Who are we / what is “The Children’s Practice”? Who is the Data Controller?
The Children’s Practice is a private provider of children’s medical services in Dublin, Ireland. The Children’s Practice Data Controller is Maire Kilgallen. This statement relates to our privacy practices and GDPR compliance in connection with this website, www.thechildrenspractice.ie. We are not responsible for the content, privacy practices or GDPR compliance of other websites. Any external links to other websites are clearly identifiable as such.
The Children’s Practice website and our email are hosted by LetsHost.ie, and you can read more about LetsHost and their GDPR compliance here: https://www.letshost.ie/gdpr-statement/
Where are we? Where is the location of processing?
The Children’s Practice offers clinic-based appointments from The Children’s Practice, Suite 5 Cubes 1, Beacon South Quarter, Dublin 18. We can be contacted by phone on 01 2955 956, by fax on 01 697 5775 and our email address is email@example.com. Personal Data is processed at our clinic base, registered address or at other locations where our medical staff may be located on occasion.
What personal data do we process? How do we process data?
We process the following data:
- Names (of parents / guardians and children)
- Their address(es)
- Their contact details such as telephone numbers / email addresses
- Their dates of birth
We process information relating to the health (physical and mental) and education of children using our service. We also process text submitted via forms on our website (which may or may not include names, e-mail addresses and telephone numbers) and IP addresses. We collect information in manual / paper and electronic formats. We do not record telephone calls or conduct audio or video recording.
We do not currently process any kind of credit card information via our website.
How do we store and protect data?
Physical / paper-based data is stored at our clinic at Sandyford in County Dublin under lock and key. Electronic data is similarly stored on remote cloud servers and devices storing this information are password protected.
Some client information submitted via web forms, such as requests to make an appointment with The Children’s Practice and / or queries submitted via our website, is stored temporarily on our servers as a backup in case of any email delivery issues. Once this correspondence has been answered / dealt with, these records are periodically removed.
All data is accessible only by Maire Kilgallen / The Children’s Practice staff. We do not email patient reports.
Information provided via this website is secured in transit using HTTPS. HTTPS is the protocol over which data is sent between your browser and The Children’s Practice website. The “S” at the end of HTTPS stands for secure and indicates that these communications are encrypted.
How long do we retain data for?
Our stance on data retention is guided by the HSE. As per the HSE’s most recently (2013) published Records Retention Periods policy (https://www.hse.ie/eng/services/list/3/acutehospitals/hospitals/ulh/staff/resources/pppgs/rm/recret2013.pdf), we retain paper and electronic information relating to children / young people until the patient’s 25th birthday or 26th if the young person was 17 at the conclusion of treatment, or 8 years after death.
We retain financial data – this being typically paper receipts and invoices stored in a paper format – for the current year plus six years. Once a retention period has expired, data is destroyed under confidential conditions.
Why do we process personal data?
We process data as part of the process of providing paediatric medical services. This includes, but is not limited to, booking clinic appointments, carrying out assessments and interventions, referring children to / discussing children’s health needs with parents / guardians and other professionals, invoicing, end-of-year accounting and other day-to-day administration purposes that are within our legitimate interests.
Who do we share data with and why?
The Children’s Practice does not share data with individuals, companies or organisations except under the following circumstances:
- With your Consent – we will share personal information relating to your child with other professionals when we have your written permission to do so; examples include referring your child to another professional or sending a copy of your child’s medical report to their school.
- For processing by third parties – including LetsHost (website host), and our Accountants.
- For legal reasons – The Children’s Practice will share personal information with outside organisations when legally obliged to do so e.g. at the request of the Gardaí or Revenue Commissioners.
Consent: Prior to initial assessment / consultation / intervention, we provide parents / guardians of under 16s with a Consent Form which must be signed before assessment / consultation / intervention commences. Young people aged 16+ are required to sign their own Consent Form. Our Consent Form does not contain pre-ticked boxes and does not assume Consent; Consent must be freely given. Once provided, Consent remains valid for two years, although parents / guardians and young people can withdraw their Consent by advising us in writing of their desire to do so.
What is GDPR? The General Data Protection Regulation (GDPR) is a piece of legislation prepared by the European Union that aims to give you more control over how your data is used and protected. The new legislation comes into effect on the 25th May 2018. GDPR affords you the following rights:
- Right to be Informed: You have the right to be provided with “fair processing information”, which will be completely transparent about how we have gathered and will use your data. You have the right to be notified about any third party processors with whom we share your personal data, along with the reason for doing so.
- Right of Access: You have the right to confirmation that your personal data are being processed and to access a copy of your personal data.
- Right of Rectification: You have the right to have your personal data corrected if it is inaccurate or incomplete.
- Right to Erasure: You have the right to have your personal data deleted from our systems in the following situations:
  - When you withdraw consent
  - Where data deletion is required to comply with a legal obligation
  - Where the data was unlawfully processed
  - Where it is no longer necessary
  - Where you object to the processing
  - Where the personal data is processed to offer “information society services” to a child
We may have grounds to refuse such deletion requests for the following reasons:
- To exercise the right of freedom of expression
- For public health purposes in the public interest
- To comply with legal obligations
- For the exercise or defence of legal claims
- For archiving purposes in the public interest
To exercise these rights, please send an e-mail to firstname.lastname@example.org. We may ask you to verify your identity as part of processing requests to exercise your rights. We will endeavour to respond to all requests within 30 days of receiving the initial request. If we are unable to complete the request within the 30-day limit, we will notify you within the required time limit.
Technical details in connection with visits to this website are logged by our internet service provider for our statistical purposes. No information is collected that could be used by us to personally identify website visitors. The technical details logged are confined to the following items:
- the IP address of the visitor’s web server – this is the identifying detail for your computer, or your internet company’s computer, expressed in “internet protocol” code (for example 192.16x.xx.xx). Every computer connected to the web has a unique IP address, although the address may not be the same every time a connection is made.
- the top-level domain name used (for example .ie, .com, .org, .net)
- the previous website address from which the visitor reached us, including any search terms used
- the type of web browser and operating system used by the website visitor.
“The Children’s Practice” makes no attempt to identify individual visitors, or to associate the technical details listed above with any individual, nor will we disclose such technical information in respect of individual website visitors to any third party (apart from our internet service provider, which records such data on our behalf and which is bound by confidentiality provisions in this regard), unless obliged to disclose such information by law. The technical information will be used only by “The Children’s Practice” and only for statistical and other administrative purposes. You should note that technical details, which we cannot associate with any identifiable individual, do not constitute “personal data” for the purposes of the GDPR.
Cross-border data transfer: Our use of LetsHost and our email hosted by LetsHost means that certain personal data may be stored on servers located outside of the EU. We understand that these companies are GDPR compliant and have subscribed to the EU-US and Swiss-US Privacy Shield which is a regulatory implementation designed to guarantee that EU citizens are adequately protected under EU data protection laws as their data passes into and out of the United States. Read more about Privacy Shield here: https://www.privacyshield.gov/welcome
Complaints about how your data is processed: If you are concerned about how personal data is processed by The Children’s Practice, please contact us via this link: https://www.thechildrenspractice.ie/contact/ or by emailing email@example.com