Under the General Data Protection Regulation (GDPR) we are obliged to have a fair processing notice for personal data. This is often referred to as a Privacy Notice. It provides information about the ways in which we process (collect, store and use) your personal data as a patient in this hospital.

Everyone working within healthcare has a legal duty to keep patient information confidential.

“Personal data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller: St. John’s Hospital, Limerick.

Personal data will be obtained in a lawful, fair and transparent manner for a specified purpose and will not be disclosed to any third party, except in a manner compatible with that purpose.

All medical information under GDPR is deemed a special category of personal information and, as a hospital, we will endeavour to ensure your information is treated with the utmost respect and confidentiality.

1. Data Protection Legislation

All personal data we gather will be “processed” in accordance with all applicable data protection laws and principles, including the General Data Protection Regulation (EU) 2016/679 and the applicable Irish Data Protection Acts 2018.

For more information on GDPR we recommend the Data Commissioner’s website:

2. How do we collect your information?

Your information is collected in a number of different ways. This might be from a referral made by your GP or another healthcare professional you have seen, or perhaps directly from you – in person, over the telephone or on a form you have completed. There may also be times when information is collected from your relatives or next of kin – e.g. if you are taken to our emergency department (A&E) but you are very unwell and unable to communicate. During your treatment, health-specific data will be collected by the doctors, nurses and healthcare staff taking care of you and will be held in your patient chart (this can be paper and/or electronic).

3. What information do we collect?

The information that we collect about you may include details such as:

  • Name, address, telephone, email, date of birth and next of kin
  • Any contact we have had with you through appointments and hospital attendances
  • Details and records of treatment and care, notes and reports about your health, including any allergies or health conditions
  • Results of diagnostic tests, e.g. x-rays, scans, blood tests
  • Financial and health insurance information
  • Other relevant information from people who care for you and know you well, e.g. health professionals, relatives and carers.
  • We may also collect other information about you, such as your sexuality, race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate).
  • CCTV and security information.

4. Why do we collect information about you?

To make sure you get the best care, doctors, nurses and the team of healthcare staff caring for you keep records about your health and any care or treatment you may receive from us. It is important for us to have a complete picture as this information enables us to provide the right care to meet your individual needs.

5. How do you store my personal data?

Under GDPR, strict principles govern our use of personal data and our duty to ensure it is kept safe and secure. Your data may be stored within electronic or paper records, or a combination of both. All our records have restricted access controls, so that only those individuals who have a need to know the information can get access. This might be through the use of computer passwords, audit trails and physical safeguards, e.g. security-controlled access.

6. How do we use your information and why is this important?

We use your information to manage and deliver your care (Direct Care) to ensure that:

  • The right decisions are made about your care
  • Your treatment is safe and effective; and
  • We can coordinate with other organisations that may be involved in your care.

This is important because having accurate and up-to-date information will assist us in providing you with the best possible care.

In addition to using the data to provide for your care, this data is also routinely used to improve services and plan for the future (Indirect Care), therefore, your data may be used in:

  • Evaluating and improving patient safety
  • Reviewing the care provided to ensure it is of the highest standard possible, improving individual diagnosis and care. This can be carried out by multiple quality improvement methods e.g. clinical audit.
  • Training healthcare professionals
  • Ensuring that our services can be planned to meet future demand, e.g. analysing peak times, staffing levels and average length of stay, and projected demand by disease/condition.
  • Preparing statistics on hospital performance and monitoring how we spend public money
  • Supporting the health of the general public e.g. Influenza, winter vomiting bug.

The activities listed above are part of the normal delivery of care and under GDPR your consent is not required. However, we recognise our duty to always keep your data secure and confidential, and where appropriate we de-identify your data when using it for improvement.

Using the data to understand and develop new treatments and techniques (Research).

Research in healthcare is vital in helping develop understanding about health risks and causes to develop new treatments. It is usual for patient information to be used for research.

Your consent will be sought prior to being asked to participate in a research study or to have your personal data used in a research study. In some circumstances, consent exemptions may be granted by the Health Research Board Consent Declaration Committee (HRBCDC). You will not be identified in any published results without your prior agreement.

7. What is the legal basis for processing?

Legal Basis under General Data Protection Regulation (EU) 2016/679 and Data Protection Act 2018

To manage and deliver your care (Direct Care)

  • Article 6(1)(c) GDPR – “processing necessary for performance of contract” with the data subject, or Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’, or Article 6(1)(f) – ‘processing is necessary for the purposes of legitimate interests’.

  • Article 9(2)(h) GDPR – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’ or Article 9(2)(i) – ‘processing is necessary for reasons of public interest in the area of public health, such as…ensuring high standards of quality and safety of health care…’

  • Data Protection Act 2018, Section 52(1)(a) – ‘for the purposes of preventative or occupational medicine’, Section 52(1)(d) – ‘for the provision of medical care, treatment or social care’ and/or Section 52(1)(e) – ‘for the management of health or social care systems and services’, which allows patient information to be used for clinical audit provided that appropriate measures are taken to safeguard the fundamental rights of the data subject.

  • Data Protection Act 2018, Section 53(b) – ‘ensuring high standards of quality and safety of health care…’

To improve services and plan for the future (Indirect Care)

To understand and develop new treatments and techniques (Research)

Where we rely on consent as the legal basis for processing, you can withdraw your consent at any time; this follows GDPR Art 6(1)(a), “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”, and Art 9(2)(a), “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes…”

In some circumstances, consent exemptions may be granted by the Health Research Board Consent Declaration Committee (HRBCDC) (Health Research Regulations 2018).

8. Who do we share your personal data with?

We only disclose personal data provided by you to external third parties in connection with specific purposes and compliance, including:

  • Other health care organisations that are involved in your care, e.g. HSE services such as Public Health, GPs and community services
  • Third parties who provide services to us
  • Authorities and bodies where required or permitted by law, e.g. HIQA, National Cancer Registry Ireland, Health and Safety Authority
  • National organisations e.g. National Office of Clinical Audit (NOCA).

9. Do we transfer your data outside of Ireland?

In some circumstances we may need to transfer your personal data outside of Ireland in order to provide the best care and services possible. Any transfer undertaken will be protected by Data Sharing Agreements and contracts.

10. How long do you hold onto my personal data?

We will retain your information for as long as necessary to provide you with services, and to comply with our legal and regulatory obligations.

We are committed to protecting your personal data to the very best of our ability and take the appropriate steps to do so in collecting, storing and destroying your data.

11. What are my rights relating to personal data?

You have the following rights under the GDPR in relation to your personal data.

  • Right to access the data – you have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
  • Right to rectification – you have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
  • Right to erasure – you have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.
  • Right to restriction of processing or to object to processing – you have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
  • Right to data portability – you have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable

Some of these rights only apply in certain circumstances; they are not guaranteed or an absolute right. Please contact our Data Protection Officer if you have any questions or concerns about your rights. If you make a request, we have one month to respond to you.

12. How to make a complaint?

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. To make a complaint directly to the hospital see the contact information for the Data Protection Officer below.

You also have the right to make a complaint to the Data Protection Commissioner (DPC) by emailing

13. Who to contact if you have any queries about your personal data?

The Chief Executive’s Dept.
St. John’s Hospital.
St. John’s Square.
Telephone: (061) 462253

Last Updated: 20th December 2019