A notice about cookies

This website uses cookies. Some cookies may have been set already. To find out more about our use of cookies you can visit our Privacy policy. By browsing this website, you agree to our use of cookies.


This is a prototype - your feedback will help us to improve it.

Organisation Information

Department of Health Privacy Policy

Published: 5 June 2019
From: Department of Health

The Department of Health

The role of the Department of Health (‘the department’) is to serve the public and support the Minister for Health, Ministers of State and the government.

The department’s mission is to improve the health and wellbeing of people in Ireland by:

  • keeping people healthy
  • providing the healthcare people need
  • delivering high quality services
  • getting best value from health system resources

The department is the data controller of all data which it collects from members of the public, healthcare professionals, State agencies under the aegis of the department, or other public bodies.

Purpose of Privacy Statement

This Privacy Statement is a statement of the department’s commitment to protecting personal data and individuals’ rights and privacy afforded by the General Data Protection Regulation (‘the GDPR’) and the Data Protection Acts 1988 to 2018.

Principles of Data Protection

The department is committed to adhering to the following principles of data protection:

  • personal data will be obtained and processed lawfully, fairly and transparently
  • personal data will be obtained for specific, explicit and legitimate purposes, and will not be used in a manner which is incompatible with those purposes
  • personal data collected and used will be adequate, relevant and limited to what is necessary to the purposes for which they are processed
  • personal data will be kept accurate, complete and up to date
  • personal data will be retained for no longer than is necessary
  • personal data will be processed in a secure manner

What is Personal Data?

Personal Data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identified or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Protection Officer

The department has appointed a Data Protection Officer (‘DPO’) whom you may contact if you have any questions or concerns. The DPO’s role is to improve accountability, monitor compliance and raise awareness of data protection within the department. The DPO is also the point of contact for members of the public and the Data Protection Commission (‘the DPC’).

The Data Protection Officer’s contact details are below

Data Protection Officer, Department of Health

Purpose and Legal Basis for Processing

The department needs to process certain personal data to carry out the tasks required for the performance of its functions and to comply with certain legal obligations. We also process personal data received from members of the public who contact us so that we can provide them with the services they require.

Processing of Information takes place for the following purposes:

  • processing data necessary to monitor and evaluate performance of the health care system;
  • processing necessary to meet obligations provided for in legislation
  • processing data to promote and implement departmental policies relating to health promotion and awareness, health research activities, patient safety initiatives and other programmes run by the department
  • processing relating to discovery of records, access to the institutional and related records (AIRR), statutory committees of investigation and litigation
  • processing in relation to health sector human resources policies and processes and appointments to Boards and committees
  • processing necessary to perform the department’s leadership role including governance/oversight of agencies under the aegis of the department
  • processing necessary to respond to queries and requests for information from patients/family members, members of the public, third parties such as solicitors, elected representatives, interest groups and other stakeholders
  • processing necessary to communicate with a wide range of stakeholders including media, members of the public and public consultations
  • processing necessary to meet the department’s obligations to the Oireachtas, such as replies to parliamentary questions and briefing for Oireachtas committees
  • processing necessary to fulfil cross government/agency commitments in relation to strategy implementation and whole of government projects
  • processing personal information to fulfil the department’s EU/international role on health-related issues
  • processing necessary to make payments and undertake audits
  • processing arising from procurement/contractual agreements with service providers
  • processing necessary to meet the department’s obligations under the Freedom of Information, Data Protection and Protected Disclosures legislation

Most of the personal data processing by this department is carried out for the performance of the Minister’s functions or in the public interest. In addition, personal data is processed by the department in compliance with certain legal obligations to which the department is subject.

The department may also process personal data in accordance with certain contracts it has put in place and, in limited circumstances, where it has a legitimate interest in processing certain data, for example audit purposes.

In very limited circumstances the department will process personal data on the basis of the individual’s consent. This includes data relating to health research activities.

What types of personal data are collected by the department?

In order to perform its functions, the department needs to collect many categories of personal data.

While the types of personal data processed may change depending on the purpose, the general categories of personal data collected and the reasons for collecting the data are set out in the following table.

    Reason Categories of Personal Data Collected
    Patient Safety Issues and Notifications May include name, gender, date of birth, address, medical condition, name of GP/consultant, attending hospital
    Processing purposes to meet the specific obligations under legislation May include contact and location information, medical condition and in relation to health professionals, identification/registration number, and information on qualifications
    Public Correspondence Name, gender, date of birth, address, medical condition, name of GP/consultant, attending hospital, other details provided by members of the public in correspondence with the department
    Public Consultations Contact details as well as personal beliefs and opinions volunteered by members of the public, including media
    Parliamentary Questions and Representations made by Elected Representatives Name, gender, date of birth, address, medical condition, name of GP/consultant, attending hospital, other details provided by members of the public to the elected representative
    Health Promotion and Awareness Campaigns and Other Research Activities, Patient Safety Initiatives and Other Programmes Contact details and other personal information requested from or provided by members of the public/healthcare providers, survey participants
    Contact/Information Purposes Contact details such as name, address, telephone and email address of officials in agencies under the aegis of the department, other healthcare providers, representative bodies, interest/lobby groups, media, research bodies and third level institutions, other government departments/agencies and EU/international bodies
    Litigation/Statutory Committees of Investigation Personal data, including contact details and medical and family history, contained in records relating to litigation/statutory committees of investigation, in which department is involved. In some instances financial details necessary to facilitate payments
    Processing purposes under FOI, Data Protection, Protected Disclosures and other legislation Contact details such as name, address, telephone and email address, occupation
    Committee/Board Appointments Contact details such as name, address, email, telephone number, information relating to educational and work experience
    Information relating to certain human resources policies/Recognition of Professional Qualifications Education, work experience and contact data including identification number relating to health sector staff

Please note that the information listed above may be used for another one or more purpose, as outlined in the section dealing with Purpose and Legal Basis for Processing.

How does the department collect Personal Data?

Directly from individuals

The department collects personal data directly from members of the public, patients and their family members and third-party representatives such as Solicitors, and lobby/interest groups. This data may be received by phone, email or written correspondence. It may also be obtained through public consultations.

Elected Representatives

Personal data is also obtained from elected representatives representing a constituent or his/her family member who is seeking information or a service on behalf of the constituent.

Healthcare Providers

Personal data relating to healthcare providers is also held in the department. This includes information relating to service providers and their representative bodies, agencies providing services in the healthcare sector and information held on healthcare professionals in relation to specific schemes.

State Agencies

The Health Service Executive and other State agencies under the aegis of the department disclose data to the department in the performance of their functions. Information includes data required to support the management of the service in question, governance activities, appointments to Committees/Boards, information relating to human resources policies and procedures, information relating to legal cases against the State and contact details for mailing lists etc.

The list of State agencies under the aegis of the department is available here.

Other Public Bodies

The department liaises with a wide range of government departments and agencies in order to perform its functions, for example:

  • information regarding legal cases is received from the Chief State’s Solicitors Office, the State Claims Agency, Tribunals of Inquiry etc
  • information received from Public Appointments Service (PAS) relating to candidates for Board appointments at State agencies to the department for consideration by the Minister
  • information from third level institutions, research agencies, EU/international bodies relating to the performance of the functions of the department

Who does the department share personal data with?

In some instances, personal information held by the department is shared with other government departments/agencies to enable the department to perform its functions. In such cases the disclosure is made in a manner consistent with the original purpose for which the information was provided.

What are my rights under Data Protection Legislation?

You have certain rights available to you in relation to personal data held by the department. However not all rights listed are applicable in every circumstance. These rights are outlined below and can be exercised by contacting the Data Protection Officer, as detailed above, indicating which right(s) you wish to exercise.

  • right to access your data
  • right to have inaccuracies corrected
  • right to have information erased
  • right to restriction of processing
  • right to move your data (data portability)
  • right to object to processing
  • right to withdraw consent if you previously gave consent in relation to processing of personal data
  • right not to be subject to a decision based solely on automated processing, including profiling
  • right to lodge a complaint with the Data Protection Commission

How do I access my personal data?

To obtain a copy of your personal data held by the Department of Health, please complete a Subject Access Request form The completed form, along with some photographic identification (passport/driver’s licence) should be returned to the address below:

Data Protection Officer, Department of Health
Address: Block 1, Miesian Plaza, 50-58 Lower Baggot Street, Dublin, D02 XW14
Phone: 016354476
Email: DPO@health.gov.ie

The information requested will be provided within one month of the date of receipt of the request by the department.

There are a small number of circumstances in which the right to access personal data may be limited. For example, data subjects do not have a right to see communications between the department and its legal advisers where it would be subject to legal privilege in court. The right of access to information relating to other people is also curtailed.

Right to make a complaint

You have the right, if you are unhappy with how we have delivered on our obligations, to make a complaint at any time to the Data Protection Commission. You can contact the Commission at:

The website of the www.dataprotection.ie

Data Protection Commission
Address: 21 Fitzwilliam Square South, Dublin 2, Ireland, D02 RD28
Phone: 0761104800
Email: info@dataprotection.ie

Changes to this Privacy Statement

Our Privacy Statement may change from time to time. If we make any changes we will post those changes here and the “Version Control” page at the back of this Privacy Statement.

Version Control

    Version Date Changes made by Details
    1.0 24 May 2018 DPO First version of Privacy Statement
    2.0 1 August 2018 DPO Second version of Privacy Statement
    3.0 1 March 2019 DPO Third version of Privacy Statement
    4.0 12 August 2019 ROC Fourth version of Privacy Statement – change contact details for DPO/Unit