Freedom of Information and Data Protection

Freedom of Information

What are Freedom of Information requests?

The Freedom of Information Act 2014 gives you the right to access records held by Tallaght University Hospital (TUH). Such requests may be for personal or non-personal (i.e. corporate) records.

Requesting personal information

TUH is a Freedom of Information (FOI) body. As an FOI body, TUH welcomes requests for personal records. You may request, for example, the following items:

• any records held by TUH relating to you personally, irrespective of when they were created
• all other records created after 21 April 1998 (which is the commencement date of Freedom of Information legislation in Ireland)
• any additional information which may be required to assist in the understanding of a current record

You have the right to have your personal records amended or deleted where the information is found to be incorrect or misleading. You also have the right to seek reasons for decisions that affect or have affected you.

Requesting non-personal information

As an FOI body, TUH welcomes requests for non-personal records. In general, these requests focus on corporate information. Where non-personal requests are made, the timeframe for acknowledgement and delivery is the same as requests for personal records.

How to make an FOI request

Your request must be in writing. In making your request, you are asked to:

• state that you are making a request under the Freedom of Information Act 2014
• provide as much information as possible about the records you seek to access
• specify how you would like to receive these records (that is, whether you would like to receive them by post or by email)

Sending in your FOI request

Your request can be sent by post or by email. Here are the addresses you may use:

Allowing somebody to access your records (personal information only) 

When making an FOI request, you may request that your records be send to a third party who you appoint (for example, a solicitor, health professional, family member, etc.). TUH will only give your records to someone else when it has your consent to do so. Requests should be made as outlined above but we must also receive a letter signed by you, stating that you give your consent to the release of the records to the named individual. We may contact you about the request to release your records to a third party if further information or clarification is required.

Identification (personal records only)

To gain access to personal information, you are required to provide proof of identity. This is requested to ensure that information is released to the correct person and sent to the correct postal or email address. Items of identification required are:

• a copy of identification showing your full name and photograph (for example, your passport, driver’s licence, etc.)
• proof of your address to which the materials will be sent (for example, the top of a utility bill showing both your name and your address) – this must be less than six months old

Do I need to provide identification for access to non-personal records?
No. As access is not sought into personal records, identification is not required

Timeframe

A decision on your request will usually be made within four weeks. This is where a week is defined as five working days, excluding weekends and bank holidays.

Acknowledgement of request

Receipt of your request will be acknowledged within ten working days (where a week is defined as five working days, excluding weekends and bank holidays). At this time, you will be advised as to when you may expect to receive a decision on your request.

Medical records of a deceased relative

When a patient dies, the next of kin or other family members may request access to the patient’s medical records. These requests are always dealt with by the Freedom of Information Officer (FOI). The FOI Officer will balance the patient’s right to confidentiality with the right of another person to be given that information in the public interest.

To access the medical records of a deceased relative, you must make the request in writing. You must provide the following information:

• name of the deceased
• his/her address
• his/ her date of birth
• his/her MRN number (if known)
• copy of the deceased’s Death Certificate
• proof of your relationship to the deceased person
• proof of your own identify (see above)
• proof of address to which the information is to be sent (see above)

Your request and the accompanying information should be sent to the following address:

Right to an internal review of initial decision

The Freedom of Information Act 2014 sets out a series of exemptions to protect sensitive information where its disclosure may damage key interests of the State and/or third parties. This means that there are specific circumstances where the requested information will not be released (for example, to protect confidentiality, etc.). If any of these exemptions are applied to withhold information, the reasons will be clearly explained to you when you receive the decision made about your request.

Right to an internal review of initial decision

You may seek an internal review of the initial decision. This review will involve a complete reconsideration of the matter by a more senior member of staff at TUH to the person who made the initial decision. Reasons for seeking an internal review include where you

• are dissatisfied with the initial response (for example, refusal of information, form of access, charges, etc.) or
• did not receive a reply within the specified four weeks dated from your initial request (this is known as a ‘deemed refusal’ and, where this occurs, you are allowed to proceed to an internal review)

A request for an internal review must be submitted within four weeks from the date of the initial decision to your request (although late appeals may be permitted in certain circumstances). The FOI Appeals Officer reviewing the appeal must complete the review within three weeks (where a week is defined as five working days, excluding weekends and bank holidays). An internal review must normally be completed before an appeal may be made to the Office of the Information Commissioner (OIC).

The outcome of the internal review will be communicated to you within three weeks of receipt of your request to appeal.

Your request can be sent by post or by email. Here are the addresses you may use:

The fee for an internal review under Section 21 of the Freedom of Information Act 2014 is €30 (€10 for medical card holders and their dependents). No fee is charged for an internal review concerning access to personal records belonging to the requester.

Appeals to the Office of the Information Commissioner (OIC)

Once the internal review process has been completed, you may appeal the decision to the Office of the Information Commissioner (OIC). This appeal must be made within six months.

If you make an appeal, the OIC will investigate the matter fully and issue a fresh decision. You may send your request by post or online. Here are the addresses:

The fee for appeals to the OIC is set out under Section 22 of the Freedom of Information Act 2014. It is currently set at €50 (€15 for medical card holders and their dependents).

Fees applicable to FOI requests

The €15 application fee has been abolished. Fees may be charged, however, for the search, retrieval and copying of records requested. This process involves the following stages:

• locating the broad set of records in which those requested may be found
• identifying, extracting and assembling the particular records for examination

Please note that fees for the estimated cost of search, retrieval and copying of records will only be charged with respect to records being released. The current charges are €20 for each hour spent searching for, and retrieving, records. Photocopying is charged at €0.04 per sheet for records released.

Estimating the cost for search, retrieval and copying fees

Fees may be charged for the search, retrieval and copying of records. The following table sets out the bases upon which such fees are calculated.

In cases where search, retrieval and copying fees apply, TUH is obliged to charge the requester a deposit of at least 20% of the estimated cost.

Please note there is no fee charged for access to a personal record relating to yourself.

Accessing personal information without making a Freedom of Information request

You can make a request for your personal information without using the Freedom of Information Act 2014. Instead, you can make a request under data protection legislation (e.g. the GDPR, Data Protection Act 2018, etc.). This is called a ‘Data Subject Access Request (DSAR).’ To obtain information on making a DSAR, you may click here. 

Please note: This does not apply to requests for non-personal (i.e. corporate) information. These requests must be made under the Freedom of Information Act 2014.

Access to Information on the Environment

The European Communities (Access to Information on the Environment) Regulations 2007-2018 (AIE Regulations) gives you the right to access information held by Tallaght University Hospital (TUH) about environmental issues. These requests are for non-personal information only.

Why may I access this information?

The AIE Regulations give you the right of access to environmental information held by public authorities. The belief is that giving the general public access to this information encourages greater awareness of issues that affect the environment. When this happens, it encourages greater participation in decision-making on these matters.

What are Access to Information on the Environment (AIE) requests?

The AIE Regulations allow you access to a wide range of information. You can make a request to TUH for information in written, visual, electronic or any other material form from any of the following categories:

• The state of the elements of the environment. This includes, but is not limited to, air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components including genetically modified organisms and the interaction among these elements
• Factors such as substances, energy, noise, radiation or waste, including radioactive waste, emissions, discharges and other releases into the environment, affecting or likely to affect the elements of the environment
• Measures (including administrative measures) such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect the elements and factors referred to above as well as measures or activities designed to protect those elements
• Cost-benefit and other economic analyses and assumptions used for the above measures and activities
• The state of human health and safety, including the contamination of the food chain, where relevant, conditions of human life, cultural sites and built structures that may be affected by the elements of the environment
• Reports on the implementation of environmental legislation

How do I make an Access to Information on the Environment (AIE) request?

Your request must be in writing. In making your request, you are asked to

• say that you are making the request under the AIE Regulations
• provide as much detail as possible about the information you are asking for

Where do I send my request?

You may send your request by post or by email. Here are the addresses:

How long does it take to receive a response? 

You can expect to receive a response within one month from the day your request is received by the AIE Officer at TUH.

How will you send this information to me?

In making your request, you should say if you would like to receive the information by post or by email.

How much does it cost to make an Access to Information on the Environment (AIE) request?

There is no charge for making an AIE request.

Are there any other charges?

Fees may be charged for the search, retrieval and copying of information you ask for. A charge will happen where the request is complex or requires considerable work to locate the information requested. The AIE Officer will let you know if there is a charge and you may then decide on that basis whether you would like to proceed with your request.

How much does it cost for search, retrieval and copying?

Fees may be charged for search, retrieval and coping the information you are asking for. With each request received, the AIE Officer follows two steps:

• locating the area where the information is kept
• identifying the exact information, reviewing and assembling it to be sent out

If the information you have asked for is complex or significantly large, a fee will be charged. A fee is charged only if the information is to be sent to you. In cases where charges are likely to occur, TUH will ask the person making the request to pay a deposit of at least 20% of the estimated cost at the beginning of the process.

What are the current charges?

The current charges are €20 for each hour spent searching for, and retrieving, information. The charge for photocopying is €0.04 per sheet of the information to be sent to you.

The following table shows how these fees are calculated:

How do I make a request for an internal review?

In asking for an internal review, there are four steps to be followed. These are:

• you must make your request for an internal appeal in writing
• your request is to be sent by post or by email
• you must address your request to the ‘AIE Internal Reviewer’ and not to the AIE Officer
• you must make this request within one month from the date of the letter outlining the original decision

Who is the Internal Reviewer?

The Internal Reviewer is a member of staff who is more senior to the AIE Officer.

Where do I send my request for an internal review?

If you are making a request for an internal review, you may send it to one of the following addresses:

Is there a charge for an internal review? 

No.  There is no charge for an internal review.

Fees may, however, be charged for the search, retrieval and coping of information you are asking for. These are calculated in the same way as set out above.

When can I expect a response to my request for an internal review?

You will receive a response to the internal review within one month of TUH receiving your request for an internal review.

Can I appeal the decision of the Internal Reviewer?

Yes. If you are not happy with the decision of the Internal Reviewer, you may appeal to the Commissioner for Environmental Information. The Commissioner will carry out a full and independent review of the decision. You must make this appeal within one month of receiving the decision from the Internal Reviewer at TUH.

How do I contact the Commissioner for Environmental Information?

The Commissioner for Environmental Information may be contacted by post or by email. You may also make an appeal by following the steps set out on its webpage. The contact details are as follows:

Is there a charge for appealing to the Commissioner for Environmental Information? 

Yes. When appealing a decision, a fee of €50 is payable to the Commissioner for Environmental Information. The reduced rate for medical card holders is €15. Furthermore, if an individual not party to the original request wants to appeal a decision to release information that s/he feels will incriminate her/him, the fee is also €15.

Data Protection Statement

This Data Protection Statement provides information about the ways in which Tallaght University Hospital (TUH) collects, stores and uses personal data relating to individuals (data subjects). It relates to personal data received by TUH when carrying out its duties and exercising its functions.

Tallaght University Hospital (TUH)

TUH is one of Ireland’s largest acute teaching hospitals, providing adult, psychiatric and age-related healthcare on one site. Currently, it has 495 adult beds with over 3,000 people on staff. TUH is a provider of local, regional and national specialties. It is a national urology centre, the second largest provider of dialysis services in the country and a regional orthopaedic trauma centre. The hospital also has 67 paediatric beds under the governance of Children’s Health Ireland (CHI) and 52 mental health beds under HSE governance.

TUH is one of the two main teaching hospitals of Trinity College Dublin (TCD) - specialising in the training and professional development of staff in areas such as nursing, health and social care, emergency medicine and surgery, amongst many others. TUH is part of the Dublin Midlands Hospital Group which serves a population of over 1.2 million across seven counties.

The hospital’s Emergency Department catered for 52,398 attendances in 2019. A further 251,455 patients were treated through the hospital’s adult outpatient clinics in 2019. The hospital’s operations are supported by 200 general practitioners in surrounding communities and aligned with CHO7.

Multi-layered approach

This Data Protection Statement has been developed in accordance with a ‘layered policy’ approach. This means that it offers you the opportunity to obtain more or less information about TUH’s information handling practices. By clicking on the links below, you can decide how much you wish to read, what you need to know and how quickly you need to obtain the relevant information.

Key areas of the Data Protection Statement

TUH’s Data Protection Statement is designed to cover a number of key areas. These are as follows:

• Definitions
• Legislation
• Tallaght University Hospital and the GDPR
• Data Protection and Tallaght University Hospital
• Processing of personal data by Tallaght University Hospital
• What personal data does Tallaght University Hospital process?
• How does Tallaght University Hospital collect personal data?
• Legislative basis for processing personal data at Tallaght University Hospital
• Who are the recipients of personal data processed by Tallaght University Hospital?
• Publication of information
• How long does Tallaght University Hospital retain personal data?
• Your data protection rights
• Restriction of data subjects’ rights in certain circumstances
• Your right to complain
• Changes to this Data Protection Statement 

Definitions

For the purposes of this Data Protection Statement, the following definitions apply:

Data subject

An identified or identifiable natural person. It is a person who is living

Personal data

Information from which you (or another person) is identifiable or which relates to you. It does not refer to corporate data

Special categories of personal data

Personal data which are subject to a higher standard of protection under law due to its sensitivity. This includes personal data which reveal:

• any racial or ethnic origin
• financial status
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data
• biometric data
• health data
• data concerning a person’s sex life or sexual orientation

Data concerning health

Personal data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about his/her health status

Processing

Processing refers to any use of personal data. It includes collection, disclosure, retention and storage

Legislation

Tallaght University Hospital (TUH) is committed to protecting the rights and privacy of individuals in accordance with national data protection legislation and European Union (EU) regulations and directives. These include, but are not limited to, the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the ePrivacy Directive 2011.

Tallaght University Hospital and the GDPR

The General Data Protection Regulation (GDPR) was introduced on 25 May 2018 and affects all countries within the EU. It sets out a series of laws concerning how data can be processed and used by organisations within Member States. According to Article 5 of the GDPR, the key principles relating to the processing of personal data are

• lawfulness, fairness and transparency
• purpose limitation
• data minimisation
• accuracy
• storage limitation
• integrity and confidentiality
• accountability

The GDPR is designed to strengthen and standardise data protection laws for all EU citizens. It increases the obligations and responsibilities for TUH in how it collects, uses and protects personal data. This means that TUH is required to be fully transparent in how it uses and protects personal data. It also means that it must show accountability for its data processing activities.

The GDPR applies to any organisation that collects and stores personal data (a Data Controller) and also any other organisation working on the instruction of the Data Controller (a Data Processor). TUH is a Data Controller for personal data collected for the purpose of its core activities. TUH decides the minimum amount of personal data it needs to collect from you to allow it to operate its services. Its data processes are then documented and issued to relevant staff. In short, TUH staff, contractors, agents and other third parties are all bound by the rules set out in the GDPR.

You may contact TUH in a number of ways. These are as follows:

Data protection and Tallaght University Hospital 

The General Data Protection Regulation (GDPR) affects data protection in all EU Member States. The Data Protection Act 2018 gives further effect to the GDPR in Irish law. Collectively, the GDPR and the 2018 Act place enhanced accountability and transparency obligations on all organisations using your information. As importantly, it gives you greater control over your personal information.

Data Protection Officer (DPO)

Tallaght University Hospital (TUH) has a Data Protection Officer (DPO). Should you have any questions about how our hospital uses your information, or you are concerned about any issue relating to your personal data, you may contact the DPO in any of the following ways:

Processing of personal data by Tallaght University Hospital 

Tallaght University Hospital (TUH) processes personal data for a number of different purposes which arise from its functions and activities. These are outlined mainly in health legislation and its data protection responsibilities are outlined under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

TUH’s mission is patient focused. In carrying through on this, it strives to:

• serve the healthcare needs of the community
• provide care based on best practice
• enhance our patients’ wellbeing through education and information
• educate healthcare students in partnership with third level institutions
• support our staff in lifelong learning
• undertake and support research for improved patient and public care
• develop voluntary participation and support

In carrying out these functions, TUH may collect personal data. This may occur in, for example, the following ways:

Provision of core services

Personal data are received directly from data subjects in order to provide healthcare to those individuals

Inquiries

This is where personal data are received directly from data subjects

Queries and concerns

These include personal data received from individuals who have raised queries or concerns with TUH

Service providers and suppliers

This includes personal data obtained from service providers or suppliers engaged by TUH

Job applications

This includes personal data received from persons applying for roles within TUH

Conferences and events

This includes personal data relating to attendees at conferences and events organised by TUH

Training sessions

This includes personal data relating to attendees at events organised by TUH

Complaints handling

This includes personal data received from a data subject directly (or through his/her legal representatives) where the data subject makes a complaint to TUH

What personal data does Tallaght University Hospital process?

Personal data

Tallaght University Hospital (TUH) processes personal data. This includes personal data received by TUH where an individual contacts, or requests information from, TUH directly and personal data received by TUH indirectly. This is under the conditions set out above. The personal data TUH processes may include the following:

Basic personal information

This includes, for example, a data subject’s forename/s and surname, date of birth, etc.

Contact information

This includes, for example, a data subject’s postal address, email address, telephone number, etc.

Any other personal information

This includes any other personal information provided to TUH during the course of the performance of its functions

Special category personal data

TUH processes ‘special category personal data.’ This includes special category personal data received by TUH where an individual contacts and requests information from the hospital directly in addition to special category personal data received by TUH indirectly. According to Article 9 of the GDPR, special category personal data may include personal data relating to

• health
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data
• biometric data for the purpose of uniquely identifying a natural person
• data concerning a person’s sex life or sexual orientation

How does Tallaght University Hospital collect personal data?

Phone calls to TUH

Tallaght University Hospital (TUH) does not audio record phone conversations.

Emails

Emails sent to TUH may be logged, forwarded to the relevant section of the hospital and stored for the purposes of the matter to which the email relates. The sender’s email address will remain visible to all staff dealing with the matter

Please note:

It is the sender’s responsibility to ensure that the content of his/her emails does not infringe the law. Unsolicited and unlawful material, together with the details of the sender, may be reported to An Garda Síochána and/or other relevant authorities. Further emails from such recipients may be blocked

Post

Post received by the hospital may be logged, scanned and stored for the purpose of the matter to which the post item pertains. Original hard copy versions of post items may be retained for a period set out in the HSE Standards and Recommended Practices for Healthcare Records Management and are confidentially and securely destroyed thereafter.

Social media

TUH receives personal data through its interactions on social media platforms (for example, Twitter, LinkedIn, etc.). TUH operates accounts on these platforms to promote awareness of its role in providing healthcare in Dublin and of its academic partnership with Trinity College Dublin (TCD). Messages and/or posts received by TUH are viewed by its staff but personal data contained in these communicaitons are not logged or stored other than on the relevant social media platform. No further processing of such personal data is carried out by TUH.

Website

TUH’s website is located at www.tuh.ie. It uses third party or persistent cookies. TUH’s Cookies Statement can be accessed here.

Legal basis for processing personal data at Tallaght University Hospital

The legal basis for processing personal data by Tallaght University Hospital (TUH) will depend on the legislative framework that applies and the purpose for which the processing is being carried out.

GDPR

Article 6 of the GDPR sets out six lawful grounds on which personal data may be processed. Where TUH is processing personal data for the purpose of performing its core functions, it will do so on one of these. The six lawful grounds are as follows:

• Consent
• Contractual necessity
• Legal obligation
• Vital interests
• Public interest
• Legitimate interests

Who are the recipients of personal data processed by Tallaght University Hospital?

Disclosure to third parties

Personal data collected by Tallaght University Hospital (TUH) is held confidentially and securely. It is not shared by the hospital with any third parties with the following exceptions:

Where the sharing of personal data is necessary for the performance by TUH of its functions

This may occur, for example, where the hospital enlists the services of a laboratory to carry out testing for the benefit of providing accuracy in diagnoses

For the purposes of co-operation with regulatory authorities

In certain circumstances, the TUH must cooperate with, and assist, regulatory authorities in Ireland. Where this happens, in accordance with the law, TUH may provide personal data to authorities (for example, the Child and Family Agency (Tusla) or the Health and Information Quality Authority (HIQA)). When this happens, however, TUH generally tries to do so on an anonymised basis. If not anonymised, this will be done in order to protect your rights while you are receiving care and treatment

Where there is an issue of concern

In certain circumstances, TUH may request personal data to monitor issues of concern. This may be, for example, to ensure that a service has appropriate systems and procedures in place to address the care needs of a patient

For the purposes of legal proceedings

In certain circumstances, TUH must assist law enforcement authorities. Where this happens, in accordance with the law, TUH may provide personal data to, for example, An Garda Síochána, the Coroner’s Court, etc. Where this happens, TUH takes all steps necessary to ensure such personal data are protected.

In the case of service providers or suppliers to TUH

TUH uses Data Processors to provide certain services to the hospital. It requires such processors to abide by certain terms to protect any personal data which is processed by the service provider/supplier during the course of providing service in accordance with the requirements set out at Article 28.3 of the General Data Protection Regulation (GDPR).

Publication of information

With the exception of Board Members, Senior Management and Consultants, Tallaght University Hospital (TUH) does not publish personal data on its website.

How long does Tallaght University Hospital retain personal data?

The retention periods for personal data are based on the requirements of the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and on the purpose for which the personal data are collected and processed. The retention periods applied to personal data processed are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action, if applicable.

Your data protection rights

Under data protection legislation, you have designated rights. Subject to certain restrictions, which are set out below, you can exercise these rights in relation to your personal data that is processed by Tallaght University Hospital (TUH). Your rights are as follows:

1. The right to be informed about the processing of your personal data
2. The right to access your personal data
3. The right to the rectification of your personal data
4. The right to the erasure of your personal data
5. The right to data portability
6. The right to object to the processing of your personal data
7. The right to restrict the processing of your personal data
8. Rights in relation to automated decision making (including profiling)

Restriction of data subjects’ rights in certain circumstances

Article 23 of the General Data Protection Regulation (GDPR) allows for data subjects’ rights to be restricted in certain circumstances. In addition, the Data Protection Act 2018 contains certain provisions dealing with the restriction of the rights of data subjects (in particular, Sections 59, 60 and 61) which give further effect to the provisions of Article 23. General guidance in relation to the application of Article 23 and the related provisions of the 2018 Act have been provided by the Data Protection Commission (DPC) and are available here. 

Section 60 of the Data Protection Act 2018 provides for restrictions on the obligations of Data Controllers and on the rights of data subjects for important objectives of general public interest.

Your right to complain

If you have any concerns in relation to the manner in which Tallaght University Hospital processes your personal data, you may contact the hospital’s Data Protection Officer (DPO) on dpo@tuh.ie.

Changes to this Data Protection Statement

This Data Protection Statement is kept under regular review and may therefore be subject to change. If you have any comments and/or queries in relation to this Data Protection Statement, please contact the Data Protection Officer (DPO) on dpo@tuh.ie.

23rd November 2021

Data Protection and Access Requests

Introduction

The EU General Data Protection Regulation 2016/69 (GDPR) was introduced on 25 May 2018. It was transposed into Irish law by the enactment of the Data Protection Act 2018. This European and national legislation regulates the processing of personal data of a living person (known as a ‘data subject’). Essentially, this legislation is designed to strengthen the protection of the rights and freedoms of data subjects.

Tallaght University Hospital (TUH) is fully committed to the protection of the rights and freedoms of individuals whose personal data it holds. For further information on how TUH collects, stores and uses personal information relating to data subjects, please see our Data Protection Statement.

Data Controller

Tallaght University Hospital is a Data Controller for all personal data collected for the purposes of its core activities.

Your data protection rights

Under data protection legislation, you have designated rights. Subject to certain restrictions, which are set out below, you can exercise these rights in relation to your personal data that is processed by TUH. Your rights are as follows:

1. The right to be informed about the processing of your personal data
2. The right to access your personal data
3. The right to the rectification of your personal data
4. The right to the erasure of your personal data
5. The right to data portability
6. The right to object to the processing of your personal data
7. The right to restrict the processing of your personal data
8. Rights in relation to automated decision making (including profiling)

Restriction of data subject rights in certain circumstances

Article 23 of the GDPR allows for data subject rights to be restricted in certain circumstances. In addition, the Data Protection Act 2018 contains certain provisions dealing with the restriction of the rights of data subjects (in particular, Sections 59, 60 and 61) which give further effect to the provisions of Article 23. General guidance in relation to the application of Article 23 and the related provisions of the 2018 Act have been provided by the Data Protection Commission (DPC) and is available from its website.   

Section 60 of the Data Protection Act 2018 provides for restrictions on the obligations of data controllers and on the rights of data subjects for important objectives of general public interest.

Data Subject Access Requests

To make a request, please write to the Release of Information Department at TUH. The contact details are

In your email/letter, you should: 

• state that you are making a request under the GDPR and Data Protection Act 2018
• provide as much information as possible about the records you require
• specify how you would like to receive the records – that is, would you like to receive them by email or by post?

Proof of identity

Before you can be given access to personal information relating to yourself, you will be asked to provide proof of identify. This is requested to ensure that information is released to the appropriate person and sent to the correct email or postal address.

You are asked to provide two types of identification. These are as follows:

• a copy of your identification bearing your full name and photograph (for example, passport, driver’s licence, etc.)
• proof of address to which the materials are to be sent (for example, the top of a utility bill bearing both your name and address); this must be less than 6 months old

Timeframe

The time it takes to process your request can vary depending on the records you are looking for and how many other requests are being processed at the same time. We endeavour, however, to get your records to you within one month. Where it may take longer to process your request, we will contact you to make you aware of this and to give you an indication on when you may receive your information.

Allowing somebody to access your records

When making a Data Subject Access Request, you may request that your records be send to a third party who you appoint (for example, a solicitor, health professional, family member, etc.). TUH will only give your records to someone else when it has your consent to do so. Requests should be made as outlined above but we must also receive a letter signed by you, stating that you give your consent to the release of the records to the named individual. We may contact you about the request to release your records to a third party if further information or clarification is required.

Contact details for the Data Protection Officer (DPO)

Should you have questions about how TUH uses your information, or if you are concerned about any issue related to your personal data, you are welcome to contact our DPO. The contact details are as follows:

Further guidance on data protection 

The Data Protection Commission (DPC) is the supervisory body for the GDPR in Ireland. Its website provides general information on the Data Protection Act 2018, the GDPR and other relevant information on the protection of the rights and freedoms of individuals in relation to the processing of their personal data. The contact details for the DPC are as follows:

Information Governance Practice

A statement on information governance practices at Tallaght University Hospital

Tallaght University Hospital (TUH) is committed to ensuring the privacy and confidentiality of your personal information. This page sets out how the hospital will handle your personal information. If you require additional information, you can read our Data Protection Statement by clicking here.

Legal basis

In processing your personal information, TUH must comply with legislation which includes, but is not limited to, the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the Freedom of Information Act 2014. We are committed to complying with all applicable privacy laws which govern how TUH collects, uses, discloses and stores your personal information.

What is information governance?

Information governance is the set of standards we must follow in handling personal healthcare records. Good information governance means that all personal health information is handled legally, securely, efficiently and effectively, in order to deliver the best possible care to people who use our services. It also includes, where appropriate, the sharing of relevant personal health information with our healthcare providers.

What does it involve?

Information governance at TUH covers a number of areas and activities. These include the following:

• We must manage our records efficiently and effectively.
  This means that information should be accurate, up-to-date and accessible when it is needed

• We must ensure that information is kept securely and is accessed only by those who should be accessing it.
• We must protect the confidentiality of the information.
  Information provided in confidence should not be used or disclosed in a way that might identify an individual without their consent and/or a legal basis for processing

• Patients have a right to access health information about themselves.
  For further information on how to do so, please click here and here.

Why do we need information about you?

In order to provide you with the highest quality of healthcare, TUH needs to keep records about you. These records may include the following information:

• Personal information.
  For example, your name, date of birth, next-of-kin, contact details, etc.

• Contacts we may have had with you.
  For example, information on clinic visits, hospital admissions, etc.

• Notes and reports on your health.
  For example, information on treatment and care you need and/or may have received either directly from us or from other care providers such as a primary care team or your own GP

• Results of medical investigations.
  For example, x-rays, blood tests, etc.

What do we use this information for?

Our staff who provide healthcare to you will use this information in a number of ways. These include, for example, to

• confirm who you are when we contact you or when you contact us
• make decisions about your ongoing care and treatment
• make sure your care is safe and effective
• check the quality of your care
• ensure a safe care journey through our hospital and onto other care providers if required

Do I have a choice?

If you want to receive safe and appropriate care and treatment at TUH, we must maintain an accurate record of relevant information about you. If you have concerns, however, about providing information, or how we share this information with our healthcare providers, please discuss this with our staff so you fully understand the impact on your care or treatment.

Do you share information about me with anyone?

In providing care, we may share relevant information about you with other organisations. These include, for example,

• other hospitals that are involved in your care and treatment
• your GP
• community healthcare services
• local authorities
• primary care
• pharmacy

When we do share your information with other organisations involved in your care, we do so under formal agreement about how it will be used, kept confidential and safe. We will not disclose your information to any other third party without your permission unless there are extenuating circumstances (for example, if the health and safety of others is at risk, if there is a legislative requirement for us to pass on information, etc.).

Information may also be used in non-clinical ways. These include, for example, to

• help manage finances (for example, billing, costings, etc.)
• teach and train our staff
• manage and plan our services
• perform clinical audits
• help investigate concerns or complaints that you and/or your family may have about your healthcare

Where possible, TUH uses information that would not identify you personally. In this way, it aims to use anonymous information.

Do you use my information for research?

TUH is an academic teaching hospital associated with Trinity College Dublin (TCD). We support and promote research activity throughout our hospital. Most importantly, research plays a vital role in the development of healthcare and the health services we deliver.

Our Research Ethics Committee must approve research before it takes place. If we wish to use your personal information for research, we will ask you for permission first. You will not be identified in any published research or results without your agreement.

Can I see the information you hold about me?

You have the right to access information TUH holds about you. The GDPR, the Data Protection Act 2018 and the Freedom of Information Act 2014 all allow for you to access the information we hold about you.

You may access a copy of your personal healthcare records in either of two ways. These are as follows:

For information on accessing your personal information under data protection legislation, please click here.

For information on accessing your personal information under the Freedom of Information Act 2014, please click here.

Data Protection Officer (DPO)

TUH has a Data Protection Officer (DPO). Should you have any questions about how TUH uses your information, or you are concerned about any issue relating to your personal data, you may contact the DPO in any of the following ways: