This Data Protection Statement provides information about the ways in which the Mental Health Commission collects, stores and uses personal data relating to individuals (data subjects).
This Data Protection Statement relates to personal data received by the MHC in carrying out its statutory duties.
Who we are
The Mental Health Commission (MHC) is an independent body established under the Mental Health Act 2001. Its functions include promoting, encouraging and fostering high standards and good practice in the delivery of mental health services and putting systems in place to protect the rights of mental health patients who have been detained under the Mental Health Act 2001 and related legislation. This means that the MHC may need to process your personal data while you are in receipt of care and treatment at a mental health service so that it can perform its legal functions.
In December 2015, the MHC’s remit was extended to include the establishment of the Decision Support Service (DSS) under the provisions of the Assisted Decision Making (Capacity) Act 2015. Its core function is to support decision-making by, and for, adults with capacity difficulties. This means the DSS may need to process your personal data in carrying out its legal duties when it becomes fully operational.
Key areas of Data Protection Statement
This Data Protection Statement is designed to cover a number of key areas. These are as follows:
- The MHC and the GDPR
- Data Protection and the MHC
- Law Enforcement Directive (LED)
- Processing of personal data by the MHC
- What personal data does the MHC process?
- How does the MHC collect personal data?
- Legal basis for processing personal data by the MHC
- Who are the recipients of personal data processed by the MHC?
- Publication of information
- How long does the MHC retain personal data?
- Your data protection rights
- Restriction of data subject rights in certain circumstances
- Your right to complain
- Changes to the MHC Data Protection Statement
For the purposes of this Data Protection Statement, the following definitions apply:
Personal data is information from which you (or another person) are identifiable or which relates to you.
Special categories of personal data is personal data which is subject to a higher standard of protection under law due to its sensitivity. This includes personal data which reveals:
- any racial or ethnic origin
- financial status
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data
- data concerning a person’s sex life or sexual orientation
Processing refers to any use of personal data including its collection, disclosure, retention and storage.
The MHC is committed to protecting the rights and privacy of individuals in accordance with national data protection legislation and European Union (EU) Directives and regulations. These include, but are not limited to, the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
The MHC and the GDPR
The GDPR was introduced on 25 May 2018 and affects all countries within the EU. It sets out a series of laws concerning how data can be processed and used by organisations within member states. According to Article 5 of the GDPR, the key principles relating to the processing of personal data are
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- storage limitation
- integrity and confidentiality and
The GDPR is designed to strengthen and standardise data protection laws for all EU citizens. It increases the obligations and responsibilities for the MHC in how it collects, uses and protects personal data. Central to the GDPR are transparency, fairness and accountability. This means that the MHC is required to be fully transparent in how it uses and protects personal data. It also means that it must show accountability for its data processing activities.
The GDPR applies to any organisation that collects and stores personal data (a Data Controller) and also any other organisation working on the instructions of the Data Controller (a Data Processor). The MHC is a Data Controller for all personal data collected for the purpose of its activities. The MHC decides the minimum amount of personal data it needs to collect from you to allow it to operate its services. Its data processes are then documented and issued to relevant staff. In short, MHC staff, contractors, agents and other third parties are all bound by the rules in the GDPR.
The MHC routinely processes personal data. On occasion, special categories of personal data may also be processed. The MHC takes appropriate measures to protect the confidentiality of your personal data. Service providers that support MHC functions are also required to protect the confidentiality of your personal data and may not use it for any purpose other than providing services to the MHC.
You can contact the MHC in a number of ways. These are as follows:
Mental Health Commission, Waterloo Exchange, Waterloo House, Dublin 4, DO4E5W7
Data Protection and the MHC
The GDPR affects data protection in all EU member states. The Data Protection Act 2018 gives further effect to the GDPR in Irish law. Collectively, the GDPR and 2018 Act places enhanced accountability and transparency obligations on all organisations using your information. As importantly, it gives you greater control over your personal information.
Data Protection Officer (DPO)
The MHC has a Data Protection Officer. Should you have questions about how the MHC uses your information or you are concerned about any issue related to your personal data, you can contact the DPO in any of the following ways:
Data protection Officer, Mental Health Commission, Waterloo Exchange, Waterloo House, Dublin 4, DO4E5W7
Law Enforcement Directive (LED)
The Law Enforcement Directive (EU 2016/680) is a piece of EU legislation, parallel to the GDPR, which also took effect from May 2018. The Law Enforcement Directive (LED) deals with the processing of personal data by Data Controllers where the processing is for ‘law enforcement purposes’ which fall outside the scope of the GDPR.
As a Directive, the LED was transposed into Irish law. Part 5 of the Data Protection Act 2018 sets out the LED in the Irish context. The MHC is a ‘competent authority’ under this statute.
Processing of personal data by the MHC
The MHC processes personal data for a number of different purposes which arise from its statutory powers, functions and duties. These are outlined in the Mental Health Act 2001 (as amended) and its data protection responsibilities are outlined under the GDPR and the Data Protection Act 2018.
Based on its legislative purpose, it carries out the following functions:
- Handling issues of concern from individuals in relation to mental health services generally
- Inspecting approved centres for the provision of mental health services to ensure they meet the required standards of care for their residents
- Handling issues of concern from individuals concerning his/her care, treatment or other issue relating to an approved centre
- Arranging mental health tribunals for those involuntarily detained in approved centres
- Taking enforcement action, where necessary (for example, administrative and legal sanctions)
- Promoting awareness amongst members of the public of their rights in the context of mental health services
In carrying out these functions, the MHC may collect personal data. This may occur in the following areas:
Inquiries and investigations including personal data received from data subjects directly and personal data received from an approved centre which is the subject of an inquiry and/or investigation (this may also include personal data received by the MHC in its role as a ‘competent authority’ under Part 5 of the 2018 Act (‘Processing of Personal Data for Law Enforcement Purposes’)
- Queries and concerns including personal data received from individuals who have raised queries or concerns with the MHC
- Service providers and suppliers including personal data obtained from service providers or suppliers engaged by the MHC
- Job applications, including personal data received from persons applying for roles within the MHC
- Conferences and events including personal data relating to attendees at conferences and events organised by the MHC
- Training sessions including personal data relating to attendees at events organised by the MHC
- Complaints handling including personal data received from a data subject directly (or through his/her legal representatives) where the data subject makes a complaint to the MHC
What personal data does the MHC process?
The MHC processes personal data. This includes personal data received by the MHC where data subjects contact, or request information from, the MHC directly and personal data received by the MHC indirectly. This is under the conditions set out above. Personal data the MHC processes may include the following:
- Basic personal information (for example, a data subject’s forename/s and surname, date of birth, approved centre where s/he received treatment or was detained)
- Contact information (for example, a data subject’s postal address, email address and phone number/s)
- Any other personal data that is provided to the MHC during the course of the performance of its statutory functions
Special categories of personal data
The MHC processes ‘special categories of personal data’. This includes special category data received by the MHC where data subject’s contact, and request information from, the MHC directly in addition to special category data received by the MHC indirectly. According to Article 9 of the GDPR, such special category data may include personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation.
Data relating to criminal convictions and offences
In the course of performing its statutory functions, the MHC may occasionally process personal data relating to criminal convictions and offences. This includes personal data where data subjects contact, or request information from, the MHC directly and personal data relating to criminal convictions and offences received by the MHC indirectly.
How does the MHC collect personal data?
Phone calls to the MHC
The MHC does not audio record phone conversations.
All emails sent to the MHC are recorded, forwarded to the relevant section of the MHC and are stored for the purposes of the matter to which the email relates. The sender’s email address will remain visible to all staff dealing with the matter.
Please note: It is the sender’s responsibility to ensure that the content of his/her emails does not infringe the law. Unsolicited unlawful material, together with the details of the sender, may be reported to An Garda Síochána and/or other relevant authorities and further emails from such recipients may be blocked.
Post received by the MHC may be scanned and stored for the purpose of the matter to which the post item relates. Original hard copy versions of post items are retained for a period set out in the MHC’s Data Retention Policy and are then confidentially destroyed thereafter.
The MHC receives personal data through its interactions on social media platforms (for example, Twitter and LinkedIn). The MHC operates accounts on these platforms to promote awareness of its role in the overseeing of mental health services in Ireland and protecting the rights of service users. Messages and/or posts received by the MHC are viewed by MHC staff but personal data contained therein are not logged or stored other than on the relevant social media platform. No further processing of such personal data is carried out by the MHC.
Legal basis for processing personal data by the MHC
The legal basis for the processing of personal data by the MHC will depend on the legislative framework that applies and the purpose for which the processing is being carried out.
Article 6 of the GDPR sets out six legal bases on which personal data may be processed. Where the MHC is processing personal data for the purpose of performing its statutory functions, the primary legal bases under the GDPR are as follows:
- where the processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6.1 (c))
- where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller (Article 6.1 (e)).
Legal Enforcement Directive (LED)
The Law Enforcement Directive (LED) deals with the processing of personal data for ‘law enforcement purposes’ by data controllers which fall within the definition of being a ‘competent authority’ for the purposes of the LED, as transposed into Irish law by Part 5 of the Data Protection Act 2018. Section 70 of the 2018 Act defines the scope of processing of personal data which falls within that part of the Act. It states that Part 5 of the Act applies to processing of personal data carried out ‘for the purposes of (i) the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security or (ii) the execution of criminal penalties…’
The term ‘competent authority’ is defined in Section 69 of the 2018 Act as being ‘a public authority, competent for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security.’ For certain processing activities which it carries out, the MHC is a ‘competent authority’ for the purposes of Part 5 of the 2018 Act.
In terms of the legal basis for the processing of personal data by the MHC as a ‘competent authority’, Section 71.2 of the 2018 Act provides that the processing of personal data (for the purpose of the LED) shall be lawful where, and to the extent that:
- it is necessary for the performance of a function of a controller for one of the purposes specified in Section 70 (as referred to above); or
- the data subject has, subject to certain requirements set out in Section 71.3, given his or her consent to processing
- Who are the recipients of personal data processed by the MHC?
- Disclosure to third parties
Personal data collected by the MHC is held confidentially. It is not shared by the MHC with any third parties with the following exceptions:
Where the sharing of the personal data is necessary for the performance by the MHC of its functions. This may arise, for example, in the context of mental health tribunals where the MHC will usually disclose the service user’s identity and related information to the panel members. This is required for practicality (because without disclosing this information it would prove difficult for the MHC to review a service user’s case) as well as to ensure the efficient and effective performance of the MHC’s statutory functions.
For the purposes of co-operation with other regulatory authorities. In certain circumstances, the MHC must cooperate with and assist other supervisory authorities in Ireland. In such circumstances, in accordance with the law, the MHC may provide personal data to other authorities such as the Child and Family Agency (Tusla), the Health and Information Quality Authority (HIQA) or any other regulatory body as part of its statutory functions. When this happens, the MHC generally tries to do so on an anonymised basis. If not anonymised, this is in order to protect your rights while you are receiving care and treatment.
Where there is an issue of concern. In certain circumstances, the MHC may request personal data from an approved centre to monitor any issues of concern that may have arisen on inspection. This is to ensure that the service has appropriate systems and procedures in place to address the care needs of its residents. This data may be used to verify the location of residents who have been transferred to another centre to ensure that appropriate care is taken and to monitor safety and compliance concerns.
For the purposes of legal proceedings. Health data or data relating to criminal offences or convictions may be submitted to the MHC in reports prepared by staff and/or independent consultant psychiatrists.
In the event that a matter is brought before the Courts, the materials, including any information, documents or submissions provided by an individual, may be made public in open court.
In the case of service providers or suppliers to the MHC. The MHC uses data processors to provide certain services to the MHC. The MHC requires such processors to abide by certain terms to protect any personal data which is processed by the service provider/supplier during the course of providing the service in accordance with the requirements set out at Article 28.3 of the GDPR
Publication of information
With the exception of Commission and Senior Management names in its annual reports and strategic plans, the MHC does not publish personal data on its website.
How long does the MHC retain personal data?
The retention periods for personal data held by the MHC are based on the requirements of the Data Protection Act 2018, the GDPR and on the purpose for which the personal data is collected and processed (for example, in the case of issues of concern, the MHC may retain personal data for as long as is necessary for the handling of that issue of concern). The retention periods applied by the MHC to personal data which it processes are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action.
Your data protection rights
Under data protection legislation, data subjects have certain rights. Subject to certain restrictions, which are set out below, you can exercise these rights in relation to your personal data that is processed by the MHC. The data subject’s rights are:
- The right to be informed about the processing of your personal data
- The right to access your personal data
- The right to rectification of your personal data
- The right to erasure of your personal data
- The right to data portability
- The right to object to processing of your personal data
- The right to restrict processing of your personal data
- Rights in relation to automated decision making, including profiling
Restriction of data subject rights in certain circumstances
Article 23 of the GDPR allows for data subject rights to be restricted in certain circumstances. In addition, the Data Protection Act 2018 contains certain provisions dealing with the restriction of the rights of data subjects (in particular, Sections 59, 60 and 61) which give further effect to the provisions of Article 23. General guidance in relation to the application of Article 23 and the related provisions of the 2018 Act have been provided by the Data Protection Commission and are available here.
Section 60 of the Data Protection Act 2018 provides for restrictions on the obligations of data controllers and on the rights of data subjects for important objectives of general public interest.
Your right to complain
If you have any concerns in relation to the manner in which the MHC processes your personal data, you may contact the MHC’s Data Protection Officer on email@example.com
Changes to the MHC Data Protection Statement
This Data Protection Statement is kept under regular review and, consequently, is subject to change. If you have any comments and/or queries in relation to this Data Protection Statement, please contact the MHC’s Data Protection Officer on firstname.lastname@example.org
This Data Protection Statement will be revised when the Decision Support Service (DSS) becomes fully functional to illustrate how your personal data is processed by that division.