Issues of concerns notified by the Data Protection Commissioner to the HSE

Data Protection


Issues of concerns notified by the Data Protection Commissioner to the HSE

August 2013



The Data Protection Commissioner has recently corresponded with the HSE in relation to issues of concern which has come to his attention through reporting of Data Protection Breaches.


The Data Protection Commissioner has requested that these matters are brought to the attention of all staff of the HSE and addressed as a matter of urgency.

Use of PPS Number


It appears that GP referral forms are requesting the PPS Number of patients being referred.  There is absolutely no necessity or any approval for the use of PPS Number in this manner.  All forms requesting PPS Number should be withdrawn from use immediately and replacement forms should not make reference/request the PPS Number.  The HSE has approval for use of PPS Number for the following HSE Schemes only:

§        Blind Welfare Allowance

§        Domiciliary Care Allowance

§        Dental Schemes

§        Drug Payment Scheme

§        European Health Insurance Card

§        GP Visit Card

§        Home Help Service

§        Immunisation Services

§        Inpatient Services

§        Institutional Assistances Services

§        Long-Term Illness Scheme

§        Maternity Cash Grant

§        Medical Card Scheme

§        Mobility Allowance

§        Motorised Transport Scheme

§        Nursing Home Support Scheme/Fair Deal

§        Ophthalmic & Aural Services

§        Outpatient Services

§        Primary Medical Certificate

The legislation governing the use of PPSN is contained in the Social Welfare Consolidation Act 2005 and the Social Welfare and Pensions Act 2007 and 2010.

Use of the PPSN for any other purpose is in breach of the Data Protection Acts.


Transmission/posting of sensitive personal information

Data Protection Commissioner has raised concerns where a number of items had contained insufficient postage and also incorrect or incomplete addresses which raised particular difficulties with regard to delivery by An Post.  The Data Protection Commissioner has raised particular concerns with regard to post between the GPs and HSE.


When posting sensitive personal information please


  • Ensure the envelope is well sealed and the correct name and full address is clearly indicated on the front of the envelope


  • Mark the envelope Private & Confidential or For Addressee Only to ensure that it is not opened inadvertently by anyone other than the intended recipient.


  • Where a franking machine is in use, the logo will contain an EFC identifier and in such cases the post office can identify the HSE Service from which the letters/packages originated, Return to Sender information should be contained on the envelope when postage stamps are used.


  • Ensure that sufficient postage is put on all letters/packages.


Documents/records which are to be shredded should be contained in bins marked specifically for Shredding.  These bins should be kept in a secure location or locked containers and arrangement made for shredding on a frequent basis.

Bins/bags which contain documentation/records for shredding should not be kept under desks.

Data Protection Breach Management

Should you become aware of a Data Protection Breach re loss of control of personal data, personal data lost/stolen, correspondence containing personal data been sent to the wrong person, please report same immediately to your line manager and complete a Data Protection Breach Management form and return same to your Area Office for Consumer Affairs.