This privacy notice sets out how the National Care Experience Programme processes personal information that it generates and holds in the course of its work. It explains what personal information we collect as a data controller on data subjects, how we use it, and the security that is in place to protect it. It also sets out the privacy rights that data subjects have under the General Data Protection Regulation (GDPR) 2016 and Irish data protection legislation.
Roles and responsibilities
The National Care Experience Programme is a partnership between the Health Service Executive (HSE), the Department of Health and the Health Information and Quality Authority (HIQA). HIQA as lead partner is the data controller. HIQA contracts data processors to aid in the implementation of the National Care Experience Programme. Behaviour and Attitudes manage the distribution and receipt of surveys and Xwerx develop and maintain www.yourexperience.ie.
Why do we collect personal information?
The National Care Experience Programme collects personal information to send surveys to eligible survey participants and processes responses to surveys.
Collecting this information is necessary to carry out surveys of health and social care. The results of surveys are used to improve the quality of care and are therefore carried out in the public interest.
We also collect information about people we work with in service providers, should as hospitals, to implement the survey and members of the public who are in contact with us from time to time.
Information about people’s use of the National Care Experience Programme website and the survey notification service is also collected. The purpose of this is to improve the functioning of the website and send notifications about survey results to people who wish to receive them.
What is our legal basis for processing data?
The National Care Experience Programme has developed a comprehensive information governance framework to ensure that the privacy rights of data subjects, whose information we process, are protected. The National Care Experience Programme complies with data protection laws, including the GDPR. Under Article 6(1)(e) of the GDPR and Section 38 of the Data Protection Act 2018, personal data can be collected and processed where necessary for the performance of a task carried out in the public interest or the exercise of a statutory function of the data controller. Article 9(2)(i) of the GDPR and Section 53 of the Data Protection Act 2018 permit the processing of healthcare data, which is “special category data”, in the public interest, which includes ensuring high standards of quality and safety in healthcare. As the results of surveys are used to inform quality improvements in health and social care, the survey is carried out in the public interest.
For more information on National Care Experience Programme information governance, please see here.
Information about people’s use of the National Care Experience Programme website and the survey notification service are collected on the basis of consent (Article 6(1)(a)). You are asked for your consent in order for the National Care Experience Programme to use information for these purposes.
Where does our data come from?
National Care Experience Programme data comes from four different sources. These are:
Service providers, such as hospitals, securely send us the contact details of eligible survey participants.
Upon receipt of an invitation to take part in a survey, eligible survey participants complete and return the survey by post or online.
Members of the public contact us to request information about our surveys and to sign up to our notifications service, so that they receive an email when we publish the results of surveys.
- Health and social care service providers
HIQA receives the details of health and social care providers who we work with to implement and deliver surveys.
What data do we collect?
We have set out below what types of personal data we collect and the purposes for which it is collected.
- Invitation to participate in a survey
We process the details of people using health and social care services, who are eligible to participate in our surveys. This data is provided by health or social care providers and is used solely to invite an eligible survey participant to take part in a survey. This data is destroyed six weeks after the closure of a survey.
Secure participants can log on to www.yourexperience.ie to complete the survey.
Online survey responses are anonymised upon receipt and held securely in an anonymised format following best practice as set out in ISO 27001.
The anonymised survey responses are retained indefinitely.
While technical information about the use of the website (including the IP addresses of visitors) is collected to improve the functioning of the website, this information is not linked to the on-line survey. This ensures that survey responses are not associated with individual website users.
- Hard copy survey responses
Upon receipt, hard copy or paper survey responses are uploaded onto a secure platform and are anonymised. The hard copy responses are destroyed within two months of the closure of a survey.
- Anonymised survey responses
Digitalised, anonymised survey responses are retained indefinitely.
The National Care Experience Programme’s website, www.yourexperience.ie collects IP addresses. IP addresses are held to identify any issues with logging on to or using the website and any attempts to breach the security of the website. IP addresses are held securely and are automatically deleted after one week.
Notification of results
The National Care Experience Programme provides an optional notifications service to members of the public. A member of the public can ask to receive an email notification when specific reports are published by the National Care Experience Programme, through www.yourexperience.ie, by providing their email address and their preference for a specific report or reports. The National Care Experience Programme retains the email address to action the request. The email address is retained until the member of the public unsubscribes, upon which time, it is destroyed.
How we collect and use technical information collected by our website
Certain technical information is collected via our internet service provider, to manage www.yourexperience.ie. This information helps us to assess how many visitors use the National Care Experience Programme website and how they use our site, to ensure that we provide the most helpful information in the most helpful structure.
We want our online services to be easy, useful and reliable. This sometimes involves placing small text files (known as cookies) on your internet devices. You can accept or reject any cookies that are not strictly necessary for the functioning of the website.
Information provided to us via email or by calling our helpline
Information that you provide to us via email or by calling our helpline (details provided on www.yourexperience.ie) will be treated in strict confidence and will not be shared with unauthorised third parties. Emails sent to email@example.com are received by the National Care Experience Programme team based in HIQA and are deleted at the end of each survey cycle if received during the survey cycle, or alternatively at the end of each calendar year. Calls to the National Care Experience Programme are not recorded and no records of callers or their personal details are retained.
Information about care health and social care providers
We may process personal information belonging to people who we work with in health and social care providers, to implement surveys of their service, for example staff who promote the survey within the hospital. This information is held securely by HIQA and destroyed once the person’s involvement in the National Care Experience Programme ceases.
Rights of data subjects
We ensure that all data subjects’ rights are upheld to ensure complete transparency when it comes to how we manage, process and retain personal information. As a data subject, you have the right to:
- access and receive a copy of your personal data
- seek to rectify or update any inaccurate personal information held
- seek to have data deleted
- object to the processing of data
- right to withdraw consent
- right to request restriction
A summary of these rights is set out here:
Access and receive a copy of your personal data
You are entitled to know if the National Care Experience Programme holds any personal information belonging to you and to receive a copy of this information free of charge. While some restrictions may apply to your right of access, we will ensure that this is explained accordingly.
Rectification and accuracy of data
The National Care Experience Programme ensures all personal information is accurate and up to date. In certain circumstances, you are entitled to have rectified any personal information belonging to you if it is incorrect or out of date.
Deletion of data
Under certain circumstances, such as if the data collected is no longer needed by the National Care Experience Programme, you may request the deletion of your personal data. The National Care Experience Programme ensures that all personal information has a specified retention period and is deleted in line with these retention periods.
Objecting to the processing of data
Where possible, you can object to the National Care Experience Programme processing your personal information, such as objecting to being included in a survey upon leaving your healthcare provider.
Request restriction of processing of your personal data
This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Physical and technical security measures are in place to ensure all data collected and processed by the National Care Experience Programme has adequate protection that is consistent with applicable privacy and data protection laws. Physical records, that is hard copy survey responses, are retained securely, until the end of their retention periods when they are due for destruction.
The National Care Experience Programme promotes good information governance practices among its staff and provides training on information governance for any staff who work on the National Care Experience Programme Team and its data processors. The National Care Experience Programme continually monitors and improves policies, procedures and information communications technology (ICT) security tools to ensure that all personal data is protected against theft, accidental loss, unauthorised access or alteration, erasure, use or disclosure.
In processing the online survey responses, the data processor, Behaviour and Attitudes, use the services of a company which is based outside the EEA. The online notifications service also entails the use of service providers based outside the EEA. In these circumstances, the National Care Experience Programme transfers personal data outside the EEA.
The National Care Experience Programme has ensured a similar degree of protection is afforded to all personal data transferred outside the EEA. It has done this by putting in at least one of the safeguards set out in the GDPR to protect personal data being transferred internationally. These safeguards include:
- Transferring personal data to countries that have been found to provide an adequate level of protection for personal data.
- Using specific approved contracts with our service providers that are based in countries outside the EEA. These contracts give personal data the same protection it has in the EEA.
- For service providers in the US, personal data is transferred in accordance with Privacy Shield scheme.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Making a complaint
We hope you have found this privacy notice useful and we are always happy to hear your feedback. If you have any queries about how the National Care Experience Programme has handled your personal information, or you would like any further information, please contact HIQA’s Data Protection Officer using the contact details below.
You also have the right to make a complaint to the Data Protection Commission directly by phone, email or post. The contact details of the Data Protection Commission are available here.
If you have any queries regarding the National Care Experience Programme’s data protection practices, please do not hesitate to contact us at the below details
Health Information and Quality Authority
Unit 1301, City Gate, Mahon, Co. Cork.
Tel: 021-240 9300
Data Protection Officer
Unit 1301, City Gate, Mahon, Co. Cork.
The National Care Experience Programme website contains links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements or their privacy practices. When you leave our website, we encourage you to read the privacy notice of every website you visit.
We will review and update this privacy statement as the need arises.
For more information on how the National Care Experience Programme collects and uses information please visit the information governance page on this website.