Privacy Statement

1. Introduction

We are Saint John of God Community Services clg (hereinafter referred to as the “SJOGCS”) with an address at Granada, Stillorgan Road, Stillorgan, Co. Dublin. We are part of the Saint John of God Hospitaller Services Group clg.

SJOGCS is the legal entity which determines the purposes and means of the processing of personal data for Adult Mental Health Services, Child and Adolescent Mental Health Services and Intellectual Disabilities services. Therefore, SJOGCS is a data controller in respect of the personal data that we process to provide our services.

We take your privacy seriously. This Privacy Statement explains why and how we will use the personal information that we have obtained from you or others, with whom we share it and the rights you have in connection with the information we use.

This statement describes the way we handle and use the personal information that we obtain from all the different interactions you may have with us, including when you visit SJOGCS, social media pages, website or when you contact us.

For the purpose of the General Data Protection Regulation (the GDPR), the data controller is Saint John of God Community Services clg.

Our Data Protection Officer (“DPO”) is:

Jade Van Standen, Saint John of God Community Services clg, Hospitaller House, Stillorgan Road, Stillorgan, Co. Dublin

E-mail: dpocs@sjog.ie

2. Glossary of Terms and Definitions

CCTV: Means closed-circuit television and is commonly known as video surveillance. “Closed-circuit” means broadcasts are usually transmitted to a limited (closed) number of monitors, unlike “regular” TV, which is broadcast to the public at large. CCTV networks are commonly used to detect and deter criminal activities, but they have other uses.

Compliance with a Legal Obligation: This is one of the lawful bases that an organisation may rely on when processing personal data. For example, an organisation may be legally required to comply with health and safety standards such as the Safety, Health and Welfare Act 2005 and as a result, is legally required to process your personal data.

Consent: This is one of the lawful bases that an organisation may rely on when processing personal data. Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of his or her personal data.

Cookies: Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

Covert Surveillance: Means a discreet form of monitoring practice that involves the use of CCTV.

Data Controller: Means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Processor: Means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Data Processor Agreement: Means a specific data sharing agreement that data controllers are obliged to have in place with any data processors they engage with.

Data Protection Laws: Means the relevant data protection legislations applicable to SJOGCS such as the Irish Data Protection Act 2018 and the General Data Protection Regulation (EU) (2016/679) (see below).

Data Sharing Agreement: Means the other forms of data sharing agreements that data controllers may put in place with other entities that are not data processors, but to whom they share data.

General Data Protection Regulation 2016/679 (GDPR): Is also known as the GDPR. This is a data privacy regulation applicable to all EU member states.

International Data Transfers: Means data transfers that take place outside the EU, EEA and non-adequate countries that have not been recognised as having similar data protection legislations to that of the EU/EEA.

Legitimate Interest: This is one of the lawful bases that an organisation may rely on when processing personal data. Legitimate interest covers a wide range of interests, such as those of the organisation or a third party, commercial interests, or wider societal reasons.

Performance of a Contract: This is one of the lawful bases that an organisation may rely on when processing personal data. For example: an employer and an employee will engage in an employment contract for the purpose of managing the employment relationship. This contract will justify the processing of employee data in an employment context.

Personal Data: Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Safeguards: Means the different controls and processes an entity may put in place to protect your data while at rest or in transit.

Saint John of God Community Services clg (SJOGCS): Also referred to as SJOGCS, is the legal entity which determines the purposes and means of the processing of personal data for Adult Mental Health Services, Child and Adolescent Mental Health Services, and Intellectual Disabilities Services.

Special Category Data: Means certain types of sensitive personal data which are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The following are examples of special category data:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Data concerning a natural person’s sex life or sexual orientation

Vital Interest: This is one of the lawful bases that an organisation may rely on when processing personal data. It means interests that are essential for someone’s life and generally only apply to matters of life and death.

3. What Personal Information Do We Collect From You?

The personal data relating to the people we provide services to is gathered by SJOGCS from many sources. You may give us your personal data at the point of admission or when you present to SJOGCS. Personal data may also be provided by family members, a referring GP, a hospital or your consultant. We only collect personal information which we need and that is relevant for the purposes for which we intend to use it. We may hold and use personal data about you as an individual using our services or in any other capacity. Depending on the services you receive from us, this may include special category personal data such as information relating to your health.

4. Information that We Collect

We collect your personal data to provide our services to you. This data may be collected directly by our staff, or by consultants, GPs, or other healthcare professionals who refer you to SJOGCS, or who are involved in your care, treatment, and support.

We may request that other healthcare providers, such as other hospitals and pharmacies, provide us with data relating to you to improve the quality of our service to you.

In cases of emergency, we may receive your data from emergency services, such as An Garda Síochána, the ambulance services, or the fire brigade services. Once again, we receive this data purely for the purpose of ensuring the care and support we provide to you is of the highest standard.

The type of information we collect from you is as follows:

  • Information that you give us when you enquire about services at SJOGCS or become a recipient of our services such as your name, address, contact details (including email address and phone number);
  • The name and contact details (including phone number) of your next of kin or relatives;
  • Any information you include in correspondence you send to us or in forms you submit to us at SJOGCS;
  • Details of your medical history such as details and records of treatment and care, notes, and reports about your health, including any allergies or health conditions including information relating to any clinic visits and medicines administered;
  • Information relating to your health including mental health, diagnosis information, medication details; medical records; services provided by us; admission/discharge to SJOGCS and other services; laboratory tests and results; clinical consultation recordings; current/future residential/day service provision and history; multidisciplinary team reports.
  • In some circumstances, individuals may disclose data relating to their relatives and other third parties.
  • Information relating to your religious beliefs; and
  • Details of your sexual orientation where you inform us of same in the course of providing healthcare services.
  • Financial information such as your payment card details and, in relation to certain refunds, your bank account details;
  • Other relevant information from people who care for you and know you well, e.g., health professionals, relatives, and carers.
  • Your identification information when exercising the rights that you have in relation to our processing of your personal information;
  • Footage captured from our CCTV operation which is in use at our facilities for health, safety, and security purposes;
  • Information about complaints and incidents;
  • Information obtained from surveys that you have taken part in;
  • Information that you give us when you submit a question/comment in relation to our services or website;
  • Information you give us when you apply for a job with us (CV, cover letter, contact details);
  • Information you give us when you publish public comments on our social media pages e.g. Facebook
  • Details of your use of our site namely traffic data, weblogs, and statistical data, including where and when you clicked on certain parts of our Site and details of the webpage from which you visited it;
  • The date and time you used our Site;
  • The pages you visited on our Site and how long you visited us for;
  • The website address from which you accessed our website;
  • Cookie, pixels, and beacon identification information

5. What Information About You Do We Obtain From Others?

When you use our healthcare services, we may obtain the following categories of personal data from others:

  • Name
  • Address
  • Date of birth
  • Phone number
  • Gender
  • Medical records
  • Reasons for referral
  • Medical/Psychiatric history
  • Collateral history
  • Community pharmacy name and contact details
  • Medications/treatment received to date
  • Next-of-kin details

6. Why Do We Collect This Information?

We collect the information in order to provide you with our services, to conduct research, and to improve our website. We will use this information:

  • To provide you with health and social care services.
  • To anonymise your data so that we can carry out clinical audits. Your data is processed by SJOGCS to improve and advance treatment and care. We conduct clinical audits with the purpose of ensuring best practice and for quality assurance and improvement purposes. If your records and data are to be used for activities such as clinical audit and quality improvement, it will be anonymised i.e., you cannot be identified from the data.
  • To conduct Retrospective Chart Reviews in accordance with international best practice. Research using service user medical records for this purpose is only conducted by healthcare professionals. Medical records are reviewed but no direct individual contact is required. You will not be asked to give your explicit consent. Your personal information will be protected by being fully anonymised or given a unique code so that your name does not appear alongside the information or in any of the results of the research. Any findings from a study that are published will not identify you. Any such study will be reviewed and approved by a research ethics committee prior to commencement.
  • To undertake health research, with your consent or on the basis of a consent declaration from the Health Research Consent Declaration Committee.
  • To publish the results of quality improvement and clinical work subject to our internal governance procedures.
  • To support the placement of students and trainees who may have access to your medical records. All staff are required to comply with the General Data Protection Regulation and other SJOGCS
  • To communicate with you as part of our relationship with you.
  • To administer and improve our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes, to keep our site safe and secure. For further information please see our Cookie Policy.
  • To make suggestions and recommendations to you and other users of our website about services that may interest you or them.
  • To deliver information about our services, where you have subscribed or consented to receiving same.
  • To comply with applicable laws and regulations.
  • To carry out satisfaction and experience surveys.

7. Where Do We Get This Information?

We obtain this information from:

  • You directly
  • Your family members/next of kin
  • Your referring GP; and/or
  • Hospitals and service providers (where you are being referred to us from a hospital or service provider)
  • Internal staff, associated providers, contractors, investigators etc. when you are in receipt of their services

8. Use of Your Personal Data

We use your personal information for a variety of reasons. We rely on different grounds to process your personal information, depending on the purposes of our use. We use your personal information in the following ways:

8.1.  Where You Have Provided Consent

We may use and process your personal information for the following purposes where you have consented for us to do so, for example:

  • Photography / Video Consent Form
  • Health Research Requests
  • Surveys

You may withdraw your consent at any time. Please refer to section 15, “What Are Your Rights with Respect to Your Personal Data”, for more information.

8.2.  Where Necessary to Comply With Our Legal Obligations

We will use your personal information to comply with our legal obligations:

  • To keep a record of health and social care services provided to you
  • To keep a record relating to the exercise of any of your rights
  • To take any actions in relation to health, safety and safeguarding incidents required by law
  • To handle and resolve any complaints we receive relating to the services we provide
  • To comply with Law Enforcement Requests

8.3.  Where Necessary for Us to Pursue a Legitimate Interest

We may use and process your personal information where it is necessary for us to pursue our legitimate interests for the following purposes:

  • Processing necessary for us to support you with your enquiries;
  • Processing necessary to provide you with health and social care services;
  • To identify and record when you have received, opened, or engaged with our site or social media or other electronic communications;
  • To comply with a request from you in connection with the exercise of your rights;
  • Processing is necessary for us to operate the administrative and technical aspects of SJOGCS efficiently and effectively;
  • To administer our Site, and our social media pages and for internal operations, including troubleshooting, testing, and statistical purposes;
  • For the prevention of fraud and other criminal activities;
  • To verify the accuracy of data that we hold about you and create a better understanding of you as an individual supported by our services;
  • For network and information security in order for us to take steps to protect your information against loss or damage, theft, or unauthorised access;
  • For efficiency, accuracy or other improvements of our databases and systems;
  • To enforce or protect our contractual or other legal rights or to bring or defend legal proceedings;
  • For other general administration including managing your queries, complaints, or claims, and to send service messages to you.

8.4.  Where Necessary for Us to Fulfil Our Contractual Duties

We will use your personal information where this is necessary for us in the performance of our contractual duties.

8.5.  Where Processing Is In Your Vital Interest

We will use your personal information where this is in your vital interest. For example: it may be in a child’s vital interests to process their data and/or that of the parents or family.

9. Legal Basis for Processing

The Irish Data Protection Act 2018 and the GDPR (Regulation EU 2016/679) require that processing of personal data shall meet certain justifiable criteria to allow for processing of personal health data. Health data falls under the banner of special categories of personal data. This means that SJOGCS shall outline in explicit terms the justification for processing of personal data relating to staff, service users, visitors, vendors, and contractors.

The table below illustrates the types of data SJOGCS processes and the legal basis for processing that data as required by the General Data Protection Regulation, Regulation (EU) 2016/679.

Type of Personal Data Processed: Service User Data[1]

Purpose of Processing: Necessary to support the administration of service user, treatment care and support in SJOGCS. To provide you with health related services.

Lawfulness of Processing:

  • Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
  • Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
  • For the establishment, exercise, or defence of legal claims.
  • For compliance with certain legal obligations to which we are subject to.
  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Type of Personal Data Processed: Employee Data[2]

Purpose of Processing: Necessary to support the administration of employee records in SJOGCS. Allows SJOGCS to manage the employment relationship between staff and SJOGCS.

Lawfulness of Processing:

  • Performance of a Contract[3].
  • Compliance with a Legal Obligation[4].
  • Legitimate Interest[5]

Type of Personal Data Processed: Students and Trainees Data[6]

Purpose of Processing: SJOGCS supports the placement of students and trainees. SJOGCS collects personal information of students or trainees on placement for the primary purposes of providing the placement and facilitating assessment. The purposes for which SJOGCS uses personal information of students or trainees include:

  • managing the individual’s placement;
  • ensuring the quality and safety of clinical care provided to service users;
  • insurance purposes;
  • to ensure SJOGCS holds relevant contact information; and
  • Satisfying its legal obligations including obligations under any placement agreement.

Lawfulness of Processing:

  • Performance of a Contract.
  • Legitimate Interest.

Type of Personal Data Processed: Financial Data[7]

Purpose of Processing: Required for providing a service and billing. Staff payroll.

Lawfulness of Processing:

  • Performance of a Contract.
  • Compliance with a Legal Obligation.

Type of Personal Data Processed: Health Data[8]

Purpose of Processing:

  • Necessary to provide service user care treatment and support in SJOGCS;
  • Review the care provided by audit or service evaluation;
  • To help in decision making about your care and ensure that your treatment is safe and effective;
  • To work effectively with other organisations who may be involved in your care;

Lawfulness of Processing: Special Categories[9] data are processed under Article 9 of the GDPR:

  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
  • Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

Type of Personal Data Processed: Audits

Purpose of Processing: To review care, treatment and support provided to improve service quality and ensure services meet future needs

Lawfulness of Processing:

  • Compliance with a Legal Obligation.
  • Legitimate Interest.

Type of Personal Data Processed: CCTV[10]/ Covert Surveillance[11]

Purpose of Processing: SJOGCS uses CCTV for the purpose of maintaining the safety and security of its staff, service users, visitors, and other attendees. CCTV may also be requested by Law Enforcement Agencies, such as An Garda Siochana, for “preventing, detecting, investigating or prosecuting criminal offences”.

Lawfulness of Processing:

  • Safety, Health and Welfare Act 2005.
  • Performance of a Contract.
  • Legitimate Interest.
  • Section 41 (b) of the Irish Data Protection Act 2018.

Type of Personal Data Processed: Contractors[12]

Purpose of Processing: SJOGCS may provide or allow access to personal information for the provision of professional services to SJOGCS.

Lawfulness of Processing:

  • Performance of a Contract.

Type of Personal Data Processed: Health Research Data

Purpose of Processing: To identify service users who might be suitable for clinical trials/research. SJOGCS promotes research and there are strict regulations surrounding research and how it may be conducted. Suitable participants will be given full information about the research/trial and may be asked to provide their consent to participate.

To identify service user that might be suitable for clinical trials/research. Any participation in a trial or research study may require your consent.

Lawfulness of Processing:

  • Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

Type of Personal Data Processed: Other Uses

Purpose of Processing: In order to provide the best possible environment in which to treat and support you, we may also use your personal information where necessary for:

  • activities such as quality assurance processes, accreditation, audits, risk and claims management, service user experience and satisfaction surveys and staff education and training;
  • Invoicing, billing, and account management, including storage of provider details on SJOGCS billing systems, transmission to Insurers and processing by billing companies.
  • the purpose of complying with any applicable laws – for example, in response to a subpoena or compulsory reporting to State authorities (for example, National Cancer Registry);
  • the purpose of sending you standard reminders, for example for appointments and follow-up care, by text message or email to the number or address which you have provided to us; and
  • We may anonymise or aggregate the personal information that we collect for the purpose of service management; monitoring, planning, and development.

Lawfulness of Processing:

  • Legitimate Interest.
  • Compliance with a Legal Obligation.

[1] Service user data includes (but is not limited to) the following: name, address, DOB, contact details (phone, mobile, email), dates of appointment, medical records

[2] Employee data includes the following: name, address, DOB, contact details (phone, mobile, email), HR records, PPSN, bank details, P60, grievances, performance reviews, sick notes, medical leave, COVID 19 Vaccination Status etc.

[3] Performance of a contract: Is one of the lawful bases that an organisation may rely on when processing personal data. For example: an employer and an employee will engage in an employment contract for the purpose of managing the employment relationship. This contract will justify the processing of employee data in an employment context.

[4] Compliance with a legal obligation: Is one of the lawful bases that an organisation may rely on when processing personal data. For example, an organisation may be legally required to comply with health and safety standards such as the Safety, Health and Welfare at Work Act 2005.

[5] Legitimate interest: Is one of the lawful bases that an organisation may rely on when processing personal data. This will involve a balancing exercise that takes into consideration both the aims and objectives of the SJOGCS and the rights and freedoms of the data subject(s).

[6] Students and Trainees: may have access to your personal information for the purpose of the placement.

[7] Financial data includes the following: invoicing, billing, and account management.

[8] Health Data includes the following: treatments and procedures, diagnosis, notes and reports, lab exams, medications, and imaging.

[9] Special Category Data: Means certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. They include the following: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and data concerning a natural person’s sex life or sexual orientation.

[10] CCTV Operation: Means closed-circuit television and is commonly known as video surveillance. “Closed-circuit” means broadcasts are usually transmitted to a limited (closed) number of monitors, unlike “regular” TV, which is broadcast to the public at large. CCTV networks are commonly used to detect and deter criminal activities, and record traffic infractions, but they have other uses.

[11] Covert Surveillance: Means a form of hidden monitoring practice that involves the use of CCTV.

[12] Contractors: Means third parties engaged by SJOGCS to carry out specific tasks or functions on our behalf.

10. Who Do We Share This Information With?

We may disclose your personal information outside SJOGCS in limited circumstances. If we do, we will put in place appropriate controls and data sharing agreements that require recipients to protect your personal information, unless we are legally required to share that information. Any contractors or recipients that work for us will be obliged to follow our instructions. We do not sell your personal information to third parties.

We may disclose your information to our third-party service providers, agents, and subcontractors (Suppliers) for the purposes of providing services to us or directly to you on our behalf. We may share your personal data with our selected suppliers, and contractors to provide you with our services. For example, these may include:

  • Health insurers to secure payment for your care where it is covered by your private health insurance policy;
  • Health professionals, independent consultants, and other hospitals that require your personal data as part of the provision of medical treatment;
  • IT service providers that either host or have access to our data as part of their product offering;
  • Regulatory bodies such as Mental Health Commission, HIQA, the Revenue Commissioners, the Health and Safety Authority, where we are obliged to make data available as required. This includes exchanging information with other entities and organisations for the purposes of fraud protection and credit risk reduction;
  • Manufacturers of medical devices and equipment for safety purposes, to allow for any necessary follow up post treatment;
  • Outsourced service providers such as the use of external laboratories;
  • Any party which you have given us permission to speak with (family, friends or otherwise) regarding your care treatment and support,
  • Your next of kin/relevant person, where you are not in a situation to grant us permission,
  • GPs and other healthcare professionals involved in your treatment,
  • Healthcare specialists whose opinion may aid us in effective medical diagnosis and / or treatment,
  • Healthcare providers engaged to assist with your treatment (certain providers have facilities which assist us in providing you with efficient and effective treatment),
  • Billing agencies engaged by your consultant or other healthcare professionals involved in your treatment,
  • Legal representatives, as necessary,
  • Statutory bodies and health boards as required by EU and Irish law,
  • Clinical auditors to measure compliance with SJOGCS policy and accreditation standards.

We take steps to ensure that any third-party providers who handle your information comply with data protection legislation and protect your information to the same extent that we do. We only disclose personal information which is necessary for them to provide the service they are undertaking on our behalf. We will aim to anonymise your information or use aggregated non-specific data sets where possible.

 

We may also disclose your personal information to third parties if we are under a duty to disclose or share your information in order to comply with any legal obligation or in order to enforce or apply our terms of use and other agreements; or to protect our rights, property or safety of our service users or others.

 

The table below illustrates the categories of third parties we share personal data with:

Category of Third Party: IT Service Providers

Description of Service Provided: System based processing of personal and/or medical details as part of the individuals care support and treatment and/or organisational/ operational requirements. E.g. cloud hosting services; the National Incident Management Systems (NIMS), National Ability Support System (NASS) application development and support services; IT Infrastructure services; email services; call recording services.

Lawful Basis for Processing:

  • Performance of a Contract.
  • Legitimate Interest.
  • Compliance with a Legal Obligation.

Category of Third Party: Legal/Professional Advisors

Description of Service Provided: The provision of business consulting, audit, and legal services including access to and analysis of personal data as part of SJOGCS initiatives, statutory audits, legal claims, and ad-hoc consultancy advice.

Lawful Basis for Processing:

  • Performance of a Contract.
  • Legitimate Interest.

Category of Third Party: Transport, Storage & Shredding

Description of Service Provided: The provision of courier services for the transportation of physical documents to and from suppliers, insurers and referring corporate/medical partners. Storage and destruction of physical files for operational and regulatory purposes.

Lawful Basis for Processing:

  • Performance of a Contract.
  • Compliance with a Legal Obligation.

Category of Third Party: Outsourced Service Providers

Description of Service Provided: The external processing of personal data to external providers where SJOGCS does not have either the expertise, capacity, or demand to provide the processing required.

Lawful Basis for Processing:

  • Performance of a Contract.

Category of Third Party: Regulatory Bodies

Description of Service Provided: Provision of personal data as required to satisfy recurring obligations, audit, and mandatory reporting purposes with bodies such as HIQA, HSE, TUSLA, The National Treasury Management Agency, The State Claims Agency, the Mental Health Commission and the Health and Safety Authority.

Lawful Basis for Processing:

  • Compliance with a Legal Obligation.
  • Performance of a Contract.
  • Legitimate Interest.

Category of Third Party: Security & Maintenance

Description of Service Provided: CCTV Cameras are in operation both inside and outside SJOGCS premises in order to protect our staff, the individuals supported by our services, visitors, and property.

Lawful Basis for Processing:

  • Compliance with a legal obligation.
  • The performance of a contract.
  • Legitimate Interest.

Category of Third Party: Law Enforcement Agencies

Description of Service Provided: To assist law enforcement agencies in their efforts of preventing, detecting, investigating, or prosecuting criminal offences.

Lawful Basis for Processing:

  • Compliance with a legal obligation.
  • Section 41 (b) of the Irish Data Protection Act.

Category of Third Party: Your Local Doctor (GP)

Description of Service Provided: Sometimes your local doctor will contact SJOGCS for additional information about your treatment. In this situation, we will only release information to the doctor whom you have specified as your local doctor on your admission form.

Lawful Basis for Processing:

  • Consent.

Category of Third Party: Other Health Service Providers

Description of Service Provided: If in the future you are being treated by a medical practitioner or health care facility that needs to have access to the health record of your treatment, we will provide a copy of your record to that medical practitioner or health care facility provided this request is processed in the correct manner and with your knowledge.

Lawful Basis for Processing:

  • Consent.
  • Vital Interest.

Category of Third Party: Relatives, personal carers and/or significant other(s)

Description of Service Provided: We may provide information about your condition to your spouse or partner, parent, child, other relatives, close personal friends, guardians, legal representative, or a person exercising your power of attorney under an enduring power of attorney or who you have appointed your enduring guardian, unless you tell us that you do not wish us to disclose your personal information to any such person.

Lawful Basis for Processing:

  • Power of Attorney.
  • Enduring Power of Attorney.
  • Legal Guardian.
  • Assisted Decision Making (Capacity) Act 2005.
  • Compliance with a Legal Obligation.
  • Consent.

Category of Third Party: Your Private Health Insurer

Description of Service Provided: We will confirm your insurance is valid and that your policy covers SJOGCS with your nominated insurance provider.

Lawful Basis for Processing:

  • Legitimate Interest.
  • Compliance with a Legal Obligation.

11. Where We Use Your Data for Health Research Purposes

At Saint John of God Community Services clg, we conduct research projects aimed at improving the lives of people affected by mental illness, whether as a patient, a carer or a member of medical staff. The suitability of any project is assessed and validated both by management and by the Research Ethics Committee before the project starts.

SJOGCS operates HSE (Health Service Executive) funded services to children and adults with intellectual disability, and to children, adolescents, and adults with health difficulties. As part of Saint John of God Hospitaller Services Group, it supports approximately 8,000 children and adults annually with over 3,000 staff and volunteers. As well as providing this care, SJOGCS has a long history of conducting research to improve outcomes for patients. Research in mental health and intellectual disability has been well supported by the Order of Saint John of God since 1987 when the first planning and management committee was set up. The data controller for these health research projects is Saint John of God Community Services clg. Granada, Stillorgan, Co. Dublin.

In most instances SJOGCS will rely on Article 6(1)(a) – Consent and Article 9(2)(a) – Consent, or Article 6(1)(f) – Legitimate Interest and Article 9(2)(j) – Scientific Research of the GDPR when we use your information for research. All applications for undertaking a health research study must be approved by the Saint John of God Research Ethics Committee. All health research in Ireland is governed by the Health Research Regulations 2018 (HRR) and the amended regulations 2021. The HRR make explicit consent the default position for processing personal data for health research. Certain SJOGCS personnel meeting criteria set out in the Amended Health Research Regulations 2021 may access service user health records for pre-screening purposes to determine whether an individual (prospective research participant) is suitable or eligible for inclusion in the study and/or for retrospective chart reviews.

In some instances, depending on the nature of the project, access to personal data may be required. The legal bases for processing your personal data can be found under Articles 6 and 9 of the GDPR. Participation in these terms is always voluntary and may be consent based. Should it be required to identify any participants (or their data), you will be contacted with all the relevant information on a research project to allow you to make an informed decision on whether to participate.

Your decision bears no impact on the quality of services you are entitled to and will be provided with by SJOGCS.

It is within our legitimate interests to conduct health care research for the benefit of our patients, for improvement to our service delivery, for the involvement of our patients, and to increase the knowledge base and for the academic education and continuous professional development of healthcare staff and students.

Your data, or the anonymous data derived from it, will not be transferred to a third country or international organisation outside the EU/EEA. Anonymous electronic data used for a study will be retained for 10 years. After 10 years, data will be securely destroyed by the ICT Department of SJOGCS.

You have the right to refuse for your data to be included in a research study. You have the right to access, rectification, erasure, restriction, objection, and data portability for your own personal data under GDPR. Where we have collected your consent for a research project, you have the right to withdraw that consent at any time. You will have received an Information Leaflet when your consent was sought. You can withdraw your consent by contacting the Principal Investigator whose contact details are on the Information Leaflet presented to you.

Withdrawing your consent will bear no impact on the quality of services you are entitled to and will be provided with by SJOGCS. The anonymous data derived from the personal data does not attract the same rights, as anonymous data falls outside the GDPR.

As research studies are conducted under the amended Health Research Regulations, your consent may not be sought at all times. Any proposed research will be first reviewed and must be approved by a Research Ethics Committee prior to commencement of a study. The Research Ethics Committee is a body independent from SJOGCS.

11.1.  Retrospective Chart Reviews and Pre-Screening

The original purpose for processing your personal data is to deliver a healthcare service to you. Under this notice, the purpose of processing your personal data may be for a retrospective chart review study or pre-screening for selection for inclusion in a research study project. The legal bases for processing your personal data can be found under Articles 6 and 9 of the GDPR. The study will be reviewed and approved by a research ethics committee prior to commencement of the study. The legal basis for processing your data for a Retrospective Chart Review research project or pre-screening for selection for inclusion in a research study project is “legitimate interests” under Article 6(1)(f) of the GDPR. The condition under which your special category personal data (i.e., health data) is processed for these research activities is Article 9(2)(j) of the GDPR: “scientific or historical research purposes or statistical purposes in accordance with Article 89”.

For Retrospective Chart Review, your personal data may be shared for the purposes of healthcare research with a person who in the course of his or her duties for the controller, would ordinarily have access to the personal data of individuals, health care practitioners, and individuals studying to be a health care practitioner, who are under the control and direction of SJOGCS or an employee of the controller (for example, a medical records clerk). The data which is held by the controller (and was obtained for the provision of health care to those individuals) cannot be disclosed to another person (a third party) by the controller unless such data is anonymised, and any findings from the study that are published must not identify an individual whose personal data was used in the study.

Any proposed research using retrospective chart review will be first reviewed and must be approved by a Research Ethics Committee prior to commencement of a study. The Research Ethics Committee is a body independent from SJOGCS.

11.2.  What is a Research Ethics Committee?

A Research Ethics Committee is an independent group of people appointed to formally assess if health research conforms to recognised international ethical standards. It is responsible for protecting the rights of those who take part in the research and the usage of their personal data for health research.

11.3.  Your Rights

You may exercise any of your rights by contacting the DPO at Saint John of God Community Services clg, Stillorgan, Co Dublin by e-mail: dpocs@sjog.ie. You may request additional information regarding a research study you are taking part in by contacting the Principal Investigator whose contact details are on the information leaflet.

If you are dissatisfied with the manner in which your personal data is being processed, you may lodge a complaint with the Data Protection Commission. You can do so by clicking here.

12. How Long Do We Retain Your Information?

We are obliged to retain certain information to ensure accuracy, to help maintain quality of service and for legal, regulatory, fraud prevention and legitimate operational purposes. Other information will be retained for no longer than is necessary for the purpose for which it was obtained by us or as required or permitted for legal, regulatory, fraud prevention, and legitimate operational purposes.

We will not hold your personal information in an identifiable format for any longer than is necessary for the purposes for which we collected it.

13. International Data Transfers

We do not transfer your personal information outside of Europe. If we do so in the future, we’ll let you know and take measures to protect your personal information. All information you provide to us is stored on our secure servers which are located within the European Economic Area (EEA).

If at any time we transfer your personal information to, or store it in, countries located outside of the EEA we will amend this policy and notify you of the changes. We will also ensure that appropriate safeguards are in place for that transfer and storage as required by applicable law. This is because some countries outside of the EEA do not have adequate data protection laws equivalent to those in the EEA. If we transfer your personal information to the United States of America, we will only send the personal information for which we have safeguards in place in accordance with applicable law. Where they apply to our data transfer activities, we may rely on adequacy decisions by the European Commission about certain countries for data transfers to countries outside the EEA.

14. Do We Use Automated Decision-Making and Profiling?

SJOGCS do not use automated decision-making and profiling.

15. What Are Your Rights With Respect To Your Personal Data?

A data subject has the right of access to personal data which has been collected concerning him or her, and to exercise that right easily and at reasonable intervals, to be aware of and verify the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example, the data in their medical records containing information such as diagnoses, examination results, and assessments by treating physicians and any treatment or interventions provided. You have the following rights:

  • The right to access a copy of the personal data we hold about you.
  • The right to require us to rectify any inaccurate personal data about you without undue delay.
  • The right to have us erase personal data we hold about you in circumstances such as where it is no longer necessary for us to hold the personal data or, in some circumstances, if you have withdrawn your consent to the processing. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  • The right to object to us processing personal data about you.
  • The right to ask us to provide your personal data to you in a portable format or, where technically feasible, for us to port that personal data to another provider, provided it does not result in a disclosure of personal data relating to other people.
  • The right to request a restriction of the processing of your personal data.
  • Where our processing of your personal data is based on your consent to that processing, you have the right to withdraw that consent at any time but any processing that we have carried out before you withdrew your consent remains lawful.
  • The right to lodge a complaint with the Data Protection Commission if you are dissatisfied with the manner in which your data is being processed. The local Supervisory Authority in Ireland is the Data Protection Commission. You can lodge a complaint by clicking here.

You may exercise any of the above rights by using the contact details in the “How Can You Contact Us” section below. When exercising your right to a Subject Access Request, you will be invited to complete a Subject Access Request Form. You may be invited to provide us with the following:

  1. A completed Subject Access Request Form.
  2. Identification of the records or information that you require.
  3. Full personal contact details.
  4. A copy of one form of identification, i.e., passport or driver’s licence.

16. Data Security

We take the security of your personal information seriously and use a variety of measures based on good industry practice to keep it secure. Nonetheless, transmissions over the internet and to our website and our social media pages may not be completely secure, so please exercise caution. When accessing links to other websites, their privacy policies, not ours, will apply to your personal information.

We employ security measures to protect the personal information you provide to us, to prevent access by unauthorised persons and unlawful processing, accidental loss, destruction, and damage.

SJOGCS will take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. We use technology such as firewalls and encryption to keep your data safe. We also have policies and procedures for staff in relation to access control and passwords.

Our sites and social media pages may contain links to other websites run by other organisations which we do not control. This statement does not apply to those other websites, so we encourage you to read their privacy statements. We specifically disclaim responsibility for their content, privacy practices and terms of use, and we make no endorsements, representations or promises about their accuracy, content, or thoroughness. Your disclosure of personal information to third party websites is at your own risk.

17. Changes to this Privacy Statement

This notice may change from time to time, and any changes will be posted on our site and will be effective when posted. Please review this notice each time you use our site or our services. This notice was last updated on 08 March 2022.

18. How Can You Contact Us?

You can contact SJOGCS in the following ways:

By Post: DPO, Saint John of God Community Services clg, Crinken House, Crinken Lane, Shankill, Co Dublin.

E-mail: dpocs@sjog.ie