
PAMS Data Protection

PAMS DATA PROTECTION INFORMATION NOTICE FOR THE ATTENTION OF THE AUTHORISED USERS OF PATIENT ACCESS MANAGEMENT SYSTEM

The National Treatment Purchase Fund (‘NTPF’) is fully committed to the principles of data protection and its obligations as a data controller as set out in the General Data Protection Regulation (EU 2016/679) (the ‘GDPR’), the Data Protection Act 2018, the ePrivacy Regulations 2011, the Data Protection Acts 1988 to 2018 (if, and to the extent, applicable) and in related legislation (the ‘Data Protection Legislation’).

Context

The NTPF is an independent statutory body established by the Minister for Health (the ‘Minister’). Amongst other things, its functions include making arrangements (and providing funding) for the provision of hospital treatment to public patients in order to reduce waiting lists and waiting times for public patients.

The NTPF is developing and implementing an IT system, called the Patient Access Management System (“PAMS”), to help it to better manage the organisational complexities associated with the processes by which such treatments are arranged between the NTPF, referring hospitals, treating hospitals, and patients.

Personal data relating to patients will be processed by the NTPF through the PAMS system. In addition, a limited amount of personal data will also be processed in relation to those staff members within the participating public and private hospitals whose roles involve arranging for the treatment of certain cohorts of patients through the NTPF Commissioning Process. Specifically, where a person within a referring or treating hospital is authorised to use the PAMS system in the context of their role, that person’s name, email address and the IP address of the computer they use to access PAMS will be processed by the NTPF. The user’s name obviously comprises “personal data” for the purposes of the Data Protection Legislation. Some of the other items of information processed may also comprise “personal data”.

In order to process any personal data about any individual, the NTPF must do so in a way that is fair and that meets the principles set out in the EU General Data Protection Regulation (GDPR). Those principles require that personal data is processed in a transparent way. That in turn means that individuals must be provided with specific information about how the NTPF obtains and uses their personal data.

Against that backdrop, the purpose of this Notice is to provide staff members within those referring and treating hospitals who participate in treatment programmes organised and co-ordinated by the NTPF with information about the obtaining and processing of their personal data in the context of the PAMS system, to include the purpose and the lawful basis for such processing.

Who is the NTPF and what do they do?

The NTPF is an independent statutory body established by the Minister for Health (the ‘Minister’) which has statutory functions under Statutory Instrument 179 – National Treatment Purchase Fund (Establishment) Order, 2004 and the Nursing Homes Support Scheme Act (2009). Such functions include:

  (a) making arrangements with persons, whether resident in the State or elsewhere, for the provision of hospital treatment to such classes of persons as may be determined by the Minister, from time to time;
  (b) collecting, collating and validating information in relation to persons waiting for hospital treatment and putting in place information solutions and procedures for that purpose;
  (c) making arrangements with nursing homes, relating to the price at which long-term residential care services will be provided to those requiring such services and who are in receipt of financial support under the Nursing Homes Support Scheme Act 2009;
  (d) furnishing, whenever it is so required by the Minister or on its own initiative, advice to the Minister on issues relating to its functions; and
  (e) performing any other function in relation to the purchase of hospital treatment that the Minister may from time to time assign to it.

The relevant function above, for the purposes of this Information Notice, is (a). The processing carried out further to this function is described in more detail below. Other processing operations conducted by the NTPF will be dealt with in other information notices.

Who can you contact within the NTPF for data protection matters?

Data Protection Officer
National Treatment Purchase Fund
Ashford House
Tara Street
Dublin 2

Tel: 3531 6427 101
Email: dataprotection@ntpf.ie

Details of the laws that apply to us with regard to processing your personal data

Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of personal data.

Compliance with the data protection rules is a legal obligation. In addition, our compliance with the data protection rules helps individuals to have confidence in dealing with us and helps us to maintain a positive reputation in relation to how we handle personal information.

The data protection rules that apply to us are currently contained in the Data Protection Legislation. The rules are based around a number of important definitions. These include:

  • ‘Personal data’ is any information relating to an identified or identifiable natural person (‘data subject’).
  • ‘Special categories of personal data’ means personal data revealing racial or ethnic origins, political opinion, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • ‘Data controllers’ are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed, who/which make independent decisions in relation to the personal data and/or who/which otherwise control that personal data.
  • ‘Data processors’ are the people who or organisations which process personal data on behalf of, and on the instructions of, a data controller.
  • Where two or more controllers jointly determine the purposes and means of processing, they shall be ‘joint controllers’.

Who is responsible for your personal data?

In the discharge of its function in relation to arranging treatment for certain cohorts of patients on public hospital waiting lists, the NTPF generally acts as a joint controller along with the public and private hospitals who provide treatment, in terms of patient personal data and special categories of personal data. The Data Protection Notice in relation to the processing of patient personal data can be found on the general data protection page.

As indicated above, the NTPF is developing and implementing PAMS to help it to better manage the organisational complexities associated with the processes by which such treatments are arranged between the NTPF, referring hospitals, treating hospitals and patients.

To the extent that the implementation and operation of PAMS requires the NTPF to obtain and process a limited amount of personal data relating to staff members within the participating public and private hospitals, the NTPF acts as a joint controller in respect of such data, along with the relevant public and/or private hospital to which the staff member is attached.

The NTPF can be contacted at the address noted above.

What personal data does NTPF process and where does it get this information from?

In the development, implementation and operation of PAMS, the NTPF will obtain and process a limited amount of personal data in relation to those staff members within the participating public and private hospitals whose roles involve arranging for the treatment of certain cohorts of patients through the NTPF Commissioning Process. Specifically, where a person within a referring or treating hospital is authorised to use the PAMS system in the context of their role, that person’s name, email address and the IP address of the computer they use to access PAMS will be processed by the NTPF. The user’s name obviously comprises “personal data” for the purposes of the Data Protection Legislation. Some of the other items of information processed may also comprise “personal data”.

In the course of the development phase of PAMS, the NTPF will obtain users’ names and email addresses from the authorised users themselves. Thereafter, users’ names and email addresses will be processed, along with their respective IP addresses, on each occasion the user interacts with PAMS.

For what purpose does the NTPF process personal data?

In the development and roll-out phase of PAMS, the NTPF will first process the personal data of authorised users in order to ascertain whether or not they can access PAMS using the particular hospital’s IT infrastructure. Once the system as a whole goes live, the NTPF will process the personal data of authorised users when they access and utilise PAMS on an ongoing basis. Having regard to the sensitivity of the patient data held and processed in PAMS, it is necessary that all access authentication information and activity within PAMS is recorded and stored for security and audit purposes.

What is the NTPF’s legal basis for processing personal data?

In respect of personal data relating to staff members within the participating public and private hospitals who operate PAMS, the NTPF processes such personal data on the basis that it is necessary and proportionate for the performance of tasks carried out in the public interest arising from the NTPF’s statutory functions under S.I. No. 179/2004 – National Treatment Purchase Fund (Establishment) Order 2004 as amended by the Nursing Homes Support Scheme Act 2009, and specifically section 4.1 (a) therein.

Does the NTPF disclose personal data to other parties and who are these recipients?

Data processors

For the purposes of the development, implementation and operation of PAMS, the NTPF has engaged the services of expert IT consultants and is utilising third party IT software. The IT consultants and software providers may have access from time to time to personal data of authorised users as necessary for support and maintenance purposes only.

We require all third parties who may have access to your personal data in the context of the development, implementation and operation of PAMS to have appropriate technical and operational security measures in place to protect that data, in line with Irish and EU laws on data protection. The purposes for which any such company will have access to personal information will be strictly limited to such purposes as are necessary to perform the functions for which they are appointed. They will not be permitted to use the personal data for any other purpose.

Contracts are in place with all third-party processors which set out the processor’s obligations and the NTPF’s obligations with regard to the personal data that is being processed.

Other authorised users of PAMS

The authorised users in other hospitals who are involved in the treatment of a particular patient will have sight of all activity and progress with an entry within PAMS for a particular patient. If you administered particular processes as they relate to that particular patient, then other users involved in the organising of treatment for that patient will also be able to see your name, i.e. your name will be linked to those earlier steps in the process that were administered by you.

Is personal data transferred outside the European Economic Area?

The NTPF does not transfer your personal data outside the European Economic Area.

PAMS utilises Microsoft Azure Active Directory Multi Factor Authentication to authenticate authorised users to PAMS. Microsoft replicates some portions of the Active Directory data gathered to authenticate users from the EEA to the United States of America. This information includes the email address of the user and the telephone number used for the authentication.

The transfer of personal data outside the EU will only be permitted with the NTPF’s prior agreement and on the basis that the processor in question complies with all applicable provisions in Chapter V of the GDPR, including the requirement that an approved safeguard measure must be in place, such as an equivalency decision from the European Commission or European Commission-approved Standard Contractual Clauses.

How long will the NTPF retain authorised staff members’ personal data for?

The NTPF holds your personal data for as long as you are authorised by the hospital that employs you to have access to PAMS and thereafter for 2 years for audit, back up and business continuity purposes.

What rights do authorised users of PAMS, as data subjects, have?

Subject to certain restrictions provided by law you have the right to:

  • Request information about whether we hold personal data about you, and, if so, what that information is and why we are holding/using it.
  • Request access to your personal data (commonly known as a ‘data subject access request’). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Object to automated decision-making including profiling, that is, not to be subject to any automated decision-making by us using your personal data or profiling of you.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request transfer of your personal information in an electronic and structured form to you or to another party (commonly known as a right to ‘data portability’). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.

Further details of these rights can be obtained from the Data Protection Officer of the NTPF (whose details are set out above) or from the Data Protection Commission.

You also have the right to make a complaint to the Data Protection Commission at any time in relation to any issues related to our processing of your personal data. The Data Protection Commission can be contacted as follows:

  • Go to their website www.dataprotection.ie
  • Phone on +353 57 8684800 or +353 (0)761 104 800
  • Email info@dataprotection.ie
  • Address: Data Protection Office – Canal House, Station Road, Portarlington, Co. Laois, R32 AP23 OR 21 Fitzwilliam Square, Dublin 2, D02 RD28.

PATIENT ACCESS MANAGEMENT SYSTEM (PAMS) Portal User Access Policy 2019

Changes to this Information Notice

Our Information Notice may change from time to time and any changes to the Information Notice will be posted on this page.

March 2019