Privacy Notice

Who are we?

We are Saint John of God Hospital CLG with an address at Granada, Stillorgan Road, Stillorgan, Co. Dublin. We are part of the Saint John of God Hospitaller Services Group, which has its headquarters in Rome.


Saint John of God Hospital CLG is the legal agency which determines the purposes and means of the processing of personal data for both Saint John of God Hospital and Saint Joseph’s Centre Shankill.


Saint John of God Hospital provides mental health services to private and public patients in Ireland.


Saint Joseph’s Shankill provides person-centred care to our residents with dementia specific needs.


We take your privacy seriously. This notice sets out the basis on which any personal data we collect from you, or from others, will be processed by us.  Please read the following carefully to understand our practices regarding your personal data and how we will treat it.


For the purpose of the General Data Protection Regulation (the GDPR) the data controller is Saint John of God Hospital CLG (“the Hospital”).


Our Data Protection Officer (“DPO”) is:


Pembroke Privacy Ltd.

Address: 3-4 Upper Pembroke Street, Dublin, D02 VN24

Phone: +353 1 639 2958

What Personal Information do we Collect from you?

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity of the individual has been removed (anonymous data).


“Special category data” refers to more sensitive personal data which require a higher level of protection. This sensitive data can only be processed under strict conditions.


All patient personal data is gathered by the Hospital from many sources. You may give us your personal data at the point of admission or when you present to the hospital.


Personal data may also be provided by family members, a referring GP, another hospital or your consultant.


The type of information we collect includes your name; address; date of birth; contact details of parents/guardians/next of kin; marital status; photograph; PPS number; GP name and contact details; private health insurance details; community pharmacy name and contact details; family support service provision; education; multidisciplinary team appointments and CCTV footage.


You may also interact with us if you are a next-of-kin of one of our patients. The type of information we collect includes your name, phone number, address and e-mail address.


If you are visiting one of our patients at our hospital or any of our facilities, we may collect your name,  the name of the patient you are visiting and CCTV footage.


  • If you choose to receive information in relation to our organisation or our services by signing up at a fundraising event, we may collect your contact details for those purposes.
  • You may correspond with us by phone, e-mail, via our websites, or social media pages, or otherwise. We ask you to disclose only as much information as is necessary to provide you with services or to submit a question/suggestion/comment in relation to our site or our services.
  • Applying to work with us: the type of information you may provide in your CV, a cover letter, your name, address, e-mail address and phone number. CVs should include information relevant to your employment history and education (degrees obtained, places worked, positions held, relevant awards, and so forth). We ask that you do not disclose sensitive personal information (e.g. gender, height, weight, medical information, religion, philosophical or political beliefs, and financial data) in your application.
  • Supplying us with products or services. Suppliers provide us with information which may include a contact name, e-mail address, business address, telephone number and billing payment details.


We may also collect the following Special Categories of Personal Data:


  • Information relating to your health including mental health, diagnosis information, medication details; medical records; services provided by us; admission/discharge to Saint John of God Hospital and other services; laboratory tests and results; clinical consultation recordings; current/future residential/day service provision and history; multidisciplinary team reports;
  • In some circumstances, patients may disclose data relating to their relatives and other third parties;
  • Information relating to your religious beliefs; and
  • Details of your sexual orientation where you inform us of same in the course of providing healthcare services.
What information about you do we obtain from others?

When you use our healthcare services, we may obtain the following categories of personal data from others:

  • Name
  • Address
  • Date of birth
  • Phone number
  • Gender
  • Medical records
  • Reasons for referral
  • Medical/Psychiatric history
  • Collateral history
  • Community pharmacy name and contact details
  • Medications/treatment received to date
  • Next-of-kin details
Where did we get this information?

We obtain this information from:

  • Other hospitals and service providers (where you are being referred to us from another hospital or service provider)
  • Your referring GP; and/or
  • Your family members/next of kin
Why do we collect this information?

We collect the information in order to provide you with our services, to market our services to you, to improve our website and to recruit staff.


We will use this information:

  • To provide you with healthcare services.
  • To anonymise your data so that we can carry out clinical audits. Patient data is processed by the hospital to improve and advance treatment and care. We conduct clinical audits with the purpose of ensuring best practice and for quality assurance and improvement purposes. If your records and data are to be used for activities such as clinical audit and quality improvement, they will be anonymised, i.e. you cannot be identified from the data.
  • We conduct Retrospective Chart Reviews in accordance with international best practice. Research using patient medical records for this purpose is only conducted by healthcare professionals. Medical records are reviewed but no direct patient contact is required. You will not be asked to give your explicit consent. Your personal information will be protected by being fully anonymised or given a unique code so that your name does not appear alongside the information or in any of the results of the research. Any findings from a study that are published will not identify you. Any such study will be reviewed and approved by a research ethics committee prior to commencement.
  • To undertake health research, with your consent or on the basis of a consent declaration from the Health Research Consent Declaration Committee.
  • The results of quality improvement and clinical work can be published subject to our internal governance procedures.
  • We support the placement of students and trainees who may have access to your medical record. All staff are required to comply with the General Data Protection Regulation and other Saint John of God Hospital policies.
  • To communicate with you as part of our relationship with you or as per our contract with you;
  • To ensure payment of our invoices.
  • To set you up as a supplier on our systems.
  • To liaise with you about projects that we are undertaking with you.
  • To create a candidate profile for you if you are a prospective employee.
  • For our website, to administer and improve our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes, and to keep our site safe and secure. For further information please see our Cookie Policy. To make suggestions and recommendations to you and other users of our website about services that may interest you or them.
  • To deliver information about our services, where you have subscribed or consented to receiving same.
  • To carry out fundraising and marketing activity where you have consented to this.
  • To comply with applicable laws and regulations.
  • We carry out patient satisfaction and experience surveys.


The legal bases for the processing of your data are:


  • The processing is necessary for the performance of a contract which you have entered into with us or to take steps at your request prior to entering into a contract.
  • Where you have provided consent for the processing for one or more specified purposes, such as marketing, for example, when you opt in to receiving this information.
  • The processing is necessary for compliance with a legal obligation to which we are subject.
  • The processing is necessary in order to protect the vital interests of you or of another natural person.
  • The processing is necessary for the purposes of the legitimate interests which we pursue prior to contract (for example, in providing you with information about our services) and post contract (for further details, see the section entitled ‘Who Do We Share This Information With?’) where such interests are not overridden by your interests or fundamental rights or freedoms which require the protection of your information.


The legal bases for the processing of your Special Categories of Personal Data are:


  • The processing is necessary for the provision of health care or treatment and for the purposes of medical diagnosis.
  • In some circumstances, where the processing is necessary for reasons of public interest in the area of public health.
  • The processing is necessary in order to protect your vital interests or that of another person where you are physically or legally incapable of giving consent.
  • If processing is necessary for the establishment, exercise or defence of legal claims or to comply with a legal obligation arising from substantial public interest.
With whom do we share this information?

We may share your personal data with our selected business associates/ suppliers and contractors to provide you with our services (data processors). For example, these business partners may include our web hosting provider, archive/shredding companies and our IT service providers.  A list of sub-processors is available from the DPO.


In addition, we may disclose your personal information to third parties:

  • In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
  • If we or substantially all of our assets are acquired by a third party, in which case information held by us about our customers will be one of the transferred assets.
  • If we are under a duty to disclose or share your information in order to comply with any legal obligation, e.g. to the Mental Health Commission, HIQA, the Revenue Commissioners, or in order to enforce or apply our terms of use and other agreements; or to protect our rights, property, or safety, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
  • As part of a project with other companies in the Saint John of God Hospitaller Services Group.
How long do we keep hold of your information?

The time periods for which we retain your information depend on the type of information and the purposes for which we use it. We will keep your information for no longer than is required or permitted.


We have a Policy and Schedule in relation to the Retention of Records.


For further information on the periods for which your personal data is kept, please see our Data Retention Policy which can be accessed from the DPO:


Pembroke Privacy Ltd.

Address: 3-4 Upper Pembroke Street, Dublin, D02 VN24

Phone: +353 1 639 2958

Do we transfer your information outside of the European Union or European Economic Area?


Do we use automated decision-making and profiling?


What are your rights with respect to your personal data?

You have the following rights:


  • The right to access the personal data we hold about you.
  • The right to require us to rectify any inaccurate personal data about you without undue delay.
  • The right to have us erase any personal data we hold about you in circumstances such as where it is no longer necessary for us to hold the personal data or, in some circumstances, if you have withdrawn your consent to the processing.
  • The right to object to us processing personal data about you such as processing for profiling or direct marketing.
  • The right to ask us to provide your personal data to you in a portable format or, where technically feasible, for us to port that personal data to another provider provided it does not result in a disclosure of personal data relating to other people.
  • The right to request a restriction of the processing of your personal data.

Data Security


Saint John of God Hospital CLG will take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. We use technology such as firewalls and encryption to keep your data safe. We also have policies and procedures for staff and vendors in relation to access control and passwords.


Where our processing of your personal data is based on your consent to that processing, you have the right to withdraw that consent at any time but any processing that we have carried out before you withdrew your consent remains lawful.


You may exercise any of the above rights by contacting the DPO –


Pembroke Privacy Ltd.

Address: 3-4 Upper Pembroke Street, Dublin, D02 VN24

Phone: +353 1 639 2958



You may lodge a complaint with your local supervisory authority with respect to our processing of your personal data. The local Supervisory Authority in Ireland is the Data Protection Commission. The website is






What will happen if we change our privacy notice?

This notice may change from time to time, and any changes will be posted on our site and will be effective when posted. Please review this notice each time you use our site or our services. This notice was last updated on 5th March 2021.

How can you contact us?

Saint John of God Hospital CLG fosters a culture of openness and transparency in relation to privacy matters.  The General Data Protection Regulation (GDPR) lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.  This regulation protects fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.


A data subject should have the right of access to personal data which has been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of and verify the lawfulness of the processing.  This includes the right for data subjects to have access to data concerning their health, for example, the data in their medical records containing information such as diagnoses, examination results and assessments by treating physicians and any treatment or interventions provided.


Requests for access to personal data under GDPR should be made in writing and duly signed.  In preparing your request, you should follow the following guidelines:


  1. State your request is made under GDPR.
  2. Identify the records or information that you require.
  3. Provide full personal contact details.
  4. Provide a copy of one form of identification, i.e. passport, driving licence or utility bill.



Our Data Protection Officer is:


Pembroke Privacy Ltd.

Address: 3-4 Upper Pembroke Street, Dublin, D02 VN24

Phone: +353 1 639 2958



Covid 19 and Data Protection

All measures taken in response to Coronavirus involving the use of personal data, including health data, will be necessary and proportionate. Where Saint John of God Hospital CLG is acting on the guidance or directions of public health authorities, or other relevant authorities, Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 will permit the processing of personal data, including the sharing of limited health data, (e.g. reporting results of Coronavirus testing, personal data in relation to the provision of vaccinations to staff, list of staff vaccinations), once suitable safeguards are implemented. Such safeguards may include limitation on access to the data and strict time limits for erasure.


Employers will also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005 (as amended). This obligation, together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so.