Keeping your personal data private is important to the Mater Hospital, St Vincent’s University Hospital and University College Dublin. It is also the law: the General Data Protection Regulation 2018 or ‘GDPR’. The Mater Hospital, St Vincent’s University Hospital and University College Dublin will follow GDPR when using and storing your data. The Mater Hospital, St Vincent’s University Hospital and University College Dublin has a number of security measures in place to protect your personal data. The personal data collected about you will be held by the Mater Hospital, St Vincent’s University Hospital and University College Dublin and its authorized representatives. These organisations are responsible for processing your personal data and will follow the applicable data protection laws.

Your personal data will be processed on the basis of your consent. Some of your data will have been originally collected as part of your routine medical care and some data will be collected as part of the research study. We will get most of the personal data directly from you but we will also get some personal data from your: 

  • hospital medical charts/notes for example: your name, date of birth, gender, medical record number, height, weight, blood pressure
  • laboratory reports, for example, blood test results
  • x-ray test results
  • activity device
  • study provided home monitoring devices
  • GP, during the course of the study

Personal data is any information which can identify you (such as your name, address, hospital number). The research team will use a study number (a unique number which is used instead of your name) to make sure your data is kept private. Data which has this study number is called coded data. Your name or other identifying details will not appear on any publications or reports from the study.  To take part in this study, you must agree to share your personal data, and give your consent for this data to be used and stored (this is called data processing).

All records identifying you will be kept private and, to the extent permitted by the applicable laws and/or regulations, will not be made publicly available or shared without your express written consent. Data will be entered into a password protected database, on a secure hospital server. 

Only hospital and research staff who are working on this study will have access to the database. Data from this study will be processed in line with the investigator’s requirements and requirements of the regulatory authorities (local and foreign). 

Direct access to your study records will be provided to the National Research Ethics Committee (NREC), sponsor appointed study monitors or auditors and to government drug regulatory authorities, such as the Health Products Regulatory Authority, for the purposes of verifying the authenticity of the information collected for the study without violating your confidentiality, to the extent permitted by applicable laws and regulations.

We may, as part of the study, share your personal data will our collaborators listed at www.ucd.ie/medicine/cephr/collaborators.

These collaborators will either be acting as Processors of your information as part of this research study e.g., clinical research organisations (CROs), non-Mater Hospital or St Vincent’s Hospital employees supporting the research process or Controllers in their own right.

Service Providers: We will check any third party that we use to make sure that they can provide sufficient guarantees regarding the confidentiality and security of your personal data. We will have written contracts with them which provide assurances regarding the protections that they will give to your personal data and their compliance with our data security standards and international transfer restrictions. 

Disclosures to Third Parties: In certain circumstances, we share and/or are obliged to share your personal data with third parties outside Mater Hospital, or St Vincent’s Hospital for the purposes described above and in accordance with Data Protection Legislation. 

These third parties include but are not limited to:

  • the Health Products Regulatory Authority;
  • the Health Service Executive; 
  • the Joint Commission International;
  • relevant industry bodies;
  • external professional advisors; and
  • Others, where it is permitted by law, or where we have your consent.

Your personal information may be transferred, stored and processed in one or more countries outside the European Economic Area (“EEA”), for example with collaborators or when one of our service providers use employees or equipment based outside the EEA. For transfers of your personal data to third parties outside of the EEA, we take additional steps in line with Data Protection Legislation. We have put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights, e.g. we establish an adequate level of data protection through EU Standard Contractual Clauses based on the EU commission’s model clauses. 

If you would like to see a copy of any relevant provisions, please contact your data protection officer.

We will keep your personal data for 15 years after the study ends. This may mean that some information is held for longer than other information.

Under GDPR, you have rights. However, in certain circumstances, these rights may be restricted. 

These rights may include:

  1. The right to check what type of personal data we hold about you and get a copy of it.
  2. The right to as to not give your consent for your data to be processed. We will stop using your personal data unless we can show we have a legitimate reason for continuing to use your personal data. 
  3. The right to change your personal data if you feel it is not correct or complete
  4. The right to ask your data to be taken out or erased from the study
  5. The right to give your consent for your personal data to be processed in some ways but not in others if you feel it is not accurate or not lawful
  6. The right to take away a copy of your data and to have it sent to another data controller

A Data Controller is the person or organization who is in charge of deciding how and why your personal data will used. The Data Controllers for this study are:

  • Mater Misericordiae University Hospital, Eccles Street, Dublin 7, Company Registration number: 351402
  • St Vincent’s University Hospital, Elm Park, Dublin 4, Company Registration Number: 338585
  • University College Dublin, Belfield, Dublin 4, Company Registration number: 239961
  • Professor Patrick Mallon, Employee of Saint Vincent’s University Hospital, Elm Park, Dublin 4 and University College Dublin, Belfield, Dublin 4.

During the course of the study, you, your doctor or a member of the research team may decide that you should no longer take part in the study. Participants are free to withdraw from the study at any time. If you leave the study you can decide whether to allow your personal data to continue to be processed as part of the overall study objectives or whether to withdraw consent for your data to be processed.  A member of the research team will discuss this with you.