(021) 427 1971    
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7

Welcome to the Mercy University Hospital, Company Limited by Guarantee, Grenville Place, Cork hereinafter referred to as “MUH”. This Privacy Statement explains how MUH handle and use your personal information and your rights in relation to that information.
MUH is committed to protecting and respecting your privacy. MUH values confidentiality as a core personal right of every citizen. MUH take our obligation to protect our patients’ and employees’ privacy very seriously. All patient information, whether oral, written, or electronic, is handled sensitively and confidentially, in accordance with the General Data Protection Regulation, Regulation (EU) 2016/679 and the Irish Data Protection Act 2018, Professional Codes of Practice and all other relevant legislation.
This Privacy Statement explains why and how MUH will use the personal information that MUH have obtained from you or others, with whom the hospital share it and the rights you have in connection with the information MUH use. Please read the following carefully.
This statement describes the way MUH handle and use the personal information that MUH obtain from all the different interactions you may have with us as a Hospital, including when you visit our Hospital, social media pages, website or when you contact us.
MUH is the controller in relation to the processing activities described below. This means that MUH decides why and how your personal information is processed. Please see the section at the end of this policy for our contact and legal information.
This statement has been developed in accordance with a ‘layered policy’ approach. This means that it offers you the opportunity to obtain more or less information about MUH’s information handling practices. By clicking on the links below, you can decide how much you wish to read, what you need to know and how quickly you need to obtain the relevant information.

2. Glossary of Terms and Definitions

CCTV Means closed-circuit television and is commonly known as video surveillance. “Closed-circuit” means broadcasts are usually transmitted to a limited (closed) number of monitors, unlike “regular” TV, which is broadcast to the public at large. CCTV networks are commonly used to detect and deter criminal activities, and record traffic infractions, but they have other uses.
Compliance with a Legal Obligation

Is one of the lawful basis that MUH may rely on when processing personal data.

For example, an organisation may be legally required to comply with health and safety standards such as the Safety, Health and Welfare Act 2005.


Is one of the lawful basis that MUH may rely on when processing personal data.

Means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.


Cookies are small text files that are placed on your computer by the MUH website that you visit. They are used in order to make the website work, or work more efficiently, as well as to provide information to MUH. 
Covert Surveillance Means a discrete form of monitoring practice that involves the use of CCTV.
Data Controller Means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor Means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Data Processor Agreement Means a specific data sharing agreement that data controllers are obliged to have in place with any data processors they engage with.
Data Protection Laws Means the relevant data protection legislations applicable to MUH such as the Irish Data Protection Acts 1988 – 2018 and the General Data Protection Regulation 2016/679 (GDPR) (see below).
Data Sharing Agreement Means the other forms of data sharing agreements that data controllers may put in place with other entities who are not data processors.
General Data Protection Regulation 2016/679 (GDPR) Is also known as the GDPR. The GDPR is a new set of rules designed to give EU citizens more control over their personal data.
Health Research Regulation 2018 The Irish Health Research Regulations, formally called the Irish Data Protection Act 2018 (Section 36 (2)) (Health Research) Regulations 2018, provide for “suitable and specific measures” for the processing of personal data for the purpose of health research, to protect the rights and freedoms of research participants.
International Data Transfers Means data transfers that take place outside the EU, EEA and non- adequate countries that have been recognised as having similar data protection legislations as that of the EU/EEA.
Legitimate Interest

Is one of the lawful basis that MUH may rely on when processing personal data.

Legitimate interest covers a wide range of interests such as the organisation, third party, commercial or for wider societal reasons.

Mercy University Hospital (MUH) Also referred to as MUH, is the hospital responsible for the management of your personal data.
Performance of a Contract

Is one of the lawful basis that MUH may rely on when processing personal data.

For example: an employer and an employee will engage in an employment contract for the purpose of managing the employment relationship. This contract will justify the processing of employee data in an employment context.

Personal Data Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person
Safeguards Means the different controls and processes MUH may put in place to protect your data.
Special Category Data Means Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The following are examples of special category data:
  • Racial or ethnic origin
  • Political opinions
  • religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Data concerning a natural person’s sex life or sexual orientation
Vital Interest

Is one of the lawful basis that MUH may rely on when processing personal data.

Means interests that are essential for someone’s life and generally only apply to matters of life and death.

3. Personal Information MUH Collect About You

MUH receive personal information about you that you give to us, that we collect from your visits to MUH, website, social media pages, referrals and diagnostics from other health professionals, Private health insurance companies for services provided and financial institutions for billing purposes. MUH only collect personal information which MUH need and that is relevant for the purposes for which the hospital intend to use it.MUH may hold and use personal data about you as a patient or in any other capacity. Depending on the services you receive from us, this may include special category personal data such as information relating to your health.
3.1. Information That MUH Collect
MUH collect personal data to provide our services to you. This data may be collected directly by our staff, or by Consultant’s, GPs, or other healthcare professionals who refer you to MUH, or who are involved in your treatment. Sometimes MUH may request that other healthcare providers, such as other hospitals and pharmacies, provide us with data relating to you in order to improve the quality of our service to you. In cases of emergency, MUH may receive your data from emergency services, such as the Gardai, the ambulance services or the fire brigade services. Once again, the hospital receives this data purely for the purpose of ensuring the care MUH provide to you is of the highest standard. The type of data MUH collect about you are as follows:
  • Information that you give us when you enquire about services at MUH or become a patient of ours such as your name, address, contact details (including email address and phone number);
  • The name and contact details (including phone number) of your next of kin or relatives;
  • Any information you include in correspondence you send to us or in forms you submit to us at MUH;
  • Details of your medical history such as details and records of treatment and care, notes, and reports about your health, including any allergies or health conditionsincluding information relating to clinic and hospital visits and medicines administered;
  • Results of diagnostic tests, e.g., x-rays, scans, blood tests
  • Financial information such as your payment card details and, in relation to certain refunds, your bank account details;
  • Other relevant information from people who care for you and know you well, e.g., health professions, relatives, and careers.
  • Your identification information when exercising the rights that you have in relation to our processing of your personal information (see further “Your Rights” in relation to your personal information);
  • Footage captured from our CCTV operation which is in use at our facilities for health, safety, and security purposes;
  • Information about complaints and incidents;
  • Information obtained from patient surveys that you have taken part in;
  • Information that you give us when you submit a question/comment in relation to our services or website;
  • Information you give us when you apply for a job with us (CV, cover letter, contact details);
  • Information you give us when you publish public comments on our social media pages e.g. Facebook Twitter, LinkedIn
3.2. When You Visit the MUH Site
  • Details of your use of its site namely traffic data, weblogs, and statistical data, including where and when you clicked on certain parts of our Site and details of the webpage from which you visited it;
  • The date and time you used the MUH Site;
  • The pages you visited on the MUH Site and how long you visited us for;
  • The website address from which you accessed the MUH website;
  • Cookie, pixels, and beacon identification information (for more information please see ourCookie Policy).
3.3. What Personal Information May MUH Receive From Third Parties and Other Sources?
When you use its services, MUH may obtain the following categories of personal data from others:
  • Your GP, other medical professionals including the HSE, other hospitals and health professionals when you transfer or are referred to our service;
  • Independent consultants who carry out procedures at MUH;
  • Your line manager if you are referred by them for medical assessment and/or treatment.

4. Use of Personal Data

MUH use your personal information for a variety of reasons. MUH rely on different grounds to process your personal information, depending on the purposes of our use. MUH use your personal information in the following ways:
4.1. Where You Have Provided Consent
MUH may use and process your personal information for the following purposes where you have consented for us to do so:
  1. Photography / Video Consent Form
  2. General Procedure Consent Form
  3. Research Projects
  4. Surveys You may withdraw your consent at any time. Please see the ‘Your Rights section’ below for further details.
4.2. Where Necessary to Comply with Our Legal Obligations
MUH will use your personal information to comply with our legal obligations:
  • To keep a record relating to the exercise of any of your rights.
  • To take any actions in relation to health and safety incidents, matters of concern required by law.
  • To handle and resolve any complaints MUH receive relating to the services we provide.
  • MUH may be obliged to comply with Law Enforcement Requests.
4.3. Where Necessary For Us To Pursue a Legitimate Interest
MUH may use and process your personal information where it is necessary for us to pursue our legitimate interests as a Hospital for the following purposes:
  • Processing necessary for us to support you with your enquiries;
  • To identify and record when you have received, opened, or engaged with its site or social media or other electronic communications (please see our Cookie Policy for more information);
  • To respond to correspondence you send to us and fulfil the requests you make;
  • Processing is necessary for us to operate the administrative and technical aspects of MUH efficiently and effectively;
  • To administer the MUH Site, and its social media pages and for internal operations, including troubleshooting, testing, and statistical purposes;
  • For the prevention of fraud and other criminal activities; • To verify the accuracy of data that MUH hold about you and create a better understanding of you as a patient;
  • For network and information security in order for us to take steps to protect your information against loss or damage, theft, or unauthorised access;
  • To comply with a request from you in connection with the exercise of your rights;
  • For efficiency, accuracy or other improvements of our databases and systems;
  • To enforce or protect our contractual or other legal rights or to bring or defend legal proceedings;
  • For other general administration including managing your queries, complaints, or claims, and to send service messages to you.
4.4. Where Necessary For it to Fulfil Our Contractual Duties
MUH will use your personal information where this is necessary for us in the performance of our contractual duties.
4.5. Where Processing is in Your Vital Interest
MUH will use your personal information where this is in your vital interest . For example: it may be in a child’s vital interests to process their data and or/that of the parents or family.

6. Employee Data

Mercy University Hospital (MUH) is committed to protecting all personal data which MUH collect from applicants and staff before, during and after the course of their employment at MUH. MUH collect personal data from applicants and employees in order to keep records of employment as required by employment law, and to facilitate the administration of that relationship.
This data is collected from you when you initially apply for a position at MUH and, subsequently, throughout the term of your employment here. Most information will be collected directly from you, your manager, or by a member of the human resources or finance departments. In the case of job applications made through external agencies, MUH will initially collect data from the relevant agency. During the recruitment process, MUH may contact references or stated previous workplaces, to verify the information provided.
MUH use your personal information so that the hospital can provide you with employment and employment-related services. However, more specifically, MUH may use the personal data we gather for any or all the following purposes:


Description Type of Data Processed Lawful Basis for Processing
Assessing Training Needs Employee skills, experience and performance data may be used by MUH in order for the organisation to assess employee training needs.

Legitimate Interest

Employee Relations To carry out functions such as grievance, disciplinary and associated employee relations. For the Performance of a Contract



On termination of employment, the termination ofemployment is recorded.

Legitimate Interest

Internal Reporting Employee performance and sick-leave information may be used for internal reporting purposes.
  • Employee Feedback
  • Formal Enquiries Made

Legitimate Interest

Issuing References On request, MUH issue employment references to other entities.
  • Reference Checks (reference contact details)
Payroll Once employed, MUH provide the payroll team with your details for MUH to process your salary payments each month.
  • Payroll Data
For the Performance of a Contract
Pension As an employee or previous employee, if applicable MUH shall use pension details to discharge your pension.
  • Pension Data
For the Performance of a Contract

During the recruitment process MUH obtain your personal profile and work experience details through online forms, CVs submitted, references, external agencies and any details provided in cover letters.

This data is then used by MUH to assess your suitability for the role being applied for throughout the recruitment process.

This may include checks with past employers or references.

  • Information Provided on CV,
  • Garda Vetting,
  • Occupational Health Data,
  • Verifications of Experience
  • Qualifications Provided, Interview Notes
  • Bank details
  • Salary records
  • Visa Permit
  • CCTV recorded footage

Legitimate Interest

Compliance with a Legal Obligation

Scheduling Leave Leave requests is scheduled across rosters and to determine leave days granted to staff. Legitimate Interest
Staff ID Cards Once employed, MUH shall issue you with an official ID card. Legitimate Interest
There are various circumstances where MUH may share personal data with third parties. Generally, this includes your representatives and our representatives, and some pre-advised third parties. MUH may from time to time disclose your information to the following categories of recipients:
  • Any party which you have given us permission to speak with (family, friends or otherwise)
  • Health insurance providers
  • Legal representatives, if necessary
  • Statutory bodies as required by EU and Irish law
  • Pension service providers if and when applicable
  • Payroll service providers MUH take steps to ensure that any third-party partners who handle your information comply with data protection legislation and protect your information just as MUH do. MUH only disclose personal information that is necessary for them to provide the service that they are undertaking on our behalf. MUH will aim to anonymize your information or use aggregated non-specific data sets where possible.
When MUH collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which MUH use that information and our obligations under other laws, or the period required to defend ourselves against legal action. The only exceptions to this are where:
  • The law requires us to hold your personal information for a longer period, or delete it sooner;
  • You exercise your right to have the information erased (where applicable) and MUH do not need to hold it in connection with any of the reasons permitted or required under the law.
All records are retained in line with our Data Retention Schedule.

7. Disclosure of Your Personal Information By Us

MUH may disclose your personal information outside MUH in limited circumstances. If MUH do, we will put in place appropriate controls and data sharing agreements that requires recipients to protect your personal information, unless MUH are legally required to share that information. Any contractors or recipients that work for us will be obliged to follow our instructions. MUH do not sell your personal information to third parties. MUH may disclose your information to our third-party service providers, agents, and subcontractors (Suppliers) for the purposes of providing services to us or directly to you on our behalf. When MUH use Suppliers, we only disclose to them any personal information that is necessary for them to provide their services and only where MUH have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions. MUH may share your personal data with our selected suppliers, and contractors to provide you with our services. For example, these may include:
  • Health insurers to secure payment for your treatment where it is covered by your private health insurance policy;
  • Health professionals, independent consultants and other hospitals that require your personal data as part of the provision of medical treatment;
    IT service providers that either host or have access to our data as part of their product offering;
  • Regulatory bodies such as HIQA, the Health and Safety Authority, where MUH are obliged to make data available as required;
  • Manufacturers of medical devices and equipment for patient safety purposes, to allow for any necessary follow up post treatment;
  • Outsourced service providers such as the use of external laboratories;
  • Any party which you have given us permission to speak with (family, friends or otherwise) regarding your treatment,;
  • Your next of kin/relevant person, where you are not in a situation to grant us permission
  • GPs and other healthcare professionals involved in your treatment;
  • Healthcare specialists whose opinion may aid us in effective medical diagnosis and / or treatment;
  • Healthcare providers engaged to assist with your treatment (certain providers have facilities which assist us in providing you with efficient and effective treatment);
  • Billing agencies engaged by your consultant or other healthcare professionals involved in your treatment;
  • Legal representatives, as necessary;
  • Statutory bodies and health boards as required by EU and Irish law.;
  • Clinical audit to measure compliance with hospital policy and accreditation standards;
  • Quality improvement is used to improve the way care is delivered to MUH patients. Improving quality is about making healthcare safe, effective, patient-centred, timely, efficient, and equitable. In order to achieve improvements processes are defined, measured, analysed, with improvements implemented and then controlled;
  • Service evaluation is used as an internal evaluation of a service provided to a patient in order to identify issues or good practices and implement appropriate changes if necessary. The purpose is to assess how functional MUH services are for patients and adjust these services to meet the needs of patients when required;
  • Representation from an Elected Representative: Elected representatives may, during the course of their activities, be asked to make representations to, and on behalf of, an individual. From time to time, MUH may receive a request from an elected representative making representations on behalf of their constituents.When people contact their elected representative wanting representations to be made on their behalf, they are asking for assistance and expect that the elected representative will be able to respond effectively and efficiently to their concerns. Sections 40(1) and (2) of the Data Protection Act 2018 provide an elected representative with a legislative basis for the processing of the personal data (including special categories of personal data) of individual constituents in order to perform their functions. The processing of personal data by an elected representative is permitted under Section 40 where:(i)the elected representative either receives a request or representation directly from the da-ta subject, or where (ii) the elected representativereceives a request or representation from another person on behalf of the data subject and the elected representative is able to demonstrate that they are compliant with the principles of data protection.
MUH take steps to ensure that any third-party providers who handle your information comply with data protection legislation and protect your information to the same extent that we do. MUH only disclose personal information which is necessary for them to provide the service they are undertaking on our behalf. MUH will aim to anonymise your information or use aggregated non-specific data sets where possible. MUH may also disclose your personal information to third parties if we are under a duty to disclose or share your information in order to comply with any legal obligation or in order to enforce or apply our terms of use and other agreements; or to protect our rights, property or safety of our patients or others. See below a breakdown
Category of Third Party Description of Service Provided Lawful Basis for Processing
IT Service Providers

System based processing of personal and/or medical details as part of patient treatment and/or organisational/ operational requirements.

e.g. cloud hosting services; application development and support services; IT Infrastructure services; email services; call recording services.

Performance of a Contract

Legitimate Interest

Law Enforcement Agencies To assist law enforcement agencies in their efforts of preventing, detecting, investigating, or prosecuting criminal offences. Compliance with a legal obligation
Legal/Professional Advisors The provision of business consulting, audit and legal services including access to and analysis of personal data as part of business initiatives, statutory audits, legal claims, and ad-hoc consultancy advice.

Performance of a Contract

Legitimate Interest

Other Health Service Providers If in the future you are being treated by a medical practitioner or health care facility that needs to have access to the health record of your treatment, MUH will provide a copy of your record to that medical practitioner or health care facility provided this request is processed in the correct manner and with your knowledge.


Vital Interest

Outsourced Service Providers

The external processing of personal data to external providers where Mercy University Hospital does not have either the expertise, capacity, or demand to provide the processing required. 

E.g. test/analysis by external laboratories

Performance of a Contract

Regulatory Bodies Provision of personal data as required to satisfy recurring obligations, audit, and mandatory reporting purposes with bodies such as HIQA, TUSLA, Health, and Safety Authority, Health Protection Surveillance (reporting infectious diseases), National Cancer Registry Ireland, National Hemovigilance Office (NHO) etc.

Compliance with a Legal Obligation.

Relatives, personal carers and/or significant other(s)

MUH may provide information about your condition to your spouse or partner, parent, child, other relatives, close personal friends, guardians, legal representative, or a person exercising your power of attorney under an enduring power of attorney or who you have appointed your enduring guardian, unless you tell us that you do not wish us to disclose your personal information to any such person.

Compliance with a Legal Obligation


Security & Maintenance CCTV Cameras and security personnel are in operation both inside and outside MUH premises in order to protect our staff, patients,visitors, and property.

Compliance with a legal obligation

Legitimate Interest

Transport, Storage & Shredding

The provision of courier services for the transportation of physical documents to and from suppliers, insurers and referring corporate/medical partners.

Storage and destruction of physical files for operational and regulatory purposes

Performance of a Contract

Your Local Doctor (GP)

After an admission and upon discharge, MUH send a letter to your local doctor or referring hospital. The letter informs them of your time at MUH, your medication, and any special instructions your doctor needs to know.

Sometimes your local doctor will contact MUH for additional information about your treatment. In this situation, MUH will only release information to the doctor whom you have specified as your local doctor on your patient admission form.

Your Private Health Insurer & Hospital Insurers

MUH will confirm your insurance is valid and that your policy covers MUH with your nominated insurance provider.

Legitimate Interest

Compliance with a Legal Obligation


8. Transfers of Your Personal Information Outside the EU/EEA

MUH do not transfer your personal information outside of Europe. If MUH do so in the future, we’ll let you know and take measures to protect your personal information. All information you provide to us is stored on our secure servers which are located within the European Economic Area (EEA). If at any time MUH transfer your personal information to, or store it in, countries located outside of the EEA we will amend this policy and notify you of the changes. MUH will also ensure that appropriate safeguards are in place for that transfer and storage as required by applicable law. This is because some countries outside of the EEA do not have adequate data protection laws equivalent to those in the EEA. If MUH transfer your personal information to the United States of America, MUH will only send the personal information for which MUH have safeguards in place in accordance with applicable law. Where they apply to our data transfer activities, MUH may rely on adequacy decisions by the European Commission about certain countries for data transfers to countries outside the EEA.

10. How Long Do MUH Retain Your Information For

MUH are obliged to retain certain information to ensure accuracy, to help maintain quality of service and for legal, regulatory, fraud prevention and legitimate operational purposes.
Other information will be retained for no longer than is necessary for the purpose for which it was obtained by us or as required or permitted for legal, regulatory, fraud prevention and legitimate operational purposes.
MUH will not hold your personal information in an identifiable format for any longer than is necessary for the purposes for which MUH collected it.

11. Health Research

Clinical research is the study of patients, their data (personal information) and sometimes their samples (blood, urine, tissue, hair, etc) in order to generate new knowledge about diseases and conditions affecting patients. The overall aim of clinical research is to improve the quality of our health service and the quality of life of patients by finding new and better ways to detect, prevent, diagnose, and treat diseases.
There are many different types of clinical research studies taking place in Mercy University Hospital, some examples are:
  • Clinical Trials: this is a study conducted to test if a new drug/device is effective at treating a specific disease.
  • Clinical Research Utilising Patient Samples: some studies involve looking at patient samples in conjunction with the medical data associated with the sample.
  • Observational Studies: these studies involve the observation of patients over a period of time and may include the collection of samples.
  • Research Using Patient Medical Records (Retrospective Studies): these studies involve looking back at patients medical history with the aim of learning more about the disease or condition, an example would be to determine the number of people with a certain disease or the average age of onset of a particular disease.

To enable us to perform clinical research, MUH collect and process various categories of personal information. Information MUH collect may include:
  • Personal details about you, such as date of birth, medical record number
  • Notes and reports about your health needs
  • Results of investigations, such as x-rays and laboratory tests
  • Relevant information from other health and social care professionals, your carers, or relatives
  • Samples (Blood, urine, hair, tissue samples, stored samples)

Following your consent: for clinical trials, clinical research using your samples and observational studies your consent will be sought before proceeding with the research. You will be provided with an information leaflet which will outline the study. If you agree to take part you will give your consent by signing a consent form and agreeing to all aspects of the research on the study consent form.
Pre-screening: pre-screening is the process researchers use to identify patients that may be suitable for the research study they wish to undertake. This involves accessing medical records for the purpose of identifying patients but no data is removed/copied/recorded. This is only done by healthcare practitioners, student healthcare practitioners, MUH authorised persons within MUH and hospital employees who normally have access to medical records. An authorised person must be an employee of either: a university, a registered charity which supports research and education, a practice which provides, manages, or develop healthcare practitioners, be Garda vetted and be under the control and direction of a healthcare practitioner employed by the MUH. The MUH is not required under the Law to seek your consent to access your personal data to conduct Pre-Screening, however, should you be deemed suitable you will be contacted in order to provide you with information about the study and if you feel comfortable and happy, to obtain your consent.

Research using patient medical records (Retrospective studies):is a type of research design in which pre-recorded, patient-centred data collected for the provision of healthcare are used to answer a research question. Consent is not sought for this type of study BUT only when the study meets certain criteria: (i)the data is protected by a unique coding system. This means your name and any other information that could identify you will never be stored with the medical data collected (ii) a risk assessment has concluded that the study is low risk (iii) it is performed by a healthcare practitioner who is an employee of MUH or a student healthcare practitioner (iii) is another employee of MUH who in their normal duties has access to medical records (iv) the data will not be shared unless completely anonymous (v) the published results will not identify any individual and (vi) the Research Ethics Committee must review and approve. If the study does not meet these criteria your consent will be sought.
A Research Ethics Committee is an independent group of people appointed to formally assess if health research conforms with recognised international ethical standards. It is responsible for protecting the rights of those who take part in the research and the usage of their personal data for health research.
All patient data collected for clinical research is protected by a process known as pseudonymisation or coding. Your identifiable data, such as your name, medical record number, address, telephone number, full date of birth are kept separate to your medical data. Your identifiable data is given a code and your medical data is given the same code. Your identifiable data and medical data are stored separately in pass-word protected, files on secure computer networks. Therefore your identifiable data can only be linked back to medical data by the researchers. Additionally, MUH researchers minimise the amount of data they collect to only that which is 100% necessary to achieve the objectives of the research study. Therefore in cases where your name, address, telephone number, etc are not required they are not collected. Whenever possible full anonymisation of your data is carried out.
Under GDPR there must be a legal and valid reason for a person/researcher to process data. There are 2 articles within GDPR that set out the legal basis for processing. These include Article 6 which is the legal basis for processing personal data and Article 9 which includes the legal basis for processing sensitive data. Medical data is sensitive personal data and therefore one legal basis from Article 6 and one legal basis from Article 9 is required. Researchers lawfully process personal data in MUH using Article 6 (1)(e) - processing is necessary for the performance of a task carried out in the public interest/ Article 6 (1)(f) - legitimate interest and Article 9 (2)(j) - processing is necessary for scientific research purposes. This means if you withdraw your consent data collected up to the time of withdrawal will continue to be processed.
Researchers may retain your data for a period of time, as determined by MUH, legislation or by scientific journals. All completed research must be shared with the wider scientific community in order to progress science and medicine beyond the research group. To do this, researcher publish their research in scientific journals. Data published in journals will never identify you. Data may also be irrevocably anonymised (all identifiable information is deleted and there is no way to ever link the medical data to you) and retained indefinitely. If the researchers intend to do this you will be informed and you will give your consent except for retrospective studies.

12. Clinical Audit

Clinical audit is one of the ways healthcare professionals check that the care they provide to patients is safe and up-to-date. This is called evidence-based practice. Healthcare professionals conduct clinical audits as part of their professional responsibilities to ensure that you receive the highest quality care. If the audit results show areas that could be improved, then changes are made and the audit may be repeated to monitor progress. MUH takes part in both internal and national audits. This is part of normal delivery of care and any of your data which is used for audit purposes is anonymised. Your personal data will not be made public.

13. Your Rights in Relation to Your Personal Information

You have certain rights in respect of your personal data and MUH have processes to enable you to exercise these rights.
You have the right to be provided with clear, transparent, and easily understandable information about how MUH use your personal data and your rights.
You have the right to obtain access to your personal data, and other certain information. This so you’re aware and can check that you are processing your personal data in accordance with data protection law. You can request copies in paper format about you that MUH hold, share or use. To facilitate your request, MUH may request proof of identification. This is known as a “Data Subject Access Request” or a DSAR in short. MUH can only provide you with your personal data and not personal data pertaining to another individual(s). There are caveats to this, for example, a parent requesting medical records for their child is permissible or a legal representative acting under your instructions to retrieve your records on your behalf.
If you believe that MUH hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and MUH will strive to do so as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified. Depending on the type of personal data you believe is inaccurate, MUH may ask you for further proof to ensure that the personal data is being corrected properly. If MUH are satisfied that the personal data is inaccurate, MUH will make the necessary changes.
You also have the right to request erasure of your personal data or to restrict processing (where applicable) in accordance with data protection laws. You have a right to ask for your personal data to be erased in certain circumstances. However, this right does not apply where MUH have to comply with a legal obligation or where we need personal data for the establishment, exercise, or defence of legal claims.
You have a right to request that processing of personal data is restricted in certain circumstances. However, MUH shall still continue to process the personal data for storage purposes, for the establishment, exercise, or defence of legal claims or with your consent.
Where MUH are relying on legitimate interests as a legal basis to process your data, you have a right to object to such processing on grounds relating to your particular situation.
In certain circumstances, you can request that MUH provide to you your personal data in a commonly used format. Some of these rights only apply in certain circumstances. They are not guaranteed or an absolute right.
13.8. Right to Lodge a Complaint to the Data Protection Commission
You have the right to lodge a complaint to the Data Protection Commission (DPC). You can do this by visiting there website:www.dataprotection.ie.The DPC can also be contacted in the following ways:
  1. By letter: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, DO2 RD28, Ireland
  2. By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
  3. By website: https://forms.dataprotection.ie/contact
  4. By Telephone: +353 (0761) 104 800
To exercise any of the rights highlighted above, please get in touch in the following ways: 1.
By Phone:021 4937922 2.
By Email:This email address is being protected from spambots. You need JavaScript enabled to view it. 3.
By Post: FOI, Mercy University Hospital, Greenville Place, Cork, T12 WE28, Ireland.

14. How Can You Contact Us

14.1 How to Make a Complaint

If a service user/family member/advocate wishes to make a complaint they can:
  • Tell a staff member
  • Ask to speak to the MUH Patient Liaison Officer
  • Complete a Feedback form/Comment Card
  • Telephone the Quality & Risk Management Department via the Hospital Switchboard on 021 4271971
  • Write to the MUH Complaints Officer, Quality & Risk Management Department, Mercy University Hospital, Cork
  • Send an email to This email address is being protected from spambots. You need JavaScript enabled to view it.

14.2 How You Can Contact Our Data Protection Officer?
Our Data Protection Officer can be contacted by:
By Phone:021 4935646
By Email:This email address is being protected from spambots. You need JavaScript enabled to view it.
By Post: The Data Protection Officer, Mercy University Hospital, Grenville Place, Cork. T12 WE28

15. Changes to Our Privacy Statement

Please check this page regularly for changes to this statement.

You can contact us with your queries in relation to this policy or for any other reason by post, email or by phone.

Please email us at: This email address is being protected from spambots. You need JavaScript enabled to view it..