The National Treatment Purchase Fund (‘NTPF’) is fully committed to the principles of data protection and its obligations as a data controller as set out in the General Data Protection Regulation (EU 2016/679) (the ‘GDPR’), the Data Protection Act 2018, the ePrivacy Regulations 2011, the Data Protection Acts 1988 and 2003 (if, and to the extent, applicable) and in related legislation (the ‘Data Protection Legislation’).

For certain of the data processing operations that the NTPF engages in, it acts as a controller in its own right and for other data processing operations it acts as a joint controller with others. For the purposes of the processing detailed in this Information Notice, the NTPF acts as a joint controller with hospitals as described below.

Click on the headings below to find out more about how we collect and process your personal data:

Who is the NTPF and what do they do?

The NTPF is an independent statutory body established by the Minister for Health (the ‘Minister’) which has statutory functions under Statutory Instrument 179 - National Treatment Purchase Fund (Establishment) Order, 2004 and the Nursing Homes Support Scheme Act (2009). Such functions include:

  1. making arrangements with persons, whether resident in the State or elsewhere, for the provision of hospital treatment to such classes of persons as may be determined by the Minister, from time to time; and
  2. collecting, collating and validating information in relation to persons waiting for hospital treatment and to put in place information systems and procedures for that purpose;
  3. making arrangements with nursing homes, relating to the price at which long-term residential care services will be provided to those requiring such services and who are in receipt of financial support under the Nursing Homes Support Scheme Act 2009;
  4. furnishing whenever it is so required by the Minister or on its own initiative, advice to the Minister on issues relating to its functions; and
  5. performing any other function in relation to the purchase of hospital treatment that the Minister may from time to time assign to it.

The relevant functions above, for the purposes of this Information Notice, are (a), (b) and (d). The processing carried out further to these functions is described in more detail below. Other processing operations conducted by the NTPF will be dealt with in other information notices.

Who can you contact within the NTPF for data protection matters?

Data Protection Officer
National Treatment Purchase Fund
Ashford House
Tara Street
Dublin 2

Tel: 3531 6427 101

Details of the laws that apply to us with regard to processing your personal data

Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of personal data.

Compliance with the data protection rules is a legal obligation. In addition, our compliance with the data protection rules helps individuals to have confidence in dealing with us and helps us to maintain a positive reputation in relation to how we handle personal information.

The data protection rules that apply to us are currently contained in the Data Protection Legislation. The rules are based around a number of important definitions. These include:

  • ‘Personal data’ is any information relating to an identified or identifiable natural person (‘data subject’).
  • ‘Special categories of personal data’ means personal data revealing racial or ethnic origins, political opinion, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • ‘Data controllers’ are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed, who/which make independent decisions in relation to the personal data and/or who/which otherwise control that personal data.
  • ‘Data processors’ are the people who or organisations which process personal data on behalf of, and on the instructions of, a data controller.
  • Where two or more controllers jointly determine the purposes and means of processing, they shall be ‘joint controllers’.

Who is responsible for your personal data?

For the purposes of its functions in relation to hospital waiting lists, the NTPF acts as a joint controller with regard to the personal data described in this Information Notice. The other joint controllers in this context are the public and private hospitals.

What personal data and special categories of personal data does the NTPF process and where does it get this information from

The NTPF processes certain personal data of patients which it receives from referring public hospitals (via a secure network) under the following categories or lists;

  1. patients waiting for a hospital appointment;
  2. patients who have a scheduled appointment; and
  3. patients who are currently unable to attend an appointment and therefore suspended on a list.

The personal data includes patient name, address, gender, contact details and date of birth. Special categories of personal data include medical record number, episode number, awaited procedure category and doctor details, both GP and consultant. In addition , the NTPF will receive other information from the hospital related to a patient such as the date they were placed on the waiting list or the referral date , their waiting list status, with reason, their clinical prioritisation and the type of list they are on e.g. in patient, day care or outpatients. The hospitals may also advise the NTPF if a patient is unable or does not want to avail of an offer of treatment from the NTPF.

The NTPF also generates case authorisation numbers (‘CANs’) which are specific to individual patients and thus shall be treated as personal data.

The NTPF receives additional information from patients directly as to whether they wish to remain on the relevant waiting list. This information is received through a postal factory who manages these communications for and on behalf of the NTPF and the relevant public hospitals. The NTPF has introduced an online option for patients to respond to this request. Additional personal data in the form of a unique code is processed through this facility, which can identify a patient. If a patient no longer requires the appointment, they are asked to submit a reason, which may also be regarded as their health data.

Where the NTPF has arranged for treatment of patients by private hospitals, the private hospitals will seek payment of the fees from the NTPF and will issue an invoice to the NTPF together with a discharge summary. This will include the patient’s name, date of birth, treatment received, date of treatment, and discharge details. As part of the payment procedure within the NTPF, the personal data of treating doctors including their name, place of work and IMC code will also be processed.

Finally, the NTPF processes the personal data of staff within public and private hospitals whose role it is to assist the NTPF in carrying out its functions. Such personal data includes work email addresses and work contact details

For what purpose does the NTPF process personal data?

The NTPF processes personal data in order to collate and validate patient waiting lists and to facilitate the provision of treatment to specified categories of patients who have been on hospital waiting lists for a long time. To this end, it carries out the following processing operations:

  • The NTPF receives waiting lists from public hospitals, collates information relating to such lists and validates this information. The NTPF then publishes aggregated, anonymised information on the National Waiting List Data portal of its website which comprises the aggregated numbers of patients waiting for specific periods, for specific treatments at specific hospitals. Aggregated numbers less than 5 are not published to ensure anonymity is maintained. Published waiting lists do not contain any personal data of individual patients;
  • The NTPF works in conjunction with public hospitals to facilitate a process whereby patients are requested to confirm in writing or on-line that they wish to remain on a waiting list;
  • Another aspect of its validation function involves the NTPF auditing the pathway of sample sets of patients who are on waiting lists. This involves the NTPF’s Audit & QA division attending at hospitals to check whether patients have been included on waiting lists in accordance with established rules, accurately and in a timely fashion. In carrying out this checking exercise the NTPF will be provided with access to patient records. In all cases this information will all be viewed on site at the hospital under controlled conditions and it will not be removed or processed for any other reason;
  • In terms of the NTPF’s statutory function to arrange for the provision of hospital treatment to classes of persons determined by the Minister, the NTPF advises referring hospitals of those patients that fall within those criteria. The referring hospital then coordinates with the individual patient to see if they wish to avail of the purchased treatment. The NTPF does not deal directly with individual patients for the purchased treatment but may process health and personal data of the patient in order to arrange for the provision of hospital treatment and in processing payments to the treating hospitals.

When a person interacts with this website, certain technical data is automatically collected and stored which relate to a user’s computer/device, browsing actions and patterns. Such technical data can also be regarded as personal data. This technical data is used to administer the website for example to troubleshoot any access issues suffered by users.

The NTPF also has a separate Cookie Information Notice which relates to the use of and visits to the website of the NTPF.

What is the NTPF’s legal basis for processing personal data and special categories of personal data?

The NTPF processes personal data and special categories of personal data on the legal basis that processing is necessary for the performance of tasks carried out in the public interest arising from the NTPF’s statutory functions under S.I. No. 179/2004 – National Treatment Purchase Fund (Establishment) Order 2004 as amended by the Nursing Home Support Scheme Act 2009.

Furthermore the NTPF processes the special categories of personal data set out above on the basis that processing of special categories of personal data is necessary for reasons of public interest in the area of public health to ensure high standards of quality and safety of health care and based on the fact that suitable and specific measures are in place to safeguard the fundamental rights and freedoms of data subject.

Does the NTPF disclose personal data and special categories of personal data to other parties and who are these recipients?

Personal data exchanged with hospitals

The NTPF receives waiting lists from public hospitals which it then validates and returns to the public hospitals and hospital groups. These lists necessarily contain personal data.

The NTPF will exchange information about a patient including their personal data with referring and treating hospitals, for the purpose of identifying patients on a particular waiting list for treatment and arranging treatment for that patient with a hospital.

In certain, limited and specific circumstances and where there is a data sharing agreement in place, the NTPF may share patient personal data with certain hospital groups.

The NTPF also shares validated waiting lists, which contain patient personal data and special categories of personal data, with the HSE. This sharing arrangement is governed by an agreement with the HSE and an agreement with voluntary hospitals, who have instructed the NTPF to share their validated waiting list with the HSE.

Data processors

In the discharge of its functions the NTPF uses the services of third parties including postal factories, IT support, internal auditors, legal and data protection consultants who may, in that limited context, have access from time to time to personal data of patients when providing specific services to the NTPF.

We require all third parties to have appropriate technical and operational security measures in place to protect your personal data, in line with Irish and EU laws on data protection. Any such company will have access to personal information needed to perform the functions for which they are appointed but may not use the personal data for any other purpose.

Contracts will be in place with all third-party processors which set out the processor’s and the NTPF’s obligations with regard to the personal data that is being processed.

Is personal data and special categories of personal data transferred outside the European Economic Area?

The NTPF may commission a private hospital in Northern Ireland to provide treatment to patients on waiting list. If a patient agrees to accept such treatment, as part of the process for arranging payment for or the follow up after that treatment, the NTPF may transfer certain patient personal data to Northern Ireland, which in the event of Brexit will be outside the EEA. This transfer is on the basis of an agreement with the hospital in Northern Ireland which includes European Commission-approved Standard Contractual Clauses.

Furthermore, some of the data processors appointed by the NTPF may transfer your personal data outside the European Economic Area in connection with providing the services for which we have engaged them but are only permitted to do so with the NTPF’s prior agreement and on the basis that they comply with the provisions in Chapter V of the GDPR including the requirement that an approved safeguard measure must be in place such as an equivalency decision from the European Commission or European Commission-approved Standard Contractual Clauses.

How long will the NTPF retain patient personal data special categories of personal data and for?

The NTPF holds patient personal data and special categories of personal data for as long as is necessary to achieve the purposes set out above and in order for the NTPF to comply with its legal obligations. Patient personal data and special categories of personal data will be held no longer than 6 years from the year in which the NTPF pays for the treatment which a patient receives.

What rights do patients, as data subjects, have?

Subject to certain restrictions provided by law you have the right to:

  • Request information about whether we hold personal data about you, and, if so, what that information is and why we are holding/using it.
  • Request access to your personal data (commonly known as a ‘data subject access request’). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Object to automated decision-making including profiling, that is not to be subject of any automated decision-making by us using your personal data or profiling of you.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request transfer of your personal information in an electronic and structured form to you or to another party (commonly known as a right to ‘data portability’). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.

Further details of these rights can be obtained from the Data Protection Officer of the NTPF (whose details are set out above) or from the Data Protection Commission.

You also have the right to make a complaint to the Data Protection Commission at any time in relation to any issues related to our processing of their personal data. The Data Protection Commission can be contacted as follows:

  • Go to their website
  • Phone on +353 57 8684800 or +353 (0)761 104 800
  • Email
  • Address: Data Protection Office - Canal House, Station Road, Portarlington, Co. Laois, R32 AP23 OR 21 Fitzwilliam Square, Dublin 2, D02 RD28.

Changes to this Information Notice

Our Information Notice may change from time to time and any changes to the Information Notice will be posted on this page.

September 2020