Data Protection Policy

Directorate for Health Information and Research


Purposes for Processing

The Directorate for Health Information and Research, henceforth DHIR, is the Data Controller for a number of processing operations within the health sector in Malta in the public interest. DHIR implements the provisions of the General Data Protection Regulation (EU) 2016/679 of the European Union, henceforth referred to as the GDPR, in conjunction with the local legislation implementing this regulation, the Data Protection Act 2018 (CAP 586).

DHIR collects and processes information on data subjects in the execution of its role of providing a service to its clients and to fulfil the portfolio of responsibilities entrusted to it within the ambit of the Health Act, Public Health Act, Statistics Act and applicable EU Public Health Statistics regulations.

In this regard, the DHIR is responsible for secondary processing of personal data and is required to access personal data from public and private health care entities as well as notifications by health professionals. For this purpose, Subsidiary Legislation 528.10, issued under the Health Act (CAP 528), stipulates the regulatory framework through which secondary processing of data in the health sector can take place.

All data is processed in accordance with the aforementioned Acts and regulations.

Further information about our activities, the registers we manage and the surveys we are responsible for can be found on our homepage.

Recipients of Data

Personal data supplied to DHIR is processed by DHIR employees in a confidential manner in the course of executing their duties. Processing is carried out by warranted health professionals or public services employees working under the direct supervision of warranted health professionals. All DHIR employees are bound by a confidentiality agreement.


Sharing your information

We do not, and will not, sell any of your personal data to any third party. We do, however, share data for research purposes as follows.

Wherever possible, access to health records is given in anonymised, pseudonymised or aggregate format. In rare and exceptional circumstances, we give access to personal data for the purpose of research activities where these are manifestly in the public interest and the research objectives cannot be achieved using anonymised or pseudonymised data. In these very rare situations, access is conditional on approval by the Health Ethics Committee when the research is carried out within the health entities falling under the responsibility of the Ministry for Health, and by the relevant recognised academic research ethics committee where the research is carried out under the supervision of an academic institution. In all other instances, access to our data will only be given if you explicitly consent to it.

Your rights

You enjoy several rights relating to your personal information:

You are entitled to know what information is being kept by DHIR about you, the reason why, who has access to it and how it is kept.

In this regard, requests to access personal data must be made in writing and addressed to the Data Protection Officer, Directorate for Health Information and Research, 95 G’Mangia Hill, Pieta PTA 1313 or via email on [email protected]. To process your request, we will ask you to send us proof of identity so that we can be sure we are releasing your personal data to the right person. This identification document will be returned to you by MFH when submitting the reply in writing.

Additionally, you have the right as data subject to request that information be amended, erased or not used in the event that the data held is incorrect. In this regard, MFH will take the appropriate corrective action in the event that it is proved that the information held is incorrect.

MFH aims to comply as quickly as possible with requests for access to personal data and will ensure that it is provided within 30 days.

Security of your Personal Data

Your data is held within the Government information management system. We take the following steps to ensure the highest possible level of security for your data.

1. Use of secure servers;
2. Use of firewalls;
3. Use of encryption;
4. Information access controls;
5. Use of back-up systems.

How to contact us

We are always happy to hear from you, whether to make a suggestion or, especially, if you feel we can do better.

If you have any questions about this Privacy Policy, or if you wish to make a complaint about how we have handled your personal information, please contact us at:

Directorate for Health Information and Research

95, G’Mangia Hill

Pieta PTA 1313

We have appointed a Data Protection Officer who may be contacted here: [email protected].