Data Protection Statement

31 Mar, 2020

Introduction

The Decision Support Service is part of the Mental Health Commission. This Data Protection Statement provides information about the ways in which the Mental Health Commission collects, stores and uses personal data relating to individuals (data subjects). This Data Protection Statement relates to personal data received by the Mental Health Commission and the Decision Support Service in carrying out their statutory duties.

Mental Health Commission and the Decision Support Service

The Mental Health Commission is an independent body established under the Mental Health Act 2001. Its functions include promoting, encouraging and fostering high standards and good practice in the delivery of mental health services and putting systems in place to protect the rights of mental health patients who have been detained under the Mental Health Act 2001 and related legislation. This means that the Mental Health Commission may need to process your personal data while you are in receipt of care and treatment at a mental health service so that it can perform its legal functions.

In December 2015, the Mental Health Commission’s remit was extended to include the establishment of the Decision Support Service under the provisions of the Assisted Decision Making (Capacity) Act 2015. Its core function is to support decision-making by, and for, adults with capacity difficulties. This means the Decision Support Service may need to process your personal data in carrying out its legal duties when it becomes fully operational.

Key areas of Data Protection Statement

This is the Data Protection Statement of the Mental Health Commission (which includes the Decision Support Service). It is designed to cover a number of key areas. These are as follows:

Definitions
Legislation
The Mental Health Commission and the GDPR
Data Protection and the Mental Health Commission
Processing of personal data by the Mental Health Commission
What personal data does the Mental Health Commission process?
How does the Mental Health Commission collect personal data?
Legal basis for processing personal data by the Mental Health Commission
Who are the recipients of personal data processed by the Mental Health Commission?
Publication of information
How long does the Mental Health Commission retain personal data?
Your data protection rights
Restriction of data subject rights in certain circumstances
Your right to complain
Changes to the Mental Health Commission Data Protection Statement

Definitions

For the purposes of this Data Protection Statement, the following definitions apply:

Personal data is information from which you (or another person) are identifiable or which relates to you.

Special categories of personal data is personal data which is subject to a higher standard of protection under law due to its sensitivity. This includes personal data which reveals:

any racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data
health data
data concerning a person’s sex life or sexual orientation

Processing refers to any use of personal data including its collection, disclosure, retention and storage.

Legislation

The Mental Health Commission is committed to protecting the rights and privacy of individuals in accordance with national data protection legislation and European Union directives and regulations. These include, but are not limited to, the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

The Mental Health Commission and the GDPR

The GDPR was introduced on 25 May 2018 and affects all countries within the European Union. It sets out a series of laws concerning how data can be processed and used by organisations within Member States. According to Article 5 of the GDPR, the key principles relating to the processing of personal data are:

lawfulness, fairness and transparency
purpose limitation
data minimisation
accuracy
storage limitation
integrity and confidentiality and
accountability

The GDPR is designed to strengthen and standardise data protection laws for all European Union citizens. It increases the obligations and responsibilities for the Mental Health Commission in how it collects, uses and protects personal data. Central to the GDPR are transparency, fairness and accountability. This means that the Mental Health Commission is required to be fully transparent in how it uses and protects personal data. It also means that it must show accountability for its data processing activities.

The GDPR applies to any organisation that collects and stores personal data (a Data Controller) and also any other organisation working on the instructions of the Data Controller (a Data Processor).

The Mental Health Commission is a Data Controller for all personal data collected for the purpose of its activities. The Mental Health Commission decides the minimum amount of personal data it needs to collect from you to allow it to operate its services. Its data processes are then documented and issued to relevant staff. In short, Mental Health Commission staff, the Decision Support Service, contractors, agents and third parties are all bound by the rules in the GDPR.

The Mental Health Commission routinely processes personal data. On occasion, special categories of personal data may also be processed. The Mental Health Commission takes appropriate measures to protect the confidentiality of your personal data. Service providers that support Mental Health Commission functions are also required to protect the confidentiality of your personal data and may not use it for any purpose other than providing services to the Mental Health Commission.

You can contact the Mental Health Commission in a number of ways. These are as follows

By post

Mental Health Commission,
Waterloo Exchange,
Waterloo Road,
Dublin 4
D04 E3W7

By Telephone

01 6362400

By email

info@mhcirl.ie

Data protection and the Mental Health Commission

The GDPR affects data protection in all European Union Member States. It was transposed into Irish law through the enactment of the Data Protection Act 2018. Collectively, the GDPR and 2018 Act places enhanced accountability and transparency obligations on all organisations using your information. As importantly, it gives you greater control over your personal information.

Data Protection Officer

The Mental Health Commission has a Data Protection Officer. Should you have questions about how the Mental Health Commission uses your information or you are concerned about any issue related to your personal data, you may contact the Data Protection Officer in any of the following ways:

By post

Data Protection Officer

Mental Health Commission,
Waterloo Exchange,
Waterloo Road,
Dublin 4
D04 E3W7

By email

dpfoi@mhcirl.ie

Processing of personal data by the Mental Health Commission

The Mental Health Commission processes personal data for a number of different purposes which arise from its statutory powers, functions and duties. These are outlined in the Mental Health Act 2001 (as amended) and its data protection responsibilities are outlined under the GDPR and the Data Protection Act 2018.

Based on its legislative purpose, it carries out the following functions:

Handling issues of concern from individuals in relation to mental health services generally
Inspecting approved centres for the provision of mental health services to ensure they meet the required standards of care for their residents
Handling issues of concern from individuals concerning his/her care, treatment or other issue relating to an approved centre
Arranging mental health tribunals for those involuntarily detained in approved centres
Taking enforcement action, where necessary (for example, administrative and legal sanctions)
Promoting awareness amongst members of the public of their rights in the context of mental health services

In carrying out these functions, the Mental Health Commission may collect personal data. This may occur in the following areas:

Inquiries and investigations including personal data received from data subjects directly and personal data received from an approved centre which is the subject of an inquiry and/or investigation
Queries and concerns: including personal data received from individuals who have raised queries or concerns with the Mental Health Commission
Service providers and suppliers including personal data obtained from service providers or suppliers engaged by the Mental Health Commission
Job applications: including personal data received from persons applying for roles within the Mental Health Commission
Conferences and events including personal data relating to attendees at conferences and events organised by the Mental Health Commission
Training sessions including personal data relating to attendees at events organised by the Mental Health Commission
Complaints handling including personal data received from a data subject directly (or though his/her legal representatives) where the data subject makes a complaint to the Mental Health Commission

What personal data does the Mental Health Commission process?

Personal data

The Mental Health Commission processes personal data. This includes personal data received by the Mental Health Commission where data subjects contact, or request information from, the Mental Health Commission directly and personal data received by the Mental Health Commission indirectly. This is under conditions set out above. Personal data the Mental Health Commission processes may include the following:

Basic personal information (for example, a data subject’s forename/s and surname, data of birth, approved centre where s/he received treatment and/or was detained)
Contact information (for example, a data subject’s postal address, email address and phone number/s)
Any other personal data that is provided to the Mental Health Commission during the course of the performance of its statutory functions

Special categories of personal data

The Mental Health Commission processes ‘special categories of personal data’. This includes special category data received by the Mental Health Commission’ where data subject’s contact, and request information from, the Mental Health Commission directly in addition to special category data received by the Mental Health Commission indirectly. According to Article 9 of the GDPR, such special category data may include personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation.

Data relating to criminal convictions and offences

In the course of performing its statutory functions, the Mental Health Commission may occasionally process personal data relating to criminal convictions and offences. This includes personal data where data subjects contact, or request information from, the Mental Health Commission directly and personal data relating to criminal convictions and offences received by the Mental Health Commission indirectly.

How does the Mental Health Commission collect personal data?

Phone calls to the Mental Health Commission

The Mental Health Commission does not audio record phone conversations.

Emails

All emails sent to the Mental Health Commission are recorded, forwarded to the relevant section of the Mental Health Commission and are stored for the purposes of the matter to which the email relates. The sender’s email address will remain visible to all staff dealing with the matter.

Please note:

It is the sender’s responsibility to ensure that the content of his/her email does not infringe the law. Unsolicited, unlawful material, together with the details of the sender, may be reported to An Garda Síochána and/or other relevant authorities and further emails from such recipients may be blocked.

Post

Post received by the Mental Health Commission may be scanned and stored for the purpose of the matter to which the post item relates. Original hard copy versions of post items are retained for a period set out in the Mental Health Commission’s Data Retention Policy and are then confidentiality destroyed thereafter.

Social media

The Mental Health Commission receives personal data through its interactions on social media platforms (for example, Twitter and LinkedIn). The Mental Health Commission operates accounts on these platforms to promote awareness of its role in the overseeing of mental health services in Ireland and protecting the rights of service users. Messages and/or posts received by the Mental Health Commission are viewed by Mental Health Commission staff but personal data contained therein are not logged or stored other than on the relevant social media platform. No further processing of such personal data is carried out by the Mental Health Commission.

Website

The Mental Health Commission websites are located at https://www.mhcirl.ie/, https://decisionsupportservice.ie/.They do not use any third party of persistent cookies. The Decision Support Service’s Cookie Statement can be accessed here.

Legal basis for processing of personal data by the Mental Health Commission

The legal basis for the processing of personal data by the Mental Health Commission will depend on the legislative framework that applies and the purpose for which the processing is being carried out.

GDPR

Article 6 of the GDPR sets out six legal bases on which personal data may be processed. Where the Mental Health Commission is processing personal data for the purpose of performing its statutory functions, the primary legal bases under the GDPR are as follows:

where the processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6.1 (c))
where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller (Article 6.1 (e)).

Who are the recipients of personal data processed by the Mental Health Commission?

Disclosure to third parties

Personal data collected by the Mental Health Commission is held confidentially. It is not shared by the Mental Health Commission with any third parties with the following exceptions:

Where the sharing of the personal data is necessary for the performance by the Mental Health Commission of its functions:

This may arise, for example, in the context of mental health tribunals where the Mental Health Commission will usually disclose the service user’s identity and related information to the panel members. This is required for practicality (because without disclosing this information it would prove difficult for the Mental Health Commission to review a service user’s case) as well as to ensure the efficient and effective performance of the Mental Health Commission’s statutory functions.

For the purposes of co-operation with other regulatory authorities

In certain circumstances, the Mental Health Commission must cooperate with and assist other supervisory authorities in Ireland. In such circumstances, in accordance with the law, the Mental Health Commission may provide personal data to other authorities such as the Child and Family Agency (Tusla), the Health and Information Quality Authority (HIQA) or any other regulatory body as part of its statutory functions. When this happens, the Mental Health Commission generally tries to do so on an anonymised basis. If not anonymised, this is in order to protect your rights while you are receiving care and treatment.

Where there is an issue of concern

In certain circumstances, the Mental Health Commission may request personal data from an approved centre to monitor any issues of concern that may have arisen on inspection. This is to ensure that the service has appropriate systems and procedures in place to address the care needs of its residents. This data may be used to verify the location of residents who have been transferred to another centre to ensure that appropriate care is taken and to monitor safety and compliance concerns.

For the purposes of legal proceedings

Health data or data relating to criminal offences or convictions may be submitted to the Mental Health Commission in reports prepared by staff and/or independent consultant psychiatrists.

In the event that a matter is brought before the Courts, the materials, including any information, documents or submissions provided by an individual, may be made public in open court.

In the case of service providers or suppliers to the Mental Health Commission

The Mental Health Commission uses data processors to provide certain services to the Mental Health Commission. The Mental Health Commission requires such processors to abide by certain terms to protect any personal data which is processed by the service provider/supplier during the course of providing the service in accordance with the requirements set out at Article 28.3 of the GDPR.

Publication of information

With the exception of Commission and Senior Management names in its annual reports and strategic plans, the Mental Health Commission does not publish personal data on its website.

How long does the Mental Health Commission retain personal data?

The retention periods for personal data held by the Mental Health Commission are based on the requirements of the Data Protection Act 2018, the GDPR and on the purpose for which the personal data is collected and processed (for example, in the case of issues of concern, the Mental Health Commission may retain personal data for as long as is necessary for the handling of that issue of concern). The retention periods applied by the Mental Health Commission to personal data which it processes are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action.

Your data protection rights

Under data protection legislation, data subjects have certain rights. Subject to certain restrictions, which are set out below, you can exercise these rights in relation to your personal data that is processed by the Mental Health Commission. The data subject’s rights are:

The right to be informed about the processing of your personal data
The right to access your personal data
The right to rectification of your personal data
The right to erasure of your personal data
The right to data portability
The right to object to the processing of your personal data
The right to restrict the processing of your personal data
Rights in relation to automated decision making, including profiling

Restriction of data subject rights in certain circumstances

Article 23 of the GDPR allows for data subject rights to be restricted in certain circumstances. In addition, the Data Protection Act 2018 contains certain provisions dealing with the restriction of the rights of data subjects (in particular, Sections 59, 60 and 61) which give further effect to the provisions of Article 23. General guidance in relation to the application of Article 23 and the related provisions of the 2018 Act have been provided by the Data Protection Commission.

Section 60 of the Data Protection Act 2018 provides for restrictions on the obligations of data controllers and on the rights of data subjects for important objectives of general public interest.

Your right to complain

If you have any concerns in relation to the manner in which the Mental Health Commission processes your personal data, you may contact the Mental Health Commission’s Data Protection Officer on dpfoi@mhcirl.ie.

Changes to the Mental Health Commission Data Protection Statement

This Data Protection Statement is kept under regular review and, consequently, is subject to change. If you have any comments and/or queries in relation to this Data Protection Statement, please contact the Mental Health Commission’s Data Protection Officer on dpfoi@mhcirl.ie

Please note:

This Data Protection Statement will be revised when the Decision Support Service becomes fully functional to illustrate how your personal data is processed by that division.