Data Subject Access Requests
You can exercise any of these rights by sending a Data Subject Request by contacting [email protected]. We will acknowledge Data Subject Requests within 1 month from receipt of your valid Request. You will not normally have to pay a fee.
A ‘privacy notice’ lets you know what happens to any personal data that you may give us or that we may collect from you or about you (as a client, family member, carer, or visitor). This notice is issued by Centric Mental Health and covers the information we hold about our patients, their families, and other individuals who may use our services.
+ Who are we and what do we do?
Centric Mental Health is an Irish-owned company founded by Stuart McGoldrick. In August 2021 Centric Mental Health became a Centric company.
Our goal is to provide every client with the appropriate mental health support. We work to help clients identify and overcome their difficulties in a straightforward, individualised, and professional way. At Centric Mental Health we understand the importance of your personal or workplace mental health needs. As the leading provider of private mental health services, our nationwide network of psychologists and psychotherapists are experienced and skilled professionals in their fields. We work with the best to offer you the same.
Centric Mental Health is the noted Data Controller.
+ Why have we issued this Privacy notice?
We are committed to being open about the information we collect about you, how we use this information, with whom we share it, and how we store and secure it. We recognise the importance of protecting personal and confidential information in all that we do and take care to meet our legal and other duties, including compliance with relevant laws, regulations, and guidance
Under the General Data Protection Regulation (GDPR) Centric Mental Health has a legal duty to ensure your data, supplied as part of the client process within Centric Mental Health, is kept secure and safe.
Personal data will be obtained in a lawful, fair, and transparent manner for a specified purpose and will not be disclosed to any third party, except in a manner compatible with that purpose.
“Personal data” means data relating to a living individual who is or can be identified either from the data or the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller (“Centric Mental Health”)
All medical information is seen as “sensitive personal information” and we will endeavour to ensure your information is treated with the utmost respect and confidentiality.
In this privacy statement, we explain what we do with the data we obtain about you. We recommend you carefully read this statement. We recognise the importance of protecting personal and confidential information in all that we do and take care to meet our legal and other duties, including compliance with relevant laws, regulations, and guidance.
That means, among other things, that:
- We clearly state the purposes for which we process personal data. We do this using this privacy statement.
- We aim to limit our collection of personal data to only the personal data required for legitimate purposes.
- We first request your explicit consent to process your data in cases requiring your consent.
- We take appropriate security measures to protect your data and also require this from parties that process personal data on our behalf.
- We respect your right to access your personal data or have it corrected or deleted
+ Who controls the use of your personal data?
Centric Mental Health, whose registered address is Centric Mental Health, Level 7, RSA House, Sandyford Rd, Dundrum, Dublin 16. If you have any queries about the processing of your personal data, contact us as follows: by post, by email Email: [email protected], or by phone at 01 6111719
+Managing your Information
- So that we may provide a variety of Therapeutic Services with our Clinicians utilising a wide range of approaches Centric Mental Health will need to collect and keep information about you and your health on our records.
- We will only ask for and keep the necessary information. We will attempt to keep it as accurate and up-to-date as possible. We will explain the need for any information we ask for.
- Please inform us about any relevant changes that we should know about, such as change of address, phone numbers, family circumstances, or any new treatments or investigations being carried out that we are not aware of.
- All persons working in Centric Mental Health and any additional services (not already covered by a professional confidentiality code) sign a confidentiality agreement that explicitly makes clear their duties regarding personal health information and the consequences of breaching that duty.
- Access to client records is regulated to ensure that they are used only to the extent necessary to enable the clinician and or administration team to perform their tasks for the proper functioning of Centric Mental Health.
- Accepting bookings for scheduled in-person consultation, telephone or video consultation.
- Issuing text messages or e-mails as reminders for appointments.
- Ensuring all clinical notes have been updated and saved on a secured Software System named SilverCloud.
- Take into consideration Freedom of Information and Data Protection principles.
- Be clear about the purpose of the disclosure.
- Action any Subject Access Requests within appropriate timeframes.
- Be satisfied that we are disclosing the minimum information to the minimum amount of people necessary.
- Be satisfied that the intended recipient is aware the information is confidential and that they have their duty of confidentiality.
What personal data is collected?
To provide our services to you we need to process certain personal data about you, which includes:
- Biographical data – We collect the following biographical data: name, assumed names, address, phone number, email address, gender, family relationships (e.g. spouse, children), and date of birth.
- Interactions with us – If you interact with us, we will record details of those interactions (e.g. phone calls and logs of phone calls, email correspondence, and hard copy correspondence). If you make a complaint, we will process details about that complaint.
- Payment data – If you pay by direct debit or receive payments through electronic funds transfers, we will collect the IBAN, BIC, and the name of your bank/building society or your credit card details where relevant.
- Online services – When you interact with us online (by computer, tablet, or smartphone), you will often provide personal data to us, which you will be aware of when using the services or for which you give consent. We also automatically collect data about your use of our services, such as the type of device you are using its IP address, and how you interact with the services. Further details are available in the cookies policy that accompanies the relevant service.
Categories of Personal Data
Category of data
Purpose of Processing
Lawful of processing
name, address, contact details (phone, mobile, e
mail), dates of appointment
Individual Health identifiers,
date of birth, sexual orientation, gender, family members, family history, contact details of next of kin, and contact details of carers.
Necessary to support the administration of client care in clinical settings
Necessary to support the administration of client care in clinical settings
|Article 6.1(d): Processing is necessary to protect the vital interests of the data subject or of another natural person;
Article 6.1(e): Processing is necessary for the performance of a task
carried out in the public interest or in the exercise of official authority vested in the controller.
Special Categories are processed under the derogations in Articles 9.2(h) and 9.2(i).
record of billable services provided, client
name, address, contact details, billing and payment records, and debit or credit card details.
Required for providing a service and billing.
Article 6.1(c): Processing is necessary for compliance
with a legal obligation to which the controller is subject
Article 6.1(b) in relation to getting paid for providing a service private client
+ Recipients with whom we share personal data
|Categories of Recipient||Description|
|Health and Social Care
|other psychiatrists, psychologists, psychotherapists, or employee assistance programs if a second opinion is required; this can include but is not limited to GP practices, other hospitals, and other hospital departments who are involved in providing you with your care and community services.|
|Data Processors with a
|Secure Digital software [SilverCloud] referrals [Healthlink], payments [Stripe ] Clinical Management System [ Meddbase]
|Legal Arrangements||Where a formal court order has been issued
Section 7(1)(a) of the Ombudsman Act 1980 provides the Ombudsman with powers to acquire information or documents for a preliminary examination or investigation by him or her under the Act.
Ombudsman for Children: Section 14 of the Ombudsman for Children Act 2002 provides the Ombudsman for Children with the power to acquire information
|Third Parties – This will only be actioned under explicit client consent
|Solicitors, Insurance Companies, Health Insurance Companies, Banks
How we use and process your data
Centric Mental Health needs to process clinical information about our clients to ensure that all clinical staff has complete information to ensure you get the best treatment while under our care.
Each client will have a unique Medical Record and all your details are kept within your unique medical record.
We process your personal data to provide you with our services and to assist us in the operation of our business. Under data protection law we are required to ensure that there is an appropriate basis for the processing of your personal data, and we are required to let you know what that basis is.
There are various options under data protection law, but the primary bases that we use are (a) processing necessary for the performance of our contracts with you, (b) processing necessary for us to pursue our legitimate interests, (c) processing where we have your and/or your dependents’ consent, (d) processing that is required under applicable law (e ) Vital Interest.
In certain circumstances, we are required by law to report information to the appropriate authorities. This information is often provided after the authority has been given by a qualified health professional. For example:
- Where a formal court order has been issued
- Section 7(1)(a) of the Ombudsman Act 1980 provides the Ombudsman with powers to acquire information or documents for a preliminary examination or investigation by him or her under the Act.
- Ombudsman for Children: Section 14 of the Ombudsman for Children Act 2002 provides the Ombudsman for Children with the power to acquire information
The Data Protection Commissioner may, for the investigation of a complaint under the Data Protection Acts, require the Centric Mental Health to provide any documentation as is considered necessary information or documents for a preliminary examination or investigation.
+Transfers outside of the European Economic Area (EEA)
For this service Centric Mental Health processes all of your data within the EEA.
If we transfer your personal data outside of the EEA, please rest assured that we will ensure that appropriate measures are in place to protect your personal data and comply with our obligations under applicable data protection law.
+ Your Rights
Under GDPR, you have rights regarding the use of your personal details and Centric Mental Health as controller of that data has a responsibility in how we handle this information.
Centric Mental Health has a responsibility in how we handle this information.
You have the right to data protection when your details are:
- held on a computer.
- held on paper or another manual form as part of a filing system; and
- images of your data, e.g. CCTV
+What is the aim of these rights?
With Data protection rights we help you to make sure that the information stored with us about you is:
- Accurate and up-to-date.
- Only available to those who should have it.
- Only used for stated purposes.
- Stored securely
What should you expect?
- Expect fair treatment from Centric Mental Health and our staff in the way we obtain keep, use, and share your information.
- You have the right to be fully informed about why we are collecting your information and how we are using it.
- You have the right to object to Centric Mental Health using your details for a particular purpose.
- You have the right to ensure inaccurate information about you is corrected when it is safe to do so.
- Request to see a copy of all information kept about you unless exceptional circumstances apply
- Complain to the Data Protection Commissioner if your data protection rights are infringing.
Centric Mental Health must do?
Centric Mental Health will comply with the Principles of GDPR
- To obtain information lawfully, fairly, and transparently.
- Collect only data necessary for a specific purpose(s) and only use this data for set purpose
- Ensure the information is accurate and up to date. We will need your help with this, so please inform us if you have changed any contact or next of kin details.
- Data is stored as long as necessary to provide excellent care
- We will endeavour to keep your data safe and secure.
+ Right to obtain a copy of your information
Under GDPR, you have a right to obtain a copy of any information relating to you kept on a computer or in a structured manual filing system or intended for such a system by any entity or organisation.
A request for access, release, or copy of personal data can only be made by our client or parent / legal guardian in the case of a minor. Any third party (registered next-of-kin or solicitors authorised by our client, Patient Legal Guardian, or Power of Attorney) must be: sent in writing to: Centric Mental Health, Level 7, RSA House, Sandyford Rd, Dundrum, Dublin 16 or email: [email protected].
Please include the following information in your request:
- Name of psychologists and psychotherapists you attended
- Include your legal name, & date of birth
- Be accompanied by an appropriate identification example: Current Irish Driver’s License, Valid Passport, and Proof of address, for example, a current utility bill. This is only for the purpose of client verification.
It is important to note that Centric Mental Health abides by the data minimisation principle, therefore if you only need information for a specific date and or incident, please advise us accordingly.
Centric Mental Health does not issue medical–legal reports.
Once you have made your request, you must be given the information within 30 calendar days and free of charge. A charge will only apply if the request is deemed to be excessive or repetitive in nature. If there are to be any delays or questions will contact, you and keep you up to date.
You are also invited to download the Subject Access Request form.
Can access be refused?
Access can be refused to some or all of our client’s personal health information, only if providing access is likely to cause serious harm to the physical or mental health of the requester or if providing access would disclose the personal data of another person without their consent or would disclose a confidential expression of opinion about the requester.
The recommended method of delivery of the request is by
- Registered post via An Post service.
- Emailed using an agreed password and confirming receipt.
- Faxed following confirmation of fax number and confirmation of receipt.
For security reasons, the clinic you attend may have CCTV cameras at the different access points in and outside the building to prevent intruders or individuals who could damage property.
As a client of Centric Mental Health member of the public or staff, your image will be captured on such CCTV cameras, however, images will only be disclosed where necessary to investigate a break-in or other unauthorised access to the particular clinic
Retention of personal data
Centric Mental Health will retain your personal data in accordance with our respective retention policy. This policy operates on the principle that we keep personal data for no longer than is necessary for the purpose for which we collected it. It is also kept by any legal requirements that are imposed on us. This means that the retention period for your personal data will vary depending on the type of personal data. For further information about the criteria that we apply to determine retention periods please see below:
- Statutory and regulatory obligations – As we work in a highly regulated industry, we have certain statutory and regulatory obligations to retain personal data for set periods.
- Managing legal claims – When we assess how long we keep personal data we take into account whether that data may be required to defend any legal claims which may be made. If such data is required, we may keep it until the statute of limitations runs out about the type of claim that can be made.
- Business requirements – As we only collect personal data for defined purposes, we assess how long we need to keep personal data to meet our reasonable business purposes.
Consent for Minors
Where we are required to gather the personal information of a minor (defined as a person aged under 18 years of age*), we will require the attendance and consent of a parent or guardian, and will only acquire and store such data with their permission, as well as the awareness of the minor themselves.
* In the medical area, the Non-Fatal Offences Against the Person Act, 1997 (Section 23) provides that a minor who has reached the age of 16 can give consent to medical treatment and/or processing of their medical data.
Where the parents of the minor are not in a position to provide such consent, the support of a recognized body will act ‘in loco parents – for example, the family GP, school principal, social worker, or Gardai will be consulted to ensure that any such processing of personal data is being done in the vital interests of the minor. The minor will be made aware of the processing activity and its purposes as much as possible.
Parent/Guardian attendance – This policy applies to both clinic and video appointments
Age under 12 parents or guardians will attend the first session.
Age 13 – 18 parents need to accompany the young person to the clinic/online session and in some instances, a clinician will suggest a parent or guardian attend the opening and close of the session while respecting the child’s confidentiality.
Aged under 16 parents or guardians need to be on-site in the clinic or the same location if online while not attending the sessions.
Aged 16 – 18 and over parents and guardians need to be close by the clinic or in the same location if online and available if needed.
+Data protection Officer
If you have any questions about your data protection, you may contact Centric Mental Health’s Data Protection Officer:
Email: [email protected] Phone: 01 299 3500
Letter: Centric Mental Health –Data Protection Officer, Centric Health, Floor 7, RSA House, Dundrum Town Centre, Sandyford Road, Dundrum, Dublin 16, D16 FC92