HSE directorates/service areas must ensure that commercial service providers they contract, with direct or indirect access to patient or employee data, sign the HSE Service Provider Data Processing Agreement (DPA).
The DPA form is only intended to be completed by commercial third party service providers or suppliers who are providing contracted services to the HSE, and who will be processing personal data on behalf of the HSE. That is, those that are acting as a ‘data processor’ for the HSE.
This list includes, but is not limited to, commercial service providers who are responsible for the:
- supply, service and support of HSE clinical devices
- supply, management and support of HSE information systems
- provision of consultancy services
- provision of data management services - data collection, processing, storage, hosting, transfer, conversion, copying, transcription, disposal/destruction, archiving
The DPA must be completed by commercial third party service providers to the HSE who will be processing personal data on behalf of the HSE
Each HSE directorate/service area should ensure the signed copy is stored with the original procurement contract provided by the commercial service provider.
The DPA does not apply to:
- health service providers who are funded by the HSE. For example, voluntary hospitals and non-acute agencies, voluntary and community agencies funded under the Health Act 2004 and agencies funded under the Child Care Act 1991. These providers are covered by HSE service level arrangements.
- where the HSE is under a legal obligation to share patient information with an organisation or agency. For example National Cancer Registry Ireland.
eHealth keeps a list of commercial service providers who have signed the DPA form.
To request access to HSE-funded agency staff see usernames and emails to access the relevant form.
Before requesting an account or access to be given to a third party, see HSE ICT Policies
To request third party access to the HSE network, you must ensure a DPA is in place.
You must complete one or more of the following forms depending on requirements:
- HSE Service Provider Data Processing Agreement (DPA)
Must be completed for all third parties providing services to the HSE. Submit to Chris.Meehan@hse.ie (ICT senior security officer)
- HSE supplier IT security assessment questionnaire
Service providers supplying any other ICT-managed services (provision and support of IT equipment) must complete a security questionnaire in addition to the DPA. Submit to Chris.Meehan@hse.ie (ICT senior security officer)
- Third party standard account request form
To request a domain account for a third party provider. Log a ticket when the DPA is completed and received, and attach this form to a ticket
- Third party elevated admin account request form
To request an elevated admin account for a third party provider for access to a server or other IT resources. Log a ticket when the DPA is completed and received, and attach this form to a ticket
- Third party network access agreement
Log a ticket when the DPA is completed and received. You must complete this form if the third party wants to add a non-standard device to the HSE network. HSE funded agencies must complete this form when requesting a new domain account and include this with their Domain access and email address request form as part of a ticket
Requesting remote access for third parties to the HSE network
External third parties can access the HSE network remotely over Citrix Cloud
- to request access to Citrix Cloud, there must be an approved DPA in place for the external third party
- requests for third party access must have a HSE sponsor
- Healthirl domain account is required
- To request access to Citrix Cloud, log a ticket when the DPA is completed and approved
Citrix Cloud account restrictions
Restrictions are applied within the HSE Citrix Cloud environment by default, for example, restrictions for printing, in/outbound clipboard.
- an exemption request can be raised through the HSE sponsor to lift a restriction
- each request is reviewed on its own merit and requires a HSE sponsor and senior eHealth approval before a restriction can be lifted
- a Citrix Gateway Access Security Exemptions form is required to request an exception and can be included in a NSD Self Service ticket
- HSE sponsor requesting an exception to be added to a third party Citrix Cloud account
Citrix Cloud remote access request form
The Citrix Cloud remote access request form is used to request off-premise Citrix Cloud remote access to the HSE domain and IT resources.
The request must be completed by a HSE information owner or their nominee. Send completed forms to the National Service Desk.