Information for the public on data handling in the HSE Health Protection Surveillance Centre (HPSC)

Why is information collected about your illness?
Under the Infectious Diseases Regulations 1981, and subsequent amendments, the Health Protection Surveillance Centre is authorised by law to collect information from doctors and laboratories, via Medical Officers of Health (MoH), about diagnoses of certain infectious diseases in Ireland. These diseases are referred to as notifiable diseases. The law exists to monitor and control the occurrence of infectious diseases, and to help prevent further illness. The most recent amendment to the Regulations is the Infectious Diseases (Amendment) Regulations 2023 (S.I. No. 245 of 2023) - this contains the up to date list of notifiable diseases.

The main aim is to protect the health and safety of the community.

How does HPSC collect your health information?
To be effective, the collection of surveillance data must be standardised on a national basis. All medical practitioners, including clinical directors of diagnostic laboratories, are required to notify the Medical Officer of Health of notifiable diseases. The MoHs are located in the eight Departments of Public Health throughout the country. Laboratory notifications are made electronically through the Computerised Infectious Disease Reporting System (CIDR). Notifications from clinicians are entered into CIDR in the Departments of Public Health. The MoHs provide information to HPSC on the infectious diseases notified to them. Access to the information in CIDR is controlled so that personally identifiable information is visible only to those with a need to manage the individual case. All CIDR information is protected by appropriate security and confidentiality mechanisms and complies with Data Protection legislation. Where information, including personally identifiable information, on notifiable diseases is held in non-CIDR systems in HPSC, it is also protected by appropriate security and confidentiality mechanisms and complies with Data Protection legislation.

Why does HPSC collect your health information?
The health information collected by HPSC is used in a number of ways to:

  • evaluate the effectiveness of control and preventive health measures
  • detect outbreaks
  • monitor changes in infectious diseases
  • educate health professionals
  • support health planning and the allocation of appropriate resources within the healthcare system
  • identify high risk populations or areas to target interventions, such as vaccination
  • provide a valuable archive of disease activity for future reference
  • research and audit

What happens to your health information?
HPSC is committed to protecting the privacy of your information. Only authorised staff can access the information. The information is analysed regularly to produce reports which are published on the HPSC website. However, personally identifying information is NEVER included in those reports.

What about confidentiality?
In general, access to personal information (such as name and address) is not provided by the MOH/DPH to HPSC. However, in some circumstances where public health action is needed for international contact tracing or if HPSC doctors are leading a national or international outbreak investigation or have been assigned national responsibility (e.g. surveillance of influenza in critical care, or for monitoring the impact of a particular disease), HPSC doctors and relevant staff may be provided with identifying information. Access to such records is restricted to the fewest number of individuals possible in the context of the processing and analysis required. When public health action requires the transfer of personally identifiable information abroad, it is protected by appropriate security and confidentiality mechanisms. All staff working in HPSC treat your information with the strictest confidence and have signed legally enforceable confidentiality agreements.

HPSC is also certified to the Information Security standard ISO 27001: 2013. The purpose of maintaining this certification is to have appropriate controls and processes in place to ensure secure handling, storage and processing of personally identifiable information and confidential data. 

Who can access your data
It may only be accessed by:

  • Nominated HPSC public health experts are responsible for managing infectious disease surveillance data at national level. Patient level data will only be shared with authorised personnel in the interests of public health, subject to strict controls to ensure that data sharing is appropriate, that privacy is protected, and in line with data protection guidelines and regulations. These data will be minimised and anonymised/pseudonymised prior to sharing.
  • Data may be shared with external stakeholders for research purposes in anonymised format and in some special cases in pseudonymised format, with clearly defined terms and conditions, and appropriate Research Ethics Committee approval, data security, retention and publication guidelines

Can you access your information?
HPSC supports the right of an individual to see what personal information is held about them by HPSC. HPSC adheres to the following HSE policies which deal with how you can request access to your personal health information:

Where can you find further information?

Secure data handling at HPSC - Epi Insight, Volume 17, Issue 10, October 2016

Health Protection Surveillance Centre – https://www.hpsc.ie/NotifiableDiseases/

List of Notifiable Diseases - https://www.hpsc.ie/NotifiableDiseases/ListofNotifiableDiseases/

Computerised Infectious Disease Reporting System (CIDR) - https://www.hpsc.ie/CIDR/

Freedom of Information - http://foi.gov.ie/

Office of the Data Protection Commissioner - http://dataprotection.ie

Last updated: 7 June 2023