Introduction
1. The Department of Health (DoH) is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA) which will be referred to as Data Protection Legislation (DPL).
2. We will follow procedures to ensure that all employees, contractors, agents, consultants and other parties who have access to any personal information held by or on behalf of us are fully aware of and abide by their duties and responsibilities under the Act.
Statement of Policy
3. We need to collect and use information about people with whom we work in order to carry out our business and provide our services. These may include members of the public, current, past and prospective employees, clients, customers and suppliers. In addition, we may be required by law to collect, use and share information. All personal information, whether in paper, electronic or any other format, must be handled and managed in accordance with the DPL.
Data Protection Principles
4. We fully support and comply with the UK General Data Protection Regulation (UK GDPR) and the six key principles which lie at the heart of the general data protection regime. In summary, this means we must ensure that personal information is:
(i) processed lawfully, fairly and in a transparent manner;
(ii) collected for specified, explicit and legitimate purposes;
(iii) adequate, relevant and limited to what is necessary;
(iv) accurate and where necessary kept up to date;
(v) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed;
(vi) processed in a manner that ensures appropriate security of the personal data.
In addition to the above principles, ‘Accountability’ is central to UK GDPR and is considered the 7th principle by many, including the Information Commissioners Office (ICO). Data Controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the ICO as regulator.
5. Our purpose for holding personal information, along with a description of the categories of people and organisations to which we may disclose it, are included on the Department’s Privacy Notice. There are also business specific privacy notices, which provide more detail about specific processing the Department is responsible for.
Disclosure of Personal Information
6. Strict conditions apply to the disclosure of personal information both internally and externally. We will not disclose personal information to any third party unless we believe it is lawful to do so. Respect to confidentiality will be given where appropriate. In certain circumstances, information relating to staff acting in an official capacity may be made available provided:
- we are required by law to do so; or
- the processing is necessary for the performance of a public task that the Department has a statutory power to carry out (see the Department's Public Task Statement); or
- the member of staff has consented to the disclosure; or
- the information is in a form that does not identify individual employees.
Handling of Personal Information
7. All staff must, through appropriate training and responsible management:
- fully observe conditions regarding the fair collection and use of personal information;
- meet our legal obligations to specify the purposes and lawful basis for which personal information is gathered and used;
- collect and process appropriate personal information only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
- ensure the accuracy and quality of personal information used;
- Where possible pseudonymise or anonymise personal identifiers within information held;
- apply strict checks to determine the length of time personal information is held;
- ensure that the rights of people about whom information is held can be fully exercised under the Act;
- take appropriate technical and organisational security measures to safeguard personal information;
- ensure that personal information is not transferred abroad without adequate safeguards;
- be responsible and able to demonstrate compliance with all of the above.
Compliance
The Department will ensure that:
- an expert Data Protection Officer (DPO) is appointed within the Department who will have specific responsibilities for Data Protection, as set out in the NICS DPO Job Specification;
- our purposes for processing personal data are clearly set out in Departmental Privacy Notices;
- all Subject Access Requests (SARs) will be dealt with in accordance with the Data Protection Act and within the one month limit established by the Data Protection Act 2018. For best practice the ICO have recommended that staff comply with requests for information within 28 calendar days;
- every year staff are reminded of their obligations and provided with DPA related mandatory online awareness training;
- everyone managing and handling personal information understands that they are directly and personally responsible for following good Data Protection practice;
- only staff who need access to personal information as part of their duties are authorised to do so;
- everyone managing and handling personal information is appropriately trained to do so;
- everyone managing and handling personal information is appropriately supervised;
- anyone wanting to make enquiries about handling personal information knows what to do;
- queries about handling personal information are promptly and courteously dealt with;
- methods of handling personal information are clearly described;
- a review and audit is made of the way personal information is managed;
- methods of handling personal information are regularly assessed and evaluated;
- a Departmental Information Asset Register (IAR) is maintained to record what personal information assets are held, how they are processed, maintained and managed.
9. To assist in achieving compliance, we have:
- appointed a Senior Information Risk Owner (SIRO) with overall responsibility for Data Protection within the organisation;
- appointed a Departmental Data Protection Officer (DPO) responsible for monitoring compliance; providing advice and guidance; dealing with escalated complaints from data subjects; liaising with the ICO and Departmental Solicitors on data protection issues;
- appointed Information Asset Owners (IAOs) at Head of Branch level who are responsible for managing their personal information assets locally and ensuring that staff adhere to this policy and undertake relevant training and awareness.
- appointed Local Information Managers (LIMs)/Data Protection Liaison Officers (DPLOs) in each of the Directorates to assist staff compliance with the data protection principles.
Staff Responsibilities
10. All staff have a responsibility to protect the personal information held by the Department. They will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:
- they are appropriately trained in the handling of personal information;
- paper and electronic records or documents containing personal/sensitive data are kept securely;
- personal data held on computers, mobile devices and computer systems is protected by individual strong passwords which, where possible, have forced changes periodically. Access controls should also be placed on electronic records containing personal and sensitive information.
11. If and when, as part of their responsibilities, staff collect information about other people, they must comply with the DoH Data Protection guidance. No one should disclose personal information outside this guidance or use personal data held about others for their own purposes.
Third Party Users of Personal Departmental Information
12. Any third parties who are users of personal information supplied by the Department will be required to confirm and demonstrate that they will abide by the requirements of DPL. There will be an expectation that these parties will audit their compliance with DPL and will provide assurances to the Department in this respect.
13. Responsibilities regarding DPL compliance must be covered off as part of any contracts, Service Level Agreements (SLAs), Data Sharing/Access Agreements (DSAs) and MOUs with third parties. For futher guidance, staff should contact the DPO at DPO@health-ni.gov.uk.
Policy Awareness
14. A copy of this policy statement will be given to all new members of staff and interested third parties. Existing staff and any relevant third parties will be advised of the policy which will be posted on our Internet and Intranet sites, as will any subsequent revisions. All staff and relevant third parties must be familiar with and comply with this policy at all times.