Data Protection and Privacy

Introduction - Ensuring privacy

Bon Secours Health System CLG (“Bon Secours”) understands that your privacy is important to you and that you care about how your personal data is used.
We respect and value the privacy of all of our patients and residents and will only collect and use personal data in ways that are described here,
and in a way that is consistent with our obligations and your rights under the EU General Data Protection Regulation (“the GDPR”).

Under the GDPR, all medical information is deemed a special category of personal information.
Personal data we gather will be “processed” in accordance with all applicable data protection laws including the GDPR and the applicable Irish Data Protection legislation.
For the purposes of the GDPR, Bon Secours Health System CLG is a “Data Controller” registered with the Irish Data Protection Commission.

For further information or queries about your data and your data protection rights, please contact

DPO, Bon Secours Health System Group Offices, 7 Riverwalk, Citywest, Dublin 24, D24 H2

Email :

Please click HERE for a PDF version of Bon Secours Data Protection and Privacy Statement.

Under the GDPR, you have the following rights, which Bon Secours will always work to uphold:

  1. The right to be informed about our collection and use of your personal data. This Privacy Statement should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 14.
  2. The right to access personal data Bon Secours holds about you. Part 13 of this Statement will tell you how to do this.
  3. The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 14 of this Statement to find out more.
  4. The right to erasure, for example the right to ask us to delete or otherwise dispose of any of your personal data that we have, where there is no compelling reason to continue processing. This right only applies in certain circumstances; it is not a guaranteed or absolute right. Please contact us using the details in Part 14 of this Statement to find out more.
  5. The right to restrict (i.e., prevent) the processing of your personal data.
  6. The right to object to us using your personal data for a particular purpose or purposes.
  7. The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract or the provision of medical care or treatment and that data is processed using automated means, you can ask us for a copy of that personal data to reuse with another service in many cases.
  8. Rights relating to automated decision-making and profiling. We do not use your personal data in this way.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 14 of this Statement.

Further information about your rights can also be obtained from the Data Protection Commission. If you have any cause for complaint about our use of your personal data,
you have the right to lodge a complaint with the

Data Protection Commission,
21 Fitzwilliam Square South,
Dublin 2,
D02 RD28.

As a healthcare provider it is important for us to have a complete picture about your health in order to care for you. The personal data we collect enables us to
confirm your identity when we contact you, or when you contact us. It enables us to provide the correct high-quality care to meet your individual needs.

Our staff including our nurses, doctors and other healthcare professionals caring for you, keep records about your health and the care you receive for the
purposes of preventative medicine, medical diagnosis, medical research, the provision of medical care and treatment and the management of healthcare services.
Having accurate and up-to-date information will assist us in providing you with the best possible care.

The following is a non-exhaustive list of the categories and types of personal data we may collect (this may vary according to your relationship with us):

  • Personal details about you, such as your date of birth, address, mobile phone number, contact details and next of kin.
  • Financial and health insurance information.
  • Clinical information, treatment procedures, diagnosis and reports.
  • Results of investigations, such as X-rays and laboratory tests.
  • Patient feedback, enquiries received, log of calls received, log of complaints received, and
  • Closed-circuit television (CCTV) footage and images.

Bon Secours may process certain special category data which may include health information, racial or ethnic origin, religious or philosophical beliefs, genetic and biometric data.

While the type of personal data we process may change occasionally, we believe it is important that you are aware of the types of personal data we gather and use. Under the GDPR, we must always have a lawful basis for using your personal data. The lawful bases for Bon Secours processing your special categories of personal data are as follows:

  • The processing is necessary in order to protect your vital interests.
  • Pursuant to a contract with you, the HSE, your health insurer or for patients being treated under the National Treatment Purchase Fund (NTPF) scheme.
  • For the purposes of preventative or occupational medicine.
  • For the provision of healthcare treatment.
  • For the provision of medical diagnosis.
  • For the management of health or social care systems and services.
  • For the purposes of invoicing, billing, and account management.
  • For the purposes of our legitimate interests such as to prevent fraud.

Special categories of personal data are defined by the GDPR and include things like racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, health data, sex life details and sexual orientation.

Bon Secours only processes personal data where it is necessary and may typically use your personal data for one of the following purposes:

  • To manage and deliver your care (Direct Care) to ensure that:
    • The right decisions are made about your care.
    • Your treatment is safe and effective.
  • To coordinate with other organisations that may be involved in your care.
  • To remind you of appointments by email, phone, and/or text.
  • To assist in safeguarding patients, visitors, staff and property.

If the purpose of the processing is for a reason other than the reasons above, we will seek your consent to process your sensitive personal data.

Bon Secours promotes a minimum use of personal data in all its health research projects and all Researchers are required to complete a ‘Data Protection Impact Assessment’ in relation to the personal data they wish to collect and use in their health research study.

Research in healthcare is vital in helping develop understanding about health risks and causes to develop new treatments. All Health Research at Bon Secours is reviewed and approved in advance by our Research Ethics Committee. Your consent will be sought prior to being asked to participate in a research study or to have your personal data used in a research study unless your consent is deemed not necessary under the Health Research Regulations 2018. In some circumstances, consent exemptions may be granted by the Health Research Board Consent Declaration Committee (HRBCDC). In such circumstances you will not be identified in any published results without your prior agreement. More information can be found on our website and on research posters placed around our hospitals.


Chart review studies use data which was previously collected by the hospital for the provision of your health care. These studies facilitate the rapid collection of clinical, safety, and healthcare resource utilisation data.
The default option for retrospective chart review studies is to obtain your consent.

Consent may not be obtained if the following conditions are met:

  • The study is approved by a Research Ethics committee.
  • A Data Protection Risk Impact Assessment (DPIA) carried out by the researcher demonstrates that your privacy will not be at risk.


Chart review studies may only be carried out by:

  • A Consultant who is privileged to provide services but is not employed by Bon Secours, or a person studying to be a health practitioner under the direction and control of Bon Secours.
  • An employee of Bon Secours who would ordinarily have access to your personal data in the course of their duties.

Any data collected in this manner will not be disclosed to another person and any findings, if published, will not identify individuals.


Who is an “authorised person”? An authorised person may be an employee of:

  • An institution of higher education.
  • A body or person whose principal activity is the provision, management or development of a health practitioner.
  • A registered charitable organisation, one of whose objects is to support research and education in the health services.
  • A person under the direction and control of a health practitioner who is an employee of Bon Secours.


Access to your data will be for the sole purpose of pre-screening as set out in an agreement between the Hospital and the employer of the pre-screener.
If you are identified as a potential candidate, you may be contacted by the research team, and you will be asked to consent to take part in the research.


In addition to using the data to provide for your care, personal data is also routinely used to improve the quality of the services we provide and to plan for the future (Indirect Care). Your data may therefore be used to:

  • Evaluate and improve patient safety and care.
  • Review the care we provide for you to ensure it is of the highest standard. This can be carried out using multiple quality improvement methods e.g., clinical audit.
  • Investigate complaints, legal claims, or adverse incidents.
  • Provide information for planning so we can meet future needs for health services.
  • Provide information to prepare statistics on Health Service performance; and
  • Facilitate continuous training and development of our staff.

Bon Secours recognises its duty to keep your personal data secure and confidential and, where appropriate, we de-identify your data when using it for quality improvement activities.

To provide you with the highest quality of healthcare, we need to keep records about you. Your data may be collected in a number of different ways, such as a referral made by your GP or another healthcare professional you have seen, or perhaps directly from you over the telephone, in person, or on a form you have completed. There may also be times when personal data is collected from your relatives or a next of kin where you might be very unwell and unable to communicate. During your treatment, health-specific data may also be collected by our nurses, doctors, and other healthcare professionals who are taking care of you. This personal data will be held in your patient chart (this can be either electronic and/or paper).

Bon Secours is fully committed to ensuring that your information is secure with us and with the third parties who act on our behalf. We have a number of security precautions in place to prevent the loss, misuse, or alteration of your personal data. Staff working for Bon Secours have a legal duty to keep information about you confidential and staff are trained in information security and confidentiality. Bon Secours has strict information security policies and procedures in place to ensure your personal data is safe, whether it is held in paper or electronic format.

Bon Secours only keeps personal information for a period that is deemed necessary to carry out the function and operational purpose for which it was originally collected, unless it is specifically required by law to keep your information for longer. All personal information is subject to a specified retention period and is securely destroyed once no longer needed.

Bon Secours may store or transfer some or all of your personal data in countries that are not part of the European Economic Area (the “EEA”). These are known as “third countries” and may not have data protection laws that are as strong as those in the EEA. This means that we will take additional steps to ensure that your personal data is treated just as safely and securely as it would be treated within the EEA and under the GDPR.

For the transfer of personal data to third countries, we use specific contracts with external third parties that are approved by the European Commission (EC), or the data will be transferred to third parties located in countries deemed by the EC as having an adequate level of data protection. These contracts ensure the same levels of personal data protection apply as are provided for under the GDPR.

Depending on your personal circumstances we may need to share personal data with selected third parties. In some cases, those third parties may require access to some or all of your personal data that we hold and may include:

  • Health insurers to secure payment for your treatment where it is covered by your private health insurance policy.
  • Health professionals, independent consultants and other hospitals or Community Services that require your personal data as part of the provision of health, medical, occupational health treatment or for clinical and billing audits.
  • ICT service providers that either host or have access to our data as part of their product offering.
  • Regulatory bodies such as the National Cancer Registry Ireland, the Health Protection Surveillance Centre, the Health Information and Quality Authority, the Department of Public Health (Health Service Executive (HSE)) or the National Treatment Purchase Fund where we are obliged to make data available.
  • Outsourced service providers such as the use of external laboratories.
  • Other companies and organisations with whom we exchange data for the purposes of fraud protection and credit risk reduction, including debt collection agencies.
  • Audit and Quality Assurance Bodies or Registries for quality assurance processes and service evaluation.

Where Bon Secours is required to provide statistical information to the HSE we will ensure that you cannot be identified by anonymising the information. If it is not possible to anonymise your data, we will seek your consent.

Bon Secours may also be receiving services from third party providers for example, referral services. To assist in this process, we may need to share your personal information with those providers. We are careful to share only information that is necessary for this purpose. Anyone who receives this information is also bound by confidentiality and data protection legislation. In certain situations, we may have to disclose your personal information in accordance with legal requirements, or in an emergency to prevent injury to other persons.

If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, obligations, and the third party’s obligations under Data Protection legislation.

If any personal data is transferred outside of the EEA, we will take steps to ensure that your personal data is treated just as safely and securely as it would be within the EEA and under the GDPR, as explained in Part 9 of this Statement.

In some limited circumstances, Bon Secours may be legally required to share certain personal data, which might include yours, such as if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a Regulatory Body.

If you want to know what personal data Bon Secours holds about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held).
This is known as a “data subject access request”.

All data subject access requests should be made in writing send to or by post to

Bon Secours Health System Group Offices are located at,
7 Riverwalk,
Dublin 24,
D24 H2CE.

To make this as easy as possible for you, a Data Subject Access Request Form is available for you to use.
This form is available using this link HERE (see pdf at bottom of page also). You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible.  Bon Secours will need proof of identity such as a passport or a driver’s licence which you should send to us when you’re making your request. Where the request is extremely broad, we may seek clarification on the data you require.

There is normally no charge for a subject access request; however, Bon Secours reserves the right to impose a fee for ‘manifestly unfounded or excessive’ requests to cover our administrative costs in responding.

Bon Secours will respond to your data subject access request within a month. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. We will keep you fully informed of our progress in addressing your request.

Bon Secours has appointed a Data Protection Officer (DPO) to oversee Bon Secours’ compliance with its data protection obligations.
If you have questions regarding Bon Secours’ data protection practices or wish to make a complaint or provide a compliment, please do not hesitate to contact us as follows:
Email: or write to the
DPO, Bon Secours Health System Group Offices, 7 Riverwalk, Citywest, Dublin 24, D24 H2

Revision Date: 17/09/2021
