Data Protection Statement
1. Who we are
St Paul’s Child and Family Care Centre DAC (hereafter referred to as ‘St. Paul’s’, ‘we’, ‘us’ or ‘our’) is a registered charity (RCN: 20055905) providing services for children diagnosed with autism and associated learning/intellectual disability.
Children receive overnight and day respite care either in one of our three community houses or in our day service. Additionally, St. Paul’s provides comprehensive health, social care, and support services for the well-being of the children and their families.
St. Paul’s is a funded agency under Section 39 of the Health Act 2004. We may be contacted:
By telephone
By email
By post
St. Paul’s Child and Family Care Centre,
Beaumont Woods,
Beaumont Road,
Dublin 9,
D09 XN88.
This Privacy Statement demonstrates our commitment as a data controller to comply with the EU General Data Protection Regulation (GDPR) and the Data Protection Laws.
We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of our clients, service users, visitors and staff.
We regularly review and update internal policies and procedures, conduct risk assessments (DPIA) and implement controls to mitigate the risk to your personal data, including protecting against theft, accidental loss, unauthorised access or alteration, erasure, use or disclosure.
We have appointed a Data Protection Officer (DPO) to oversee our compliance with our data protection obligations. If you have questions regarding our data protection practices, please do not hesitate to contact the DPO:
By email
By post
Data Protection Office,
St. Paul’s Child and Family Care Centre,
Beaumont Woods,
Beaumont Road,
Dublin 9,
D09 XN88.
By phone
2. About this Notice
The notice outlines:
- Your personal data that we collect and process;
- The purposes for processing your data;
- Who we share your personal data with;
- How long your data will be kept for;
- Your data protection rights and how you can exercise them;
- How to contact the Data Protection Officer.
3. Your personal data that we collect and process
Personal data means any information that relates to an individual. As a healthcare provider, St Paul’s needs to collect various categories of personal data about our patients, their family, carers, and members of the public.
Your personal data is collected in a number of ways. It may come from a referral from your GP or from another healthcare professional you have seen or who has referred you to our service. We also collect your data in person, over the telephone, during the completion of your needs assessment or during your first appointment.
Your personal data will be collected by the staff at the beginning of and during the course of your care with us and will be held securely in your personal record.
Personal data we may collect includes:
- Your name and contact details;
- Parent/Guardian name and contact details;
- Main Carer - name and contact details;
- School – name and contact details;
- GP – name and contact details;
- Referral Source (e.g., GP details);
- Health related information;
- Psychiatry, Psychology, Speech Language Therapy, Occupational Therapy and Social Worker notes;
- Medication (e.g., Kardex prescription record, medication records);
- Child Protection and Welfare reports;
- Person Centred Plan;
- Racial or ethnic origin;
- Lifestyle and dietary requirements e.g. food preferences;
- Research and audit data;
- Service user feedback, enquiries, log of calls, complaints received, adverse occurrence information;
- Photographs, audio and videos of service users and / or family members (Provision of explicit consent is required so that we may process films, photographs, video recordings);
- Religious affiliation.
Some data such as health data, genetic data, racial or ethnic origin are defined as special categories of personal data, requiring additional conditions to lawfully process them.
We review our processing activities to ensure:
- We only collect personal data that is necessary to fulfil our objectives;
- The confidentiality of your data is maintained; and
- Your personal data is stored in a secure manner.
4. Purposes for processing your data
We use your personal data to manage and deliver your care (Direct Care) so that
- The right decisions are made about your care;
- Your treatment is safe and effective; and
- We can coordinate with other organisations that may be involved in your care.
This is important because having accurate and up-to-date information will assist us in providing you with the best possible care.
In addition to using the data to provide for your care, this data is also used to improve services and plan for the future (Indirect Care) by:
- Evaluating and improving service user safety;
- Reviewing the care provided to ensure it is of the highest standard possible, improving individual diagnosis and care. This can be carried out by multiple quality improvement methods e.g. clinical audit;
- Training healthcare professionals;
- Ensuring that our services can be planned to meet the future demand;
- Preparing statistics on hospital performance and monitoring how we spend public money;
- Supporting the health of the general public e.g. Influenza, winter vomiting bug.
The activities listed above are part of the normal delivery of care and under GDPR your consent is not required. However, we recognise our duty to always keep your data secure and confidential and, where appropriate, we de-identify your data when using it for improvement.
We also use your personal data to:
- Contact you, your family and carers to send messages for appointments and follow-up care;
- Prevent or lessen a serious and/or imminent threat to somebody’s life, health or safety or to public health or public safety;
- Investigate complaints;
- Manage our administrative and business functions;
- Respond to requests from public bodies, agencies or the Gardaí;
- Carry out audits and compile statistics;
- Maintain safety and security across our premises;
- Defend against any legal claims or action;
- Meet our legal obligations including to process insurance claims.
5. Legal Basis
Legal Basis under General Data Protection Regulation (EU) 2016/679 and Data Protection Act 2018
To manage and deliver your care (Direct Care)
To improve services and plan for the future (Indirect Care)
- Article 6(1)(c) GDPR – ‘processing necessary for performance of contract’ with the data subject, or Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’, or Article 6(1)(f) – ‘processing is necessary for the purposes of legitimate interests’.
- Article 9(2)(h) GDPR – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’ or Article 9(2)(i) – ‘processing is necessary for reasons of public interest in the area of public health, such as…ensuring high standards of quality and safety of health care…’
- Data Protection Act 2018, Section 52(1)(a) – ‘for the purposes of preventative or occupational medicine’, Section 52(1)(d) – ‘for the provision of medical care, treatment or social care’ and/or Section 52(1)(e) – ‘for the management of health or social care systems and services’, which allows patient information to be used for clinical audit provided that appropriate measures are taken to safeguard the fundamental rights of the data subject. Data Protection Act 2018, Section 53(b) – ‘ensuring high standards of quality and safety of health care’.
To understand and develop new treatments and techniques (Research)
Where we rely on consent as the legal basis for processing, you can withdraw your consent at any time; this follows GDPR Art 6(1)(a), “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”; and Art 9(2)(a), “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes...”
In some circumstances, consent exemptions may be granted by the Health Research BN… HRBCDC (Health Research Regulations 2018).
Where we rely on the provisions of the Health Research Regulations 2021, personal data collected for the provision of health care may be used by the hospital for a retrospective chart review study but not disclosed to another person (a third party) unless such data is anonymised; any findings from the study that are published will not identify an individual whose personal data was used in the study, and the study will be reviewed and approved by a research ethics committee prior to commencement of the study.
6. Who we share your personal data with
In the provision of our services we share personal data with internal and external parties.
We disclose your information to the following:
- Medical Consultants and Health Practitioners employed by MMUH and engaged in your care such as Doctors, Psychiatrists, Psychologists, Social Workers, Nurses, Physiotherapists, Dieticians, SLT therapists, Occupational Therapists, Pharmacists, Persons-in-charge respite houses and Health Care Assistants.
- Other healthcare providers and social services that are involved in your care and education; (Schools including St. Paul’s Special School)
- MMUH, who provide support including Professional Services (Human Resources, Legal, Finance, Procurement, Information & Communications Technology) which underpin the arrangement we have with MMUH to manage the delivery of our services;
- Hardware and software vendors, such as medical device manufacturers, software providers and data backup and recovery providers;
- Authorities and bodies where required or permitted by law, e.g. An Garda Síochána, HIQA, the HSE, TUSLA, the State Claims Agency and the Health Protection Surveillance Centre (HPSC).
We may share your personal data with third parties that provide services to you and to your families. Third parties that process your data on our behalf are required to enter into a Data Processing Agreement (DPA) with us to ensure that data processing is conducted in line with our instructions and data protection obligations.
7. How do we store your data?
St. Paul’s stores your personal data in your personal Chart, in your Person Centred Plan, and in computer systems such as email records or secure computer files. Computer systems facilitate communication among clinicians, staff, and management for administration and service delivery.
Measures are in place to safeguard data, including secure storage of paper records and technology including firewalls and encryption for electronic data. Staff have signed confidentiality agreements and follow access control procedures to ensure data security and limit access to those who need it.
8. How long do we keep your personal data?
We keep your personal data for as long as needed to satisfy the reasons it was collected for in the first place. We also keep your personal data as mandated by law or regulations, or to address any legal matters. Your data follows a set retention period which is based on HSE guidelines and, when it is no longer necessary, it will be securely disposed of or destroyed.
9. International Transfers
We do not generally transfer or process your data abroad. However, where personal data is transferred to a third country outside of the EEA, St. Paul’s will take additional steps in order to ensure that your personal data is provided with an adequate level of protection.
10. What are Your Rights?
You have rights over, and can control, how your personal data is used under the Data Protection Laws.
You can get more information on your data protection rights from the Data Protection Commission website: Your Rights under the GDPR
You have the right to do the following:
- Ask us to show you all the personal data we have about you.
- Ask us for a copy of your personal data. This is called a Subject Access Request (SAR).
- If you find something incorrect, you can ask us to correct it.
- Request the deletion of your personal data from our systems, but there are some situations where we may not be able to do this.
- If you disagree with why we're collecting or using your personal data, you can let us know.
- Ask us to transfer your personal data to another service provider in certain cases.
- If you've given us permission (‘consent’) to use your personal data and you change your mind, you can withdraw your permission.
- Lastly, if you believe we've broken data protection laws, you can file a complaint.
11. How to exercise your rights
You can exercise any of your rights, or make a Subject Access Request (SAR), by contacting us:
By post
Data Protection Office,
St. Paul’s Child and Family Care Centre,
Beaumont Woods,
Beaumont Road,
Dublin 9,
D09 XN88.
By email
By phone
If you contact us we may ask you to confirm who you are. This is to help protect your privacy.
12. Exercising your right of access to your personal data
You can request a copy of your personal data from us by letter, by email, by phone or by visiting in person.
We will need to collect the following details:
- Identification Information (first name, surname, date of birth);
- Contact Information (Phone Number, email Address, postal address);
- Details of the records you are requesting.
For confirmation of your identity:
- A photocopy or scan of your passport; and
- If necessary the authorisation of a parent or guardian.
How long will it take to process your request?
We plan to provide your records within a calendar month or sooner, but sometimes it might take longer. When we start working on your request, we'll send you a letter to let you know how long it might take.
Usually, it's free to get a copy of your records but there are a small number of exceptions where we might need to charge a fee.
Can somebody else access your records?
We'll only share your records with another person if we have your permission or your parent/guardian's permission. To do this, follow the steps mentioned earlier and send us a letter signed by you, saying you give permission for the release of your personal data. We may also contact you to confirm the request.
Submitting Your Request
You can submit your request:
By post
Data Protection Office,
St. Paul’s Child and Family Care Centre,
Beaumont Woods,
Beaumont Road,
Dublin 9,
D09 XN88.
By email
The Data Protection Office can also help you to complete your request over the telephone (+353 (0)1 837 7673) if required. If you contact us we may ask you to confirm who you are. This is to help protect your privacy.
13. Other Privacy Notices
We employ CCTV cameras in our facilities to ensure the safety and security of our staff, patients, visitors, and others. This includes managing safety and monitoring for any offences or misconduct. Typically, we keep recorded footage for 30 days.
The Privacy Notice in relation to our Cookie Policy is available at St. Paul's Children's Services - Privacy & Cookies
14. How to contact Our Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our compliance with our data protection obligations. If you have questions regarding our data protection practices, please do not hesitate to contact:
By email
By phone
By post
Data Protection Office,
St. Paul’s Child and Family Care Centre,
Beaumont Woods,
Beaumont Road,
Dublin 9,
D09 XN88.
15. Complaints in relation to Data Protection
If you would like to make a complaint, in the first instance please contact our Data Protection Officer (contact details above).
If you are unhappy with how we deal with your complaint or how we have dealt with your request to exercise your rights in relation to your personal data, you always have the option to complain to the Data Protection Commission directly:
By email
By phone
By post
Data Protection Commission,
21 Fitzwilliam Square South,
Dublin 2,
D02 RD28.
Website
16. Changes to this notice
Where changes to this Privacy Statement occur, the updated version will be published on our website www.stpaulschildrensservices.ie and will be available at our office and respite houses.