Privacy Policy

1. WHO ARE WE?

We are St John of God Hospital CLG (“SJOGH CLG”) with an address at Granada, Stillorgan Road, Stillorgan, Co. Dublin. We are part of the St John of God Hospitaller Services Group, which has its headquarters in Rome.

St John of God Hospital CLG is the data controller who determines the purposes and means of the processing of personal data for both St John of God Hospital and St Joseph’s Centre Shankill. Personal data may be collected directly by our staff, but in some circumstances by medical consultants, or other healthcare professionals who are involved in your treatment.

SJOGH CLG provides mental health services to private and public patients in Ireland. St Joseph’s Shankill provides person-centred care to our residents living with dementia-specific needs. A copy of their privacy notice can be read at St Joseph’s Shankill | Dedicated to dementia care.

This notice sets out the basis on which any personal data we collect from you, or from others, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

For Data Protection related queries, our Data Protection Officer can be contacted by:

Email: DPOHosp@sjog.ie

Post: Data Protection Officer, St John of God Hospital, Stillorgan, Co. Dublin, A94 FH92

2. WHAT PERSONAL INFORMATION DO WE COLLECT FROM YOU?

We have set out below the types of personal and special category data which SJOGH CLG may collect.

“Personal data” means any information relating to you which allows us to identify you, such as, your name, contact details, payment details and information about your use of the Hospital’s services. Personal data does not include data where the identity of the individual has been removed, i.e., anonymous data.

“Special category data” refers to more sensitive personal data which requires a higher level of protection, such as data relating to your health, religious beliefs, or political opinions. This sensitive data can only be processed under strict conditions.

Category

Personal Data Processed

Personal Data

Patient Details

When you become a patient of the Hospital and throughout your time as a patient, we will collect:

  • Full Name

  • Address

  • Contact details

  • Date of Birth

  • Gender

  • Marital status

  • PPS Number

  • Patient Number

  • Next of kin contact details/Emergency contacts

  • Family support service provision

  • Financial information

  • Information shared during treatment which may include third party data

  • Photograph

  • Admission/discharge to SJOGH and other services.

Next of Kin/Visitors Details

If you are one of our patients’ next of kin or a visitor of the Hospital, we may collect:

  • Name

  • Phone Number

  • Address

  • Email Address

Referrer & General Practitioner Details

Where an individual is referred to our services, we may collect:

  • Name

  • Contact details

  • Address/Practice address

  • Relation to patient

Financial and Insurance Details

Where you are a patient of the Hospital, we may collect:

  • Bank Details

  • Insurance Policy Details

Website User Details

When you access our website, we may collect:

  • IP address

  • Device type

  • Browser type

Fundraiser Details

Where you choose to become a donor or fundraiser:

  • Name & Contact details

  • The event which you may have attended

  • Payment details

Communications Data

Where you correspond with us by phone, e-mail, via our websites, or social media pages, we may collect:

  • Name & Contact details

  • Details in relation to your feedback/query/comment/complaint

Cookie Data

Where you accept cookies on our website, we will collect:

  • Your cookie preferences

  • Duration of your visit

  • Pages visited

It is never our aim to identify any one individual through the collection of cookie data.

Job Applicants Details

Where you apply for a position at SJOGH CLG, we will collect:

  • Information contained in CVs

  • Names

  • Address & Contact details

  • Employment History

  • Education and Qualification details

Supplier Details

Where suppliers provide us with services, we will collect:

  • Name

  • Business address & Contact details

  • Billing payment details

CCTV Data

Where you are a patient, visitor or an employee of the Hospital we may collect:

  • Images and Recordings of you entering/on the premises

Special Categories of Data

We will only collect and process special categories of data where it is necessary to provide you with the services you require and as part of a contract with health professionals.

Health & Medical Details

When you become a patient of the Hospital and throughout your time as a patient, we will collect:

  • Clinical and Consultation notes

  • Medical records

  • Medication information

  • Information which you inform us of, throughout the course of providing healthcare services

3. WHAT INFORMATION ABOUT YOU DO WE OBTAIN FROM OTHERS AND WHERE DO WE GET THIS INFORMATION?

When you use our healthcare services, we may obtain some of the above categories of personal data, such as, reasons for referral, medical history and medications information, contact details, etc. from others, including:

  • Other hospitals and service providers (where you are being referred to us from another hospital or service provider)

  • Your referring GP or your consultant 

  • Your family members, carers and/or next of kin

4. PURPOSES FOR COLLECTION AND OUR LAWFUL BASES FOR PROCESSING

In most cases, we collect information from you for the primary purpose of providing care and treatment to you and for associated administrative processes, for example, arranging payment for the services. Your personal data will be processed as part of our contract with you to provide you with these services. We are also obliged to record certain patient information under the Mental Health Act 2001 approved centre regulations.

The processing of special category data may also be necessary for reasons of public interest in the area of public health. If the purpose of the processing is for a reason other than the reasons outlined, we will seek explicit consent to process your special category personal data.

Below we have outlined what we do with your personal data, why we do it (the purpose) and our legal basis for processing.

Process

Why We Do It

Personal Data Involved

Our Legal Basis

Collect pre-admission information from your GP or consultant in the context of a referral

To carry out the referral process

  • Patient Details

  • Health & Medical Details

  • Referrer & GP details

Performance of a Contract

Add you to our waiting lists

So that we can offer you or your loved one a place as soon as one becomes available.

  • Patient Details

  • Next of Kin Details

  • Insurance Details

  • Health & Medical Details

Performance of a Contract

Contact you in relation to queries and appointments

To ensure your queries are answered and that you are kept up to date about upcoming visits.

  • Patient Details

  • Next of Kin Details

  • Insurance Details

  • Health & Medical Details

Performance of a Contract

Manage admissions and bookings

This is necessary for hospital administration & admission and to provide you with the healthcare you wish to receive.

  • Patient Details

  • Next of Kin Details

  • Health & Medical Details

Performance of a Contract

Protection of Vital Interests

For the provision of Health, Social Care, Treatment, and Management of our Services.

Insurance and payment

To verify insurance cover with the patient’s insurer or other third party responsible for the payment of treatment.

  • Patient Details

  • Financial and Insurance Details

Performance of a Contract

Generate invoices

Following completion of your treatment, medical records are used to ensure that you are billed correctly.

  • Patient Details

  • Financial and Insurance Details

Performance of a Contract

Manage and deliver your care and treatment

To provide care and treatment to you.

  • Patient Details

  • Health & Medical Details

Performance of a Contract

For the provision of Health, Social Care, Treatment, and Management of our Services.

Legal Obligation – Mental Health Act 2001

Document your data during your treatment and time as a patient

To maintain up-to-date clinical records regarding each patient’s treatment on our various systems. Our healthcare professionals may use a digital dictation system to facilitate this process.

  • Patient Details

  • Health & Medical Details

For the provision of Health, Social Care, Treatment, and Management of our Services.

Generate prescriptions and ordering medication

To accurately prescribe and administer medication required as part of each patient’s treatment.

  • Patient Details

  • Health & Medical Details

For the provision of Health, Social Care, Treatment, and Management of our Services.

Handover Sheets

To document patient wellbeing, progress, and status to assist and facilitate handovers among Hospital staff during shift changes.

  • Patient Details

  • Health & Medical Details

For the provision of Health, Social Care, Treatment, and Management of our Services.

Conduct multi-disciplinary team meetings

To discuss patient treatments, diagnoses, etc., with healthcare specialists to ensure patient treatment is based on best practice.

  • Patient Details

  • Health & Medical Details

For the provision of Health, Social Care, Treatment, and Management of our Services.

Transfers to other or alternative healthcare providers

If you engage with an alternative healthcare provider, we will provide a copy of your clinical record to you or the alternative healthcare provider (on your behalf).

  • Patient Details

  • Health & Medical Details

For the provision of Health, Social Care, Treatment, and Management of our Services.

Patient discharge

To draft relevant discharge documentation and communicate with your referring GP or consultant in order to facilitate the provision of ongoing healthcare.

  • Patient Details

  • Health & Medical Details

For the provision of Health, Social Care, Treatment, and Management of our Services.

Carry out patient satisfaction surveys

To ensure patient satisfaction or manage areas of dissatisfaction.

  • Patient Details

  • Details about experiences

Our Legitimate Interests

Manage and investigate complaints

Where you make a formal complaint, we will use your data to investigate the complaint and carry out our formal complaint procedure.

  • Patient Details

  • Details about experiences

Our Legitimate Interests

Carry out health research studies

To help develop understanding about health risks and causes to develop new treatments.
All applications to carry out health research studies must first receive approval from our Research Ethics Committee.

Health & Medical Details

Your Explicit Consent or in accordance with the HRR.

Carry out Retrospective Chart Review studies

To help develop understanding about health risks and causes to develop new treatments.
If your records and data are to be used for a Retrospective Chart Review, your personal data will be protected by being fully anonymised or given a unique code so that your name does not appear alongside the information or in any of the results of the research. Any findings from a study that are published will not identify you. Any such study will be reviewed and approved by a research ethics committee prior to commencement.

Health & Medical Details

Our Legitimate Interests

Public Interest, Scientific, Historical Research Purposes

Conduct clinical audits

To improve and advance treatment and care and to ensure best practice and for quality assurance and improvement purposes.
If your records/data are to be used for activities such as clinical audit and quality improvement, all information will be anonymised meaning that it cannot be traced back to any service user.

Health & Medical Details

Our Legitimate Interests

CCTV recording

For security and health and safety purposes.

CCTV Data

Our Legitimate Interests

Communicate with you as part of our relationship with you or as per our contract with you as a supplier

  • To set you up as a supplier on our systems.

  • To ensure payment of our invoices.

  • To liaise with you about projects that we are undertaking with you.

Supplier Details

Performance of a Contract

Carry out fundraising and marketing activities

To keep you up to date with events and other news.

  • Fundraising Data

  • Communications Data

Your Consent

Process job applications

To determine if you’re the right fit for an open role.
We use a third-party service provider to manage our recruitment process.

Job Applicant Details

Our Legitimate Interests

5. OUR WEBSITE

When visiting our website, we will not attempt to identify you as an individual user or collect personal information from you.

We may sometimes include links to third-party websites on our website. We are not responsible for the content or privacy practices employed by websites that are linked from ours.

With your permission, our website uses certain cookies including analytics cookies. With regard to analytics cookies, we are committed to using this cookie information in the most privacy-centric way possible, meaning that we will never combine analytics cookie data for other purposes such as targeted advertising, marketing, tracking or profiling individuals and/or to track you across devices, browsers, or through your Google account. We have set analytics cookies to the most basic setting which simply allows us to understand basic insights about how individuals interact with our website.

For further information, our cookie policy can be accessed here.

6. WHO DO WE SHARE THIS INFORMATION WITH?

We will only use or share your personal information for the primary purposes for which it was collected, for directly related secondary purposes which you might reasonably expect (or that we have told you), or as required or permitted by law. We may also share your personal data with our selected business associates, suppliers and contractors (data processors) to provide you with our services. This may include, for example:

  • Medical Professionals including your GP, occupational therapists, dentists, dieticians, opticians and other carers.

  • Our Pharmacy Partners

  • Our Catering Services

  • Our Accounting Software Providers

  • Our Digital Dictation System Providers

  • Our Online Psychometric Assessment Providers

  • Our Electronic Patient Health Record Providers

  • Our Incident Management Platform

  • Our Recruitment Platform Providers

  • Our Web Hosting Providers

  • Our Analytics Cookie Provider (this information will not identify you).

  • Our Storage and Archiving/Shredding Providers

  • Our Professional Advisers, such as legal advisors, insurance advisors, etc. 

  • Your Insurance Company, where you have given us the details to pay for your treatment.

In addition, we may disclose your personal information:

  • If we are under a duty to disclose your information in order to comply with a legal obligation or where there is a requirement to report to a statutory agency, for example:

    • To the Mental Health Commission 

    • To HIQA

    • The Irish Medicines Board

    • To the Revenue Commissioners

    • To Tusla

    • The Gardaí or other law enforcement agencies

  • As part of a project with other companies in the St John of God Hospitaller Services Group.

  • Where the healthcare professional reasonably believes the use or disclosure of your personal data is necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety.

  • In order to enforce or apply our terms of use and other agreements, or to protect our rights, property, or safety, or those of our customers or others. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

  • In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.

  • If we, or substantially all of our assets, are acquired by a third party, information held by us about our customers and service users will be one of the transferred assets.

7. TRANSFERS OUTSIDE OF THE EUROPEAN UNION OR EUROPEAN ECONOMIC AREA

In limited circumstances, we may need to transfer your personal data outside of the European Economic Area (EEA). For example, where the recipients of personal data described in Section 6 are located in countries outside of the EEA.

In such cases, we will ensure that any transfer of your personal data to countries outside the EEA is subject to appropriate safeguards, meaning that your personal data will receive the same level of protection as within the EEA and under the principles set out in this Privacy Notice. We will rely on the following safeguards:

  • Adequacy Decisions 

  • European Standard Contractual Clauses (“SCCs”)

  • In limited circumstances, where the transfer is permitted by applicable data protection laws. 

The European SCCs are contractual clauses approved by the European Commission that ensure appropriate data protection safeguards when personal information is transferred from the EEA to third countries. They can be viewed here.

8. HOW LONG DO WE KEEP HOLD OF YOUR INFORMATION?

The time periods for which we retain your information depend on the type of information and the purposes for which we use it. We will keep your information for no longer than is required or permitted.

To determine the appropriate retention period for personal data, we firstly consider applicable legal requirements or whether any statutory retention periods apply. We also consider the volume, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of the information, the purposes for which we process the data and whether we can achieve those purposes through other means. Additionally, we have a Policy and Schedule in relation to the Retention of Records that aligns with the HSE 2013 Retention Schedule and other industry standard guidelines.

9. AUTOMATED DECISION–MAKING AND PROFILING

SJOGH CLG does not carry out Automated Decision Making or Profiling activities.

10. WHAT ARE YOUR RIGHTS WITH RESPECT TO YOUR PERSONAL DATA?

You have the following rights:

  • The right to request a copy of and access the personal data we hold about you.

  • The right to request us to rectify any inaccurate personal data about you without undue delay. 

  • The right to request that we erase any personal data we hold about you in circumstances, such as, where it is no longer necessary for us to hold the personal data or, in some circumstances, if you have withdrawn your consent to the processing.

  • The right to object to the processing of personal data about you, such as processing for profiling or direct marketing purposes.

  • The right to ask us to provide your personal data to you in a portable format or, where technically feasible, for us to port that personal data to another provider provided it does not result in a disclosure of personal data relating to other people.

  • The right to request a restriction of the processing of your personal data. 

  • The right to withdraw your consent where you have previously provided it for certain purposes. This will not affect the lawfulness of the processing prior to your withdrawal. 

You may exercise any of the above rights by contacting the DPO using the details set out at Section 13.

You also have the right to lodge a complaint with your local supervisory authority with respect to our processing of your personal data. The local Supervisory Authority in Ireland is the Data Protection Commission. The website is www.dataprotection.ie

HOW TO MAKE A DATA SUBJECT ACCESS REQUEST 

Requests for access to personal data should be made to the Data Protection Officer or the Medical Records Officer. To ensure that we can action your request as quickly as possible, we ask that you include the following information in your request:

  1. Identify the records or information that you require.

  2. Provide full personal contact details.

  3. Provide a copy of one form of identification, i.e., passport or driving licence.

If you are making a request on behalf of another individual, we will require written authority from that individual in order to release their records to you.

11. FUNDRAISING AND MARKETING MESSAGES

If you have opted in to receive marketing communications from SJOGH CLG, we will use the details you provide to us to send you updates on upcoming events, fundraisers, etc., happening at SJOGH.

You have the right to ask us not to process your personal details for such purposes and you can change your mind and ‘opt out’ of receiving marketing updates at any time.

HOW TO OPT-OUT

To do so, simply click the ‘unsubscribe’ button located at the bottom of any email which you receive from us.

Alternatively, send us an email, writing “unsubscribe” in the subject heading to DPOHosp@sjog.ie 

Please note that opting out of marketing messages will not stop service communications.

12. WHAT WILL HAPPEN IF WE CHANGE OUR PRIVACY NOTICE?

This notice may change from time to time, and any changes will be posted on our site and will be effective when posted. Please review this notice each time you visit our website or use our services. This notice was last updated in September 2024.

13. HOW CAN YOU CONTACT US?

For Data Protection related queries, our Data Protection Officer can be contacted by:

Email: DPOHosp@sjog.ie

Post: Data Protection Officer, St John of God Hospital, Stillorgan, Co. Dublin, A94 FH92

14. CORONAVIRUS AND DATA PROTECTION

All measures taken in response to Coronavirus involving the use of personal data, including health data, will be necessary and proportionate. Where SJOGH CLG is acting on the guidance or directions of public health authorities, or other relevant authorities, Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 will permit the processing of personal data, including the sharing of limited health data (e.g. reporting results of Coronavirus testing, personal data in relation to the provision of vaccinations to staff, list of staff vaccinations), once suitable safeguards are implemented. Such safeguards may include limitation on access to the data and strict time limits for erasure.

Employers will also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended). This obligation, together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so.