Privacy policy
Introduction
The purpose of this privacy policy is to explain how the HSE Hepatitis C (‘Hep C’) testing website and test service processes your data, what data is collected, who has access to the data and the purposes for which the data is used. This notice also provides you with information about your data protection rights under data protection law, including the EU General Data Protection Regulation (EU Regulation 679/2016) (the ‘GDPR’).
Your visit to hepctest.hse.ie is collectively referred to as the “Site” and is subject to the terms set out in this privacy policy.
Please read the following carefully, along with the terms and conditions and the cookie notice.
The Data Controllers
The Health Service Executive (HSE) and SH:24 Community Interest Company (SH:24) are the Data Controllers for this website and for the home Hep-C testing program. They have decided the means and purposes for the processing of personal data. The HSE and SH:24 CIC are responsible for your personal data and for compliance with obligations under data protection law.
The Data Processor
The HSE has engaged SH:24 to deliver the free Hep C testing website and service in Ireland. SH:24 respects your privacy and is committed to protecting your personal data.
The Data Protection Officer
You can contact the HSE Data Protection Officer for data protection information in relation to the Hep C testing:
HSE Data Protection Officer
Email: DPO@HSE.ie
Tel: +35316350359
SH:24 Community Interest Company, as the data processor, is based in the UK. SH:24 have appointed a DPO (EU representative) and their contact details are:
The DPO Centre (Europe) Ltd
Alexandra House
3 Ballsbridge Park
Dublin
D04 C7H2
Email: dpo@SH24.org.uk
Telephone: +353 1 631 9460
How the Hep C Home Test service works
The Hep C testing process works as follows.
Hep C home Test website – potential users are directed to our Hep C testing website;
Confirmation – you need to confirm that you are over 18, living in Ireland, accept the terms and conditions and that you are ordering a test kit for yourself;
Risk factors – we will ask you a number of questions around your risk factors. The presence of these risk factors may increase your likelihood of having Hep C;
Registration – you must register on the Hep C website in order to request a test kit. We will ask for your name, contact details, address, mobile telephone number and other necessary information;
Validation – we will send an SMS text message to your mobile telephone number so that we know we have the right person;
Unique ID – once we have verified your identity then we create a unique ID that we use on the test kits and testing process to reduce the use of names. The unique ID will be printed on your test kit as a QR code, and not your name;
Sending the test kit – SH:24 laboratory partners will send the test kit to your address via An Post;
Returning the test kit – the test kit will contain instructions on how to return the test kit to our laboratory in Ireland, again via An Post;
Laboratory tests – our laboratory partner will process your test, saving the results in their system using the unique ID. They won’t have any personal information about you;
Administration of Results – SH:24 systems will retrieve the lab results from the laboratory and store them in their Clinical Record System (CRS). They will link the results to your personal data;
Results – negative results will be returned to users via SMS at predefined time intervals. Reactive (positive) results are communicated via telephone call by a SH:24 clinician and users are asked if they wish to be referred to the HSE Hep Nurses at St Vincent’s Hospital, Dublin;
Follow-up – SH:24 will send follow-up SMS to those who have ordered kits, negative results, reactive (positive) results, inconclusive results and users needing extra help taking the blood sample.
Automated technologies or interactions
As you interact with our Site, we may automatically collect Technical Data about your equipment, browsing actions and patterns.
We collect this personal data by using cookies, and other similar technologies. Please see our cookie policy for further details.
What data is collected and processed?
Personal data, or personal information, means any information about an individual from which that person can be identified, whether directly or indirectly.
It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you when you do so, which we have grouped together as follows:
Risk factors including if you have had a blood transfusion, surgery, or dental surgery, a body piercing or tattoo, had unexplained liver problems or an abnormal liver result, shared equipment to inject or snort drugs, previously been in contact with Hep C, had a Hep C test, been in prison and which country you were born in;
Identity Data includes first name, maiden name, last name, username or similar identifier, title, date of birth (used for defining initial eligibility), country of birth and gender or gender identity and ethnicity (The HSE will use this data to co-ordinate and manage the service provided by the Hepatitis C Treatment Programme);
Contact Data includes delivery address, Eircode, email address and mobile telephone number;
Confirmation of mobile telephone number via verification code;
Any previous risks for Hep C the user may have had;
Unique user ID;
QR code on each test kit containing the Unique user ID;
Health Data includes any information about your physical health including your medical history and/or current health status including but not limited to risk factors for hepatitis, data regarding test results and diagnoses;
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Site;
Usage Data includes information about how you use our Site, products and services;
Feedback Data includes information relating to your use of the Site or services.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose, but only where such data is pseudonymous or anonymous. This includes where the user does not complete the test ordering. Data is considered to be anonymous where you cannot be identified (whether directly or indirectly). For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this policy.
We do not collect, use and / or share any of your personal data for marketing purposes.
Legal basis for data processing
The HSE’s lawful basis for processing personal data relating to the Hep C testing program is as follows:
The processing of data is necessary for a task carried out in the public interest vested in the HSE (Article 6(1)(e) of the GDPR); and
The processing of special categories of personal health data is necessary for purposes of providing a medical diagnosis and/or the provision of health care treatment (Article 9(2)(h) of the GDPR).
The HSE’s official authority is found in the Health Act 2004 (as amended) and this is supported by s52 of the Data Protection Act 2018.
For more information on how we process your personal data and what lawful basis we rely on please see the table below.
Reason: Handling an initial request for a test kit and/or other services provided by SH:24.
Lawful Basis: The processing of data is necessary for a task carried out in the public interest vested in the HSE.
Additional legal basis for special categories of personal data: This is necessary to provide you with a medical diagnosis and/or provision of healthcare treatment.
Reason: Processing information about your medical history.
Lawful Basis: The processing of data is necessary for a task carried out in the public interest vested in the HSE.
Additional legal basis for special categories of personal data: This is necessary to provide you with a medical diagnosis and/or provision of healthcare treatment.
Reason: Providing healthcare (or health assessment) and related services.
Lawful Basis: The processing of data is necessary for a task carried out in the public interest vested in the HSE.
Additional legal basis for special categories of personal data: This is necessary to provide you with a medical diagnosis and/or provision of healthcare treatment.
Reason: Administration and management of healthcare services (such as maintaining records including patient medical records, receiving professional advice, and sharing your information with HSE clinical services (where relevant)).
Lawful Basis: The processing of data is necessary for a task carried out in the public interest vested in the HSE.
Additional legal basis for special categories of personal data: This is necessary to provide you with a medical diagnosis and/or provision of healthcare treatment.
Reason: Users with reactive (positive) or indeterminate tests will be asked for their consent to pass their details to the HSE’s Hep Nursing Unit at St Vincent’s Hospital for further testing.
Lawful Basis: Consent of the user
Additional legal basis for special categories of personal data: This is necessary for the purposes of preventative health and medical diagnosis.
Reason: Communicating with you and resolving any queries or complaints that you might have, including responding to any data subject rights.
Lawful Basis: The processing of data is necessary for a task carried out in the public interest vested in the HSE.
Additional legal basis for special categories of personal data: This is necessary to provide you with a medical diagnosis and/or provision of healthcare treatment.
Reason: Complying with our legal and regulatory requirements including investigating complaints or claims and defending or exercising our legal rights.
Lawful Basis: The use is necessary for compliance with a legal obligation. The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your data protection rights.
Additional legal basis for special categories of personal data: This is necessary to provide you with a medical diagnosis and/or healthcare treatment. The use is necessary in order for us to establish, exercise or defend our legal rights.
Reason: Provision of feedback to help us improve our services e.g. website analytics, test analytics and feedback provided by users.
Lawful Basis: The processing of data is necessary for a task carried out in the public interest vested in the HSE.
Additional legal basis for special categories of personal data: n/a
Keeping your data secure
We know that data security is important to you and it is therefore important to us.
We have put in place appropriate security measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage of your personal data.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.
They will only process your personal data on our instructions in accordance with this policy and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
The Hep C testing process uses SMS (text messaging) a lot. We think it’s the best and most private way to keep you up to date with the progress of your order with us, whether it’s for Hep C testing or support and advice.
Most phone handsets provide a preview of incoming SMS on receipt - be aware that this may make your interaction with the Hep C testing site visible to people around you.
However, it is possible to adjust your phone’s settings to prevent SMS previewing – very easy to change on most handsets. Learn more by visiting:
You may also wish to periodically delete your SMS history with us, just in case you lose your handset.
Disclosing your personal data
We will share your personal data with the parties below in order to provide services to you:
Internally within the HSE
Use of the Hep C testing site – the HSE receives only aggregated reports about how many people have used the Hep C site. The aggregation is done by location.
Users who have a reactive (positive) or indeterminate test for Hep C – you will be contacted by telephone by one of the SH:24 clinicians and asked for your consent to refer you to the HSE’s Hepatitis C Nursing Service, St. Vincent’s University Hospital. If the user consents, the SH:24 clinician will contact the nurse at St. Vincent’s passing on the user's contact details, which will include the following:
Name and surname
Date of birth
Address
Contact number (preferably a mobile)
Test results
External data processors (third parties)
SH:24 (UK) – website provider, test kit provision and testing co-ordinator
SH:24 sub-processors:
An Post (Ireland) – who deliver the test kits
Enfer Medical (Ireland) – who dispatch the test kits and provide laboratory pathology services
The Doctor’s Laboratory (UK) – laboratory pathology services
Amazon Web Services (UK) – hosting of SH:24 systems
Twilio (UK) – user verification using SMS text messaging
Voodoo SMS (Commify UK Limited) (UK) – user verification using SMS text messaging
Databricks (USA) – (anonymous) data management
SH:24 and their third parties respect the security of your personal data and treat it in accordance with the law.
We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We transfer personal data from the European Union to the UK, which the EU has recognised as adequate for the purposes of the EU’s implementation of the GDPR.
Cookies
Consider whether you want a digital log of your visit to hepctest.hse.ie to be recorded in your browser.
If you don’t want a record to be kept, you can choose to delete your browser history afterwards or view our pages in incognito mode / private browsing, which won’t store your browser history, cookies, or search history after you’ve closed your browser. However, you are not invisible.
Using incognito mode / private browsing does not hide your browser history from your internet service provider, HSE, SH:24 or your employer (if you are using a company device).
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies.
If you disable or refuse cookies, please note that some parts of this Site may become inaccessible or not function properly.
For more information about the cookies we use, please see cookies.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How long will we keep your data?
We will only retain information for as long as necessary. Records are maintained in line with the recommendations of the HSE retention policy, which can be found at https://www.hse.ie/eng/services/yourhealthservice/info/dp/recordretpolicy.pdf
Your data protection rights
You have certain legal rights concerning your information and the manner in which we process it. These include:
a right to get access to your personal information;
a right to request us to correct inaccurate information, or update incomplete information;
a right to request that we restrict the processing of your information in certain circumstances;
a right to request the deletion of personal information, excluding medical records;
a right to receive the personal information you provided to us in a portable format;
a right to object to us processing your personal information in certain circumstances; and
a right to lodge a complaint with the Data Protection Commission.
You can access your health records by making a subject access request (SAR) and forms are available for this on the HSE’s Data Requests page.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights).
This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
The right to lodge a complaint with a supervisory authority for Republic of Ireland data subjects
If you have concerns about our data protection practices, you can contact the Data Protection Commission (‘DPC’) at:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Tel: 01 765 0100 or 1800 437 737
Email via the DPC website:
Contact details
Contact details for the HSE’s Data Protection Staff are available here.
Further information
Further information about the Hep C testing program can be found on the HSE website here.
Changes to this privacy policy
This policy may change from time to time.
Date 31st March 2023