Data Protection

Beacon Hospital provides exceptional patient care with dedicated teams of highly skilled compassionate professionals. Enabled by our world leading technologies and equipment Beacon Hospital is committed to providing excellent patient care.

Beacon Hospital processes personal data of patients and staff members in order to provide this care. This Privacy Policy outlines the details of the types of data we collect and the responsibilities of Beacon Hospital in how we collect, use, store and protect the data we collect to support patient care. This policy will also outline your rights as a data subject in accessing your data.

Introduction to Data Protection

Your personal data is any information that can be used to identify you. At Beacon Hospital, we take great care in how we handle this information.

When we talk about data processing, we mean any action taken with your information – such as collecting it, using it to provide care, storing it safely, or sharing it when necessary.

A Data Controller is the organisation responsible for deciding how and why your information is used. For your care, the Data Controller is Beacon Hospital Sandyford Limited, located at Beacon Hospital, Sandyford, Dublin 18, D18 AK68. You can learn more at www.beaconhospital.ie.

To support your treatment and keep our hospital running safely, we use your personal data across several systems, including:

  • Your Electronic Health Record
  • CCTV for security
  • Device and equipment registers
  • Health registry information

Our goal is to protect your information and use it only in ways that support your care and safety.

Data Protection at Beacon Hospital

  • What legislation supports how Beacon Hospital manages my data?

    Beacon Hospital follows the EU General Data Protection Regulation (GDPR), which has been in place since 2018. This law sets strict rules on how your personal information must be collected, used, stored, and protected.

  • How does Beacon Hospital use my personal data?

     

    Data Processing Activity Description Lawful basis under the GDPR
    Managing Your Care We collect and use your personal and medical information so we can assess your needs, plan your treatment, and provide your care.

     

    Article 6(1)(b) -contract; Article 9(2)(h) -healthcare

     

    Clinical Records We create and maintain a medical record to ensure your treatment is safe, accurate, and coordinated. Article 6(1)(b); Article 9(2)(h)
    Diagnostics and treatment Your information is used for tests, scans, procedures, and medications needed for your care. Article 6(1)(b); Article 9(2)(h)
    Communication and Coordination We share relevant information with your GP or other healthcare professionals involved in your treatment. Article 6(1)(b); Article 9(2)(h)
    Billing and Insurance We use your insurance and payment details to process claims and manage billing. Article 6(1)(b) -contract
    Legal and Public Health Reporting We may share information when required by law, such as reporting certain infectious diseases. Article 6(1)(c) -legal obligation; Article 9(2)(h) & 9(2)(i)
    Patient Safety and Complaints
    We use your information to review incidents, respond to complaints, and improve safety. Article 6(1)(f) -legitimate interests; Article 9(2)(h)
    Security (CCTV) CCTV is used to protect patients, staff, and hospital property. Article 6(1)(f) -legitimate interests

     

    Research (Where Applicable) Your information may be used for approved health research. This is done only with your consent where required, or under strict legal and ethical approvals.  

    Article 9(2)(j) and/or consent.

     

    Using Your Data to Improve our Services We may also use your information to help us run and improve our hospital services. This can include:

    clinical audit and quality improvement

    planning and monitoring services

    staff training and education

    reviewing incidents and improving patient safety

    Where possible, this information is minimised or de‑identified so you cannot be directly identified.

     

     

     

    Legal basis for processing your data

    Beacon Hospital processes your personal data in line with the General Data Protection Regulation (GDPR). As a healthcare provider, we mainly rely on:

    • Providing healthcare and treatment – Article 9(2)(h)
    • Contractual necessity to deliver your care – Article 6(1)(b)
    • Legal obligations – Article 6(1)(c)

    In some situations, we may also rely on legitimate interests or your consent, where appropriate.

  • How does Beacon Hospital obtain my data?

    Most of the information we use to care for you comes directly from you. When you attend the hospital, our Patient Services team will ask you to confirm basic details such as your:

    • Name
    • Address
    • Date of birth
    • GP information

     

    During your visit, the healthcare team will also ask you about:

    • Your medical history
    • The reason for your current visit
    • Any symptoms you are experiencing
    • Medications you take regularly
    • Other information that helps us understand your health needs

     

    We may also receive information about you from other healthcare providers involved in your care. This can include:

    • Your GP
    • Community health services
    • Another hospital or clinic

     

    They may send us your personal or medical information as part of a referral or to help us complete your assessment and treatment.

  • How long does Beacon Hospital keep my data for?

    Beacon Hospital keeps personal information in both paper and electronic form, including electronic medical records and clinical images used for diagnostic or treatment purposes.

    We only keep personal information for as long as it is necessary for your care, to meet legal and regulatory requirements, and to allow us to respond to any future questions, complaints, investigations, or legal claims relating to your treatment.

    Retention periods vary depending on the type of information involved, the purpose for which it was collected, and any legal, regulatory, or clinical obligations that apply. In some circumstances, information may need to be kept for longer where required for ongoing care, investigations, or legal proceedings.

    When personal information is no longer required, it is securely destroyed or disposed of in line with Beacon Hospital’s retention policy and applicable legal and regulatory requirements.

    Medical records:

    We keep your personal and medical information for 8 years after the death of the patient. This helps us:

    • support your ongoing or future care
    • meet legal and regulatory requirements
    • review complaints or incidents
    • manage or defend any legal claims

     

    CCTV recordings:

    CCTV footage is kept for 30 days to help protect patients, staff, and hospital property.

    Information used for legal claims:

    If your data is needed for a legal claim, we keep it for 10 years after the claim has been closed.

  • Who does Beacon Hospital share my personal and medical data with?

    Beacon Hospital only shares your personal and medical information when it is necessary for your care, for essential hospital services, or when required by law. We always share the minimum amount of information needed.

    Your information may be shared with:

    • Healthcare professionals involved in your care.
    • our GP and community services so your care continues smoothly after you leave the hospital.
    • Other hospitals or healthcare providers if your care is being transferred or discussed at a Multi‑Disciplinary Team (MDT) meeting.
    • Diagnostic companies to carry out laboratory tests, scans, or other investigations.
    • Specialist care providers who supply medical equipment or treatment you may need.
    • Insurance companies.

     

    If you give us your health insurance details, we share the information needed to:

    • Process your insurance claim.
    • Respond to insurer audits (only for the specific claim and only when requested in writing). When you register, you sign an insurance declaration explaining this.
    • Consultant billing teams.

    We may share the information required to process a consultant’s bill with their billing company or secretary. Only the details needed for that claim are provided.

    Research (in limited circumstances)

    Your information may be used for approved health research, but only:

    • When it has been anonymised, so you cannot be identified, or
    • When you have given specific consent.

     

    Legal requirements

    In certain situations, we must share information with the appropriate authorities. For example:

    • Reporting infectious diseases to the Health Protection Surveillance Centre.
    • Providing information when a court order is issued.
    • Sharing relevant information with Tusla if there is a child protection concern.

    Consultants involved in your care may access and use your medical information within Beacon Hospital systems. In some circumstances, relevant medical information may also be shared with a consultant’s private clinic or practice where necessary for your ongoing treatment, follow up care, billing, or clinical administration.

    Beacon Hospital is the Data Controller for the personal data held within Beacon Hospital systems and medical records. Consultants involved in your care may also access and use your information as part of your treatment within the hospital. Where a consultant separately collects, maintains, or processes information within their own private practice or clinic, they may act as an independent Data Controller for that processing.

  • Is my data shared outside of the EU or EEA?

    In some limited situations, your personal data may be transferred to countries outside the European Union (EU) or European Economic Area (EEA). These countries may not have the same level of data protection as EU law requires.

    If this happens, Beacon Hospital will make sure your information is still protected. We do this by:

    • Using a permitted exception under Article 49(1) of the GDPR, or
    • Putting strong safeguards in place, such as Standard Contractual Clauses, which are legally approved protections for international data transfers.

    These measures ensure your data remains safe and secure, even when processed outside the EU/EEA.

  • Your rights as Data Subject

    You have a number of rights in relation to your personal data. If we receive a valid request from you to exercise one of these rights, we will respond to valid data subject rights requests without undue delay and, in any event, within one month of receipt. Where a request is complex or where we receive a high number of requests, this period may be extended by up to a further two months, in line with data protection law.

    Please note that some rights are not absolute and may be limited in certain circumstances, particularly where we are required to retain or use information for healthcare, legal, regulatory, patient safety, or clinical governance reasons.

    Right to be Informed

    You have the right to be informed about why Beacon Hospital collects your personal data, how we use it, who we may share it with, how long we keep it, and how we protect it. This information is provided through this Data Protection Policy and other relevant patient information.

    Right of Access

    You have the right to request a copy of the personal data Beacon Hospital holds about you.

    When submitting a request, please provide enough information to help us verify your identity and locate the information you are requesting. This may include the date range, the type of records requested, or the subject of your request.

    To protect patient confidentiality, we may ask you to provide photographic identification and additional identifying information from your medical record before releasing personal data.

    If a third party, such as a solicitor, is making a request on your behalf, we will require written authorisation from you confirming that the information can be released to that third party.

    Right to Rectification

    You have the right to request that inaccurate or incomplete personal data is corrected or updated.

    Where information is found to be inaccurate or incomplete, we will take reasonable steps to correct it. In a healthcare setting, this may include adding a correction or note to the record rather than deleting or altering the original clinical entry.

    Right to Erasure

    You have the right to request that your personal data is erased in certain circumstances. For example, this may apply where the information is no longer needed for the purpose it was collected, where consent has been withdrawn and no other lawful basis applies, or where the information has been processed unlawfully.

    This right is not absolute. Beacon Hospital may be unable to erase personal data where it is required for healthcare, legal, regulatory, patient safety, clinical governance, insurance, audit, or public interest reasons. This includes information that forms part of the medical record and must be retained in line with healthcare record retention requirements.

    Right to Restriction of Processing

    You have the right to ask Beacon Hospital to restrict the use of your personal data in certain circumstances.

    This may apply where:

    1. You believe the information we hold is inaccurate and we need time to check it.
    2. The processing is unlawful, but you do not want the information erased.
    3. We no longer need the information, but you need it for a legal claim.
    4. You have objected to the processing and we are considering whether we have lawful grounds to continue using it.

    Where processing is restricted, we will only use the information in limited circumstances, such as with your consent, for legal claims, to protect the rights of another person, or for important public interest reasons.

    Right to Data Portability

    You have the right to receive certain personal data in a structured, commonly used, and machine-readable format.

    This right only applies where the processing is based on your consent or a contract, and where the processing is carried out by automated means.

    Where technically possible, you may also ask us to send this information directly to another organisation. This right may be limited where providing the data would affect the rights and freedoms of others.

    Right to Object

    You have the right to object to Beacon Hospital using your personal data in certain circumstances, including where processing is based on legitimate interests or public interest.

    You also have the right to object to direct marketing.

    If you object, we will stop using the information unless we have compelling lawful grounds to continue, or unless the information is required for legal claims.

    Right to Withdraw Consent

    Where Beacon Hospital relies on your consent to process your personal data, you have the right to withdraw that consent at any time.

    Withdrawing consent will not affect any processing that took place before consent was withdrawn.

    Right not to be Subject to Automated Decision-Making or Profiling

    You have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision would have a legal or similarly significant effect on you.

    Beacon Hospital does not currently use automated decision-making or profiling in relation to patient care where decisions are made solely by automated means without human involvement.

    Right to Complain

    You have the right to make a complaint to the Data Protection Commission, which is Beacon Hospital’s supervisory authority.

    We ask that you contact Beacon Hospital first where possible, so that we have an opportunity to review and address your concerns.

    How to Exercise your Rights

    To exercise any of your data subject rights, please contact Beacon Hospital’s Data Protection Officer at: [email protected]

    Please include enough information to allow us to identify you and understand the nature of your request.

  • Right to Obtain a Copy of your Personal Data

    Under the GDPR, you have the right to request a copy of the personal information Beacon Hospital holds about you. This includes your medical records.

    A request for your data can only be made by:

    • you, or
    • someone you authorise, such as a family member, next of kin, or your solicitor

     

    How to request your personal data

    You can contact our Medical Records team:

    1. By email: [email protected]
    2. By post: Data Request Beacon Hospital Beacon Court Sandyford D18 AK68

     

    What to include in your request

    To help us find your records quickly, please include:

    • your full legal name
    • your date of birth
    • the date(s) you attended the hospital
    • details of what you are requesting (e.g., “my full medical record” or “my most recent scan result”)
    • Proof of identity

    In some cases, we may ask for identification such as a valid passport or Irish driver’s licence to make sure your information is not given to the wrong person.

    How long will it take?

    We will respond to your request within 30 days.

    In some cases, we may need more time. If an extension is required, we may take up to an additional two months. If this happens, we will let you know within the first 30 days and explain the reason for the delay.

    If we cannot fulfil your request

    If we are unable to meet your request, we will inform you within 30 days and explain the reason for the refusal.

    If you are unhappy with our decision

    You have the right to contact the Data Protection Commission (DPC) if your request is refused or if you are not satisfied with our response.

  • How Will My Records Be Sent to Me?

    You can choose how you would like to receive your records:

    • By secure email
    • By registered post
    • By collecting them in person at the hospital

     

    If you decide to collect your records yourself, we will ask you to bring proof of identification. This is to make sure your personal information is only given to the correct person

Data Protection officer

Beacon Hospital’s Data Protection officer can be contacted via email [email protected] or via telephone 01 650 4646 or by post addressed to:

Data Protection Officer
Beacon Hospital
Sandyford
Dublin 18
D18 AK68