Privacy Notice

The meanings of certain terms used in this Privacy Notice are outlined below. 

• Consent

  Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

• Data concerning health

  Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

• Data controller

  Data controller means the natural (living person) or legal person (such as a company), public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

• Personal data breach

  Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

• Personal information/data

  Personal information/data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• Primary purpose

  Primary purpose means the specific function or activity for which the information is collected. For SPMHS, this is the provision of healthcare. Any use or disclosure of the personal information for another purpose is known as the secondary purpose.

• Processing

  Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

• Processor

  Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

• Special categories of personal data

  Special categories of personal data means processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. 

• Communications

  SPMHS sends communications in relation to but not limited to its services and developments; upcoming events and campaigns; education material; service user engagement opportunities; advocacy updates; press releases and so on, that are not directly related to service users' direct care. These communications are shared by email or post through various mailing lists that an individual has subscribed to.

  Within each communication, SPMHS will always give the subscriber the option to opt out of receiving any further communications.

  Its lawful basis for sending communications to subscribers is based under GDPR Article 6(1)(a) – Consent.

• COVID-19 personal data processing

  SPMHS is currently collecting personal data and special categories of personal data from visitors to the hospital, its service users and staff members in regards to COVID-19 information.

  Demographic information, such as name, address, and contact number, is collected, along with details on COVID-19 in relation to the person. It is collected by means of a questionnaire and destroyed when no longer required.

  This processing is being carried out under lawful basis of GDPR Article 6(1)(c) - Legal obligation, GDPR Article 9(2)(i) - Public interest in the area of public health and GDPR Article 9(2)(h) - Provision and management of health for special categories of personal data. SPMHS has a legal obligation to protect employees under the Safety, Health and Welfare at Work Act 2005.

• COVID-19 vaccine data processing

  SPMHS collects personal data and special categories of personal data (health data) from staff when they provide SPMHS with a copy of their vaccine certificates. SPMHS collects this personal data for the purpose of staff planning in regard to infection control measures. SPMHS has a duty of care to its employees.

  This data processing is necessary for SPMHS to comply with its legal obligation to ensure the health and safety of employees under the Safety, Health and Welfare at Work Act 2005. The information collected will only be shared with strictly minimal, authorised staff members on a need-to-know basis. The information will be securely stored and only held for as long as necessary to ensure the health and safety of employees.

  SPMHS has carried out a data protection impact assessment for this processing. This data processing is being carried out under lawful basis of GDPR Article 6(1)(c) - Legal obligation, GDPR Article 9(2)(i) - Public Interest in the area of public health and GDPR Article 9(2)(h) - Provision and management of health for special categories of personal data.

• Employees

  If you are employed by SPMHS or if you have applied for a position at one of its facilities, SPMHS will collect information about your work history, contact details, referees and any other information that you submit in your job application.

  SPMHS collects similar background information about contractors, vendors, suppliers and health professionals who provide services to SPMHS and about students and volunteers who attend its facilities. All employees are required to obtain Garda Vetting clearance, and information from pre-employment medical screenings is also collected.

  SPMHS collects, uses and discloses personal information about its staff in order to perform its obligations as an employer and as required by Irish employment law. Its lawful basis for processing of employee personal data by its Human Resources (HR) Department and Administration Department is based under GDPR Article 6(1)(b) – Contract and under GDPR Article 9(2)(B) - Employment for the processing of sensitive data concerning employees (for example, medical certs). The processing of employee personal data by its Finance Department for the purpose of payroll is done under the legal basis of GDPR Article 6(1)(c) – Legal obligation.

  Garda Vetting processing

  SPMHS keeps Garda Vetting information for the duration of the relationship with the Garda Vetting applicant. It may be kept for longer in line with any statutory requirements if applicable. Where SPMHS is responsible for processing Garda Vetting, the personal data requested in the Garda Invitation Form is provided along with supporting identification documents. The personal data requested in the Garda Vetting form includes the person’s name, date of birth, email address, contact number, role being vetted for, current address, Eircode/postcode, name of organisation (if external).

  The Garda Vetting disclosure document that SPMHS receives from the National Garda Vetting Bureau includes the individual's name, address, date of birth and, where applicable, any records held by the National Garda Vetting Bureau.

  In the case of service providers who process Garda Vetting for their personnel, SPMHS must have an agreement whereby an employee of the contractor is not permitted on its sites without them first confirming receipt of a Garda Vetting ‘nil’ disclosure for the employee. Alternatively, if an employee of the contractor receives a disclosure noting any records held by the National Garda Vetting Bureau, SPMHS must be able to, by way of viewing the disclosure document in question, satisfy itself that the record is not relevant to the position that the person will hold with SPMHS in order to permit them to be onsite.

  The purpose of collecting this personal data is to comply with the National Vetting Bureau (Children and Vulnerable Persons) Acts 2012 to 2016. SPMHS is required by law to seek a Vetting Disclosure from the National Garda Vetting Bureau on any persons undertaking relevant work or activities under the Act, where there is access to or contact with vulnerable persons or children.

  The data will be used to determine if any records are held by the National Garda Vetting Bureau which may be incompatible with the duties and responsibilities an individual is required to undertake for SPMHS.

  All Garda Vetting documentation is securely stored in SPMHS with restricted access only to relevant HR personnel. All applications for Garda Vetting are logged and managed by SPMHS' HR Department.

• Health professionals

  SPMHS collects personal information about contractors, suppliers and health professionals that provide services to SPMHS for the primary purpose of assessing and engaging their services or expertise and for other purposes where legally required. Its lawful basis for this processing is based under GDPR Article 6(1)(b) – Contract.

• Health research purposes

  In most instances, SPMHS will rely on Article 6(1)(f) - Legitimate Interest and Article 9(2)(j) - Scientific Research of the GDPR if and when it uses your information for research.

  All applications for undertaking health research study must be approved by SPMHS' Research Ethics Committee.

  All health research in Ireland is governed by the Health Research Regulations 2018 (HRR) and the amended regulations 2021. The HRR make explicit consent the default position for processing personal data for health research. Authorised personnel meeting criteria set out in the amended HRR 2021 may access service user health records for pre-screening purposes to determine whether an individual (prospective research participant) is suitable or eligible for inclusion in the study and/or for retrospective chart reviews.

• Quality mental healthcare

  Personal and sensitive information of service users is collected by SPMHS for the primary purpose of ensuring that service users receive quality mental health treatment while under SPMHS' care. As a service user, SPMHS collects information regarding your demographics, health history, family history, lifestyle, cultural or ethnic background and test results to assist in providing mental healthcare to you.

  This information is collected by means of:

  • a general practitioner (GP) referral
  • admission to SPMHS' services
  • Dean Clinic electronic referral
  • telephone call to SPMHS' Support and Information Service
  • phone enquiries to our health professionals or staff
  • Prompt Assessment of Needs (PAON) service
  • telephone call to referred service users from SPMHS' Referral and Assessment Service staff members
  • family members, carers and next of kin.

  SPMHS collects information from you for the primary purpose of providing care and treatment to you. When your personal data is used for your care and administrative purposes related to your care, your data is being processed for the purposes of the legitimate interests pursued by SPMHS. SPMHS is obliged to record certain patient information under the Mental Health Act 2001 approved centre regulations. 

  SPMHS will only process special categories of personal data where it is necessary:

  • for the purposes of preventative or occupational medicine
  • for medical diagnosis
  • for the provision of healthcare, treatment or social care
  • for the management of health or social care systems and services
  • pursuant to a contract with a health professional.

  Processing is lawful where it is undertaken by or under the responsibility of:

  • a health practitioner
  • a person who, in the circumstances, owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health practitioner (for example, the outpatient clinic secretary, primary care centre staff, and so on).

  SPMHS' processing of special categories of personal data may also be necessary for reasons of public interest in the area of public health. If the purpose of the processing is for a reason other than the reasons outlined, SPMHS will seek explicit consent to process your sensitive personal data (referred to as "special categories" of personal data under the GDPR).

  Use among health professionals to provide your treatment

  Your treatment will be provided by a multidisciplinary team of health professionals working together. SPMHS staff may also refer you to other health service providers for further treatment following your admission; for example, to local community mental health services. SPMHS may disclose your personal information, with your consent, to the relevant provider to the extent required for any such referral (including disclosing that information electronically).

  Your personal information will only be disclosed to those healthcare workers involved in, or consulted in relation to, your treatment and associated administration and to the extent required to meet that purpose. These health professionals will share your personal information as part of the process of providing your treatment. SPMHS will only do this while maintaining confidentiality of this information and protecting your privacy in accordance with the law.

  Assessment for provision of healthcare services

  SPMHS may collect your personal information for the purpose of assessing your suitability for its mental healthcare services.

  Where personal information is collected, and you do not become a service user of SPMHS, your personal information will be retained in line with its hospital retention policy. Where your assessment has been conducted at the request of your GP, SPMHS will report the outcome of the assessment to that GP, as it may be relevant to any ongoing treatment or care provided to you by them.

  Your local doctor

  SPMHS will usually, with your consent, send a discharge summary to your referring medical practitioner or nominated GP following an admission. This is in accordance with international norms and long-standing medical practice. it is intended to inform your doctor of information that may be relevant to any ongoing care or treatment provided by your GP. This discharge summary may be sent to your referring medical practitioner or GP electronically. If your nominated GP has changed or your GP’s details have changed following a previous admission, you must let SPMHS know.

  Other health service providers

  If, in the future, you are being treated by a medical practitioner or healthcare facility that needs to have access to the health record of your treatment, SPMHS will provide a copy of your record to that medical practitioner or healthcare facility, provided it has your explicit consent. SPMHS may provide information about your health records to another medical practitioner or health facility outside SPMHS without your consent in the event of an emergency, where your life or health is at risk.

  Students and trainees

  St Patrick's University Hospital is a teaching hospital and it supports the placement of students and trainees. These students and trainees may have access to your personal information for the purpose of the placement. Students and trainees on placement at the hospital are required to comply with the GDPR, Data Protection Act 2018 and other relevant legislation.

  Relatives, guardians, close friends or legal representatives

  SPMHS may obtain or provide information about you to your specified individuals and only where you provide your explicit consent to do so.

• Service User IT Support (SUITS)

  SPMHS' SUITS team provides information technology (IT) support to its service users. The SUITS team members will provide IT support to service users who require assistance in registering or logging on to Your Portal. They will also provide IT support to service users who may encounter issues accessing our technology-mediated services.

  The personal data collected by the SUITS team in order to provide this support includes; name, email address, phone number. The service user email address is required for service user access to their portal and video appointments on Microsoft Teams. The phone number is required to contact person in support of their query.

  The lawful basis for this processing is based under GDPR Article 6(1)(f) - Legitimate Interest.

  SUITS team provides information technology (IT) support to our service users. The SUITS team members will provide IT support to service users who require assistance in registering or logging on to Your Portal. They will also provide IT support to service users who may encounter issues accessing our technology-mediated services.

  The personal data collected by the SUITS team in order to provide this support includes; name, email address, phone number. The service user email address is required for service user access to their portal and video appointments on Microsoft Teams. The phone number is required to contact person in support of their query.

  The lawful basis for this processing is based under GDPR Article 6(1)(f) - Legitimate Interest.

• Students, volunteers and job applicants

  SPMHS collects personal information of job applicants, students and volunteers for the primary purpose of assessing their suitability for employment or undertaking work experience or clinical placement or providing other relevant assistance, as the case may be. Other purposes which SPMHS may use personal information about those individuals include to contact them, for insurance purposes, and to satisfy our legal obligations. SPMHS' legal basis for the collection of this data is under GDPR Article 6(1)(b) – Contract. 

• Video management systems

  SPMHS uses video management systems (commonly referred to as CCTV) throughout our organisation for the purpose of maintaining the safety and security of staff, service users, visitors and other attendees. SPMHS' CCTV systems may, but will not always, collect and store personal information. SPMHS will comply with its CCTV policy and the Data Protection Act 2018 in respect of any personal information collected via its CCTV systems. 

• Website

  This section of our Privacy Notice explains how your personal information collected from the WIMS website, walkinmyshoes.ie (collectively "website" hereafter), is handled by WIMS, the flagship campaign of SPMHS.

  Collection

  When you use the WIMS website, WIMS does not attempt to identify you as an individual user and will not collect personal information about you, unless you specifically provide this to WIMS.

  Sometimes, WIMS may collect your personal information if you choose to provide this to WIMS through an online form or by email; for example, if you:

  • sign up to its School Portal
  • get in touch using details through the Contact page
  • register for an event
  • enter WIMS' awards or competitions, such as Frame of Mind
  • apply to be a member of its Advisory Committee.

  Links to third party websites

  WIMS may create links to third party websites. WIMS is not responsible for the content or privacy practices employed by websites that are linked from its website.

  Use and disclosure

  WIMS will only use personal information collected through its website for the purposes for which you have given WIMS this information. WIMS will not use or disclose your personal information to other organisations or anyone else, unless you have consented to this disclosure or unless the third party is required to fulfil your order (such as event tickets; in such circumstances, the third party is bound by similar data protection requirements).

  WIMS will disclose your personal data if it believes in good faith that it is required to disclose it in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order, or other statutory requirement.

  Data security

  Your personal data is held on secure servers. The nature of the Internet is such that WIMS cannot guarantee or warrant the security of any information you transmit to WIMS over the Internet. No data transmission over the Internet can be guaranteed to be 100% secure. However, WIMS will take all reasonable steps (including appropriate technical and organisational measures) to protect your personal data.

  Cookies

  The WIMS website uses certain cookies. The cookie policy can be accessed here. This cookie policy forms part of the overall Privacy Notice.

The Data Protection Act 2018 and the GDPR provide certain rights for data subjects. A good explanation of them is available on the website of the Office of the Data Protection Commissioner. You are not obliged to provide personal data to SPMHS; however, not doing so may have an impact on the most appropriate services that can be offered to you.

• Right to access information

  Article 15 of the GDPR

  You have a right to have access to the personal information that SPMHS holds about you (for service users, this includes health information contained in your health record).

  Requests are called Data Subject Access Requests.

  SPMHS will provide you with a copy of your information within one calendar month of receiving the request, unless the request is complex or SPMHS has received a number of requests from you. That period of providing a copy of personal information may be extended by two further months where necessary, taking into account the complexity and number of the requests. SPMHS will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

  When SPMHS receives requests for health-related data, it is obliged to consult with the appropriate health practitioner (normally, your treating clinician) to ensure providing the data to you will not result in serious harm to your physical or mental health. 

  Under GDPR and the Data Protection Act 2018, SPMHS is obliged to redact any information consisting of an expression of opinion about the service user by another person that was given in confidence to the hospital or on the understanding that it would be treated as confidential. Additionally, any information contained in a service user’s record, which may adversely affect the rights and freedoms of other individuals, will be redacted and not disclosed when releasing a copy of medical records in response to a Data Subject Access Request.

  There is no fee for making a Data Subject Access Request. However, where the request is manifestly unfounded or excessive, you may be charged a reasonable fee for the administrative costs of complying with the request. A fee may also be charged if you request further copies of your data following a request. The fee will be based on the administrative costs of providing further copies.

  If, for some reason, access is denied, SPMHS will provide an explanation as to why access has been denied. Where SPMHS allows access, the DPO will arrange to give you access to your personal information in the manner you have requested, if it is reasonable or practicable to do so.

  Requests for access and amendment can be made by email, post, or fax.

  View SPMHS' policy for Data Subject Access Requests here.

• Right to be forgotten

  Articles 17 and 19 of the GDPR

  You may ask SPMHS to delete your personal information. However, such requests will be dealt with on a case-by-case basis, as the right of erasure is not an absolute right and restrictions may apply. 

  SPMHS will be unable to fulfill an erasure request if the personal data is required for the treatment of an active service user. SPMHS will also not be able to delete data which is being held in the public interest, such as for protecting against cross-border threats or ensuring high standards of quality and safety of healthcare.

  Please be aware that, in certain circumstances, SPMHS may need to retain some information to ensure your preferences are respected in the completion of its duties. For example, SPMHS cannot erase all information about you where you have also asked it not to send you marketing material. Otherwise, your preference not to receive marketing material would be erased.

• Right to be informed

  Article 13 and 14 of the GDPR

  If you wish to confirm that SPMHS is processing your personal data or to have access to the personal data we may have about you, please contact SPMHS at dpo@stpatsmail.com. 
  
  You may also request, in writing to SPMHS' DPO, information about:

  • the purpose of the processing
  • the categories of personal data concerned
  • who else outside SPMHS might have received data from SPMHS
  • what the source of the information was (if you didn’t provide it directly to SPMHS)
  • and how long it will be stored.

• Right to data portability

  Article 20 of the GDPR

  In limited circumstances, you may be entitled to obtain your personal data from a data controller in a format that makes it easier to reuse your information in another context, and to transmit this data to another data controller of your choosing. This right only applies where processing of personal data (supplied by the data subject) is carried out by automated means, and where you have either consented to processing, or where processing is conducted on the basis of a contract between you and SPMHS.

  Although this is not the case for most healthcare providers, you can request a copy of your medical record in a format that allows you to transmit the data to another healthcare provider or GP. The protocol for transfer of medical records is for the receiving provider or practice to provide a signed patient consent form for the transfer of medical records from the original or sending practice. SPMHS will only send the records via a secure format.

• Right to object

  Article 21 of the GDPR

  You have the right to object to certain types of processing. The right to object only applies in certain circumstances. You have an absolute right to object to processing of your personal data where the processing relates to direct marketing, where such processing must be immediately stopped upon your request.

• Right to object to automated processing, including profiling

  Article 22 of the GDPR

  You shall have the right not to be subject to a decision based solely on automated processing (processing operation that is performed without any human intervention), including profiling, which produces legal effects concerning you or similarly significantly affects you.

  SPMHS does not make any decisions through fully automated decision-making.

• Right to rectification

  Articles 16 and 19 of the GDPR

  You can also request an amendment to (or to rectify) personal information that SPMHS holds about you, should you believe that it contains inaccurate information. The request will be reviewed with the relevant parties.

  SPMHS will make the requested changes unless there is a reason under the GDPR or other relevant law to refuse such access or refuse to make the requested changes.

  If SPMHS does not agree to change your personal information in accordance with your request, SPMHS will permit you to make a statement of the requested changes and SPMHS will enclose this with your personal information.

  Should you wish to obtain access to or request changes to your personal information that SPMHS holds, please contact the DPO at dpo@stpatsmail.com

• Right to restriction

  Article 18 of the GDPR

  You have a limited right to the restriction of processing of your personal data. Where processing of your data is restricted, it can be stored by SPMHS, but most other processing actions will require your permission. You may request that your medical record be locked or archived so that further processing of, or changes to, the record do not occur.

  Any such requests must be in writing, signed by the service user and sent to SPMHS' DPO (dpo@stpatsmail.com) together with identification, as continuing medical care cannot take place while the medical record is locked. These requests will be dealt with on a case-by-case basis.

• Data quality

  SPMHS takes reasonable steps to ensure that the personal information that it collects and holds is accurate, complete and up-to-date. It maintains and updates the personal information it holds as necessary or when you have advised SPMHS that your personal information has changed.

• Data retention and disposal

  When personal information is no longer required, it will be destroyed, deleted or de-identified securely in line with SPMHS' data retention and destruction policy and accepted document disposal schedules. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact the DPO.

• Disclosure

  SPMHS will only use or disclose your personal information for the primary purposes for which it was collected, for directly related secondary purposes which you would reasonably expect (or that SPMHS has told you), or as permitted or required by law.

  If there is any doubt about this expectation, then SPMHS will obtain your consent before using or disclosing your personal information for a secondary purpose.

  Personal data can be used or disclosed for some other purpose only:

  • Where the individual concerned has given explicit consent to the proposed use or disclosure
  • When information is to be communicated to other healthcare professionals involved in the individual’s care
  • For the purposes of medical teaching
  • Where there is a requirement to report to a statutory agency (such as an incident to the Mental Health Commission, a death to the coroner, or an adverse drug reaction to the Irish Medicines Board)
  • Where the healthcare professional reasonably believes the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety
  • When certain communicable diseases are notifiable by statute. Such notifications should preferably be made with the informed consent of the individual. In cases where informed consent is not provided, reporting should be to the relevant authority but should observe the individual’s confidentiality in all other respects
  • When the use or disclosure is required or authorised by law
  • When the information concerns a service user who does not have capacity and is normally a Ward of Court. Once appropriate documentation supporting this has been accepted by the DPO, information can be disclosed to a person responsible for the service user to enable appropriate care or treatment to be provided to the service user once adequate legal documentation supporting this has been accepted.

  Equally:

  • Any disclosure to a third party should be limited to that which is either authorised or required in order to achieve the desired statutory and organisational objective.
  • Personal data can be transferred to an individual or organisation outside the EU only with your explicit consent. SPMHS' DPO will ensure that you fully understand the risks to your data at the time of obtaining your explicit consent to the data transfer.
  • Anonymised information, which cannot be traced back to the service user, is used in SPMHS' clinical audits and is sent to other healthcare agencies, such as the Mental Health Commission, the Health Research Board, Economic and Social Research Institute, Irish Medicines Board, and the Coroner’s Office. This information is provided for regulatory clinical audit and data analysis purposes and is regulated by statute.
  • Clinical records are sometimes shared with SPMHS' legal counsel for obtaining legal advice when reviewing clinical records for release to data subjects in response to a data subject access request. SPMHS' lawful basis for this processing is made under section 47 of the Data Protection Act 2018.

• Procedures and guidelines

  SPMHS is firmly committed to ensuring personal privacy and compliance with the Data Protection Act 2018, including the provision of best practice guidelines and procedures in relation to all aspects of data protection.

• Protecting your data

  SPMHS takes very seriously its obligations to protect the personal information it holds against interference, misuse, loss and unauthorised access. SPMHS implements rigorous organisational and technical measures, including administrative, physical and technical access restrictions to records containing personal information, with only authorised people able to access records on a need-to-know basis. In addition, SPMHS trains its employees about the importance of confidentiality and maintaining the privacy and security of your information.

• Responsibility

  Overall responsibility for ensuring compliance with the GDPR and the Irish Data Protection Act 2018 rests with SPMHS as the data controller. All employees and data processors of SPMHS who separately collect, control or process the content and use of personal data are individually responsible for compliance with the GDPR and Data Protection Act 2018.  

• Sharing and storing your information

  SPMHS records and maintains a record of your care and treatment, which may be held in manual form and/or in electronic format, called an Electronic Health Record (EHR). All information that we collect and process is treated with the strictest confidentiality and only shared with authorised personnel. 

  Watch SPMHS' EHR video here.

• Your Portal

  Your Portal is SPMHS' service user portal, which aims to empower service users by giving them online access to record and share their own health-related information and to contribute to their mental health care and treatment planning. Its purpose is to improve the journey of mental health recovery, both during and after care and treatment.

  Service users register to access the portal and view key information uploaded to the portal by their care team. Your Portal is built to keep information private and very secure. Only the service user, their SPMHS care team, and anyone they choose to invite to it – such as a family member or GP - can access their record.

  Your Portal is hosted by Patients Know Best (PKB), which is one of the leading suppliers of personal health records in the United Kingdom and the Netherlands. PKB holds all data in an accredited data centre in the Netherlands, which protects information behind a secure firewall. Service user information is encrypted whether at rest in the portal or being sent to and from the portal. No service users’ portal information is processed outside of this secure PKB infrastructure.

  SPMHS' lawful basis for processing of personal data on the portal is made under GDPR article 6(1)(f) - Legitimate Interest. GDPR Article 9(2)(h) applies for the provision and management of health data on the portal.