HSE DSN Privacy Notice

Please read the following important information which concerns the protection of personal information.

The privacy notice will set out the following:

  1. Purpose
  2. The Data Controller
  3. The Data Protection Officer (DPO)
  4. What Personal Data is collected?
  5. What we use your Personal Data for
  6. Legal Basis for Processing
  7. Cookies on the website
  8. How long will we hold onto your Personal Data?
  9. Who will have access to your Personal Data?
  10. International data transfers
  11. Your Rights
  12. Making a complaint

1. Purpose

The Health Service Executive (HSE) is committed to safeguarding the confidentiality and privacy of all personal information which it collects. This policy applies to personal information collected by the HSE during the data subject notification process arising from the cyber-attack on the HSE in May 2021 (the Data Subject Notification Process).

2. The Data Controller

The HSE is the Data Controller for all personal information which is collected and used for the purpose of the Data Subject Notification Process. A Data Controller is the legal entity which determines how and why Personal Data is collected and used. The HSE’s headquarters is located at Dr. Steevens Hospital, Steevens Lane, Dublin 8, Ireland.

3. The Data Protection Officer (DPO)

The HSE has appointed a Data Protection Officer to oversee the HSE’s compliance with its data protection obligations. You can contact the HSE Data Protection Officer (DPO) by email at dpo@hse.ie.


4. What Personal Data is Collected?

Personal Data means any information relating to you which allows the HSE to identify you, such as your name & address, contact phone numbers and email address.

The HSE will collect and use the following Personal Data about you in relation to your use of the Data Subject Notification Portal in connection with the Data Subject Notification Process:

| Description | What it's used for |
| --- | --- |
| First and last name | We collect this information to help us identify you when you log onto the DSN portal during the registration process. It is used for verification purposes and to deal with your queries. |
| Pin | The Pin number provided to you in your notification letter will be used to help us identify you when you log onto the DSN portal during the registration process. |
| Phone number | We collect your mobile phone number to help us identify you and to send relevant service-based SMS notifications to you. |
| Date of Birth | We collect this information to help us identify you. |
| Sex | We collect this information to help us identify you. |
| Address | We collect this information to help us identify you. |
| Email address | We collect your email address via the portal during the portal registration process to help us identify you. |
| IP Address | IP address is recorded only when the user accesses the DSN website. |
| Identity documents of Individuals who are successfully authenticated in ID Pal | We collect this information during the ID Verification process. Users who consent to the ID verification process are requested to upload a photo of government issued ID in the integrated ID verification system (ID-Pal) to help us verify your identity and prevent fraud. |
| Photo - authenticated in ID Pal | As part of provisioning access for individuals on the Data Subject Notification Portal, individuals will have an option to consent for online ID verification. As part of this online ID verification process, HSE via ID-Pal will be storing incoming information which is voluntarily provided. This will involve Biometric data (photo) and Personal Data (ID documents) to verify their identity. |
| Identity documents of Individuals who are successfully authenticated in ID Pal | We collect this information where you choose to verify your identity by sending us a photocopy of your government issued ID. |
| Utility bills (provided by post) | We may collect this information when an individual requests a change of address. Utility bills will be used to verify an individual’s current address. |

We will handle any data you share with the HSE in line with the General Data Protection Regulation (GDPR).


5. What we use your Personal Data for

Any personal data we collect from you on this website will only be used by the HSE for the following purposes:

The HSE has a legal and regulatory obligation to contact the impacted individuals, to share details of the breach, and to facilitate any requests by those individuals regarding their data protection rights.

7. Cookies on the website

Cookies are small files that are created and saved on your phone, tablet, or computer when you visit a website. The term cookies can refer to cookies set in your web browser (e.g., Chrome, Safari, Edge, Firefox or Brave) as well as several similar technologies including tracking pixels/web beacons, local shared objects/flash cookies and access to device information.

The DSN portal makes use of essential cookies only. Essential cookies are necessary for the website to function and cannot be switched off in our systems. They enable functionality such as log in, network management and security. You can set your browser to block or alert you about these cookies, but some parts of the site may not work correctly if you do. These cookies do not store any personally identifiable information.

The following table describes the cookies that are active on DSN portals, and their lifetime.

| S.No | Cookie name | Description | Lifetime | Type |
| --- | --- | --- | --- | --- |
| 1 | __RequestVerificationToken | Used by the antiforgery system. | Session | Essential |
| 2 | .AspNet.ApplicationCookie | Used to identify user sessions. A user session starts when a user browses the portal for the first time and ends when the session is closed. Authentication site settings can be used to change the session expiry time span. | Session | Essential |
| 3 | adxPreviewUnpublishedEntities | Stores preview ON/OFF mode used in classic CMS system for portal administrators. | Session | Essential |
| 4 | adx-notification | Used in basic form actions to store alert message to be shown on redirection. | Session | Essential |
| 5 | ARRAffinity | Added automatically by Azure websites and ensures that requests are load balanced between different sites. Doesn't store any user information. | Session | Essential |
| 6 | ASP.NET_SessionId | Used to maintain the session of a logged in user to avoid repeated sign-in. | Session | Essential |
| 7 | ContextLanguageCode | Stores the default language of the user accessing portal within a session and across webpages. The cookie is deleted after session closes. | Session | Essential |
| 8 | Dynamics365PortalAnalytics | Critical service cookie to analyse service usage anonymously and aggregated for statistical purpose. | 90 days | Essential |
| 9 | isDSTObserved | Stores a value to indicate if the current moment is in daylight saving time. | Session | Essential |
| 10 | isDSTSupport | Indicates whether a specified date and time falls in the range of daylight-saving time. | Session | Essential |
| 11 | timeZoneCode | Stores the timezonecode field value of CRM timezonedefinition table for the current timezone. | Session | Essential |
| 12 | timezoneoffset | Stores the timezone difference between UTC and Local browser time. | Session | Essential |
| 13 | MC1=GUID | These web analytics cookies, provided by Microsoft Inc., are used to collect information about how visitors use the site. The information is used to compile reports and to help Microsoft improve the site. | Session | Essential |
| 14 | MS0 | The cookie enables user tracking by synchronising the ID across many Microsoft domains. Used widely by Microsoft as a unique user ID. There will be no advertisement on this website. | Session | Essential |
| 15 | x-ms-cpim-csrf | Cross-Site Request Forgery token used for CSRF protection. | Session | Essential |
| 16 | x-ms-cpim-sso:testhsedataprotectionb2c.onmicrosoft.com_0 | Used for maintaining the SSO session. | Session | Essential |
| 17 | OpenIdConnect.nonce.zcPrgMPr5aVw1Cl5h4YGXRwn%2Fdrmeq63lNLWwFpOTNY%3D | This is a random, unique string value to associate a user-session with an ID Token and to mitigate replay attacks. | Session | Essential |
| 18 | .AspNet.ExternalCookie | Configures the application to use OWIN middleware based cookie authentication for external identities. | Session | Essential |
| 19 | x-ms-cpim-cache\|sdwl2wfmykymbfofytnf5q_0 | Used to track transactions (number of authentication requests to Azure AD B2C) and the current transaction. Related to MS B2C and are essential and part of the MS B2C core identity provider technology. | Session | Essential |
| 20 | x-ms-cpim-trans | Used for tracking the transactions (number of authentication requests to Azure AD B2C) and the current transaction. Related to MS B2C and are essential and part of the MS B2C core identity provider technology. | Session | Essential |

8. How long will we hold onto your Personal Data?

Cookies and other tracking tools used on the DSN portal and this website are retained for the duration of their “Lifetime” set out in section 7 above.

Personal Data collected and processed for identification and verification checks by automated means via ID-Pal is retained (i) where successful, for the life of the Data Subject Notification Process; or (ii) where unsuccessful, for no longer than 30 days.

All other Personal Data collected by the HSE is retained for the duration of the Data Subject Notification Process and where necessary for the establishment, exercise or defence of any legal claims, proceedings or related complaints concerning your Personal Data based on the relevant limitation periods for taking related legal action. For these purposes, such Personal Data collected and processed as part of the Data Subject Notification Process will be retained for the duration of the Data Subject Notification Process and up to 7.5 years. The HSE will conduct scheduled reviews of its retention periods for this purpose to ensure that your personal data is not kept for longer than is necessary. Personal Data may be retained for a longer period where necessary due to the existence of, or where the HSE becomes aware of likely, related legal proceedings.

When the HSE no longer needs your Personal Data, it will be securely deleted or destroyed.

9. Who will have access to your Personal Data?

HSE staff, agents and suppliers who are directly involved with the management and delivery of the Data Subject Notification Portal will have access to your Personal Data. These suppliers provide services including but not limited to identity verification services, telephony and SMS, website portal and customer relationship management portal.

In certain situations, the HSE may have to disclose your personal information to other agencies where permitted or required by law.

The categories of other organisations that we may share information with include the following:

All HSE staff, agents and suppliers which may have access to Personal Data shall be bound to the HSE via confidentiality agreements and are obliged to keep your Personal Data secure, and to use it only for the purposes specified by the HSE. A full list of suppliers is available upon request via the contact details in section 3 above.

10. International Data Transfers - Will your personal data be transferred outside of the European Economic Area (EEA)?

There are special requirements set out under Chapter V of the GDPR to regulate transfers of Personal Data outside the European Economic Area (“EEA”) and to ensure that adequate security measures are in place to safeguard and maintain the integrity of your transferred Personal Data.

Where we transfer your Personal Data outside the EEA to our suppliers, we will make sure that it is done in compliance with the provisions of data protection laws (including Chapter V of the General Data Protection Regulation (GDPR)) such that Personal Data is protected to the same extent as in the EEA and we will use at least one of the following safeguards:

Some of the suppliers involved with the Data Subject Notification Process who provide SMS communication services as part of the identity and verification process may process your mobile number outside the EEA, in the United States.

The suppliers used for sending SMS communication rely upon EU approved Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) to ensure compliance with applicable data protection laws (including the GDPR) when processing Personal Data on behalf of the HSE.

For further information on international data transfers involving Personal Data in the delivery of the Data Subject Notification Process, please contact us via the contact details in section 3 above.

11. Your Rights

Under certain circumstances, individuals have certain legal rights concerning their personal information and the manner in which we process it. For more information on how the HSE processes personal information and how to exercise data subject rights you can view the main HSE Privacy Notice here: hse-privacynotice-service-users.pdf.

12. Making a complaint

If you are unhappy with the way that the HSE has processed your personal data, please contact the HSE’s Data Protection Officer (DPO). You can contact them by email at dpo@hse.ie.

Find additional DPO contact information.

If we are not able to resolve your complaint, you have the right to lodge a complaint directly with our supervisory authority, the Data Protection Commission.