Your privacy and data security are very important to us.
The HSE own and manage the HSE Health App. We aim to be clear and transparent about the information that we collect about you and how we use it.
On this page you will find information about:
- the personal data we collect and what we use it for
- how long we hold onto your personal data
- who has access to your personal data
- your rights to your data
- how to make a complaint
- the role of the data controller and the data protection officer (DPO)
Using the app is your choice
It's your choice if you want to download, use, keep or delete the app. You do not have to use it.
How to securely use the app
You can use the HSE Health App if you:
- use health and social care services in Ireland
- have an iOS or Android device
To access your personal information on the app you will need:
- a device that has the minimum level of security required of the app
- a verified MyGovID account
- an individual health identifier (IHI) that is on the National Register of IHIs
Once you are authenticated, you must be logged into the app to view your personal health information.
Types of personal data we use
Your personal data is 'processed' when anything is done with it. For example, when it is collected or reviewed.
We process data about your:
- demographics - this is so we can correctly identify you and match you to your health records
- appointments - so we can communicate with you about them
- medicines - this is so we can show you any medicines that are claimed for under the drug payment or medical card scheme and so you can add other medicines you are taking
- vaccination records
- medical card, EHIC and other health cards - this is so you have a digital copy of your card. You'll still also get a physical one
- location - this is so we can use maps to provide you with directions to health services
- use of the app - this is to improve the app and all data collected is anonymous
You must give permission for your location data to be used. We do not use location data for tracking, profiling or any other purpose.
How we process your personal data
We collect your personal data from multiple sources. These include both HSE services and other healthcare services. We then store your personal data online. We do this in compliance with the GDPR and other relevant laws.
When you download the app and you log in with a verified MyGovID account, we put your health and personal information in the app for only you to see. We will not process your personal data until you are successfully logged in.
You can use the app without logging in. But you will only be able to view general health information similar to the HSE website. We will not process your personal health data in the app if you are not successfully logged in.
You will not see all your health data straight away. This may come in the future, as we develop the app.
The only appointment and vaccination information currently available will be about:
- maternity appointments
- COVID-19 and flu vaccinations
Other appointment and vaccination data will be added in future releases.
Why we use your personal data
We use your data:
- so that the HSE Health App works correctly
- to give you access to your health data through the app
- to communicate with you through the app
Communicating with you
We use the app to communicate with you about:
- health-related information - this includes appointments, medicines and vaccinations
- functional information in the app - this includes confirmation you have successfully logged in or that your records have been added
- general health campaigns
- public health emergencies
If you do not log in to the app, you can still access general information taken from our website.
Who can access your personal data
Only people who directly work on the app and who are authorised will have access to personal data in the app.
This includes:
- HSE staff who manage the operations and security of the app
- agents - such as customer care agents who provide customer support to users
- suppliers - such as Microsoft and Salesforce whose technology we use
Access to your personal data depends on the role a person has. This is monitored to make sure that there is no unauthorised access.
Anyone who has access to personal data is bound by confidentiality and data protection agreements. They must keep your personal data secure and use it only for the purposes agreed with us.
How long we store your data
You can stop using the app at any time. If you delete the app, all of your personal data in the app will be deleted from your phone.
We will still hold your personal and health information for other HSE services in line with the HSE retention policy.
Making a complaint
If you are not happy with how we are processing your personal data, contact our Data Protection Officer (DPO). The DPO ensures that we are compliant with data protection.
You can also make a complaint directly to the Data Protection Commission.
If there's a problem with your personal data
Use the option 'report an issue' to contact us through the app if your information in the app is wrong or inaccurate.
You can also phone HSE Live on 1800 700 700.
Data controllers
A data controller is an organisation or person that decides what data is processed. They also decide how and why this needs to be done. They are legally responsible for that data.
Data controllers involved in the app are:
- HSE
- Department of Social Protection
- non-HSE hospitals
HSE
We are the data controller for all personal data collected and used by the app.
Department of Social Protection
The Department of Social Protection are the data controllers for MyGovID. We use MyGovID to prove your identity and you do this on the MyGovID website. The app does not share your personal data with the Department.
Non-HSE hospitals
Hospitals that are not run by the HSE are data controllers for data from their hospital management systems (IPMS). There are data sharing agreements in place with these hospitals.
The non-HSE hospitals are:
- National Maternity Hospital
- Holles Street
- Coombe Women’s Hospital
- Rotunda Hospital
Data processors
Data processors are appointed by data controllers. A data processor is an organisation or person that processes data.
Data processors have contracts and agreements with us to process personal data in the app. They cannot process or transfer personal data in the app outside the European Economic Area (EEA).
Data processors include:
- Amazon - offers compute, storage and networking and hosts app components
- Microsoft - cloud provider hosting the app repository and all associated tools
- Waystone - security testing team who ensure the app is secure
- Mandiant - security testing team
- DEPT - provide development and support
- Nearform - support for delivery and the backend tools
- Deloitte - support with customer management
- Salesforce - used to provide a customer management system
Some of these data processors use sub-processors. Sub-processors cannot process or transfer personal data outside the EEA.
Sub-processors include:
- PiwikPro - used by DEPT to gather anonymous analytics
- DataDog - used by Nearform to gather anonymous strictly necessary analytics
- Edgescan - used by Waystone as part of security testing
Your rights under GDPR
Under the GDPR, you have the right to:
- request a copy of the personal data we hold about you and to check that we are lawfully processing it
- have any incomplete or inaccurate information we hold about you corrected
- object to the processing of your personal data
- ask us to delete or remove personal data where there is no good reason for us to process it or where you have made an objection
- object to us making any automated decisions about you based on your personal data or profiling of you
- request to restrict or suspend the processing of your personal data
- request the transfer of your personal data in an electronic and structured way to you or someone else
How to exercise your rights
You can exercise your rights in a number of ways. These include:
Requesting information from the HSE
Analytics data we process
We collect data about how you use the app. This is strictly necessary data. We do it so that we can check the security and essential operations of the app. The tools are set automatically.
We also use optional analytics. This is to help us understand more about how you use the app and to plan for future updates. You can opt in or out of these analytics in the app settings.
We use Software Development Kits (SDKs) and cookies to collect this data. Cookies are small text files stored on your device when you use the HSE Health App. The SDKs and cookies on the HSE Health App are available here.
Strictly necessary SDKs we use
The strictly necessary SDKs we need to put on your device for the HSE Health App to work are:
@credo-ts/askar
This is to store verifiable credentials that usually contain personal data. They are stored on your device and are encrypted. This data is stored on your device.
@datadog/mobile-react-native
This is for error handling and reporting. No personal data is processed. This data is accessed remotely by DataDog.
@datadog/mobile-react-navigation
This is for error handling and reporting. No personal data is processed. This data is accessed remotely by DataDog.
react-native-keychain
We create an encryption key and save it using react-native-keychain. This key is then used to encrypt user data stored with react-native-mmkv. This data is stored on your device.
react-native-mmkv
This helps save application settings and preferences. We use it to store navigation data or tokens needed to keep you logged in, so this information is available even when you close and reopen the app. This data is stored on your device.
SDK for analytics to function
This is used to gather your choice for optional analytics.
@piwikpro/react-native-piwik-pro-sdk
This is to collect analytics about your use. The data is anonymous. This is stored on your device.
Other SDKs
react-native-marketingcloudsdk
This is to enable Salesforce to provide a customer management system to the HSE. A unique Salesforce Device ID is stored in Salesforce Marketing Cloud, allowing the HSE to track whether users have opted in or out of push notifications.
Analytics cookies we need to set
The optional analytics cookies we need to put on your device are all for collecting data about how you use the app. The data is stored on your device.
_pk_id.{id}
This is a Piwik Pro cookie. It's used to recognise you and keep your information in the app. This expires after 6 months.
_pk_ses.{id}
This is a Piwik Pro cookie. It shows your active session on the app. If the cookie doesn’t exist, it means that the session ended more than 30 minutes ago and was counted in the _pk_id cookie. This expires after a few seconds.
Analytics consent
This cookie is used to register the consent for Piwik Pro analytics on the app. This expires after a session.
Stg_last_interaction
This is a Piwik Pro cookie. It’s used to tell if your session is still running, or a new session has started. This expires after 12 months.
Stg_returning_visitor
This is a Piwik Pro cookie. It’s used to tell if you have visited the app before. This expires after 12 months.
Stg_traffic_source_priority
This is a Piwik Pro cookie. It stores the type of traffic source you have come from. This expires after 30 minutes.