Data Protection and Privacy

Bon Secours is a not-for-profit organisation with its mission centred on providing compassionate, world class medical treatment to all those it serves in its 5 modern acute hospitals in Cork, Dublin, Galway, Tralee and Limerick, as well as in its the Care Village in Cork. Bon Secours is accredited by the Joint Commission International Accreditation Standards for Hospital (JCI), the leading organisation in the international accreditation of hospitals for quality and patient safety.

All personal data we gather will be processed in accordance with all applicable data protection laws and principles, including the EU General Data Protection Regulation and the applicable Irish Data Protection legislation.

This Privacy Statement explains how Bon Secours use your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.

To assist in safeguarding your information, Bon Secours has developed a set of fundamental information governance principles and policies to ensure that it minimises the amount of personal data it collects, that it uses personal data only for the purpose it was obtained and in accordance with its legal obligations.

Bon Secours promotes good information governance practices among its staff and monitors and improves internal policies, procedures, and uses Information Communications Technology (ICT) security tools to ensure that all personal data is protected against theft, accidental loss, unauthorised access or alteration, erasure, use or disclosure. 

Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’ such as your Medical Record Number (MRN).

A Data Controller is the legal entity which determines how and why personal data is collected and used.
The Bon Secours Health System Group Offices are located at,
7 Riverwalk,
Citywest,
Dublin 24,
D24 H2CE.

Under the GDPR, you have the following rights, which Bon Secours will always work to uphold:

1. The right to be informed about our collection and use of your personal data. This Privacy Statement should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in how to make a complaint or provide a compliment section of this Statement.
2. The right to access personal data Bon Secours holds about you (see how can I access my Personal Data? section of this Statement).
3. The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in how to make a complaint or provide a compliment section of this Statement to find out more.
4. The right to erasure, for example the right to ask us to delete or otherwise dispose of any of your personal data that we have, where there is no compelling reason to continue processing.This right only applies in certain circumstances; it is not a guaranteed or absolute right. Please contact us using the details in how to make a complaint or provide a compliment section of this Statement.

• The right to restrict (i.e., prevent) the processing of your personal data.
• The right to object to us using your personal data for a particular purpose or purposes.
• The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract or the provision of medical care or treatment and that data is processed using automated means, you can ask us for a copy of that personal data to reuse with another service in many cases.
• Rights relating to automated decision-making and profiling. We do not use your personal data in this way.

We will be unable to fulfil an erasure request if the personal data is required for the treatment of an active patient.

In certain circumstances we may need to retain information to ensure your preferences are respected in the completion of our duties. For example, we won’t erase all information about you where you have asked us not to send you marketing material as your preference not to receive marketing material would be erased.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the contact details provided in how to make a complaint or provide a compliment section of this Statement .

Further information about your rights can also be obtained from the DPC. If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the;

Data Protection Commission,
21 Fitzwilliam 
Square South,
Dublin 2
D02 RD28,
Ireland,
Email: info@dataprotection.ie
Website: www.dataprotection.ie

As a healthcare provider it is important for us to have a complete picture about your health in order to care for you. The personal data we collect enables us to confirm your identity when we contact you, or when you contact us. It enables us to provide the correct high-quality care to meet your individual needs.

Our staff including our nurses, doctors and other healthcare professionals caring for you, keep records about your health and the care you receive for the purposes of preventative medicine, medical diagnosis, medical research, the provision of medical care and treatment and the management of healthcare services. Having accurate and up-to-date information will assist us in providing you with the best possible care.

The following is a non-exhaustive list of various categories and types of personal data we may collect some of the following personal data (this may vary according to your relationship with us):

• Personal details about you, your date of birth, address, mobile phone number, contact detail, Nominated Individual.
• Financial and health insurance information
• Clinical information treatment procedures diagnosis and reports
• Results of investigations, such as X-Rays and laboratory tests
• Patient feedback, enquiries received, log of calls received, log of complaints received, and
• CCTV image recordings.

Bon Secours may process certain special category data which may include health information, racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, health data.

While the type of personal data we process may change occasionally, we believe it is important that you are aware of the types of personal data we gather and use. Under the GDPR, we must always have a lawful basis for using your personal data. The lawful basis for Bon Secours processing your Special categories of personal data are as follows:

• The processing is necessary in order to protect your vital interests
• Pursuant to a contract with you, the HSE, your health insurer or for patients being treated under the National Treatment Purchase Fund (NTPF) scheme
• For the purposes of preventative or occupational medicine
• For the provision of healthcare treatment
• For the provision of medical diagnosis
• For the management of health or social care systems and services
• For the purposes of sending, details about our services were you have consented to receive them
• For the purposes of invoicing, billing, and account management
• For the purposes of our legitimate interests such as to prevent fraud, establishing, exercising or defending a legal claim.

Bon Secours only process personal data where it is necessary and may use typically one of the following purposes:

• To manage and deliver your care (Direct Care) to ensure that:
  • The right decisions are made about your care
  • Your treatment is safe and effective, and
  • To coordinate with other organisations or your GP that may be involved in your care
  • To remind you of appointments by email, phone, and/or text
• To assist in safeguarding patients, visitors, staff, property and crime prevention.

If the purpose of the processing is for a reason other than the reasons above, we will seek your consent to process your sensitive personal data.

Bon Secours promotes a minimum use of personal data in all its health research projects and all Researchers are required to complete a ‘Data Protection Impact Assessment’ in relation to the personal data they wish to collect and use in their health research study.

Research in healthcare is vital in helping develop understanding about health risks and causes to develop new treatments. All Health Research at Bon Secours is reviewed and approved in advance by our Research Ethics Committee. Your consent will be sought prior to being asked to participate in a research study or to have your personal data used in a research study unless your consent is deemed not necessary under the Health Research Regulations 2018. In some circumstances, consent exemptions may be granted by the Health Research Board Consent Declaration Committee (HRBCDC). In such circumstances you will not be identified in any published results without your prior agreement. More information can be found on our website and on research posters placed around our hospitals.

To provide you with the highest quality of healthcare, we need to keep records about you.  Your data may be collected in a number of different ways such as a referral made by your GP or another healthcare professional you have seen, or perhaps directly from you over the telephone, in person, or on a form you have completed. There may also be times when personal data is collected from your relatives or a next of kin where you might be very unwell and unable to communicate. During your treatment health specific data may also be collected by our nurses, doctors, and other healthcare professionals who are taking care of you. This personal data will be held in your patient chart (this can be either electronic and/or paper).

Bon Secours is fully committed to ensuring that your information is secure with us and with the third parties who act on our behalf. We have a number of security precautions in place to prevent the loss, misuse, or alteration of your personal data. Staff working for Bon Secours have a legal duty to keep information about you confidential and staff are trained in information security and confidentiality. Bon Secours has strict information security policies and procedures in place to ensure your personal data is safe, whether it is held in paper or electronic format.

Bon Secours only keeps personal information in either physical (paper) or in an electronical form (including clinical images taken for diagnostic or treatment purposes) for a period that is deemed necessary to carry out the function and operational purpose for which it was originally collected, unless it is specifically required by law to keep your information for longer. All personal information is subject to a specified retention period and is securely destroyed once no longer needed.

Bon Secours may store or transfer some or all of your personal data in countries that are not part of the European Economic Area (the “EEA”). These are known as “third countries” and may not have data protection laws that are as strong as those in the EEA. This means that we will take additional steps to ensure that your personal data is treated just as safely and securely as it would be treated within the EEA and under the GDPR.

We use specific contracts with external third parties that are approved by the European Commission (EC) for the transfer of personal data to third countries or that will be transferred to third parties located in countries deemed by the EC as having an adequate level of data protection. These contracts ensure the same levels of personal data protection apply as are provided for under the GDPR.

Depending on your personal circumstances we may need to share personal data with selected third parties. In some cases, those third parties may require access to some or all of your personal data that we hold and may include:

• Health insurers to secure payment for your treatment where it is covered by your private health insurance policy
• Health professionals, independent consultants and other hospitals or Community Services that require your personal data as part of the provision of health, medical, occupational health treatment or for clinical and billing audits
• Any party which you have given us permission to speak with (e.g., Nominated Individual, spouse or partner, parent, child, or other relative, friend, guardians, or a person exercising your power of attorney under an enduring power of attorney) regarding your treatment or where you are not in a situation to grant us permission
• ICT service providers that either host or have access to our data as part of their product offering
• Regulatory bodies such as the National Cancer Registry Ireland, the Health Protection Surveillance Centre, the Health Information and Quality Authority, the Department of Public Health, (Health Service Executive (HSE)) or the National Treatment Purchase Fund where we are obliged to make data available
• Outsourced Service Providers such as the use of external laboratories
• Other companies and organisations with whom we exchange data for the purposes of fraud protection and credit risk reduction including debt collect agencies, and
• Audit and Quality Assurance Bodies or Registries for quality assurance processes and service evaluation.
• We may also disclose your personal information to third parties if we are under a duty to disclose or share your information in order to comply with any legal obligation or to protect our rights, property or safety of our patients, residents or employees or others.

Where Bon Secours is required to provide statistical information to the HSE we will ensure that you cannot be identified by anonymising the information. If it is not possible to anonymise your data, we will seek your consent.

Bon Secours may also be receiving services from third party providers for example, referral services or couriers. To assist in this process, we may need to share your personal information with those providers. We are careful to share only information that is necessary for this purpose. Anyone who receives this information is also bound by confidentiality and data protection legislation. In certain situations, we may have to disclose your personal information in accordance with legal requirements, or in an emergency to prevent injury to other persons.

If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights and the third party’s obligations under Data Protection legislation.

If any personal data is transferred outside of the EEA, we will take steps to ensure that your personal data is treated just as safely and securely as it would be within the EEA and under the GDPR, as explained in Part 9 of this Statement.

In some limited circumstances, Bon Secours may be legally required to share certain personal data, which might include yours, such as if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a Regulatory Body.

If you want to know what personal data Bon Secours hold about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “data subject access request”.

All data subject access requests should be made in writing and send to the email how to make a complaint or provide a compliment section of this Statement. To make this as easy as possible for you, a Data Subject Access Request Form is available for you to use. You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible.  We will need proof of identity such as a passport or a driver’s licence which you should send to us when you’re making your request. Where the request is extremely broad, we may seek clarification on the data you require.

There is normally no charge for a subject access request, however if a request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

Bon Secours will respond to your data subject access request within a month. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. We will keep you fully informed of our progress in addressing your request.

Bon Secours has appointed a Data Protection Officer (DPO) to oversee Bon Secours compliance with its data protection obligations.
If you have questions regarding Bon Secours data protection practices or wish to make a complaint or provide a complement, please do not hesitate to contact us as follows:
Email: dpo@bonsecours.ie or write to the
DPO, Bon Secours Health System Group Offices, 7 Riverwalk, Citywest, Dublin 24, D24 H2