOUR PERSONAL DATA?
Following your consent: for clinical trials, clinical research using your samples and observational studies your consent will be sought before proceeding with the research. You will be provided with an information leaflet which will outline the study. If you agree to take part you will give your consent by signing a consent form and agreeing to all aspects of the research on the study consent form.
Pre-screening: pre-screening is the process researchers use to identify patients that may be suitable for the research study they wish to undertake. This involves accessing medical records for the purpose of identifying patients but no data is removed/copied/recorded. This is only done by healthcare practitioners, student healthcare practitioners, MUH authorised persons within MUH and hospital employees who normally have access to medical records. An authorised person must be an employee of either: a university, a registered charity which supports research and education, a practice which provides, manages, or develops healthcare practitioners, be Garda vetted and be under the control and direction of a healthcare practitioner employed by the MUH. The MUH is not required under the Law to seek your consent to access your personal data to conduct Pre-Screening, however, should you be deemed suitable you will be contacted in order to provide you with information about the study and if you feel comfortable and happy, to obtain your consent.
Research using patient medical records (Retrospective studies): is a type of research design in which pre-recorded, patient-centred data collected for the provision of healthcare are used to answer a research question. Consent is not sought for this type of study BUT only when the study meets certain criteria: (i) the data is protected by a unique coding system. This means your name and any other information that could identify you will never be stored with the medical data collected (ii) a risk assessment has concluded that the study is low risk (iii) it is performed by a healthcare practitioner who is an employee of MUH or a student healthcare practitioner (iii) is another employee of MUH who in their normal duties has access to medical records (iv) the data will not be shared unless completely anonymous (v) the published results will not identify any individual and (vi) the Research Ethics Committee must review and approve. If the study does not meet these criteria your consent will be sought.
11.3. WHAT IS A RESEARCH ETHICS COMMITTEE?
A Research Ethics Committee is an independent group of people appointed to formally assess if health research conforms with recognised international ethical standards. It is responsible for protecting the rights of those who take part in the research and the usage of their personal data for health research.
11.4. HOW DO MUH RESEARCHERS PROTECT YOUR DATA?
All patient data collected for clinical research is protected by a process known as pseudonymisation or coding. Your identifiable data, such as your name, medical record number, address, telephone number, full date of birth are kept separate to your medical data. Your identifiable data is given a code and your medical data is given the same code. Your identifiable data and medical data are stored separately in password-protected files on secure computer networks. Therefore your identifiable data can only be linked back to medical data by the researchers. Additionally, MUH researchers minimise the amount of data they collect to only that which is 100% necessary to achieve the objectives of the research study. Therefore in cases where your name, address, telephone number, etc. are not required they are not collected. Whenever possible full anonymisation of your data is carried out.
11.5. LEGAL BASIS FOR PROCESSING YOUR DATA
Under GDPR there must be a legal and valid reason for a person/researcher to process data. There are 2 articles within GDPR that set out the legal basis for processing. These include Article 6 which is the legal basis for processing personal data and Article 9 which includes the legal basis for processing sensitive data. Medical data is sensitive personal data and therefore one legal basis from Article 6 and one legal basis from Article 9 is required. Researchers lawfully process personal data in MUH using Article 6 (1)(e) - processing is necessary for the performance of a task carried out in the public interest/ Article 6 (1)(f) - legitimate interest and Article 9 (2)(j) - processing is necessary for scientific research purposes. This means if you withdraw your consent data collected up to the time of withdrawal will continue to be processed.
11.6. HOW LONG DO MUH RETAIN THIS DATA FOR?
Researchers may retain your data for a period of time, as determined by MUH, legislation or by scientific journals. All completed research must be shared with the wider scientific community in order to progress science and medicine beyond the research group. To do this, researchers publish their research in scientific journals. Data published in journals will never identify you. Data may also be irrevocably anonymised (all identifiable information is deleted and there is no way to ever link the medical data to you) and retained indefinitely. If the researchers intend to do this you will be informed and you will give your consent except for retrospective studies.
12. Clinical Audit
13. Your Rights in Relation to Your Personal Information
- By letter: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, DO2 RD28, Ireland
- By website: https://forms.dataprotection.ie/contact
- By Telephone: +353 (0761) 104 800
14. How Can You Contact Us
14.1 How to Make a Complaint
If a service user/family member/advocate wishes to make a complaint they can:
- Tell a staff member
- Ask to speak to the MUH Patient Liaison Officer
- Complete a Feedback form/Comment Card
- Telephone the Quality & Risk Management Department via the Hospital Switchboard on 021 4271971
- Write to the MUH Complaints Officer, Quality & Risk Management Department, Mercy University Hospital, Cork
14.2 How You Can Contact Our Data Protection Officer?
Our Data Protection Officer can be contacted by:
By Phone: 021 4935646
By Post: The Data Protection Officer, Mercy University Hospital, Grenville Place, Cork. T12 WE28
15. Changes to Our Privacy Statement
Please check this page regularly for changes to this statement.
You can contact us with your queries in relation to this policy or for any other reason by post, email or by phone.