Public Health - Data Protection Information Notice

Data protection is the safeguarding of the privacy rights of individuals in relation to the use of personal data. All staff working across the six HSE Departments of Public Health must use personal data about service users, employees, suppliers and other people lawfully and fairly.

All staff working in the HSE Departments of Public Health are legally required under EU GDPR and Irish legislation to ensure the security and confidentiality of all personal data they collect and use on behalf of service users and employees. Data Protection rights apply whether the personal data is held in electronic format or in a manual or paper-based form. Staff breaches of data protection regulation may result in disciplinary action.

One of our main roles is to investigate and control serious infectious diseases to protect you, your family and your community – in fact the whole population. Public Health staff keep records about the investigations carried out by the Department of Public Health team. These include medical records, which help to ensure that you receive the best possible protection of your health. Information is written down in paper or electronic records and kept safely.

Your records are used to guide and manage the protection of health you receive so that:

• Public Health professionals involved in health protection control serious infections as quickly and effectively as possible
• With your permission, appropriate information may be made available to another health professional. There is an accurate basis for protecting your health and that of others

There are very strict regulations controlling access to the data you supply to us. All Department of Public Health staff are bound by confidentiality and are only granted access to your data on a need-to-know basis in the performance of their duties under the Health Acts 1947, 1953 and 2004 and under the Infectious Diseases Regulations 1981. We may also collect data under the Health (Duties of Officers) Order 1949.

• Our staff are trained on good information governance and complete mandatory GDPR and Information security training
• We maintain and update annually a Record of Processing Activity across each Department (ROPA)

A log is maintained on all data protection incidents and breaches are reported to the Deputy Data Protection Officer in line with GDPR regulations

Public Health Investigation: what do we need from you

In the event of an infectious disease investigation, staff from the HSE’s Departments of Public Health may need to seek access to relevant personal data on staff, students, children, employees or other individuals in direct contact with your facility under Medical Officer of Health legislation.

Investigation, prevention of spread and control of notifiable infectious diseases are statutory functions and we need information to carry out these functions. The HPSC has a list of diseases that are notifiable by law.

There is a statutory duty for persons to provide such information to MOHs or staff working with them under Regulation 19 of the Infectious Diseases Regulations 1981.

Article 6.1(c, d & e) and Article 9.2(i) of GDPR allow for processing data necessary for reasons of public health.

Names, addresses, dates of birth, GP details and contact details such as mobile

and telephone numbers. In the case of children, parents’ contact details are also required, and any other data that is necessary or desirable for the investigation and control of the infectious disease.

There are very strict regulations controlling access to the data you supply to us. All HSE staff are bound by confidentiality and are only granted access to health data on a need-to-know basis. In addition, data acquired under MOH legislation are only accessed by those working under MOH legislation

The data you provide to us are not shared with anyone other than the public health investigation team unless it is essential for your health protection or that of others. Under statutory obligations anonymised data are notified to the HSE’s Health Protection Surveillance Centre (HPSC).

All information you send to us regarding your facility will be held securely. The HSE, as an organisation, is registered with the Data Protection Commissioner and is governed by General Data Protection Regulation (GPDR) 2018.

The personal data you send us will be incorporated into a new medical record which must adhere to the HSE Standards and Practices for Medical Healthcare Records and retention periods. The length of time we hold onto this medical record can vary depending on the type of disease under investigation.