The National Treatment Purchase Fund (‘NTPF’) is fully committed to the principles of data protection and its obligations as a data controller as set out in the General Data Protection Regulation (EU 2016/679) (the ‘GDPR’), the Data Protection Act 2018, the ePrivacy Regulations 2011, the Data Protection Acts 1988 and 2003 (if, and to the extent, applicable) and in related legislation (the ‘Data Protection Legislation’).
For certain of the data processing operations that the NTPF engages in, it acts as a controller in its own right and for other data processing operations it acts as a joint controller with others for example with treating and/or referring hospitals.
Click on the headings below to find out more about how we collect and process your personal data:
Who is the NTPF and what do they do?
The NTPF is an independent statutory body established by the Minister for Health (the ‘Minister’) which has statutory functions under Statutory Instrument 179 - National Treatment Purchase Fund (Establishment) Order, 2004 and the Nursing Homes Support Scheme Act (2009). Such functions include:
The relevant functions above, for the purposes of this Information Notice, are (a), (b) and (d). The processing carried out further to these functions is described in more detail below. Other processing operations conducted by the NTPF will be dealt with in other information notices.
Who can you contact within the NTPF for data protection matters?
Data Protection Officer
National Treatment Purchase Fund
Ashford House
Tara Street
Dublin 2
Tel: 3531 6427 101
Email: dataprotection@ntpf.ie
Details of the laws that apply to us with regard to processing your personal data
Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of personal data.
Compliance with the data protection rules is a legal obligation. In addition, our compliance with the data protection rules helps individuals to have confidence in dealing with us and helps us to maintain a positive reputation in relation to how we handle personal information.
The data protection rules that apply to us are currently contained in the Data Protection Legislation. The rules are based around a number of important definitions. These include:
Who is responsible for your personal data?
For the purposes of its functions in relation to hospital waiting lists, the NTPF acts as a joint controller with regard to the personal data described in this Information Notice. The other joint controllers in this context are the public and private hospitals who submit data to the NTPF.
What personal data and special categories of personal data does the NTPF process and where does it get this information
The NTPF processes certain personal data of patients, which it receives from referring public hospitals (via a secure network) under the following categories or lists;
The personal data includes patient name, address, gender, contact details and date of birth. Special categories of personal data include medical record number, episode number, Individual Healthcare Identifier (‘IHI’) once used more broadly within the health system, awaited procedure category and doctor details, both GP and consultant. In addition , the NTPF will receive other information from the hospital related to a patient such as the date they were placed on the waiting list or the referral date , their waiting list status, with reason, relevant administrative dates, their clinical prioritisation and the type of list they are on e.g. in patient, day care or outpatients. The hospitals may also advise the NTPF if a patient is unable or does not want to avail of an offer of treatment from the NTPF, if their clinical prioritisation has changed or if an alternative treatment or care pathway is recommended.
The NTPF facilitates the sending of a variety of correspondence to patients currently on waiting lists. Certain correspondence asks patients if they wish to remain on a relevant waiting list. Other correspondence offers patients care packages in a private hospital. The NTPF may receive additional information from patients directly who respond to such correspondence. For example, patients are asked for reasons as to why they do not wish to remain on a waiting list or why they do not accept the offer of a care package. The reasons provided, may also be regarded as health data. In relation to offers of treatment, patients may also be asked to provide an up to date contact number to help facilitate communication with the treating hospital.
The NTPF has introduced an online option for patients to respond to correspondence, which patients may find more convenient than responding in writing. Additional personal data in the form of a unique code is processed when using the on line response option, which can identify a patient.
The NTPF also generates case authorisation numbers (‘CANs’) when the NTPF commissions treatment for patients on particular waiting lists. CANs are specific to individual patients and thus is treated as personal data. Where the NTPF has arranged for treatment of patients, the treating hospitals will seek payment of the fees from the NTPF and will issue an invoice to the NTPF together with a discharge summary. This will include the patient’s name, address, date of birth, treatment received, date of treatment, CAN and discharge details. As part of the payment procedure within the NTPF, the personal data of treating doctors including their name, place of work and IMC code will also be processed.
The NTPF processes the personal data of staff within public and private hospitals whose role it is to assist the NTPF in carrying out its validation and commissioning functions. Such personal data includes work email addresses and work contact details, which are required in order to provide authorised staff with secure access to NTPF IT systems. Here the NTPF is acting as a data controller and details of this processing activity can be found in information notices on such IT systems.
Finally, should a member of the public, a patient, a doctor or a member of staff within a hospital, contact the NTPF by telephone, and if the call is out of hours or cannot be taken at the time, they will be invited to leave a voicemail message. This message may contain their personal data or special category personal data, depending on the nature of their message.
For what purpose does the NTPF process personal data?
The NTPF processes personal data in order to collate and validate patient waiting lists and to facilitate the provision of treatment to specified categories of patients who are on hospital waiting lists. To this end, it carries out the following processing operations:
When a person interacts with an NTPF maintained website, certain technical data is automatically collected and stored which relate to a user’s computer/device, browsing actions and patterns. Such technical data can also be regarded as personal data. This technical data is used to administer the website for example to troubleshoot any access issues suffered by users. The NTPF also has a separate Cookie Information Notice, which relates to the use of and visits to any of the websites operated by the NTPF.
What is the NTPF’s legal basis for processing personal data and special categories of personal data?
The NTPF processes personal data and special categories of personal data on the legal basis that processing is necessary for the performance of tasks carried out in the public interest arising from the NTPF’s statutory functions under S.I. No. 179/2004 – National Treatment Purchase Fund (Establishment) Order 2004 as amended by the Nursing Home Support Scheme Act 2009.
Furthermore the NTPF processes the special categories of personal data set out above on the basis that processing of special categories of personal data is necessary for reasons of public interest in the area of public health to ensure high standards of quality and safety of health care and based on the fact that suitable and specific measures are in place to safeguard the fundamental rights and freedoms of data subject.
Does the NTPF disclose personal data and special categories of personal data to other parties and who are these recipients?
Personal data exchanged with hospitals
The NTPF receives waiting lists from public hospitals which it then validates and returns to the public hospitals. These lists necessarily contain personal data.
The NTPF will exchange information about a patient including their personal data with referring and treating hospitals, for the purpose of identifying patients on a particular waiting list for treatment and arranging treatment for that patient with a hospital.
In certain, limited and specific circumstances and where there is a data sharing agreement in place, the NTPF may share patient personal data with certain hospital groups.
The NTPF also shares validated waiting lists, which contain patient personal data and special categories of personal data, with the HSE for a number of purposes, including but not limited to contributing to capacity and demand management within the public health service and obtaining Individual Health Identifiers, as defined in the Health Identifiers Act, 2014, from a register maintained by the HSE. This sharing arrangement is governed by an agreement with the HSE and an agreement with voluntary hospitals, who have instructed the NTPF to share their validated waiting list with the HSE.
Data processors
In the discharge of its functions, the NTPF uses the services of third parties including postal factories, ICT support, software providers, contractors, internal auditors, legal and data protection consultants who may, in that limited context, have access from time to time to personal data of patients, and authorised staff in hospitals when providing specific services to the NTPF.
We require all third parties to have appropriate technical and operational security measures in place to protect your personal data, in line with Irish and EU laws on data protection. Any such company will have access to personal information needed to perform the functions for which they are appointed but may not use the personal data for any other purpose.
Contracts will be in place with all third-party processors which set out the processor’s and the NTPF’s obligations with regard to the personal data that is being processed.
Other Recipients
In certain limited and very specific circumstances expressly laid down in law, the NTPF may be required to disclose the personal data of patients or treating doctors for example, to regulatory authorities. Should this arise, the NTPF will implement appropriate measures to protect the legitimate interests of data subjects.
The NTPF may provide reporting on the discharge of its functions including validation of waiting lists and commissioning treatment to the Department of Health. This may include pseudonymised data, which means the Department of Health will be unable to identify individual patients.
Is personal data and special categories of personal data transferred outside the European Economic Area?
The NTPF may commission a private hospital in Northern Ireland to provide treatment to patients on a waiting list. If a patient agrees to accept such treatment, as part of the process for arranging payment for or the follow up after that treatment, the NTPF may transfer certain patient personal data to Northern Ireland, which is now outside the European Economic Area (‘EEA’). Such transfers will comply with the requirements laid down in Chapter V of the GDPR.
Furthermore, some of the data processors appointed by the NTPF may transfer your personal data outside the European Economic Area in connection with providing the services for which we have engaged them. They are only permitted to do so with the NTPF’s prior agreement and on the basis that they comply with the provisions in Chapter V of the GDPR including the requirement that an approved safeguard measure must be in place such as an equivalency decision from the European Commission or European Commission-approved Standard Contractual Clauses.
How long will the NTPF retain patient personal data special categories of personal data and for?
The NTPF holds patient personal data and special categories of personal data for as long as is necessary to achieve the purposes set out above and in order for the NTPF to comply with its legal obligations. Patient personal data and special categories of personal data will be held no longer than 6 years from the year in which the NTPF pays for the treatment which a patient receives. Voicemails will be deleted at the earliest opportunity, once the query has been properly dealt with.
What rights do patients, as data subjects, have?
Subject to certain restrictions provided by law, you have the right to:
Further details of these rights can be obtained from the Data Protection Officer of the NTPF (whose details are set out above) or from the Data Protection Commission.
You also have the right to make a complaint to the Data Protection Commission at any time in relation to any issues related to our processing of their personal data. The Data Protection Commission can be contacted as follows:
Changes to this Information Notice
Our Information Notice may change from time to time and and previous versions are available upon request.
April 2023