Please read the following important information which concerns the protection of personal information.
The Health Service Executive (HSE) is committed to safeguarding the confidentiality and privacy of all personal information which it collects. This policy applies to personal information collected by the HSE during the data subject notification process arising from the cyber-attack on the HSE in May 2021 (the Data Subject Notification Process).
The HSE is the Data Controller for all personal information which is collected and used for the purpose of the Data Subject Notification Process. A Data Controller is the legal entity which determines how and why Personal Data is collected and used. The HSE’s headquarters is located at Dr. Steevens Hospital, Steevens Lane, Dublin 8, Ireland.
The HSE has appointed a Data Protection Officer to oversee the HSE’s compliance with its data protection obligations. You can contact the HSE Data Protection Officer (DPO) by email at firstname.lastname@example.org.
Personal Data means any information relating to you which allows the HSE to identify you, such as your name & address, contact phone numbers and email address.
The HSE will collect and use the following Personal Data about you in relation to your use of the Data Subject Notification Portal in connection with the Data Subject Notification Process:
|Description||What its used for|
|First and last Name||We collect this information to help us identify
you when you log onto the DSN portal during the registration process.
It is used for verification purposes and deal with your queries
|Pin||The Pin number provided to you in your notification letter will be used to help us identify you when you log onto the DSN portal during the registration process.|
|Phone number||We collect your mobile phone number to help us identify you and to send relevant service-based SMS notifications to you.|
|Date of Birth||We collect this information to help us identify you.|
|Sex||We collect this information to help us identify you.|
|Address||We collect this information to help us identify you.|
|Email address||We collect your email address via the portal during the portal registration process to help us identify you.|
|IP Address||IP address is recorded only when the user accesses the DSN website.|
|Identity documents of Individuals
who are successfully authenticated
in ID Pal
|We collect this information during the ID Verification process. Users who consent to the ID verification process are requested to upload a photo of government issued ID in the integrated ID verification system (ID-Pal) to help us verify your identity and prevent fraud|
|Photo - authenticated in ID Pal||As part of provisioning access for individuals on the Data Subject Notification Portal, individuals will have an option to consent for online ID verification. As part of this online ID verification process, HSE via ID-Pal will be storing incoming information which is voluntarily provided. This will involve Biometric data (photo) and Personal Data (ID documents) to verify their identity|
|Identity documents of Individuals
who are successfully authenticated
in ID Pal
|We collect this information where you choose to verify your identity by sending us a photocopy of your government issued ID.|
|Utility bills (provided by post)||We may collect this information when an individual requests a change of address. Utility bills will be used to verify an individual’s current address.|
We will handle any data you share with the HSE in line with the General Data Protection Regulation (GDPR).
It is the legal and regulatory obligation for the HSE to contact the impacted individuals and share details of the breach and further facilitate any requests by the individuals regarding their data protection rights.
The HSE’s lawful basis for processing personal data of service users is as follows:
|1.||__RequestVerificationToken||Used by the antiforgery system.||Session||Essential|
|2.||.AspNet.ApplicationCookie||Used to identify user sessions. A user session starts when a user browses the portal for the first time. And ends when the session is closed. Authentication site settings can be used to change the session expiry time span.||Session||Essential|
|3.||adxPreviewUnpublishedEntities||Stores preview ON/OFF mode used in classic CMS system for portal administrators.||Session||Essential|
|4.||adx-notification||Used in basic form actions to store alert message to be shown on redirection.||Session||Essential|
|5.||ARRAffinity||Added automatically by Azure websites and ensures that requests are load balanced between different sites. Doesn't store any of user information.||Session||Essential|
|6.||ASP.NET_SessionId||Used to maintain the session of a logged in user to avoid repeated sign-in.||Session||Essential|
|7.||ContextLanguageCode||Stores the default language of the user accessing portal within a session and across webpages. The cookie is deleted after session closes.||Session||Essential|
|8.||Dynamics365PortalAnalytics||Critical service cookie to analyse service usage anonymously and aggregated for statistical purpose.||90 days||Essential|
|9.||isDSTObserved||Stores a value to indicate if the current moment is in daylight saving time.||Session||Essential|
|10.||isDSTSupport||Indicates whether a specified date and time falls in the range of daylight-saving time.||Session||Essential|
|11.||timeZoneCode||Stores the timezonecode field value of CRM timezonedefinition table for the current timezone.||Session||Essential|
|12.||timezoneoffset||Stores the timezone difference between UTC and Local browser time.||Session||Essential|
|13.||MC1=GUID||These web analytics cookies, provided by Microsoft Inc., are used to collect information about how visitors use the site. The information is used to compile reports and to help Microsoft improve the site.||Session||Essential|
|14.||MS0||The cookie enables user tracking by synchronising the ID across many Microsoft domains. Used widely by Microsoft as a unique user ID. The cookie enables user tracking by synchronising the ID across many Microsoft domains. There will be no advertisement on this website.||Session||Essential|
|15.||x-ms-cpim-csrf||Cross-Site Request Forgery token used for CRSF protection.||Session||Essential|
|16.||x-ms-cpim-sso:testhsedataprotectionb2c.onmicrosoft.com_0||Used for maintaining the SSO session.||Session||Essential|
|17.||OpenIdConnect.nonce.zcPrgMPr5aVw1Cl5h4YGXRwn%2Fdrmeq63lNLWwFpOTNY%3D||This is a random, unique string value to associate a user-session with an ID Token and to mitigate replay attacks.||Session||Essential|
|18.||.AspNet.ExternalCookie||Configures the application to use OWIN middleware based cookie authentication for external identities.||Session||Essential|
|19.||x-ms-cpim-cache|sdwl2wfmykymbfofytnf5q_0||Used to track transactions (number of authentication requests to Azure AD B2C) and the current transaction. Related to MS B2C and are essential and part of the MS B2C core identity provider technology.||Session||Essential|
|20.||x-ms-cpim-trans||Used for tracking the transactions (number of authentication requests to Azure AD B2C) and the current transaction. Related to MS B2C and are essential and part of the MS B2C core identity provider technology.||Session||Essential|
Cookies and other tracking tools used on the DSN portal and this website are retained for the duration of their “Lifetime” set out in section 7 above.
Personal Data collected and processed for identification and verification checks by automated means via ID-Pal is retained (i) where successful, for the life of the Data Subject Notification Process; or (ii) where unsuccessful, for no longer than 30 days.
All other Personal Data collected by the HSE is retained for the duration of the Data Subject Notification Process and where necessary for the establishment, exercise or defence of any legal claims, proceedings or related complaints concerning your Personal Data based on the relevant limitation periods for taking related legal action. For these purposes, such Personal Data collected and processed as part of the Data Subject Notification Process will be retained for the duration of the Data Subject Notification Process and up to 7.5 years. The HSE will conduct scheduled reviews of its retention periods for this purpose to ensure that your personal data is not kept for longer than is necessary. Personal Data may be retained for a longer period where necessary due to the existence of, or where the HSE becomes aware of likely, related legal proceedings.
When the HSE no longer needs your Personal Data, it will be securely deleted or destroyed.
HSE staff, agents and suppliers who are directly involved with the management and delivery of the Data Subject Notification Portal. These suppliers provide services including but not limited to identity verification services, telephony and SMS website portal and customer relationship management portal.
In certain situations, the HSE may have to disclose your personal information to other agencies where permitted or required by law.
All HSE staff, agents and suppliers which may have access to Personal Data shall be bound to the HSE via confidentiality agreements and are obliged to keep your Personal Data secure, and to use it only for the purposes specified by the HSE. A full list of suppliers is available upon request via the contact details in section 3 above.
There are special requirements set out under Chapter V of the GDPR to regulate transfers of Personal Data outside the European Economic Area (“EEA”) and to ensure that adequate security measures are in place to safeguard and maintain the integrity of your transferred Personal Data.
Where we transfer your Personal Data outside the EEA to our suppliers, we will make sure that it is done in compliance with the provisions of data protection laws (including Chapter V of the General Data Protection Regulation (GDPR)) such that Personal Data is protected to the same extent as in the EEA and we will use at least one of the following safeguards:
Some of the suppliers involved with the Data Subject Notification Process who provide SMS communication services as part of the identity and verification process may process your mobile number outside the EEA to the United States.
The suppliers used for sending SMS communication relies upon EU approved Binding Corporate Rules (BCRs) and SCCs to ensure compliance with applicable data protection laws (including the GDPR) when processing Personal Data on behalf of the HSE.
For further information on international data transfers involving Personal Data in the delivery of the Data Subject Notification Process, please contact us via the contact details in section 3 above.
Under certain circumstances, individuals have certain legal rights concerning their personal information and the manner in which we process it. For more information on how the HSE processes personal information and how to exercise data subject rights you can view the main HSE Privacy Notice here: hse-privacynotice-service-users.pdf.
If you are unhappy with the way that the HSE has processed your personal data, please contact the HSE’s Data Protection Officer (DPO). You can contact them by email at email@example.com.
Find additional DPO contact information.
If we are not able to resolve your complaint, you have the right to lodge a complaint directly with our supervisory authority, the Data Protection Commission.