Frequently Asked Questions

The HSE processes personal data to provide healthcare and social care services, to fulfil its obligations as an employer and to comply with its legal requirements, including public health regulations. This means we collect, use, store and share information relating to our patients and service users, staff, vendors and service providers.

Here you can find information on how we use your personal data and how you can exercise your data protection rights. It explains what you can do if you have concerns or want to exercise your rights, such as obtaining a copy of your records.

If you need more help or want to make a data subject request, visit GDPR Information - HSE.ie for information and Data Requests - HSE.ie to support you in submitting a data subject request.

What legislation does the HSE rely on to process your personal data?

The HSE processes personal data in line with three key pieces of legislation:

General Data Protection Regulation (GDPR): sets out your rights and rules organisations must follow when handling personal data.

Data Protection Act 2018: supports GDPR and includes additional safeguards for health and social care information.

Health Act 2004 (along with subsequent amendments): gives the HSE its legal authority to collect and use personal data to deliver public health and social care services.

Further information: Data Protection Legislation (Data Protection Commission)

What is personal data?

Personal data (personal information) is any information relating to a living person who is identified or can be identified, whether directly (for example, by name) or indirectly (for example, by a reference number combined with other details). The HSE collects and uses personal data to provide health and social care services. Examples of personal data we may process:

  • Your name
  • Your date of birth
  • Your address
  • Your contact phone number
  • Email address or online identifiers (e.g. IP address)
  • Your PPS number or HSE ID number
  • Phone call recordings (e.g. when you call HSE call centre)
  • Billing and payment information
  • Employment records (HSE staff)

The HSE uses this information to run services and plan for future healthcare needs.

Further information: Data Protection Legislation (Data Protection Commission)

What are special categories of personal data?

Some types of personal data are more sensitive and need additional protection. These are called special categories of personal data. They include information about your health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where it is used to uniquely identify you), and your sex life or sexual orientation. The HSE uses this type of information to deliver safe and appropriate healthcare, for example, to understand your medical history, diagnose conditions and plan treatment.

Examples of special category data we may collect:

  • Appointment details and hospital visit records
  • Medical conditions, diagnoses, and treatment records (health records)
  • Medication prescribed or administered
  • Lab test results (e.g. blood tests, imaging)
  • Disability status
  • Vaccination history
  • Infectious disease status (e.g. COVID-19, HIV)
  • Sexual health information
  • Genetic test results
  • Data about pregnancy or fertility
  • Biometric data (like fingerprints or facial scans)
  • Religious beliefs (e.g. for dietary or end-of-life care preferences)
  • Ethnic background (e.g. for public health reporting)
  • Trade union membership (staff only)

Further information: What is special category data? (Data Protection Commissioner)

When does the HSE process special categories of personal data?

The HSE processes this kind of data when it is necessary for:

  • Preventative or occupational medicine
  • Medical diagnosis
  • Providing healthcare, treatment or social care
  • Managing health or social care systems and services

What is data processing?

Processing, in relation to personal data, means any operation or set of operations performed on that data, including collecting, recording, organising, structuring, storing, altering, combining, disclosing or sharing, and erasing or destroying it. In the HSE, data processing happens every day to help provide you with safe, effective healthcare and to run health services.

Here are some common ways the HSE processes your personal data:

  • Collecting your details when you register or attend an appointment
  • Providing you with healthcare, treatment or social care, including:
    ◦ Recording your treatment, test results or clinical notes
    ◦ Dispensing and managing medication, including prescriptions and pharmacy records
    ◦ Organising and storing your medical records securely
    ◦ Sharing your information with doctors, nurses and other healthcare professionals involved in your care
    ◦ Laboratory and diagnostic testing, such as blood tests, scans or x-rays
    ◦ Preventative or occupational medicine
    ◦ Billing and insurance claims
  • Clinical audits and quality improvement, to make services better and safer
  • Investigating complaints, legal claims or incidents
  • Planning future services, such as staffing or hospital capacity
  • Issuing appointments and sending reminders by post, text message or phone call
  • Conducting health research
  • Reporting infectious diseases or other public health concerns
  • Supporting learning and development for healthcare professionals

Further information: What is processing and further processing? (Data Protection Commissioner)

Who is a data controller?

A data controller is a person or organisation that decides how and why your personal data is used. In most cases, the HSE is the data controller for personal data processed for health and social services provided by us and for human resource purposes. However, you may also be using the services of voluntary hospitals, private hospitals, GPs and similar services who are independent data controllers and responsible for the personal data they process.

Further information: What is a Data Controller and a Data Processor? (Data Protection Commissioner)

Who is a data processor?

A data processor is a person or organisation that processes personal data on behalf of the controller, for example an external laboratory, billing service or translation service. Processors act only on the documented instructions of the data controller. The term does not include an employee of the controller who processes data in the course of their employment. A processor can be held liable for damage caused by its own breach of data protection law, and must notify the data controller (the HSE) without undue delay after becoming aware of any personal data breach affecting the HSE data it processes.

Further information: What is a Data Controller and a Data Processor? (Data Protection Commissioner)

What are the principles of GDPR?

Under the GDPR we must follow seven principles when handling your personal data:

  • Lawfulness, fairness and transparency: we only use your information when we have a legal reason to do so, and we are open and transparent about how your information is used.
  • Purpose limitation: we collect your information for specific purposes (e.g. healthcare, employment) and do not use it for unrelated purposes unless you consent or the law permits or requires it.
  • Data minimisation: we only collect the information we need to provide health and social care services.
  • Accuracy: we keep your information accurate and up to date. If you notice an error, you have the right to request a correction. If you change your name or address you should notify the health service you attend so that they can update their records accordingly.
  • Storage limitation: we keep your information only for as long as necessary. Medical records are retained and deleted according to the HSE's Records Retention Policy.
  • Integrity and confidentiality: we process your data with appropriate security, protecting it against unauthorised or unlawful access and against accidental loss, destruction or damage.
  • Accountability: we are responsible for how your data is handled and must be able to demonstrate that we comply with these principles.

Further information: Guidance on the Principles of Data Protection (Data Protection Commissioner)

What are the legal bases for processing my personal data?

The HSE is required by law to protect your personal data and only use it when there is a legal reason. These legal reasons are known as the lawful bases for processing, and they are set out in the GDPR.

  1. Public Interest / Official Authority - Article 6(1)(e) GDPR
    This is the main legal basis used by the HSE. It applies when processing is necessary to carry out tasks in the public interest or to exercise official authority. The HSE’s authority comes from legislation such as the Health Act 2004, which mandates the delivery of health services.
  2. Vital Interests - Article 6(1)(d) GDPR
    Relied on in emergency situations where a person is unable to give consent, such as being unconscious in an emergency department, and processing is necessary to protect their life or health.
  3. Legal Obligation - Article 6(1)(c) GDPR
    Applies when the HSE must process data to comply with laws, such as reporting infectious diseases or fulfilling statutory duties.

Legal basis for processing special category data

Special category data includes sensitive information such as health data, racial or ethnic origin, religious beliefs, genetic and biometric data, and sexual orientation. The HSE processes this data under Article 9(2)(h) GDPR which permits processing when it is necessary for:

  • Preventative or occupational medicine
  • Medical diagnosis
  • Provision of healthcare or treatment
  • Provision of social care
  • Management of health or social care systems and services

In some circumstances the HSE may rely on other legal bases, including performance of a contract, legitimate interest and consent. Note that legitimate interest (Article 6(1)(f) GDPR) is not available to a public authority such as the HSE for processing carried out in the performance of its public tasks, so it is used only outside that context.

Further information: Guidance on Legal Bases for Processing Personal Data (Data Protection Commissioner)

What is the difference between medical consent and GDPR consent?

In healthcare, medical consent and GDPR consent are two separate types of permission, each serving a different purpose. Medical consent is your agreement to a clinical procedure or treatment, and is always required for that. GDPR consent is one of several lawful bases for processing personal data; it is not the basis the HSE relies on when processing your data to provide healthcare (for example, managing your medical records), and in that context it is neither required nor appropriate, because the processing would have to continue even if consent were withdrawn.

Further information: Is my consent required for my data to be processed? (Data Protection Commissioner)

How long does the HSE retain my personal data for?

The length of time your information can be stored depends on the type of data. Full details of how long each type of data may be stored can be found in the HSE Records Retention Policy. This policy helps ensure that records are kept only as long as necessary and are securely destroyed when no longer needed, in line with the GDPR principle of storage limitation.

Further information: How long should personal data be held to meet the obligations imposed by the GDPR? (Data Protection Commissioner)

How does the HSE keep my personal data safe?

We have a number of security precautions in place to prevent the loss, misuse or alteration of your information. All staff working for the HSE have a legal duty to keep information about you confidential and all staff are trained in information security and confidentiality. The HSE has strict information security policies and procedures in place to ensure that information about you is safe, whether it is held in paper or electronic format. Third parties engaged by the HSE must sign and comply with the HSE's data processing agreement, which outlines how they are obliged to handle, store and process data on our behalf.

Following the 2021 criminal cyber-attack on the HSE, we have taken major steps to strengthen our cyber security. These include:

  • Upgrading our IT systems and defences
  • Training staff to recognise and respond to cyber threats
  • Working with national and international cyber security experts
  • Monitoring the internet and dark web for any misuse of data
  • Putting legal protections in place to prevent the use or sharing of stolen data

We continue to improve our security measures regularly to protect against threats.

Who is my personal data shared with?

Your personal data is only shared when it’s necessary for your care or for other necessary reasons, like those listed above. Within the HSE, your information is only shared with staff who need it to support your health or social care. Where possible, we use anonymised or pseudonymised data to protect your identity.

Sometimes, we may need to share your information with healthcare providers outside the HSE, such as private hospitals or voluntary organisations, to ensure you receive the best possible care. We only share what’s needed, and those providers are also bound by confidentiality and data protection laws.

In certain cases, we may be legally required to share your information with other agencies, such as the Department of Social Welfare, the Department of Health, the Courts, or in emergency situations.

If your care involves services outside Ireland, your information may be transferred to organisations in other countries. For more details, visit www.hse.ie/gdpr/disclosees.pdf or contact us directly.

What are my data subject rights?

Every individual, referred to as a data subject, has the right to have their personal data protected and processed in a fair, lawful and transparent manner. These rights help you understand how your personal data is used and place an obligation on the HSE to handle that information in a fair, transparent and accountable manner.

It is important to note that these rights are not absolute. The GDPR and the Data Protection Act 2018 allow for certain limitations and exemptions, particularly where the exercise of a right would conflict with other HSE legal obligations, public interest considerations, or the rights and freedoms of others.

The following outlines your data subject rights in clear terms, as they apply where the HSE acts as a data controller. If you have any questions in relation to your rights, you can contact DPO@hse.ie for additional assistance.

Further information: Your Rights under the GDPR (Data Protection Commission) and Limiting Data Subject Rights and the Application of Article 23 of the GDPR (Data Protection Commissioner)

Who can exercise the data protection rights of children on their behalf?

Legal guardians can exercise data protection rights on behalf of their child so long as it is in the child's best interests to do so. However, any personal data which relates to the child is, and remains, the personal data of the child. It does not belong to anyone else, such as a legal guardian, and legal guardians do not have an automatic entitlement to that personal data.

The DPC’s Fundamentals for a Child-Oriented Approach to Data Processing sets out a number of criteria that should be considered when assessing if a child can exercise their own rights, or indeed if it is in a child’s best interests for their legal guardian to exercise their rights on their behalf. These criteria include:

The age of the child: the closer the child is to the age of 18, the more likely it is that the HSE should deal directly with the child, rather than involving the parent or guardian. In this regard, the DPC considers that where a child has reached 17 years, other than in exceptional circumstances (i.e. where the best interests of the child demonstrably require it), the child's data protection rights should not be exercised by the parent(s) or guardian(s). Instead, the HSE should deal directly with the child.

The type of personal data at issue: The DPC considers that in cases where the exercise of a child’s data protection rights involves access to special category personal data, such as medical data, a careful consideration should be given to whether the release of such personal data could cause serious physical or mental harm to the child in question.

Whether enabling the child to exercise their data protection rights themselves is in the best interest of the child: for example, do they understand the consequences of erasing certain types of personal data, will they fully comprehend what they are receiving as part of an access request, and could receiving certain information be detrimental to their well-being?

Right to be informed

When you use HSE services, such as visiting an HSE hospital or community clinic, we collect personal data (e.g. name, address, date of birth) and health information (clinical diagnosis, medication, treatment, etc.) to provide care to you. You have the right to know how your information is collected, used, stored and shared. This is known as the right to be informed. It ensures that you are aware of what happens to your information and why.

The HSE gives you clear and accessible information through our privacy notice. It includes the purposes for which we collect and use your information; examples of the type of information we collect; the legal basis for processing your information; who your information may be shared with; and how long we store your information for.

Right of access

You can ask for a copy of your personal and health data. This includes records of your treatment, test results, and notes made by healthcare professionals.

Further information: The Right of Access (Data Protection Commissioner)

Why might some parts of my records be redacted?

The HSE may redact parts of your records to keep other people's information confidential or to comply with legal requirements.

Further information: Redacting Documents and Records (Data Protection Commissioner)

What is redaction?

Redaction is the process of removing certain information from a document or record while leaving the rest of it intact. The removed information must be permanently absent from the copy that is released: placing a visual overlay on top of text that remains in the underlying file, for example in a PDF layer, is not a redaction, because the text can still be extracted.

Further information: Redacting Documents and Records (Data Protection Commissioner)

When might redaction be used?

The most common reason for redaction is to protect the personal data of other people (third parties) who are mentioned in your records, since the right of access applies only to your own personal data.

Further information: Redacting Documents and Records (Data Protection Commissioner)

How do I make an access request (SAR)?

You have the right to obtain a copy of the personal data the HSE holds about you. This is called a Subject Access Request (SAR). The HSE has published a SAR Form; completing this form helps us identify and locate your information efficiently.

Go to Requesting information from the HSE - HSE.ie to learn more about the SAR procedure.

To verify your identity, we may need to ask for a copy of your ID, such as a passport or driving licence, before your records are released.

When will I get a SAR response?

You will usually get a response within one calendar month of receiving your request. If your request is complex, or you have made several requests, the GDPR allows this period to be extended by up to two further months. We will tell you within the first month if we need additional time and why.

Further information: How long does an organisation have to respond to my access request? (Data Protection Commissioner)

Can someone else make an access request on my behalf?

A trusted person, such as a family member, solicitor or friend, can ask for your records if you have given them explicit permission to do so. You will need to confirm this by providing a letter outlining such permission or a signed consent form.

Further information: Can anyone else make an access request on my behalf? (Data Protection Commissioner)

Can young people request access to records?

Where a child wishes to exercise their right of access to their health records, careful consideration is given to whether the release of such personal data could cause serious physical or mental harm to the child in question.

Refer to question ‘Who can exercise the data protection rights of children on their behalf?’.

Further information: Can anyone else make an access request on my behalf? (Data Protection Commissioner) and Fundamentals for a Child-Oriented Approach to Data Processing (PDF)

Right to rectification (correction)

You can ask for your personal data to be corrected if it is wrong or incomplete; this includes things like your name, date of birth or address. For minor corrections, such as fixing a spelling mistake or updating a phone number or address, you do not need to make a formal rectification request. These can usually be resolved directly with your local health service.

Your diagnosis may change or be revised over time, but that does not make your original diagnosis factually inaccurate or open to rectification. A diagnosis is a snapshot in time: it reflects the professional opinion of the doctor or nurse at that moment, based on the information available to them then. Even if the underlying information changes later, resulting in a different opinion or diagnosis, the snapshot does not change. The record that an opinion or diagnosis was made, and what it was at the time, therefore remains factually accurate, and the right to rectification would not apply because the data in question is not inaccurate.

What can be done instead: you can ask for a supplementary note to be added to your record stating that you disagree with the entry. This note will be clearly marked with the date and author, and the original entry will remain unchanged.

Further information: Can I Use the GDPR to have my medical records amended or erased? (Data Protection Commissioner)

Why is accuracy of medical records important?

Medical records are essential for safety and continuous care. They help healthcare professionals make informed decisions, support legal and administrative processes, and respond to complaints or legal claims. These records must be accurate, clear, and securely maintained.

How do I make a correction request?

You can ask for your personal data to be corrected if it is factually wrong or incomplete.

You can submit this request using the HSE form: Right to Redaction Form

Further information: Can I Use the GDPR to have my medical records amended or erased? (Data Protection Commissioner)

Right to erasure ("right to be forgotten")

You have the right to ask for your personal data to be deleted in certain circumstances. This is known as the right to erasure or the right to be forgotten under data protection law.

However, this right is not absolute. It only applies in specific situations, and there are important exceptions, especially in healthcare settings, where your information must be retained to protect your safety, maintain appropriate clinical records in line with regulatory and professional bodies, meet legal obligations, or serve the public interest.

Further information: Can I Use the GDPR to have my medical records amended or erased? (Data Protection Commissioner)

Why is the right to erasure limited in healthcare?

In a healthcare context, your request to delete personal data may be refused in the following situations:

  • The information forms part of your health record, which is needed for safe and effective care. Health professionals rely on complete and accurate records to make informed decisions about your treatment, and deleting key information could compromise your care.
  • The data is needed for public health purposes. Health records may be retained to monitor disease outbreaks, support vaccination programmes or ensure the safety of medical treatments.
  • There are legal obligations to retain health records (e.g. records created under the Child Care legislation are held in perpetuity).
  • The data is required for legal claims or complaints. Healthcare providers may need to keep records to defend against legal claims or respond to complaints.

Further information: Can I Use the GDPR to have my medical records amended or erased? (Data Protection Commissioner)

How to make an erasure request?

You can submit a request using the HSE form: Right to Erasure Form

Further information: Can I Use the GDPR to have my medical records amended or erased? (Data Protection Commissioner)

Right to restrict processing

You can ask the HSE to limit how your information is used if you believe it is inaccurate, or you object to its use.

Limitations: restrictions may not apply if the information is essential for treatment or legal obligations.

Alternative: you can request a supplementary note to be added to your records.

Further information: The right of restriction (Article 18 of the GDPR) (Data Protection Commissioner)

Right to data portability

This right lets you receive personal data you provided to the HSE in a structured, commonly used, machine-readable format, or have it sent to another organisation. It applies only where the processing is based on your consent or on a contract with you and is carried out by automated means, for example contact details or health information you submitted through an online form.

Limitations: this right applies only to information you provided directly and only to processing based on consent or contract. It does not apply to most medical records, because the HSE processes these under its public task (Article 6(1)(e) GDPR), not on the basis of consent or contract.

What can be done instead: if your request does not meet the criteria for portability, you can still request access to your records under the Right of Access. This allows you to view or receive a copy of your information.

Further information: The right to data portability (Article 20 of the GDPR) (Data Protection Commissioner)

Right to object

You have the right to object to the processing of your information where the HSE relies on its public interest or official authority basis. However, if the HSE can demonstrate compelling legitimate grounds for the processing that override your interests, or it has legal obligations or public health responsibilities that require it, it may continue to process your information even if you object.

We will always try to respect your wishes if you do not wish for your information to be used in a particular way, unless to do so would mean that we could not provide you with safe and effective medical care.

Further information: The right to object to processing of personal data (Article 21 of the GDPR) (Data Protection Commissioner)

Right not to be subject to automated decision-making

You have the right not to be subject to decisions made solely by automated systems, without any human involvement, where those decisions produce legal effects or similarly significant effects for you. This includes decisions about your health, treatment or access to services. This right is set out in Article 22 GDPR and is separate from the right to object under Article 21.

Healthcare decisions made by the HSE are reviewed or carried out by qualified personnel. Automated systems may be used for administrative tasks, but decisions about your care are not made by computers alone.

Further information: The right to object to processing of personal data (Article 21 of the GDPR) (Data Protection Commissioner)

Why does the HSE ask for my identification?

When you ask the HSE to exercise your data protection rights we need to verify your identity to ensure we deal with your request appropriately and release your information only to you. This protects your records from being obtained by someone impersonating you.

We try to keep this process as simple and fair as possible. If we already know you, for example if you are a regular patient and we can confirm your identity from our records, we may not request any additional documents. But if we are unsure, or if your request comes through email or from someone acting on your behalf, we may ask for government-issued identification, for example a copy of your passport or driving licence. If someone else is making a request for you (such as a solicitor or family member), we will ask for written permission from you or proof that they have legal authority to act on your behalf, if not already provided.

We follow the principle of proportionality, which means we only ask for what is necessary to confirm who you are. We will not ask for photo ID if it is not needed, and we will not keep your identity documents longer than necessary to complete the verification process.

Who do I contact in the HSE if I have a complaint about how my personal data is being handled?

If you have concerns about how your personal data is handled, you can contact the HSE National Data Protection Office at dpo@hse.ie, relevant Regional Data Protection Office or the relevant service.

How do I make a complaint to the Data Protection Commission?

If you are not satisfied with the outcome of your request, you can make a complaint to the Data Protection Commission:
Online form: https://forms.dataprotection.ie/contact
Website: https://www.dataprotection.ie/