February 2026
Under the General Data Protection Regulation (GDPR) we are obliged to have a fair processing notice for personal data. This is often referred to as a Privacy Notice. It provides information about the ways in which we process (collect, store and use) your personal data as a patient in this Hospital. Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller Marymount University Hospital & Hospice.
Personal data will be obtained in a lawful, fair and transparent manner for a specified purpose and will not be disclosed to any third party, except in a manner compatible with that purpose.
All medical information under GDPR is deemed a special category of personal information and as a Hospital we will endeavor to ensure your information is treated with the utmost respect and confidentiality.
If you require more detailed information about the Hospital’s information handling practices, then please read this document.
1. Contact Details
| Role | Address | Phone | Email |
| Data Controller Marymount University Hospital & Hospice | Curraheen Road, Cork | +353 (0)21 450 3000 | info@marymount.ie |
| Data Protection Officer | Curraheen Road, Cork | +353 (0)21 450 3000 | marymountDPO@ambitcompliance.ie |
2. Data Protection Legislation
All personal data we gather will be processed in accordance with all applicable data protection laws and principles, including the General Data Protection Regulation (EU) 2016/679 and the Data Protection Acts 1988 – 2018 (as amended).
For more information on Data Protection we recommend the Data Protection Commission website https://www.dataprotection.ie/en/individuals
How Do We Collect Your Information?
Your information is collected in a number of different ways.
This might be from a referral made by your GP or another healthcare professional you have seen, or perhaps directly from you – in person, over the telephone or on a form you have completed.
There may also be times when information is collected from your relatives or next of kin – e.g. if you are very unwell and unable to communicate. During your treatment, health-specific data will be collected by the doctors, nurses and healthcare staff taking care of you and will be held in your patient chart (this can be paper and/or electronic).
3. What Information Do We Collect?
The information that we collect about you may include details such as:
- Name, address, telephone, email, date of birth and next of kin
- Any contact we have had with you through appointments and Hospital attendances
- Details and records of treatment and care, notes and reports about your health, including any allergies or health conditions
- Results of diagnostic tests, e.g. x-rays, scans, blood tests
- Financial and health insurance information
- Other relevant information from people who care for you and know you well, e.g. health professionals, relatives and carers
- We may also collect other information about you, such as your sexuality, race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate)
- CCTV and security information
4. Why Do We Collect Information About You?
Hospital staff, including doctors, nurses, and the team of healthcare staff caring for you, keep records about your health and any care or treatment you may receive from us. It is important for us to have a complete picture as this information enables us to provide the right care to meet your individual needs.
5. How Do We Store Your Personal Data?
Under Data Protection Law, strict principles govern our use of personal data and our duty to ensure it is kept safe and secure. Your data may be stored within electronic or paper records, or a combination of both. All our records have restricted access controls, so that only those individuals who have a need to know the information can get access. This might be through the use of computer passwords, audit trails and physical safeguards e.g. security controlled access.
6. How and Why Do We Use Your Information?
7. Direct Care
We use your information to manage and deliver your care (Direct Care) to ensure that:
- The right decisions are made about your care
- Your treatment is safe and effective; and
- We can coordinate with other organisations that may be involved in your care
This is important because having accurate and up-to-date information will assist us in providing you with the best possible care.
8. Indirect Care
In addition to using the data to provide for your care, this data is also routinely used to improve services and plan for the future (Indirect Care). Therefore, your data may be used in:
- Evaluating and improving patient safety
- Reviewing the care provided to ensure it is of the highest standard possible, improving individual diagnosis and care. This can be carried out by multiple quality improvement methods e.g. clinical audit
- Training healthcare professionals
- Ensuring that our services can be planned to meet the future demand. E.g. analysing peak times, staffing levels and average length of stay, projected demand by disease/condition
- Preparing statistics on Hospital performance and monitoring how we spend public money
- Supporting the health of the general public e.g. Influenza, winter vomiting bug
The activities listed above are part of normal delivery of care and under Data Protection Law your consent is not required. However, we recognise our duty to always keep your data secure and confidential and where appropriate we de-identify your data when using it for improvement.
9. Research
Using the data to understand and develop new treatments and techniques (Research). Research in healthcare is vital in helping develop understanding about health risks and causes to develop new treatments. It is usual for patient information to be used for research.
Normally, your consent will be sought prior to being asked to participate in a research study or to have your personal data used in a research study. In some circumstances, consent may not be required to carry out research using your personal data, for example retrospective chart reviews that are low risk, and have highly visible transparency arrangements in place.
More information on health research and Data Protection is available on the HRCDC and the Health Research Board websites: https://hrcdc.ie/ and https://www.hrb.ie
10. What is the Legal Basis for Processing Your Data?
Under Data Protection Law, organisations must identify a legal basis for using your personal data. Where your personal data is used for the reasons explained above, the following applies:
11. To Manage and Deliver Your Care (Direct Care) AND To Improve Services and Plan for the Future (Indirect Care)
12. Legal Basis under Article 6 of GDPR and Data Protection Act 2018:
- Article 6(1)(a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes (for example: to provide third parties Solicitors, Insurance Companies, Banks with personal data)
- Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (for example: in relation to getting paid for providing a service to private patients)
- Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject (for example: reporting incidents to HIQA)
- Article 6(1)(d) – processing is necessary in order to protect the vital interests of the data subject or of another natural person (for example: delivery of care in an emergency setting)
- Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (for example: delivery of healthcare services)
- Article 6(1)(f) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
13. Lawful Condition for Processing Special Category Personal Data under Article 9 of GDPR and Data Protection Act 2018
- Article 9(2)(h) GDPR – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’ or Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as…ensuring high standards of quality and safety of health care…’
- Data Protection Act 2018, Section 52(1)(a) – ‘for the purposes of preventative or occupational medicine’, Section 52(1)(d) ‘for the provision of medical care, treatment or social care’ and/or Section 52(1)(e) ‘for the management of health or social care systems and services’ which allows patient information to be used for clinical audit provided that appropriate measures are taken to safeguard the fundamental rights of the data subject
- Data Protection Act 2018, Section 53(b) – Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where it is necessary for public interest reasons in the area of public health including (b) ensuring high standards of quality and safety of health care and of medicinal products and medical devices
14. To Understand and Develop New Treatments and Techniques (Research)
15. Legal Basis under Article 6 of GDPR and Data Protection Act 2018:
- Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’, or Article 6(1)(f) – processing is necessary for the purposes of legitimate interests
- Under the Health Research Regulations, consent must be obtained as a suitable and specific measure to safeguard the fundamental rights and freedoms of the data subject
- In some circumstances, consent exemptions may be granted by the Health Research HRCDC (Health Research Regulations 2018)
- Article 6(1)(a) when appropriate ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’
16. Lawful Condition for Processing Special Category Personal Data:
- Article 9(2)(h) ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’ or Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as…ensuring high standards of quality and safety of health care…’
- Data Protection Act 2018, Section 52(1)(a) ‘for the purposes of preventative or occupational medicine’, Section 52(1)(d) ‘for the provision of medical care, treatment or social care’ and/or Section 52(1)(e) ‘for the management of health or social care systems and services’ which allows patient information to be used for clinical audit provided that appropriate measures are taken to safeguard the fundamental rights of the data subject
- Data Protection Act 2018, Section 53(b) – Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where it is necessary for public interest reasons in the area of public health including (b) ensuring high standards of quality and safety of health care and of medicinal products and medical devices
17. Who Do We Share Your Personal Data With?
We may disclose your personal data to external third parties in connection with specific purposes and compliance, including:
- Other health care organisations that are involved in your care. Services such as Public Health, GPs, or community services
- Third parties who provide services to us (Solicitors, Auditors (internal and external), IT service providers)
- Authorities and bodies where required or permitted by law, e.g. HIQA, National Cancer Registry Ireland, Health and Safety Authority, Director of Public Health of certain diseases
- National organisations e.g. National Office of Clinical Audit (NOCA)
- National Integrated Medical Imaging System (NIMIS)
- Insurance Companies
- National Treatment Purchase Fund (NTPF)
- An Garda Síochána
18. Use Among Health Professionals to Provide Your Treatment
Modern health care practices mean that your treatment will be provided by a multi-disciplinary team of health professionals working together. Your personal data may be shared with other health care organisations that are involved in your care including services such as the HSE, Public Health, GPs, or community services.
Hospital staff may consult with senior medical experts when determining your diagnosis or treatment. With developments in technology the Hospital staff may consult with health professionals and medical experts, both public and private, located remotely, including outside the Hospital, in relation to your diagnosis or treatment, including by sending health information and clinical images electronically. Marymount staff may also refer you to other health service providers, both public and private, for further treatment during and following your admission (for example, to a physiotherapist or outpatient for community health services). We may disclose your personal data to the relevant provider to the extent required for any such referral (including disclosing that information electronically).
19. Assessment for Provision of Health Care Services
As part of your care, the Hospital may be required to disclose your personal data to third party medical suppliers for the purpose of ordering specific products or to enable appropriate follow up, for example, if you require prosthesis, certain pharmaceutical treatments or other medical implantable products as part of your treatment.
Where you undergo assessment or treatment by a third party provider (for example radiotherapy in another Hospital facility) the Hospital may disclose your personal data to the third party provider for the purpose of transferring your care to this provider.
20. Your Local Doctor
The Hospital will usually send a discharge summary to your referring medical practitioner or nominated general practitioner following an admission. This is in accordance with international norms and long-standing medical practice and is intended to inform your doctor of information that may be relevant to any on-going care or treatment provided by your general practitioner.
If your nominated general practitioner has changed or your general practitioner’s details have changed following a previous admission, you must let us know.
21. Students and Trainees
Marymount University Hospital & Hospice supports the placement of students and trainees. These students and trainees may have access to your personal information for the purpose of the placement. Students and trainees on placement at the Hospital are required to comply with the Data Protection Policy, Data Protection Law and our Privacy Notice.
22. Relatives, Guardian, Close Friends or Legal Representative
We may provide information about your condition to your spouse or partner, parent, child, other relatives, close personal friends, guardians, or a person exercising your power of attorney under an enduring power of attorney or who you have appointed your enduring guardian, unless you tell us that you do not wish us to disclose your personal information to any such person.
Other Healthcare Entities or Facilities
The Hospital may need to share your personal information amongst other healthcare facilities. For example, this may occur where you are transferred between other Hospitals/healthcare facilities or to coordinate your care with other service providers in the Cork area.
23. Do We Transmit Your Data Outside Ireland?
In some circumstances we may need to transfer your personal data outside of Ireland in order to provide the best care and services possible. The Hospital will take reasonable steps to ensure that the third parties do not breach the Data Protection requirements. The steps the Hospital will take may include ensuring the third party is bound by privacy protection obligations which are the same (or substantially the same) as those which bind the Hospital and requiring that the third party has information security measures in place which are of an acceptable standard.
24. How Long Do We Keep Your Personal Data?
We will retain your information for as long as necessary to provide you with services, and to comply with our legal and regulatory obligations.
We are committed to protecting your personal data to the very best of our ability and take the appropriate steps to do so in collecting, storing and destroying your data.
25. What Are Your Rights Relating to Personal Data?
You have the following rights under the GDPR in relation to your personal data.
26. The Right to Be Informed (Article 13 & 14 of the GDPR)
You have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the GDPR.
This privacy notice aims to provide you with this important privacy information in a concise, transparent, intelligible, easily accessible way.
27. The Right to Access Information (Article 15 of the GDPR)
You have a right to have access to the personal information that we hold about you (for patients, this includes health information contained in your health record). Requests are called Subject Access Requests. We will provide you with a copy of your information within one month of receiving the request, unless the request is complex or the Hospital has received a number of requests from you.
There is no fee for making a Subject Access Request. However, where the request is manifestly unfounded or excessive you may be charged a reasonable fee for the administrative costs of complying with the request. A fee may also be charged if an individual requests further copies of their data following a request. The fee will be based on the administrative costs of providing further copies.
28. The Right to Rectification (Articles 16 & 19 of the GDPR)
You can also request an amendment to personal information that we hold about you should you believe that it contains inaccurate information. The request will be reviewed with the relevant parties.
The Hospital will make the requested changes unless there is a reason under the GDPR or other relevant law to refuse such access or refuse to make the requested changes.
If the Hospital does not agree to change your personal data in accordance with your request, it will permit you to make a statement of the requested changes and it will enclose this with your personal information.
Should you wish to obtain access to or request changes to your personal data held by the Hospital please contact our routine access department at marymountDPO@ambitcompliance.ie
29. The Right to Be Forgotten (Articles 17 & 19 of the GDPR)
You may ask the Hospital to delete your personal information. However, such requests will be dealt with on a case-by-case basis as the right of erasure is not an absolute right and restrictions may apply.
30. The Right to Data Portability (Article 20 of the GDPR)
In limited circumstances, you may be entitled to obtain your personal data from a data controller in a format that makes it easier to reuse your information in another context, and to transmit this data to another data controller of your choosing.
This right only applies where processing of personal data (supplied by the data subject) is carried out by automated means, and where you have either consented to processing, or where processing is conducted on the basis of a contract between you and the Hospital.
Although this is not the case for most healthcare providers, you can request a copy of your medical record in a format that allows you to transmit the data to another health care provider or general practitioner. The protocol for transfer of medical records is for the receiving provider/practice to provide a signed patient consent form for the transfer of medical records from the original or sending practice. Marymount will only send the records via a secure format.
31. The Right to Object (Article 21 of the GDPR)
You have the right to object to certain types of processing. The right to object only applies in certain circumstances. You have a stronger right to object to processing of your personal data where the processing relates to direct marketing.
32. The Right of Restriction (Article 18 of the GDPR)
You have a limited right to the restriction of processing of your personal data. Where processing of your data is restricted, it can be stored by the Hospital, but most other processing actions, such as deletion, will require your permission.
You may request that your medical record be locked or archived so that further processing of, or changes to, the record do not occur. Any such requests must be in writing, signed by the patient and sent to the Data Protection Officer (see details below) together with identification as continuing medical care cannot take place while the medical record is locked.
These requests will be dealt with on a case by case basis.
33. In Addition, You Have the Following Rights Under GDPR
- Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling
- Withdraw your consent – where you have consented to receiving emails or newsletters you may withdraw your consent at any time
If you wish to exercise any of these rights, please submit a written request to Marymount Data Protection Officer (please see contact details in the Who to contact section below).
When submitting a request, Marymount’s Data Protection Officer may need information from you to confirm your identity.
Some of these rights only apply in certain circumstances; they are not guaranteed or an absolute right. Please contact our Data Protection Officer if you have any questions or concerns about your rights. If you make a request, we have one month to respond to you.
34. How to Make a Complaint?
You have the right to make a complaint if you feel unhappy about how we hold, use or share your personal data. To make a complaint directly to the Hospital see the contact information for the Patient Services Department and the Data Protection Officer below.
You also have the right to make a complaint to the Data Protection Commission by emailing info@dataprotection.ie or marymountDPO@ambitcompliance.ie
