Fair Processing Notice

Introduction

The UPMC Sports Surgery Clinic (SSC), company number 419994 with a registered place of business at Santry Demesne, Dublin 9, will act as a Data Controller when acting as a supplier of health services. It is important to the SSC to protect your privacy and confidentiality, and we understand that customers are concerned to know that their data will not be used for any purpose unintended by them.

This notice outlines the manner in which we collect, use, store and disclose personal data collected from you and/or held about you, as well as your rights in relation to that data. This notice covers all customers whose personal data might be processed by UPMC Sports Surgery Clinic and the Sports Medicine Department.

All personal data will be handled and processed as outlined in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

What personal information we collect about you

Much of the information we hold will have been provided by you, but some may come from other internal sources, or in some cases, external sources, such as your GP.

The information we hold includes your personal data and special category personal data (i.e. your medical information):

  • Information you provide when you make an appointment with us such as your name, address and contact details, next of kin and GP name and contact details.
  • Health Insurance information and financial information you provide when you make a payment to us.
  • Information about your health, treatments, tests, diagnoses, medication and rehabilitation.
  • Information obtained from customer surveys that you have taken part in.
  • Information you provide using the ‘contact me’ facility on our website.
  • Images stored on CCTV systems for safety and security purposes.

How we use your information and the lawful basis for processing

We use your personal data and special category personal data to provide you with the best possible medical diagnosis and treatment.

The lawful bases for processing your personal data and your special category personal data are as follows:

  • processing is necessary for the purposes of medical diagnosis and the provision of health care or treatment and the management of health care systems and services
  • processing is necessary for the pursuit of our legitimate business interests
  • processing is necessary to comply with a legal obligation
  • processing is necessary for the establishment, exercise or defence of legal claims
  • processing is necessary for the investigation of complaints from patients

The processes for which we use your data, and a description of each, are as follows:

  • Diagnoses, Treatment and Rehabilitation – Personal data and medical history are required for the assessment, diagnosis and treatment of conditions and injuries.
  • Admissions & Bookings – Personal data and medical history are required to ensure that our clinical staff have the information they require for your assessment and/or treatment.
  • Insurance and Payment Details – Personal data and information about your treatment are required to generate invoices for treatment received and to secure payment for your treatment where it is covered by your private health insurance policy.
  • Medical Records – Personal data and medical data are required to create and maintain your medical record, which documents all aspects of your assessment, diagnosis and treatment while in our care.
  • Discharge, Transfers and Referrals – We may share your medical data with next of kin, health professionals and other hospitals that require your personal data as part of the discharge process or the ongoing provision of medical treatment.
  • Handling Enquiries and Complaints – Where enquiries are received, or complaints made, personal data may be processed to investigate and respond to these.
  • Quality Improvements, Research and Clinical Audits – To carry out internal clinical audits to comply with legal obligations and improve the quality of our services.
  • CCTV – Personal data is processed for the Health and Safety of Patients, Visitors and Staff.

Our Legitimate Interests

The lawful basis for processing your personal data is the legitimate business interests of UPMC SSC. Among these interests is our objective to provide you with the best possible care. We have a medical and a business need to do this, and this is also in the interests of our patients.

We will never process your data where we believe our interests are overridden by your own interests or rights.

You have a right to object to our use of your personal data, and we will respect that right should you exercise it; however, you should be aware that we may then not be able to provide services to you.

How we handle your information

  • Personal data kept by UPMC SSC shall normally be stored on UPMC SSC’s electronic patient database or, where relevant, in physical medical record files.
  • We will only disclose information about you to third parties if we need to comply with our contractual duties or where we are legally obliged to do so, in accordance with Principle 1 and Article 6 of the GDPR. Such third parties include:
    • Your GP and other medical professionals
    • Billing Providers engaged by your consultant or other healthcare professionals involved in your treatment
    • Patient Satisfaction Surveys
    • Laboratory Services
    • Insurers, Health Insurers
    • National Blood Bank
    • Appointment Booking & Secretarial Services
    • Chart and Document Scanning
    • Regulatory bodies such as HIQA and the Health and Safety Authority

Do we transfer this information outside of the EU?

In limited and necessary circumstances, your information may be transferred outside of the EEA or to an international organisation to comply with our legal or contractual requirements.

Where a video is taken via the Dartfish application by the Sports Medicine Department, personal data in relation to rehabilitation may be held outside of the EEA. We have in place safeguards, including standard contractual clauses, to ensure the security of your data.

How long do we retain your data?

  • We will ordinarily process your personal data throughout the course of your treatment and will then retain it for a period after that. The precise length of time will depend on the type of data, our legitimate business needs and other legal or regulatory rules that may require us to retain it for certain minimum periods.
  • In determining the appropriate retention period for different types of personal data, we consider the amount, nature and sensitivity of the personal data in question, the potential risk of harm from unauthorised use or disclosure of that personal data, the purposes for which we need to process it, and whether we can achieve those purposes by other means.
  • Once we have determined that we no longer need to hold your personal data, we will delete it from our Systems. While we will endeavour to permanently erase your personal data once it reaches the end of its retention period, some of your personal data may still exist within our Systems, for example if it is waiting to be overwritten.
  • If in the future, we intend to process your personal data for a purpose other than that which it was collected we will provide you with information on that purpose and any other relevant information.

Your rights as an individual

  • Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) you have a number of rights with regard to your personal data:
  1. The right to access your personal data.
  2. If your personal data is inaccurate, you have the right to have the data rectified without undue delay.
  3. If your personal data is incomplete, you have the right to have the data completed, including by means of providing supplementary information.
  4. The right to erasure of your personal data, or the right to be forgotten. The right to be forgotten is not an absolute right and will not apply where processing is necessary for:
    • Compliance with a legal obligation;
    • Reasons of public interest in the area of public health;
    • Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
    • Establishment, exercise or defence of legal claims.
  5. The right to restrict processing and to object to processing, as well as the right to data portability in certain circumstances. Where processing of your data is restricted, it can be stored by us, but most other processing actions, such as deletion, will require your permission.
  6. If you have provided consent for the processing of your personal data, you have the right (in certain circumstances) to withdraw that consent at any time; this will not affect the lawfulness of the processing carried out before your consent was withdrawn.
  7. You have the right to lodge a complaint with the Data Protection Commission if you believe that we have not complied with the requirements of the GDPR or DPA 2018 with regard to your personal data.
  • Any request to access personal data will be dealt with free of charge unless it is considered unjustified and excessive, in which case we may charge a reasonable fee. Requests will be dealt with within 30 days; if an extension is required, we will notify you.

The Data Protection Commission

Data Protection Commission
Canal House
Station Road
Portarlington R32 AP23
Co. Laois

Phone: +353 (0761) 104 800

Lo Call: 1890 252 231
Fax: +353 57 868 4757

Email:

info@dataprotection.ie

How you can contact us with any queries or requests:

The Data Protection Officer

(For Data Protection Queries Only)

UPMC Sports Surgery Clinic
Santry Demesne
Dublin 9

dpo@upmc.ie

Subject Access Request

(For a copy of your medical records only)

UPMC Sports Surgery Clinic
Santry Demesne
Dublin 9
SSCsar@upmc.ie

Glossary

  • Data Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • Data Subject – is an individual who is the subject of personal data.
  • Lawful basis for processing personal data – In order for processing to be lawful, the GDPR requires that you must have a valid lawful basis. Most lawful bases require that processing is ‘necessary’ for a specific purpose. For processing special category data, both a lawful basis for general processing and an additional condition for processing this type of data must be identified.
  • Personal Data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • Special Category Personal Data – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • Systems – include telephone, computer, internet and Wi-Fi systems, software and portals, accounts and/or networks belonging, controlled or used by SSC that are used to transmit, undertake and/or receive communications or are otherwise used in the course of SSC’s business.