Skip to main content

Privacy Notice - Clinical Patient Management System 2.0

Privacy Notice – Clinical Patient Management System (CPMS) 2.0 | European Reference Networks (ERNs)

About Children’s Health Ireland

Children’s Health Ireland (CHI) was established under the Children’s Health Act 2018. The objective of CHI is to improve, promote and protect the health, mental health and well-being of children in a manner that embodies the values of child-centred, compassionate and progressive care provided with respect, excellence and integrity.

Key functions of CHI under the 2018 Act are to plan, conduct, maintain, manage, provide and develop paediatric services in the hospital, and to facilitate, foster, promote and carry out research and innovation aimed at improving paediatric services and advancing medical and scientific knowledge relating to paediatric services through research and scientific investigation and inquiry.

This privacy notice should be read in conjunction with the CHI’s Main Privacy Notice, which explains what personal data CHI collects and processes in its day‑to‑day activities, along with further details on how that data is used and individuals’ data protection rights.

The Main Privacy Notice is available here: https://www.childrenshealthireland.ie/policies-statements/privacy-policy/

Ábhar an leathanaigh

Ar an leathanach seo gheobhaidh tú eolas faoi:

Background

Data privacy in the context of the European Reference Networks is the shared responsibility of a joint controllership between the European Commission (hereafter the “Commission”) and Children’s Health Ireland (hereafter “CHI”) as a Healthcare Provider. Under this arrangement, CHI is responsible for deciding when and why patient data is shared for clinical care, while the Commission is responsible for the operation and security of the CPMS 2.0 platform used by the ERNs for cross-border discussions of rare clinical cases. The responsibilities of each party are set out in a joint‑controller arrangement in line with Article 26 of the GDPR.

This privacy statement explains the reason for CHI’s processing of your personal data, the way we collect, handle, and ensure protection of all personal data provided, how that information is used and which rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer, and the relevant Supervisory Authorities.

What Is the CPMS 2.0?

The CPMS 2.0 (Clinical Patient Management System 2.0) is a web-based application with desktop and mobile interfaces used by the European Reference Networks (ERNs) to support cross-border clinical discussions related to the diagnosis and treatment of rare or complex health conditions. It is a secure platform that allows healthcare professionals to exchange patient information and medical expertise, sharing clinical data across national borders to ensure that patients receive the best possible care.

What Are the European Reference Networks and How Can They Help You?

European Reference Networks (ERNs) are networks of healthcare professionals working with rare diseases across Europe. ERNs allow healthcare professionals to discuss rare/complex clinical cases like yours, helping your doctors to correctly diagnose or establish a care plan for your health problem.

For an ERN to advise your doctors, the relevant data collected about you in CHI must be shared with healthcare professionals in other hospitals, some of which may be located in other EU countries.

The information in relation to the processing operations via the CPMS 2.0 platform undertaken by the Commission are presented below i.e. this privacy statement explains how personal data is handled when:

  • as a user, you register in CPMS 2.0 and use the platform;
  • as a patient, your clinical case is uploaded and discussed in the CPMS 2.0.
  • as a patient, you give explicit consent for your clinical case to be fully anonymised, and used for education purposes
  • as a patient, you give explicit consent for your pseudonymised data to be exported to ERN registries

1.0 Personal Data

Personal data means any information that relates to an individual. This can include details such as:

CHI Patients

  • Patient Identifying Data
  • Patient identifying data consist of first and last name, sex, date of birth, nationality. A nickname is assigned to the patient within CPMS 2.0 and can be changed by the enrolling doctor. Only the enrolling healthcare professional has access to the patient identifying data.
  • Patient Medical Data
  • Patient medical data consist of all kinds of medical information needed to establish a diagnosis or advise a treatment. It can contain medical images, text documents, lab results, medical history, etc. Patient medical data is only uploaded, stored within CPMS 2.0, and shared with collaborating ERNs in a pseudonymised format. Only the enrolling healthcare professional and the healthcare professionals that participate in the discussion of a patient case have access to the patient medical data.

Pseudonymised data, is personal data that goes through a process of removing directly identifiable data such as your name and replacing it with a code. Pseudonymised/coded data remains as personal data until the point of anonymisation, where data cannot be linked to the individual it relates to.

2.0 How do you use my personal data?

Your personal data (including any pseudonymised data, will be processed for purposes including to:

  • Support your direct clinical care by allowing CHI clinicians to securely share relevant clinical information with European Reference Network (ERN) experts for diagnosis, case discussion, and treatment planning, with your explicit consent.
  • Enable specialist multidisciplinary review of complex or rare‑disease cases using CPMS 2.0’s secure tools for discussing clinical findings, imaging, and diagnostic results.
  • Ensure safe and high‑quality clinical decision‑making, where CPMS 2.0 facilitates timely expert advice to support your ongoing care.
  • Comply with legal and regulatory obligations, including responding to lawful requests from health, oversight, or regulatory bodies.
  • Deliver health and safety reporting;
  • Seek refreshed or additional consent where required, including consent from a parent or legal guardian where the patient is a child and this is required by law.
  • Respond to data protection requests.

Under the GDPR, we must always have a lawful basis for processing personal data. CHI’s lawful basis for processing the personal data of patient data in regards to CPMS 2.0 are as follows:

  • You have given explicit consent to the processing of your personal data for one or more specified purposes (Article 6(1)(a) & 9(2)(a) GDPR);
  • You have given explicit consent to the processing of your personal data for one or more specified purposes (Article 6(1)(a) & 9(2)(a) GDPR);

If you gave consent for your case to be discussed and you accept to contribute to the advancement of knowledge on rare cases like yours, you may give additional consents, as specified below:

  1. if you give explicit consent for your clinical case to be used for educational purposes, your data will be fully anonymised and may be used to educate other healthcare professionals, including young doctors or medical students, for advancing their knowledge and education on rare cases like yours.
  2. if you give explicit consent for your data to be exported to ERN registries, your pseudonymised data may be exported to registries of rare/complex diseases, to be used for scientific research.

Giving or refusing these additional consents will not affect your access to diagnosis, treatment, or clinical care through CHI or the ERNs.

3.0 What are my rights?

Under the GDPR, you have the following rights:

  • The right to be informed about our collection and use of your personal data. This privacy notice meets this requirement, but you can always contact us to find out more or to ask any questions using the details in Section 9.0
  • The right to access the personal data we hold about you. Section 8.0 outlines how to exercise this right.
  • The right to have your personal data rectified if inaccurate or incomplete.
  • The right to be forgotten, i.e., the right to request that your personal data are deleted
  • The right to restrict the processing of your personal data.
  • The right to object to us using your personal data for a particular purpose or purposes.
  • The right to data portability – to transmit your personal data to another data controller, where CHI is processing your information under a specific lawful basis.
  • You may withdraw your consent at any time. If you withdraw your consent after your case has been discussed in CPMS 2.0, no further information about you will be shared or discussed through the platform. However, information already shared and any clinical advice provided may need to be retained as part of your CHI medical record, where this is required for your ongoing care or to meet legal and professional obligations. Withdrawal of consent does not affect the lawfulness of processing that took place before consent was withdrawn.
  • The right not to be subject to a decision based solely on automated processing, including profiling, unless certain conditions are met. CPMS 2.0 is used to support clinical discussion by healthcare professionals and does not involve automated decision‑making that produces legal or similarly significant effects.
  • Right to make a complaint to the Data Protection Commissioner or the European Data Protection Supervisor.

4.0 How does CHI keep my personal data secure and confidential?

We are committed to ensuring that your information is secure with us and with the third parties who act on our behalf. We have a number of safeguards in place to prevent the loss, misuse, alteration, unauthorised access to and disclosure of your personal data. Where required, CHI carries out Data Protection Impact Assessments (DPIAs) to identify and mitigate privacy risks associated with the processing of personal data.

Under data protection law, specific principles govern our use of personal data and our requirement to ensure it is kept safe and secure. Your data may be stored within electronic or paper records, or a combination of both. Examples of safeguards to protect personal data include data encryption, pseudonymisation/coding, anonymisation and restricted access to  records. Further, CHI employees have committed themselves to confidentiality contractually and/or are under a statutory obligation of confidentiality.

Where your data is processed using the Clinical Patient Management System (CPMS 2.0), additional technical and organisational safeguards are applied at a European level.

CPMS 2.0 is operated by the European Commission, which is responsible for the security of the platform itself, including secure hosting within the EU, role‑based access controls, encryption, multi‑factor authentication, and audit logging. Further information on how the European Commission protects personal data processed within CPMS 2.0 is available in their Privacy Statement: https://cpms2.ern-net.eu/screen/privacy-policy

5.0 How long will you keep my personal data?

Your data will be retained only for as long as necessary for the purposes to which you consented and for which data was collected.

5.1. User-related data

The EU Commission are data controller for this processing and keep user personal data only for the time necessary. As long as a user wants to use the CPMS 2.0 the user account remains active, and the associated personal data is therefore retained. A user can, at any time, delete the user account. In this case, the user account and all associated personal data will be permanently deleted. After 5 years of inactivity, the need for keeping user data will be evaluated and the user account will be deleted if deemed necessary.

Please see their privacy notice for further detail: https://cpms2.ern-net.eu/screen/privacy-policy

5.2. Patient-related data

The Commission keeps patient related data for the time required to the correct follow up of the patient and his/her family needs, as defined at enrolment time. You can, at any time and by simple request to CHI, request the deletion of your personal data. At least every 15 years, the need for keeping patient data will be evaluated by the ERN concerned and the patient data will be deleted if deemed no longer relevant.

5.3. Discussion Data

Audio and video recordings are kept for 30 days after the discussion.

Please see the Commission’s privacy notice for further detail: https://cpms2.ern-net.eu/screen/privacy-policy

6.0 Data transfers outside the EEA?

In general, CHI seeks to ensure that personal data is stored and processed within the European Economic Area (EEA). Where your personal data is processed using the Clinical Patient Management System (CPMS 2.0), it is hosted and operated by the European Commission on secure cloud infrastructure located within the EU.

In limited circumstances, and only where clinically necessary, authorised healthcare professionals based outside the EEA (for example, in Ukraine) may be invited to participate in a specific clinical case discussion within CPMS 2.0. In such cases, access is strictly controlled and limited to what is necessary for clinical consultation. Your data is pseudonymised, shared on a case‑by‑case basis, and protected by technical and organisational safeguards such as role‑based access controls, encryption, multi‑factor authentication, and audit logging.

Where personal data is transferred to or accessed from a country outside the EEA, appropriate safeguards are applied to ensure an adequate level of protection in line with data‑protection law. These safeguards are implemented at European Commission level for CPMS 2.0 and may include legal, technical, and organisational measures. Further information on how the European Commission manages international data access for CPMS 2.0 is available in their Privacy Statement: https://cpms2.ern-net.eu/screen/privacy-policy

CHI does not independently transfer CPMS 2.0 data outside the EEA.

7.0 Do you share my personal data?

CHI only shares your personal data where it is necessary and lawful to do so, and always in a way that supports your care and protects your privacy.

Where CPMS 2.0 is used, your personal data may be shared on a limited, case‑by‑case basis with authorised healthcare professionals who are members of the relevant European Reference Network (ERN). This sharing is done solely for clinical case discussion and specialist consultation to support diagnosis and treatment planning for complex or rare conditions.

Access to your data is strictly controlled and limited to the enrolling CHI clinician, their designated assistant, and the specific invited ERN experts involved in your case. Personal data is not shared for marketing or commercial purposes.

CPMS 2.0 is operated by the European Commission, which is responsible for sharing and access controls within the platform itself. CHI remains responsible for the decision to upload and share patient data in CPMS 2.0, in line with its clinical responsibilities and your consent.

Any additional sharing of your data for purposes beyond direct care, such as anonymised education or pseudonymised research, will only take place where you have given explicit additional consent and where the appropriate CHI governance and approvals are in place.

8.0 How can I access my personal data?

You have the right to request access to your personal data and to receive information about how it is being used, in line with data‑protection law.

If your personal data is held by CHI, including information in your medical record or information submitted by CHI clinicians for use in CPMS 2.0, you can make a Subject Access Request (SAR) by contacting CHI’s Data Protection Office (see Section 9.0). CHI will respond to your request in accordance with applicable legal timeframes.

Where your personal data is processed within the CPMS 2.0 platform itself, the European Commission acts as a data controller for that element of processing. CHI will support you in exercising your rights and, where appropriate, will liaise with the European Commission to ensure your request is handled correctly.

Please note that patients do not have direct access to CPMS 2.0. Any clinically relevant information arising from CPMS 2.0 discussions that affects your care should be recorded in your CHI medical record, which remains the primary and authorative source for accessing your health information.

If you have any questions about accessing your data or exercising your rights, you may contact CHI’s Data Protection Office for assistance.

9.0 Contacting us, making a complaint or providing feedback

We hope you have found this privacy notice useful. To provide feedback in relation to any aspect of how CHI has handled your personal information, to exercise your rights, or if you have any questions and/or would like to make a complaint, you can contact our Data Protection Officer by post, email or phone through the contact details below.

CHI has appointed a Data Protection Officer (DPO) to oversee CHI’s compliance with its data protection obligations. If you have questions regarding CHI’s data protection practices, please do not hesitate to contact us as follows:

CHI at Crumlin
Email: dpo@childrenshealthireland.ie
Phone: +353 1 409 6100
Post: Data Protection Officer Children’s Health Ireland (CHI) at Crumlin, Crumlin, D12 N512, Ireland

CHI at Temple Street
Email: dpo@childrenshealthireland.ie
Phone: + 353 1 878 4200
Post: Data Protection Officer Children’s Health Ireland (CHI) at Temple Street, Temple Street, D01 YC67, Ireland

CHI at Tallaght
Email: dpo@childrenshealthireland.ie
Phone: +353 1 409 6100
Post: Data Protection Officer Tallaght University Hospital, Tallaght, Dublin 24 D24 NR0A

CHI at Connolly
Email: dpo@childrenshealthireland.ie
Phone: + 353 1 878 4200
Post: CHI at Connolly, Connolly Hospital, Mill Road, Blanchardstown, Dublin 15, D15 RRN1

9.1 European Commission Contact Details (Controller for CPMS 2.0 Platform Processing)

If you would like to exercise your rights as a user of CPMS 2.0 under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the data controller at:

European Commission – Data Protection Officer
Email: DATA-PROTECTION-OFFICER@ec.europa.eu
Post: European Commission, Data Protection Officer,
Rue de la Loi / Wetstraat 200,
1049 Brussels, Belgium

Further information on how the European Commission processes personal data is available in their Privacy Statement:
https://health.ec.europa.eu/privacy-policy_en

CHI will support you, where appropriate, in directing or assisting with CPMS‑related requests involving the European Commission.

Supervisory Authority – Data Protection Commission (DPC)

You may contact the Data Protection Commission at any stage, and you do not have to make a complaint to CHI before contacting the Commission. Additionally, if you are unhappy with the outcome of your complaint or how your request to exercise your rights in relation to your personal data has been processed by CHI, you also have the right to make a complaint to the Data Protection Commission directly.

Email

info@dataprotection.ie

Website

www.dataprotection.ie

Phone

01 7650100 / 1800437 737

Post

Dublin Office:

Data Protection Commission,

21 Fitzwilliam Square South,

Dublin 2,

D02 RD28.

Portarlington Office:

Data Protection Commission, Canal House,

Station Road, Portarlington, R32 AP23,

Co. Laois.

10.0 Changes to this privacy notice

We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our practices in a way that affects personal data protection.

Version: 001 Dated: 29/04/2026

Roinn an leathanach seo

Cláraigh dár nuachtlitir