DATA PROTECTION INFORMATION NOTICE

The National Treatment Purchase Fund (‘NTPF’) is fully committed to the principles of data protection and its obligations as a data controller as set out in the General Data Protection Regulation (EU 2016/679) (the ‘GDPR’), the Data Protection Act 2018, the ePrivacy Regulations 2011, the Data Protection Acts 1988 and 2003 (if, and to the extent, applicable) and in related legislation (the ‘Data Protection Legislation’).

For certain of the data processing operations that the NTPF engages in, it acts as a controller in its own right and for other data processing operations it acts as a joint controller with others for example with treating and/or referring hospitals.

Click on the headings below to find out more about how we collect and process your personal data:

Who is the NTPF and what do they do?

The NTPF is an independent statutory body established by the Minister for Health (the ‘Minister’) which has statutory functions under Statutory Instrument 179 - National Treatment Purchase Fund (Establishment) Order, 2004 and the Nursing Homes Support Scheme Act (2009). Such functions include:

  1. making arrangements with persons, whether resident in the State or elsewhere, for the provision of hospital treatment to such classes of persons as may be determined by the Minister, from time to time; and
  2. collecting, collating and validating information in relation to persons waiting for hospital treatment and to put in place information systems and procedures for that purpose;
  3. making arrangements with nursing homes, relating to the price at which long-term residential care services will be provided to those requiring such services and who are in receipt of financial support under the Nursing Homes Support Scheme Act 2009;
  4. furnishing whenever it is so required by the Minister or on its own initiative, advice to the Minister on issues relating to its functions; and
  5. performing any other function in relation to the purchase of hospital treatment that the Minister may from time to time assign to it.

The relevant functions above, for the purposes of this Information Notice, are (a), (b) and (d). The processing carried out further to these functions is described in more detail below. Other processing operations conducted by the NTPF will be dealt with in other information notices.

Who can you contact within the NTPF for data protection matters?

Data Protection Officer
National Treatment Purchase Fund
Ashford House
Tara Street
Dublin 2

Tel: 3531 6427 101
Email: dataprotection@ntpf.ie

Details of the laws that apply to us with regard to processing your personal data

Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of personal data.

Compliance with the data protection rules is a legal obligation. In addition, our compliance with the data protection rules helps individuals to have confidence in dealing with us and helps us to maintain a positive reputation in relation to how we handle personal information.

The data protection rules that apply to us are currently contained in the Data Protection Legislation. The rules are based around a number of important definitions. These include:

  • ‘Personal data’ is any information relating to an identified or identifiable natural person (‘data subject’).
  • ‘Special categories of personal data’ means personal data revealing racial or ethnic origins, political opinion, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • ‘Data controllers’ are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed, who/which make independent decisions in relation to the personal data and/or who/which otherwise control that personal data.
  • ‘Data processors’ are the people who or organisations which process personal data on behalf of, and on the instructions of, a data controller.
  • Where two or more controllers jointly determine the purposes and means of processing, they shall be ‘joint controllers’.

Who is responsible for your personal data?

For the purposes of its functions in relation to hospital waiting lists, the NTPF acts as a joint controller with regard to the personal data described in this Information Notice. The other joint controllers in this context are the public and private hospitals who submit data to the NTPF.

What personal data and special categories of personal data does the NTPF process and where does it get this information

The NTPF processes certain personal data of patients, which it receives from referring public hospitals (via a secure network) under the following categories or lists;

  1. patients waiting for a hospital appointment;
  2. patients who have a scheduled appointment;
  3. patients who are currently unable to attend an appointment or are accessing care commissioned by the NTPF and therefore suspended on a waiting list; and
  4. patients who have been removed recently from a waiting list.

The personal data includes patient name, address, gender, contact details and date of birth. Special categories of personal data include medical record number, episode number, Individual Healthcare Identifier (‘IHI’) once used more broadly within the health system, awaited procedure category and doctor details, both GP and consultant. In addition , the NTPF will receive other information from the hospital related to a patient such as the date they were placed on the waiting list or the referral date , their waiting list status, with reason, relevant administrative dates, their clinical prioritisation and the type of list they are on e.g. in patient, day care or outpatients. The hospitals may also advise the NTPF if a patient is unable or does not want to avail of an offer of treatment from the NTPF, if their clinical prioritisation has changed or if an alternative treatment or care pathway is recommended.

The NTPF facilitates the sending of a variety of correspondence to patients currently on waiting lists. Certain correspondence asks patients if they wish to remain on a relevant waiting list. Other correspondence offers patients care packages in a private hospital. The NTPF may receive additional information from patients directly who respond to such correspondence. For example, patients are asked for reasons as to why they do not wish to remain on a waiting list or why they do not accept the offer of a care package. The reasons provided, may also be regarded as health data. In relation to offers of treatment, patients may also be asked to provide an up to date contact number to help facilitate communication with the treating hospital.

The NTPF has introduced an online option for patients to respond to correspondence, which patients may find more convenient than responding in writing. Additional personal data in the form of a unique code is processed when using the on line response option, which can identify a patient.

The NTPF also generates case authorisation numbers (‘CANs’) when the NTPF commissions treatment for patients on particular waiting lists. CANs are specific to individual patients and thus is treated as personal data. Where the NTPF has arranged for treatment of patients, the treating hospitals will seek payment of the fees from the NTPF and will issue an invoice to the NTPF together with a discharge summary. This will include the patient’s name, address, date of birth, treatment received, date of treatment, CAN and discharge details. As part of the payment procedure within the NTPF, the personal data of treating doctors including their name, place of work and IMC code will also be processed.

The NTPF processes the personal data of staff within public and private hospitals whose role it is to assist the NTPF in carrying out its validation and commissioning functions. Such personal data includes work email addresses and work contact details, which are required in order to provide authorised staff with secure access to NTPF IT systems. Here the NTPF is acting as a data controller and details of this processing activity can be found in information notices on such IT systems.

Finally, should a member of the public, a patient, a doctor or a member of staff within a hospital, contact the NTPF by telephone, and if the call is out of hours or cannot be taken at the time, they will be invited to leave a voicemail message. This message may contain their personal data or special category personal data, depending on the nature of their message.

For what purpose does the NTPF process personal data?

The NTPF processes personal data in order to collate and validate patient waiting lists and to facilitate the provision of treatment to specified categories of patients who are on hospital waiting lists. To this end, it carries out the following processing operations:

  • The NTPF receives waiting lists from public hospitals, collates information relating to such lists and validates this information. The NTPF then publishes aggregated information on the National Waiting List Data portal of its website and to the Government Open Data Portal at data.gov.ie. The published information comprises the aggregated numbers of patients waiting for specific periods, for specific treatments at specific hospitals. Statistical Disclosure Control (SDC) techniques are applied to the data to preserve confidentiality and mitigate against identification or self-identification of individuals. In cases where there are less than 5 people in any particular cell, the NTPF has replaced that value with the average (mean) of all values that are less than 5 across that category. Where there are less than 20 patients waiting in a particular specialty/hospital, the NTPF has aggregated the numbers under a ‘Small Volume’ heading. Published waiting lists do not contain any personal data of individual patients;
  • The NTPF works in conjunction with public hospitals to facilitate a process whereby patients are requested to confirm in writing or on-line that they wish for example to avail of a treatment package funded by the NTPF or to remain on a waiting list;
  • The NTPF also works with clinicians in public hospitals to validate certain waiting lists, at the request of the Department of Health;
  • Another aspect of its validation function involves the NTPF auditing the pathway of sample sets of patients who are on waiting lists. This may involve the NTPF’s Audit & Quality Assurance division attending at hospitals or conducting a remote desktop Audit/Review to check whether patients have been included on waiting lists in accordance with established rules, accurately and in a timely fashion. In carrying out this checking exercise, the NTPF is provided with access to patient records. These audits may be conducted onsite at the hospital under controlled conditions or remotely using secure methods to transfer patient level information;
  • In terms of the NTPF’s statutory function to arrange for the provision of hospital treatment to classes of persons determined by the Minister, there are two separate processes. In the first instance, the NTPF advises referring hospitals of those patients that fall within those criteria. The referring hospital then coordinates with the individual patient to see if they wish to avail of the purchased treatment. The NTPF does not deal directly with individual patients for the purchased treatment but may process health and personal data of the patient in order to arrange for the provision of hospital treatment and in processing payments to the treating hospitals. In the second instance, the NTPF, in consultation with the referring hospital, offers care packages in private hospitals, to patients on certain waiting lists. The offers are made in writing to patients and they can respond in writing. It is anticipated that an on line response option will be available to patients, in the future. Care packages are funded by the NTPF. The NTPF will process details of treatment received by patients, when the private hospital submits invoices for payment.
  • The NTPF may also fund certain specific patient initiatives for identified procedures and will process patient personal data and special category personal data to validate invoices received from treating hospitals for payment by the NTPF.
  • The NTPF will process personal data left on a voicemail to contact the caller or direct their query as necessary.

When a person interacts with an NTPF maintained website, certain technical data is automatically collected and stored which relate to a user’s computer/device, browsing actions and patterns. Such technical data can also be regarded as personal data. This technical data is used to administer the website for example to troubleshoot any access issues suffered by users. The NTPF also has a separate Cookie Information Notice, which relates to the use of and visits to any of the websites operated by the NTPF.

What is the NTPF’s legal basis for processing personal data and special categories of personal data?

The NTPF processes personal data and special categories of personal data on the legal basis that processing is necessary for the performance of tasks carried out in the public interest arising from the NTPF’s statutory functions under S.I. No. 179/2004 – National Treatment Purchase Fund (Establishment) Order 2004 as amended by the Nursing Home Support Scheme Act 2009.

Furthermore the NTPF processes the special categories of personal data set out above on the basis that processing of special categories of personal data is necessary for reasons of public interest in the area of public health to ensure high standards of quality and safety of health care and based on the fact that suitable and specific measures are in place to safeguard the fundamental rights and freedoms of data subject.

Does the NTPF disclose personal data and special categories of personal data to other parties and who are these recipients?

Personal data exchanged with hospitals

The NTPF receives waiting lists from public hospitals which it then validates and returns to the public hospitals. These lists necessarily contain personal data.

The NTPF will exchange information about a patient including their personal data with referring and treating hospitals, for the purpose of identifying patients on a particular waiting list for treatment and arranging treatment for that patient with a hospital.

In certain, limited and specific circumstances and where there is a data sharing agreement in place, the NTPF may share patient personal data with certain hospital groups.

The NTPF also shares validated waiting lists, which contain patient personal data and special categories of personal data, with the HSE for a number of purposes, including but not limited to contributing to capacity and demand management within the public health service and obtaining Individual Health Identifiers, as defined in the Health Identifiers Act, 2014, from a register maintained by the HSE. This sharing arrangement is governed by an agreement with the HSE and an agreement with voluntary hospitals, who have instructed the NTPF to share their validated waiting list with the HSE.

Data processors

In the discharge of its functions, the NTPF uses the services of third parties including postal factories, ICT support, software providers, contractors, internal auditors, legal and data protection consultants who may, in that limited context, have access from time to time to personal data of patients, and authorised staff in hospitals when providing specific services to the NTPF.

We require all third parties to have appropriate technical and operational security measures in place to protect your personal data, in line with Irish and EU laws on data protection. Any such company will have access to personal information needed to perform the functions for which they are appointed but may not use the personal data for any other purpose.

Contracts will be in place with all third-party processors which set out the processor’s and the NTPF’s obligations with regard to the personal data that is being processed.

Other Recipients

In certain limited and very specific circumstances expressly laid down in law, the NTPF may be required to disclose the personal data of patients or treating doctors for example, to regulatory authorities. Should this arise, the NTPF will implement appropriate measures to protect the legitimate interests of data subjects.

The NTPF may provide reporting on the discharge of its functions including validation of waiting lists and commissioning treatment to the Department of Health. This may include pseudonymised data, which means the Department of Health will be unable to identify individual patients.

Is personal data and special categories of personal data transferred outside the European Economic Area?

The NTPF may commission a private hospital in Northern Ireland to provide treatment to patients on a waiting list. If a patient agrees to accept such treatment, as part of the process for arranging payment for or the follow up after that treatment, the NTPF may transfer certain patient personal data to Northern Ireland, which is now outside the European Economic Area (‘EEA’). Such transfers will comply with the requirements laid down in Chapter V of the GDPR.

Furthermore, some of the data processors appointed by the NTPF may transfer your personal data outside the European Economic Area in connection with providing the services for which we have engaged them. They are only permitted to do so with the NTPF’s prior agreement and on the basis that they comply with the provisions in Chapter V of the GDPR including the requirement that an approved safeguard measure must be in place such as an equivalency decision from the European Commission or European Commission-approved Standard Contractual Clauses.

How long will the NTPF retain patient personal data special categories of personal data and for?

The NTPF holds patient personal data and special categories of personal data for as long as is necessary to achieve the purposes set out above and in order for the NTPF to comply with its legal obligations. Patient personal data and special categories of personal data will be held no longer than 6 years from the year in which the NTPF pays for the treatment which a patient receives. Voicemails will be deleted at the earliest opportunity, once the query has been properly dealt with.

What rights do patients, as data subjects, have?

Subject to certain restrictions provided by law, you have the right to:

  • Request information about whether we hold personal data about you, and, if so, what that information is and why we are holding/using it.
  • Request access to your personal data (commonly known as a ‘data subject access request’). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Object to automated decision-making including profiling, that is not to be subject of any automated decision-making by us using your personal data or profiling of you.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request transfer of your personal information in an electronic and structured form to you or to another party (commonly known as a right to ‘data portability’). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.

Further details of these rights can be obtained from the Data Protection Officer of the NTPF (whose details are set out above) or from the Data Protection Commission.

You also have the right to make a complaint to the Data Protection Commission at any time in relation to any issues related to our processing of their personal data. The Data Protection Commission can be contacted as follows:

  • Go to their website www.dataprotection.ie
  • Phone on +353 57 8684800 or +353 (0)761 104 800
  • Email info@dataprotection.ie
  • Address: Data Protection Office - Canal House, Station Road, Portarlington, Co. Laois, R32 AP23 OR 21 Fitzwilliam Square, Dublin 2, D02 RD28.

Changes to this Information Notice

Our Information Notice may change from time to time and and previous versions are available upon request.

April 2023