The National Treatment Purchase Fund (‘NTPF’) is fully committed to the principles of data protection and its obligations as a data controller as set out in the General Data Protection Regulation (EU 2016/679) (the ‘GDPR’), the Data Protection Act 2018, the ePrivacy Regulations 2011, the Data Protection Acts 1988 and 2003 (if, and to the extent, applicable) and in related legislation (the ‘Data Protection Legislation’).
For certain of the data processing operations that the NTPF engages in, it acts as a controller in its own right and for other data processing operations it acts as a joint controller with others. For the purposes of the processing detailed in this Information Notice, the NTPF acts as a joint controller with hospitals as described below.
Click on the headings below to find out more about how we collect and process your personal data:
Who is the NTPF and what do they do?
The NTPF is an independent statutory body established by the Minister for Health (the ‘Minister’) which has statutory functions under Statutory Instrument 179 - National Treatment Purchase Fund (Establishment) Order, 2004 and the Nursing Homes Support Scheme Act (2009). Such functions include:
The relevant functions above, for the purposes of this Information Notice, are (a), (b) and (d). The processing carried out further to these functions is described in more detail below. Other processing operations conducted by the NTPF will be dealt with in other information notices.
Who can you contact within the NTPF for data protection matters?
Data Protection Officer
National Treatment Purchase Fund
Tel: 3531 6427 101
Details of the laws that apply to us with regard to processing your personal data
Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of personal data.
Compliance with the data protection rules is a legal obligation. In addition, our compliance with the data protection rules helps individuals to have confidence in dealing with us and helps us to maintain a positive reputation in relation to how we handle personal information.
The data protection rules that apply to us are currently contained in the Data Protection Legislation. The rules are based around a number of important definitions. These include:
Who is responsible for your personal data?
For the purposes of its functions in relation to hospital waiting lists, the NTPF acts as a joint controller with regard to the personal data described in this Information Notice. The other joint controllers in this context are the public and private hospitals.
What personal data and special categories of personal data does the NTPF process and where does it get this information from
The NTPF processes certain personal data of patients which it receives from referring public hospitals (via a secure network) under the following categories or lists;
The personal data includes patient name, address, gender, contact details and date of birth. Special categories of personal data include medical record number, episode number, awaited procedure category and doctor details, both GP and consultant. In addition , the NTPF will receive other information from the hospital related to a patient such as the date they were placed on the waiting list or the referral date , their waiting list status, with reason, their clinical prioritisation and the type of list they are on e.g. in patient, day care or outpatients. The hospitals may also advise the NTPF if a patient is unable or does not want to avail of an offer of treatment from the NTPF.
The NTPF also generates case authorisation numbers (‘CANs’) which are specific to individual patients and thus shall be treated as personal data.
The NTPF receives additional information from patients directly as to whether they wish to remain on the relevant waiting list. This information is received through a postal factory who manages these communications for and on behalf of the NTPF and the relevant public hospitals. The NTPF has introduced an online option for patients to respond to this request. Additional personal data in the form of a unique code is processed through this facility, which can identify a patient. If a patient no longer requires the appointment, they are asked to submit a reason, which may also be regarded as their health data.
Where the NTPF has arranged for treatment of patients by private hospitals, the private hospitals will seek payment of the fees from the NTPF and will issue an invoice to the NTPF together with a discharge summary. This will include the patient’s name, date of birth, treatment received, date of treatment, and discharge details. As part of the payment procedure within the NTPF, the personal data of treating doctors including their name, place of work and IMC code will also be processed.
Finally, the NTPF processes the personal data of staff within public and private hospitals whose role it is to assist the NTPF in carrying out its functions. Such personal data includes work email addresses and work contact details
For what purpose does the NTPF process personal data?
The NTPF processes personal data in order to collate and validate patient waiting lists and to facilitate the provision of treatment to specified categories of patients who have been on hospital waiting lists for a long time. To this end, it carries out the following processing operations:
When a person interacts with this website, certain technical data is automatically collected and stored which relate to a user’s computer/device, browsing actions and patterns. Such technical data can also be regarded as personal data. This technical data is used to administer the website for example to troubleshoot any access issues suffered by users.
The NTPF also has a separate Cookie Information Notice which relates to the use of and visits to the website of the NTPF.
What is the NTPF’s legal basis for processing personal data and special categories of personal data?
The NTPF processes personal data and special categories of personal data on the legal basis that processing is necessary for the performance of tasks carried out in the public interest arising from the NTPF’s statutory functions under S.I. No. 179/2004 – National Treatment Purchase Fund (Establishment) Order 2004 as amended by the Nursing Home Support Scheme Act 2009.
Furthermore the NTPF processes the special categories of personal data set out above on the basis that processing of special categories of personal data is necessary for reasons of public interest in the area of public health to ensure high standards of quality and safety of health care and based on the fact that suitable and specific measures are in place to safeguard the fundamental rights and freedoms of data subject.
Does the NTPF disclose personal data and special categories of personal data to other parties and who are these recipients?
Personal data exchanged with hospitals
The NTPF receives waiting lists from public hospitals which it then validates and returns to the public hospitals and hospital groups. These lists necessarily contain personal data.
The NTPF will exchange information about a patient including their personal data with referring and treating hospitals, for the purpose of identifying patients on a particular waiting list for treatment and arranging treatment for that patient with a hospital.
In certain, limited and specific circumstances and where there is a data sharing agreement in place, the NTPF may share patient personal data with certain hospital groups.
The NTPF also shares validated waiting lists, which contain patient personal data and special categories of personal data, with the HSE. This sharing arrangement is governed by an agreement with the HSE and an agreement with voluntary hospitals, who have instructed the NTPF to share their validated waiting list with the HSE.
In the discharge of its functions the NTPF uses the services of third parties including postal factories, IT support, internal auditors, legal and data protection consultants who may, in that limited context, have access from time to time to personal data of patients when providing specific services to the NTPF.
We require all third parties to have appropriate technical and operational security measures in place to protect your personal data, in line with Irish and EU laws on data protection. Any such company will have access to personal information needed to perform the functions for which they are appointed but may not use the personal data for any other purpose.
Contracts will be in place with all third-party processors which set out the processor’s and the NTPF’s obligations with regard to the personal data that is being processed.
Is personal data and special categories of personal data transferred outside the European Economic Area?
The NTPF may commission a private hospital in Northern Ireland to provide treatment to patients on waiting list. If a patient agrees to accept such treatment, as part of the process for arranging payment for or the follow up after that treatment, the NTPF may transfer certain patient personal data to Northern Ireland, which in the event of Brexit will be outside the EEA. This transfer is on the basis of an agreement with the hospital in Northern Ireland which includes European Commission-approved Standard Contractual Clauses.
Furthermore, some of the data processors appointed by the NTPF may transfer your personal data outside the European Economic Area in connection with providing the services for which we have engaged them but are only permitted to do so with the NTPF’s prior agreement and on the basis that they comply with the provisions in Chapter V of the GDPR including the requirement that an approved safeguard measure must be in place such as an equivalency decision from the European Commission or European Commission-approved Standard Contractual Clauses.
How long will the NTPF retain patient personal data special categories of personal data and for?
The NTPF holds patient personal data and special categories of personal data for as long as is necessary to achieve the purposes set out above and in order for the NTPF to comply with its legal obligations. Patient personal data and special categories of personal data will be held no longer than 6 years from the year in which the NTPF pays for the treatment which a patient receives.
What rights do patients, as data subjects, have?
Subject to certain restrictions provided by law you have the right to:
Further details of these rights can be obtained from the Data Protection Officer of the NTPF (whose details are set out above) or from the Data Protection Commission.
You also have the right to make a complaint to the Data Protection Commission at any time in relation to any issues related to our processing of their personal data. The Data Protection Commission can be contacted as follows:
Changes to this Information Notice
Our Information Notice may change from time to time and any changes to the Information Notice will be posted on this page.