St Patrick’s Mental Health Services Privacy Notice

St Patrick’s Mental Health Services (SPMHS) is an independent, not-for-profit organisation that provides quality mental health care, promotes mental health awareness, and protects the rights and integrity of those suffering from mental illness. SPMHS is regulated by the Mental Health Commission.

All personal data in possession of SPMHS is processed in accordance with the obligations of the European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Irish Data Protection Act 2018 which gives further effect to the GDPR in Ireland. SPMHS also processes personal data in accordance with the 2011 “e-Privacy Regulations” (S.I. No. 336 of 2011 – the European Communities (Electronic Communications Networks And Services) (Privacy And Electronic Communications) Regulations 2011).

We understand that you are aware of and care about your own personal privacy interests, and we take that very seriously. This Privacy Notice describes SPMHS policies and practices regarding its collection and use of your personal data and sets forth your privacy rights. We recognise that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.

  • Data Protection Officer

    St. Patrick’s Mental Health Services has appointed an internal Data Protection Officer for you to contact if you have any questions or concerns about our SPMHS personal data protection policies or practices. The SPMHS data protection officer’s name and contact information are: John Woods, St Patrick’s Mental Health Services, James' Street, Dublin 8. Phone: +353 1 2493216. Email:

  • Purpose of Privacy Notice

    This privacy notice is a statement of St Patrick’s Mental Health Services’ commitment to protect the rights and privacy of individuals in accordance with the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018, and other relevant legislation.

  • How SPMHS Collect and Use (Process) Your Personal Information

    1. Provision of Quality Mental Health Care to our Service Users

    Personal and sensitive information of our service users is collected by us for the primary purpose of ensuring that service users receive quality mental health treatment whilst under our care. As a service user, we collect information regarding your demographics, health history, family history, lifestyle, cultural or ethnic background and test results to assist in providing mental health care to you.

    This information is collected by means of a GP Referral, on admission to our services, Dean Clinic Electronic Referral, telephone call to our Support & Information Service, phone enquiries to SPMHS Health Professionals or Staff and Prompt Assessment of Mental Health Needs Service telephone call to referred service users from SPMHS referral and assessment staff members.

    Our legal basis for processing of special categories of data (sensitive data) is under GDPR Article 9(2)(h) – Provision & Management of Health and under GDPR Article 6(1)(c) – Legal Obligation for general processing (non-sensitive e.g. demographic information).

    2. Employees

    If you are employed by St Patrick’s Mental Health Services or if you have applied for a position at one of our facilities, we will collect information about your work history, contact details, referees and any other information that you submit in your job application. We collect similar background information about contractors, vendors, suppliers and health professionals who provide services to St. Patrick’s Mental Health Services and about students and volunteers that attend our facilities. All employees of SPMHS are required to obtain Garda Vetting clearance, and information from pre-employment medical screenings is also collected.

    St Patrick’s Mental Health Services collects, uses and discloses personal information about its staff in order to perform its obligations as an employer and as required by Irish employment law. Our legal basis for processing of employee personal data by our Human Resources department is under GDPR Article 6(1)(b) – Contract and under GDPR Article 9(2)(b) – Employment for the processing of sensitive data concerning employees. The processing of employee personal data by our finance department for the purpose of payroll is done under the legal basis of GDPR Article 6(1)(c) – Legal Obligation.

    3. Students, Volunteers and Job Applicants

    We also collect personal information of job applicants, students and volunteers for the primary purpose of assessing their suitability for employment or undertaking work experience or clinical placement or providing other relevant assistance, as the case may be. Other purposes for which we may use personal information about those individuals include contacting them, insurance purposes and satisfying our legal obligations. Our legal basis for the collection of this data is under GDPR Article 6(1)(b) – Contract.

    4. Health Professionals, Contractors and Suppliers

    St Patrick’s Mental Health Services collects personal information about contractors, suppliers and health professionals that provide services to St. Patrick’s Mental Health Services for the primary purpose of assessing and engaging their services or expertise and for other purposes where legally required. Our legal basis for processing is under GDPR Article 6(1)(b) – Contract.

    5. St Patrick’s Mental Health Services Website

    When you visit our website, we do not attempt to identify you and we do not store your personal information. We will only collect and store your personal information if you choose to provide this to us via an online form or by email, for example through our general enquiry or contacts page. Please refer to our website privacy policy for more detailed information.

    6. Communications

    We will send information about our services to our service users, if we believe it to be of interest to them, but we will only do so with the service user's explicit consent. The service user is provided with a choice of communication medium (Email, Post, SMS). Our legal basis for sending communications to our service users is under GDPR Article 6(1)(a) – Consent. You as a service user have the right to withdraw consent at any time, which will not affect the lawfulness of processing based on consent before its withdrawal. We publish our Ezine to schools and GPs. Our legal basis for this means of communication is under GDPR Article 6(1)(f) – Legitimate Interest and we provide an option to unsubscribe on each Ezine we publish.


  • Disclosure

    St Patrick’s Mental Health Services will only use or disclose your personal information for the primary purposes for which it was collected or for directly related secondary purposes which you would reasonably expect (or that we have told you) or as permitted or required by law. If there is any doubt about this expectation, then we will obtain your consent before using or disclosing your personal information for a secondary purpose.
    Personal data can be used or disclosed for some other purpose only where:
    • The individual concerned has given explicit consent to the proposed use or disclosure.
    • When information is to be communicated to other health care professionals involved in your care.
    • For the purposes of medical teaching. 
    • When there is a requirement to report to a statutory agency (e.g. an incident to the Mental Health Commission, a death to the Coroner, an adverse drug reaction to the Irish Medicines Board).
    • The healthcare professional reasonably believes the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety.
    • Certain communicable diseases are notifiable by statute. Such notifications should preferably be made with the informed consent of the service user. In cases where informed consent is not provided, reporting should be to the relevant authority but should observe the service user’s confidentiality in all other respects.
    • The use or disclosure is required or authorised by law.
    • The information concerns a service user who does not have capacity and is normally a Ward of Court. Once appropriate documentation supporting this has been accepted by the DPO, information can be disclosed to a person responsible for the service user to enable appropriate care or treatment to be provided to the service user once adequate legal documentation supporting this has been accepted.
    • Any disclosure to a third party should be limited to that which is either authorised or required in order to achieve the desired statutory and organisational objective.
    • Personal data can be transferred to an individual or organisation outside the European Union only with your explicit consent. The SPMHS Data Protection Officer will ensure that you fully understand the risks to your data at the time of obtaining your explicit consent to data transfer.
    • Anonymised information, which cannot be traced back to the service user, is used in clinical audits within St Patrick’s Mental Health Services and is sent to other health care agencies such as the Mental Health Commission, the Health Research Board (HRB), Economic and Social Research Institute (ESRI), Irish Medicines Board, and the Coroner’s Office. This information is provided for regulatory, clinical audit and data analysis purposes and is regulated by statute including the Data Protection Acts.
    • Clinical records are sometimes shared with our legal counsel for obtaining legal advice when reviewing clinical records for release to data subjects in response to a data subject access request. Our lawful basis for this processing is made under section 47 of the Data Protection Act 2018. 

  • Responsibility

    Overall responsibility for ensuring compliance with the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018 rests with St Patrick’s Mental Health Services as the Data Controller. All employees and data processors of St Patrick’s Mental Health Services who separately collect, control or process the content and use of personal data are individually responsible for compliance with the GDPR and Data Protection Act 2018.  

  • Procedures and Guidelines

    St Patrick’s Mental Health Services is firmly committed to ensuring personal privacy and compliance with the Data Protection Act 2018, including the provision of best practice guidelines and procedures in relation to all aspects of Data Protection.

  • How does SPMHS share and store your information?

    St. Patrick’s Mental Health Services records and maintains a record of your care and treatment, which may be held in manual form and/or in electronic format called an Electronic Health Record (EHR). All information collected and processed by St. Patrick’s Mental Health Services is treated with the strictest confidentiality and only shared with authorised personnel. Click here to view our EHR video and here to access our EHR booklet with answers to FAQs.

  • Data Subject Rights

    The Data Protection Act 2018 and the GDPR provide certain rights for data subjects. A good explanation of them is available on the website of the Office of the Data Protection Commissioner. You are not obliged to provide personal data to SPMHS; however, not doing so may have an impact on the most appropriate services that can be offered to you.

    If you wish to confirm that SPMHS is processing your personal data, or to have access to the personal data SPMHS may have about you, please contact us at View our policy for data subject access requests, which also contains details on your data subject rights.

    You may also request in writing to our data protection officer information about: the purpose of the processing; the categories of personal data concerned; who else outside SPMHS might have received the data from SPMHS; what the source of the information was (if you didn’t provide it directly to SPMHS); and how long it will be stored. You have a right to correct (rectify) the record of your personal data maintained by SPMHS if it is inaccurate. Requests for access and amendment can be made by email, post or fax.

    You may request that SPMHS erase that data or cease processing it, subject to certain exceptions. You may also request that SPMHS cease using your data for direct marketing purposes. When technically feasible, SPMHS will—at your request—provide your personal data to you or transmit it directly to another controller.
    Reasonable access to your personal data will be provided at no cost to SPMHS service users, employees and others upon written request made to SPMHS. If access cannot be provided within a reasonable time frame, SPMHS will provide you with an explanation and date when the information will be provided. If for some reason access is denied, SPMHS will provide an explanation as to why access has been denied. Where we allow access, the data protection officer will arrange to give you access to your personal information in the manner you have requested, if it is reasonable or practicable to do so.

  • Data Quality

    St Patrick’s Mental Health Services takes reasonable steps to ensure that the personal information that we collect and hold is accurate, complete and up-to-date. We maintain and update the personal information we hold as necessary or when you have advised us that your personal information has changed.

  • Protecting Your Data

    We take very seriously our obligations to protect the personal information we hold against interference, misuse, loss and unauthorised access. St. Patrick’s Mental Health Services implements rigorous organisational and technical measures including administrative, physical and technical access restrictions to records containing personal information, with only authorised people able to access records on a need to know basis. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information.

  • Data Retention & Disposal

    When personal information is no longer required, it will be destroyed, deleted or de-identified securely in line with our data retention and destruction policy and accepted document disposal schedules. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact the SPMHS data protection officer.

  • Queries, Concerns, Complaints

    If you have any queries or concerns about your privacy or wish to make a complaint regarding an impingement on your privacy, please contact our Data Protection Officer. Your complaint should be in writing and you should provide sufficient details together with any supporting material regarding your complaint.
    On receipt of your complaint, the data protection officer will take steps to investigate the issue and will notify you of the outcome. We will endeavor to respond to your complaint within a reasonable period. If you are not satisfied with our response, you can contact us to discuss your concerns further or make a complaint to the Office of the Data Protection Commissioner see

  • Privacy Notice Review

    The SPMHS Privacy Notice will be reviewed regularly in light of any legislative or other relevant developments. We reserve the right to change this Privacy Notice from time to time at our sole discretion. If we make any changes, we will post those changes here and update the “Last Updated” date at the bottom of this Privacy Statement. 

    We encourage you to regularly review this Privacy Notice to make sure you are aware of any changes and how your information may be used.

    Last Updated

    This Privacy Notice was last amended 2nd July 2019.


