This Data Protection Statement provides information about the ways in which the MHNMI(MHNMI) collects, stores and uses personal data relating to individuals (data subjects). This Data Protection Statement relates to personal data received by the MHNMI in carrying out its statutory duties.
Mental Health Nurse Managers Ireland
Who we are
Mental Health Nurse Managers Ireland is an association that provides managerial, educational and clinical support to senior mental health nurse managers across the Irish Mental Health Services. Mental Health Nurse Managers Ireland has been reconstituted from the Association of Psychiatric Nurse Managers (APNM) following a change of title of the organisation at the Annual General Meeting in 2003. The change of name was proposed to reflect a more positive and modern view of services for people with mental health needs and to accord with changing legislation in the area of mental health care.
Key areas of Data Protection Statement
This Data Protection Statement is designed to cover a number of key areas. These are as follows:
- Definitions
- Legislation
- The MHNMI and the GDPR
- Data Protection and the MHNMI
- Law Enforcement Directive (LED)
- Processing of personal data by the MHNMI
- What personal data does the MHNMI process?
- How does the MHNMI collect personal data?
- Legal basis for processing personal data by the MHNMI
- Who are the recipients of personal data processed by the MHNMI?
- Publication of information
- How long does the MHNMI retain personal data?
- Your data protection rights
- Restriction of data subject rights in certain circumstances
- Your right to complain
- Changes to the MHNMI Data Protection Statement
Definitions
For the purposes of this Data Protection Statement, the following definitions apply:
Personal data is information from which you (or another person) are identifiable or which relates to you.
Special categories of personal data is personal data which is subject to a higher standard of protection under law due to its sensitivity. This includes personal data which reveals:
- any racial or ethnic origin
- financial status
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data
- data concerning a person’s sex life or sexual orientation
Processing refers to any use of personal data including its collection, disclosure, retention and storage.
Legislation
The MHNMI is committed to protecting the rights and privacy of individuals in accordance with national data protection legislation and European Union (EU) Directives and regulations. These include, but are not limited to, the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
The MHNMI and the GDPR
The GDPR was introduced on 25 May 2018 and affects all countries within the EU. It sets out a series of laws concerning how data can be processed and used by organisations within member states. According to Article 5 of the GDPR, the key principles relating to the processing of personal data are
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality and
- accountability
The GDPR is designed to strengthen and standardise data protection laws for all EU citizens. It increases the obligations and responsibilities for the MHNMI in how it collects, uses and protects personal data. Central to the GDPR are transparency, fairness and accountability. This means that the MHNMI is required to be fully transparent in how it uses and protects personal data. It also means that it must show accountability for its data processing activities.
The GDPR applies to any organisation that collects and stores personal data (a Data Controller) and also any other organisation working on the instructions of the Data Controller (a Data Processor). The MHNMI is a Data Controller for all personal data collected for the purpose of its activities. The MHNMI decides the minimum amount of personal data it needs to collect from you to allow it to operate its services. Its data processes are then documented and issued to relevant staff. In short, MHNMI staff, contractors, agents and other third parties are all bound by the rules in the GDPR.
The MHNMI routinely processes personal data. On occasion, special categories of personal data may also be processed. The MHNMI takes appropriate measures to protect the confidentiality of your personal data. Service providers that support MHNMI functions are also required to protect the confidentiality of your personal data and may not use it for any purpose other than providing services to the MHNMI.
You can contact the MHNMI in a number of ways. These are as follows:
Data Protection and the MHNMI
The GDPR affects data protection in all EU member states. The Data Protection Act 2018 gives further effect to the GDPR in Irish law. Collectively, the GDPR and 2018 Act places enhanced accountability and transparency obligations on all organisations using your information. As importantly, it gives you greater control over your personal information.
Data Protection Officer (DPO)
The MHNMI has a Data Protection Officer. Should you have questions about how the MHNMI uses your information or you are concerned about any issue related to your personal data, you can contact the DPO in any of the following ways:
Law Enforcement Directive (LED)
The Law Enforcement Directive (EU 2016/680) is a piece of EU legislation, parallel to the GDPR, which also took effect from May 2018. The Law Enforcement Directive (LED) deals with the processing of personal data by Data Controllers where the processing is for ‘law enforcement purposes’ which fall outside the scope of the GDPR.
As a Directive, the LED was transposed into Irish law. Part 5 of the Data Protection Act 2018 sets out the LED in the Irish context. The MHNMI is a ‘competent authority’ under this statute.
Processing of personal data by the MHNMI
The MHNMI processes personal data for a number of different purposes which arise from its statutory powers, functions and duties. These are outlined in the Mental Health Act 2001 (as amended) and its data protection responsibilities are outlined under the GDPR and the Data Protection Act 2018.
Based on its legislative purpose, it carries out the following functions:
- Handling issues of concern from individuals in relation to mental health services generally
- Inspecting approved centres for the provision of mental health services to ensure they meet the required standards of care for their residents
- Handling issues of concern from individuals concerning his/her care, treatment or other issue relating to an approved centre
- Arranging mental health tribunals for those involuntarily detained in approved centres
- Taking enforcement action, where necessary (for example, administrative and legal sanctions)
- Promoting awareness amongst members of the public of their rights in the context of mental health services
In carrying out these functions, the MHNMI may collect personal data. This may occur in the following areas:
- Inquiries and investigationsincluding personal data received from data subjects directly and personal data received from an approved centre which is the subject of an inquiry and/or investigation (this may also include personal data received by the MHNMI in its role as a ‘competent authority’ under Part 5 of the 2018 Act (‘Processing of Personal Data for Law Enforcement Purposes’)
- Queries and concernsincluding personal data received from individuals who have raised queries or concerns with the MHNMI
- Service providers and suppliersincluding personal data obtained from service providers or suppliers engaged by the MHNMI
- Job applications,including personal data received from persons applying for roles within the MHNMI
- Conferences and eventsincluding personal data relating to attendees at conferences and events organised by the MHNMI
- Training sessions including personal data relating to attendees at events organised by the MHNMI
- Complaints handlingincluding personal data received from a data subject directly (or through his/her legal representatives) where the data subject makes a complaint to the MHNMI
What personal data does the MHNMI process?
Personal data
The MHNMI processes personal data. This includes personal data received by the MHNMI where data subjects contact, or request information from, the MHNMI directly and personal data received by the MHNMI indirectly. This is under the conditions set out above. Personal data the MHNMI processes may include the following:
- Basic personal information (for example, a data subject’s forename/s and surname, date of birth, approved centre where s/he received treatment or was detained)
- Contact information (for example, a data subject’s postal address, email address and phone number/s)
- Any other personal data that is provided to the MHNMI during the course of the performance of its statutory functions
Special categories of personal data
The MHNMI processes ‘special categories of personal data’. This includes special category data received by the MHNMI where data subject’s contact, and request information from, the MHNMI directly in addition to special category data received by the MHNMI indirectly. According to Article 9 of the GDPR, such special category data may include personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation.
Data relating to criminal convictions and offences
In the course of performing its statutory functions, the MHNMI may occasionally process personal data relating to criminal convictions and offences. This includes personal data where data subjects contact, or request information from, the MHNMI directly and personal data relating to criminal convictions and offences received by the MHNMI indirectly.
How does the MHNMI collect personal data?
Phone calls to the MHNMI
The MHNMI does not audio record phone conversations.
Emails
All emails sent to the MHNMI are recorded, forwarded to the relevant section of the MHNMI and are stored for the purposes of the matter to which the email relates. The sender’s email address will remain visible to all staff dealing with the matter.
Please note:
It is the sender’s responsibility to ensure that the content of his/her emails does not infringe the law. Unsolicited unlawful material, together with the details of the sender, may be reported to An Garda Síochána and/or other relevant authorities and further emails from such recipients may be blocked.
Post
Post received by the MHNMI may be scanned and stored for the purpose of the matter to which the post item relates. Original hard copy versions of post items are retained for a period set out in the MHNMI’s Data Retention Policy and are then confidentially destroyed thereafter.
Social media
The MHNMI receives personal data through its interactions on social media platforms (for example, Twitter and LinkedIn). The MHNMI operates accounts on these platforms to promote awareness of its role in the overseeing of mental health services in Ireland and protecting the rights of service users. Messages and/or posts received by the MHNMI are viewed by MHNMI staff but personal data contained therein are not logged or stored other than on the relevant social media platform. No further processing of such personal data is carried out by the MHNMI.
Website
The MHNMI websites are located at www.MHNM.ie
Legal basis for processing personal data by the MHNMI
The legal basis for the processing of personal data by the MHNMI will depend on the legislative framework that applies and the purpose for which the processing is being carried out.
GDPR
Article 6 of the GDPR sets out six legal bases on which personal data may be processed. Where the MHNMI is processing personal data for the purpose of performing its statutory functions, the primary legal bases under the GDPR are as follows:
- where the processing is necessary for compliance with a legal obligationto which the controller is subject (Article 6.1 (c))
- where the processing is necessary for the performance of a task carried out in the public interestor in the exercise of an official authority vested in the controller (Article 6.1 (e)).
Legal Enforcement Directive (LED)
The Law Enforcement Directive (LED) deals with the processing of personal data for ‘law enforcement purposes’ by data controllers which fall within the definition of being a ‘competent authority’ for the purposes of the LED, as transposed into Irish law by Part 5 of the Data Protection Act 2018. Section 70 of the 2018 Act defines the scope of processing of personal data which falls within that part of the Act. It states that Part 5 of the Act applies to processing of personal data carried out ‘for the purposes of (i) the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security or (ii) the execution of criminal penalties…’
The term ‘competent authority’ is defined in Section 69 of the 2018 Act as being ‘a public authority, competent for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security.’ For certain processing activities which it carries out, the MHNMI is a ‘competent authority’ for the purposes of Part 5 of the 2018 Act.
In terms of the legal basis for the processing of personal data by the MHNMI as a ‘competent authority’, Section 71.2 of the 2018 Act provides that the processing of personal data (for the purpose of the LED) shall be lawful where, and to the extent that:
- it is necessary for the performance of a function of a controller for one of the purposes specified in Section 70 (as referred to above); or
- the data subject has, subject to certain requirements set out in Section 71.3, given his or her consent to processing
Who are the recipients of personal data processed by the MHNMI?
Disclosure to third parties
Personal data collected by the MHNMI is held confidentially. It is not shared by the MHNMI with any third parties with the following exceptions:
Where the sharing of the personal data is necessary for the performance by the MHNMI of its functions. This may arise, for example, in the context of mental health tribunals where the MHNMI will usually disclose the service user’s identity and related information to the panel members. This is required for practicality (because without disclosing this information it would prove difficult for the MHNMI to review a service user’s case) as well as to ensure the efficient and effective performance of the MHNMI’s statutory functions.
For the purposes of co-operation with other regulatory authorities. In certain circumstances, the MHNMI must cooperate with and assist other supervisory authorities in Ireland. In such circumstances, in accordance with the law, the MHNMI may provide personal data to other authorities such as the Child and Family Agency (Tusla), the Health and Information Quality Authority (HIQA) or any other regulatory body as part of its statutory functions. When this happens, the MHNMI generally tries to do so on an anonymised basis. If not anonymised, this is in order to protect your rights while you are receiving care and treatment.
Where there is an issue of concern. In certain circumstances, the MHNMI may request personal data from an approved centre to monitor any issues of concern that may have arisen on inspection. This is to ensure that the service has appropriate systems and procedures in place to address the care needs of its residents. This data may be used to verify the location of residents who have been transferred to another centre to ensure that appropriate care is taken and to monitor safety and compliance concerns.
For the purposes of legal proceedings. Health data or data relating to criminal offences or convictions may be submitted to the MHNMI in reports prepared by staff and/or independent consultant psychiatrists.
In the event that a matter is brought before the Courts, the materials, including any information, documents or submissions provided by an individual, may be made public in open court.
In the case of service providers or suppliers to the MHNMI. The MHNMI uses data processors to provide certain services to the MHNMI. The MHNMI requires such processors to abide by certain terms to protect any personal data which is processed by the service provider/supplier during the course of providing the service in accordance with the requirements set out at Article 28.3 of the GDPR
Publication of information
With the exception of Commission and Senior Management names in its annual reports and strategic plans, the MHNMI does not publish personal data on its website.
How long does the MHNMI retain personal data?
The retention periods for personal data held by the MHNMI are based on the requirements of the Data Protection Act 2018, the GDPR and on the purpose for which the personal data is collected and processed (for example, in the case of issues of concern, the MHNMI may retain personal data for as long as is necessary for the handling of that issue of concern). The retention periods applied by the MHNMI to personal data which it processes are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action.
Your data protection rights
Under data protection legislation, data subjects have certain rights. Subject to certain restrictions, which are set out below, you can exercise these rights in relation to your personal data that is processed by the MHNMI. The data subject’s rights are:
- The right to be informed about the processing of your personal data
- The right to access your personal data
- The right to rectification of your personal data
- The right to erasure of your personal data
- The right to data portability
- The right to object to processing of your personal data
- The right to restrict processing of your personal data
- Rights in relation to automated decision making, including profiling
Restriction of data subject rights in certain circumstances
Article 23 of the GDPR allows for data subject rights to be restricted in certain circumstances. In addition, the Data Protection Act 2018 contains certain provisions dealing with the restriction of the rights of data subjects (in particular, Sections 59, 60 and 61) which give further effect to the provisions of Article 23. General guidance in relation to the application of Article 23 and the related provisions of the 2018 Act have been provided by the Data Protection Commission and are available here.
Section 60 of the Data Protection Act 2018 provides for restrictions on the obligations of data controllers and on the rights of data subjects for important objectives of general public interest.
Your right to complain
If you have any concerns in relation to the manner in which the MHNMI processes your personal data, you may contact the MHNMI’s Data Protection Officer on info@MHNM.ie
Changes to the MHNMI Data Protection Statement
This Data Protection Statement is kept under regular review and, consequently, is subject to change. If you have any comments and/or queries in relation to this Data Protection Statement, please contact the MHNMI’s Data Protection Officer on info@MHNM.ie
Please note:
This Data Protection Statement will be revised when the Decision Support Service (DSS) becomes fully functional to illustrate how your personal data is processed by that division.
February 2020