Privacy Statement
Last updated: Monday 20th December, 2021
Introduction
The Health Service Executive (HSE) as the Data Controller for the COVID-19 Appointment Scheduling System complies with all applicable data protection legislation. The purpose of this notice is, in the interest of transparency, to explain how the HSE needs to collect and use certain information about you when you need to book a COVID-19 test at one of our nationwide centres.
You can view our full Privacy Notice.
Lawful basis for processing
The HSE's lawful basis under the General Data Protection Regulation for processing personal data relating to the Appointment Scheduling System is as follows:
- The processing of personal data is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6.1(e) GDPR);
The HSE is responsible for providing health services in Ireland, including the prevention of infectious diseases.
The HSE can process special categories of health data for reasons of substantial public interest (Article 9.2.(g)), based on Irish legislation (Health (Amendment) Act 2021), and this processing is proportionate to the purposes pursued, respects the rights of the international traveller and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subjects.
What Personal Data we Collect
In order to provide the Appointment Scheduling System for COVID-19 testing to you it is necessary for the HSE to collect and process various categories of personal information about you. Only relevant data is recorded, for example, data that is necessary to identify you, book your appointment and pass these details to the COVID-19 Test Centre.
Personal data means any information relating to you which allows the HSE to identify you, such as your name & address, contact telephone number and email address.
The HSE Appointment Scheduling System for booking a COVID-19 test will collect and use the following personal data about you:
- First and last name
- Mobile telephone number
- Preferred test site
- Preferred time slot
- Date of birth
- Gender
- Eircode (optional) and address
- COVID-19 identifier and your IHI (Individual Health Identifier), if available
- Your IP address
- Information about your use of this System
- Positive Antigen result date
- Reason for Antigen Test
- Residential Care Facility Identifier
- Vaccination Status
- COVID-19 Symptoms
We will handle any data you share with the HSE in line with the General Data Protection Regulation (GDPR).
Cookies on the HSE Appointment Scheduling System
Cookies are small files that are created and saved on your phone, tablet or computer when you visit a website. This website uses only essential cookies.
Read our cookies statement to find out more about cookies and how we use them.
What we use your Personal Data for
Any personal data we collect from you in this System will only be used by the HSE for the following purposes:
- To offer you open appointments at a COVID-19 test centre
- To confirm your mobile telephone number is valid
- To send a confirmation of your scheduled appointment to your mobile telephone
- To help the HSE prepare for your test, by allocating a COVID-19 test ID, matching with your IHI number and pre-printing labels etc.
- To keep our website secure
- To provide appropriate anonymised reporting and analytical functionality.
Your test and test results will be processed by the HSE. If you have a positive result, then the HSE Contact Management Programme and the referring clinician will be informed.
The HSE will not use the data we collect about you on this System for any other purposes without first contacting you and seeking your consent.
The HSE may use anonymised data from this System for the purposes of analysing, planning and improving the service. This anonymised data will not include any of your personal data including your IP address.
How long will we hold onto your Personal Data
The HSE will only retain your personal data within the Appointment Scheduling System for the length of the COVID-19 emergency. Please be aware that some of your data will be transferred to other HSE systems e.g. testing centre, test results, Contact Management Programme and your general practitioner. Such transfers may be subject to other retention periods.
All personal data collected by the HSE is retained in accordance with the HSE Record Retention Policy. The HSE Record Retention Policy is published on the HSE website.
When the HSE no longer needs your personal data, it is securely deleted or destroyed.
Who will have access to your Personal Data
Only HSE staff, agents and suppliers who are directly involved with the management of this System shall have access to your personal data which is collected by this System.
The HSE has identified the following staff, agents and suppliers involved with this System:
- HSE Testing and Tracing Staff
- Swiftqueue – who provide the software that we use to run the Appointment Scheduling System. Swiftqueue use Phonovation to deliver text messages and Amazon Web Services, based in the EEA, for database storage.
All HSE staff, agents and suppliers which may have access to personal data shall be bound to the HSE via confidentiality agreements and are obliged to keep your personal data secure, and to use it only for the purposes specified by the HSE.
How your information will be kept secure
The HSE has legal obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 to ensure all personal data which is collected and processed by the Appointment Scheduling System is kept confidential and secure. To comply with these legal obligations, the HSE and its suppliers who are supporting the Appointment Scheduling System have implemented a number of technical and organisational measures to protect the Appointment Scheduling System and the data stored on the system from unauthorised or unlawful processing, accidental loss, destruction or damage.
Will my personal data be transferred outside of the European Economic Area (EEA)
The HSE does not transfer any personal data about you outside the EEA. If the HSE decides to transfer your personal data outside the EEA they shall ensure the provisions of Chapter V of the General Data Protection Regulation (GDPR) are complied with.
What are your Rights
Under certain circumstances, by law you have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
- Right of portability – where certain conditions apply, you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to review – in the event that the HSE refuses your request under rights of access, we will provide you with a reason as to why.
- Withdraw your consent – where you have consented to receiving emails you may withdraw your consent at any time.
If you wish to exercise any of these rights, then please submit a request to HSE Consumer Affairs at: www.hse.ie/eng/services/yourhealthservice/info/contact/
When submitting a request, the HSE may need information from you to confirm your identity.
Once your identity has been confirmed, the HSE will supply you with your information free of charge; however, we may charge a reasonable fee if we believe your request is clearly unfounded, excessive or repetitive.
Making a complaint
In the event that you wish to make a complaint about how your personal data is being processed by the HSE, or how your complaint has been handled, you have the right to lodge a complaint directly with the Data Protection supervisory authority and the HSE Data Protection Officer:
Data Protection Supervisory Authority – (www.dataprotection.ie)
The HSE Data Protection Officer (DPO) can be contacted directly, here:
Data Protection Officer HSE
Email: dpo@hse.ie HSE,
Deputy Data Protection Officer West (excluding voluntaries)
Deputy Data Protection Officer Dublin North-East (excluding voluntaries)
Email: ddpo.dne@hse.ie Phone: 046 9251265 / 049 4377343 Consumer Affairs,
Deputy Data Protection Officer Dublin mid-Leinster (excluding voluntaries)
Email: ddpo.dml@hse.ie Phone: 057 9357876 / 045 920105 Consumer Affairs,
Deputy Data Protection Officer South (excluding voluntaries)
Email: ddpo.south@hse.ie Phone: 021 492 8538 / 056 778 5598 Consumer Affairs,