Privacy

Privacy Notice

At Neurospine Ltd, we understand that the privacy and security of your personal data is extremely important. We are committed to safeguarding all information entrusted to us and ensuring that your privacy is protected at all times.

This notice was updated in June 2026.

Introduction

This Privacy Notice sets out the basis upon which we collect, use, store, and disclose personal data collected from you and/or held about you, as well as your rights in relation to that data. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

Data Controller

For the purposes of Data Protection Law:

Neurospine Ltd (Company Registration No. 604339), with a registered place of business at Suite 10, Sports Surgery Clinic, Santry Demesne, Dublin 9, acts as a Data Controller when providing neurosurgical healthcare services.

In this role, Neurospine Ltd is responsible for processing your personal data in a safe, secure, and compliant manner.

Our Commitment to Privacy

Neurospine Ltd is committed to protecting your privacy and maintaining the confidentiality of your personal data. We recognise the importance of safeguarding personal data and ensuring that it is used appropriately, lawfully, and transparently.

This Privacy Notice applies to all patients and individuals whose personal data is processed by Neurospine Ltd.

Legal Basis for Processing Data

All personal data is processed in accordance with:

  • The General Data Protection Regulation (GDPR)
  • The Data Protection Act 2018

We ensure that all personal data is processed lawfully, fairly, and transparently, and only to the extent necessary for the purposes for which it is collected.

What Personal Information We Collect

Most of the information we hold is provided directly by you. Some information may also be received from internal sources or external healthcare providers such as your GP or referring physician.

Personal data we collect from you may include the following:

  • Information you provide when you make an enquiry or become a patient, such as your name, date of birth, address, and contact details, including email address and phone number.
  • Information you provide when making a payment, including financial details, health insurance information, and billing or payment details.
  • Name and contact details of your next of kin or relatives.
  • Clinical notes and medical reports, including details relating to your health, diagnosis, treatment, care received, clinic or hospital visits, and medications administered.
  • Information relating to complaints and incidents.
  • Information obtained from patient or customer surveys in which you have participated.
  • Information submitted when you contact us with questions, comments, or feedback, including via our website.
  • Information you provide when using the Contact Us or Book an Appointment forms on our website.
  • Information submitted as part of a job application, including your CV, cover letter, and contact details.
  • Information you make publicly available when posting comments or reviews on social media or public platforms such as Facebook, Twitter, Google, LinkedIn, and similar platforms.
  • Audio recordings used for clinical dictation purposes, which are retained temporarily to generate clinic letters for your GP or referring consultant. These recordings are securely encrypted and stored within our firewall-protected systems.

Where you provide us with personal data relating to your next of kin or another individual, it is your responsibility to ensure that they are aware of and accept the terms of this Privacy Notice.

How We Use Your Information and Lawful Basis

Special Category Data (Health Information)

The legal bases for processing your special category personal data, including medical and health information, are set out under Article 9 of the General Data Protection Regulation (GDPR). Such processing is necessary for one or more of the following purposes:

  • Medical purposes and provision of healthcare. For preventive or occupational medicine, medical diagnosis, the provision of healthcare or treatment, and the management of healthcare systems and services. Legal basis: Article 9(2)(h).
  • Protection of vital interests. Where processing is necessary to protect your vital interests, or those of another person, and you are physically or legally incapable of giving consent. Legal basis: Article 9(2)(c).
  • Legal claims. For the establishment, exercise, or defence of legal claims. Legal basis: Article 9(2)(f).
  • Compliance with legal obligations. Where processing is necessary to comply with legal and regulatory obligations applicable to us as a healthcare provider. Legal basis: Article 9(2)(b) and/or 9(2)(g).
  • Public interest in public health. For reasons of public interest in the area of public health, including ensuring high standards of quality and safety of healthcare. Legal basis: Article 9(2)(i).
  • Research, archiving, and statistical purposes. For archiving purposes in the public interest, scientific or historical research, or statistical purposes, subject to appropriate safeguards. Legal basis: Article 9(2)(j).

How We Use Your Information

Your personal data will be kept confidential and secure and will, unless you agree otherwise, only be used for the purpose or purposes for which it was collected. Your information enables us to provide safe, effective, and high-quality care, and to continually improve our services.

We may use your information for the following purposes:

  • To create and maintain your medical record. Including recording all aspects of your assessment, diagnosis, and treatment within our clinical and administrative systems.
  • To support your clinical care. Ensuring that our clinical staff have access to the information required to assess and treat you.
  • To manage billing and payments. Including generating invoices, processing payments, and managing insurance claims.
  • To communicate with you. Including appointment management and providing information about our services where you have agreed to receive such communications.
  • For recruitment purposes. Including creating and managing candidate profiles where you apply for a position with us.
  • To improve our website services and security. Ensuring functionality, performance, and protection against unauthorised access.
  • For clinical audit, service improvement, and research. To monitor quality, improve patient outcomes, and support evidence-based practice.
  • To manage referrals and continuity of care. Including sharing relevant information with GPs, referring consultants, and other healthcare professionals involved in your care.
  • To respond to enquiries and complaints. Including handling queries, feedback, and investigating issues where necessary.

Research and Clinical Audit

Neurospine Ltd supports and promotes clinical audit and research activities as part of its commitment to improving patient care and advancing medical knowledge.

All such activities are conducted in accordance with ethical and legal requirements. Where appropriate:

  • Research is subject to ethical approval.
  • Data is minimised, securely handled, and pseudonymised where appropriate.
  • Strict safeguards are in place to protect your rights and confidentiality.

In certain circumstances, retrospective chart reviews may be carried out without obtaining individual consent where this is not feasible, and where appropriate approvals and safeguards are in place in accordance with GDPR.

You will not be identified in any research outputs, publications, or presentations without your explicit consent.

How We Handle Your Information

Personal data are stored securely within Neurospine systems.

  • Data are held within electronic clinical record systems.
  • Physical records may be used where necessary.
  • Access is restricted to authorised staff.
  • Data are only shared where necessary for care or legal reasons.

We may share your information with:

  • Your GP or other healthcare providers.
  • Billing providers related to your care.

Use of Ambient AI and Audio Recording

Neurospine Ltd uses ambient AI technology to assist in the recording of clinical consultations and the generation of clinical documentation, including summaries and correspondence to your GP or referring consultant.

This technology is used solely to support the accuracy, efficiency, and quality of clinical record-keeping and communication between healthcare providers.

  • Audio recordings are processed securely, encrypted within our firewall-protected systems, and are accessible only to authorised staff with appropriate login credentials.
  • Recordings are used exclusively for the purpose of generating clinical notes and correspondence as part of your care.

You will be given the opportunity to opt out of having your consultation audio recorded using this technology. If you choose to opt out:

  • No audio recording of your consultation will take place.
  • Instead, the clinician may generate a separate audio summary after the consultation to support clinical documentation.

Your decision to opt out will not affect the care or treatment you receive in any way.

How Long We Retain Your Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including providing healthcare services and complying with legal, regulatory, and professional obligations.

In general, medical records are retained for a period of eight years following the conclusion of your treatment, in line with applicable guidelines.

Your personal data will be processed throughout the course of your treatment and retained for a defined period afterwards. Retention periods are determined based on:

  • Legal and regulatory requirements.
  • Clinical and patient care needs.
  • The nature, sensitivity, and risk associated with the data.

Your data is retained:

  • During your treatment.
  • For an appropriate period after treatment, in accordance with applicable legal, clinical, and regulatory requirements.

Once we determine that your personal data is no longer required, it will be securely and permanently deleted or anonymised in line with best practice and data protection obligations.

Your Rights in Respect to Personal Data

Under data protection law, you have the following rights:

  • Right of access. You have the right to request a copy of the personal data we hold about you.
  • Right to rectification. You have the right to have inaccurate or incomplete personal data corrected without undue delay.
  • Right to erasure (right to be forgotten). You have the right to request the deletion of your personal data. Please note that this is not an absolute right and applies only in certain circumstances, such as where the data is no longer necessary for the purpose for which it was collected, where processing is unlawful, or where you withdraw consent and there is no other lawful basis for processing.
  • Right to object. You have the right to object to the processing of your personal data in certain circumstances, including processing for direct marketing or profiling.
  • Right to data portability. You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller where feasible. This right applies only where processing is carried out by automated means and is based on your consent or a contract.
  • Right to restriction of processing. You have the right to request that we restrict the processing of your personal data in certain situations.
  • Right to withdraw consent. Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before consent was withdrawn.

Exercising Your Rights

You may exercise any of the above rights by contacting us at:

Neurospine Ltd
Suite 10, Sports Surgery Clinic
Santry Demesne
Dublin 9

Contact Details

Data Protection Officer
UPMC Sports Surgery Clinic
Santry Demesne
Dublin 9
Email: dpo@upmc.ie

Subject Access Requests

Email: info@neurospine.ie

Right to Lodge a Complaint

If you have any concerns about how your personal data is being processed, you have the right to lodge a complaint with the Data Protection Commission (DPC) in Ireland:

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Canal House
Station Road
Portarlington
Co. Laois, R32 AP23

Phone: +353 (01) 765 0100 / +353 (0761) 104 800
Email: info@dataprotection.ie
Website: https://www.dataprotection.ie

Changes to Our Privacy Policy

We keep our Privacy Notice under regular review and as a result it may be amended from time to time without notice. We encourage you to review this Privacy Notice regularly. Please review this notice each time you use our website or our services.

Who We Share Your Data With

We may share your personal data with the following categories of third parties where necessary to provide our services, comply with legal obligations, or support the operation of our practice.

Category of Third Party | Description of Service Provided
Information Technology (IT) Providers | System-based processing of personal and/or medical data as part of patient treatment and operational requirements, including cloud hosting services, clinical systems, application support, IT infrastructure, email services, and secure communication platforms.
Legal and Professional Advisors | Provision of legal, audit, and consultancy services, including access to personal data where necessary for legal claims, compliance, or business advisory purposes.
Transport, Storage and Secure Destruction Providers | Courier services for the secure transportation of documents to and from healthcare providers, insurers, and partners, as well as secure storage and confidential destruction of physical records in line with regulatory requirements.
Outsourced Service Providers | External providers engaged to process personal data where specialised services are required, such as diagnostic testing, laboratory analysis, or other clinical support services.
Regulatory and Statutory Bodies | Provision of personal data where required to comply with legal and regulatory obligations, including audits, inspections, and mandatory reporting requirements.

Glossary of Terms

Personal Data
Any information relating to an identified or identifiable individual, such as name, contact details, or medical information.
Special Category Data
Sensitive personal data requiring additional protection, including health information, medical records, and clinical data.
Processing
Any operation performed on personal data, including collection, recording, storage, use, sharing, or deletion.
Data Controller
The organisation that determines how and why personal data is processed. In this case, Neurospine Ltd.
Data Processor
A third party that processes personal data on behalf of the Data Controller.
GDPR (General Data Protection Regulation)
EU legislation governing how personal data must be collected, used, and protected.
Data Protection Act 2018
Irish legislation that supplements GDPR and sets out national data protection rules.
Pseudonymisation
The processing of personal data so it cannot be attributed to a specific individual without additional information kept separately.
Consent
Freely given, specific, informed, and unambiguous indication of a person's agreement to the processing of their personal data.
Legitimate Interests
A lawful basis for processing personal data where it is necessary for the organisation's legitimate operations, provided it does not override your rights.
Data Subject
The individual whose personal data is being processed, such as a patient.