DoH Data Protection policy statement

The Department of Health (DoH) is fully committed to complying with the Data Protection Act 2018 (DPA) which came into force on 25 May 2018.


DoH will follow procedures to ensure that all employees, contractors, agents, consultants and other parties who have access to any personal information held by or on behalf of us are fully aware of and abide by their duties and responsibilities under the Act.

Statement of Policy

We need to collect and use information about people with whom we work in order to carry out our business and provide our services.  These may include members of the public, current, past and prospective employees, clients, customers and suppliers.  In addition, we may be required by law to collect and use information.  All personal information, whether in paper, electronic or any other format, must be handled and managed in accordance with the DPA.

Data Protection Principles

We fully support and comply with the UK General Data Protection Regulation (UKGDPR) and the six principles of the Data Protection Act.  In summary, this means personal information must be:

(i) processed fairly and lawfully and in a transparent manner

(ii) collected for specified, explicit and legitimate purposes

(iii) adequate, relevant and limited to what is necessary

(iv) accurate and where necessary kept up to date

(v) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed

(vi) processed in a manner that ensures appropriate security of the personal data

Accountability is central to UKGDPR. Data Controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the regulator, the Information Commissioner’s Office (ICO).

Our purpose for holding personal information, along with a description of the categories of people and organisations to which we may disclose it, is included in the Department’s Privacy Notice.

Disclosure of Personal Information

Strict conditions apply to the disclosure of personal information both internally and externally.  We will not disclose personal information to any third party unless we believe it is lawful to do so.  Respect for confidentiality will be given where appropriate.  In certain circumstances, information relating to staff acting in a business capacity may be made available provided:

  • we are required by law to do so
  • the processing is necessary for the performance of a public task that the Department has a statutory power to carry out (see the Department's Public Task Statement)
  • the member of staff has consented to the disclosure
  • the information is in a form that does not identify individual employees

Handling of Personal Information

All staff will, through appropriate training and responsible management:

  • fully observe conditions regarding the fair collection and use of personal information
  • meet our legal obligations to specify the purposes for which personal information is gathered and used
  • collect and process appropriate personal information only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
  • ensure the accuracy and quality of personal information used
  • where possible pseudonymise or anonymise personal identifiers within information held
  • apply strict checks to determine the length of time personal information is held
  • ensure that the rights of people about whom information is held can be fully exercised under the Act
  • take appropriate technical and organisational security measures to safeguard personal information
  • be responsible for, and able to demonstrate, compliance with all of the above


DoH will ensure that:

  • an expert Data Protection Officer (DPO) is appointed within the Department who will have specific responsibilities for Data Protection, as set out in the NICS DPO Job Specification
  • our purposes for processing personal data are clearly set out in Departmental Privacy Notices
  • all Subject Access Requests (SARs) will be dealt with in accordance with the Data Protection Act and within the one month limit established by the Data Protection Act 2018.  For best practice the ICO have recommended that staff comply with requests for information within 28 calendar days
  • every 2 years staff are reminded of their obligations and provided with DPA-related online awareness training
  • everyone managing and handling personal information understands that they are directly and personally responsible for following good Data Protection practice
  • only staff who need access to personal information as part of their duties are authorised to do so
  • everyone managing and handling personal information is appropriately trained to do so
  • everyone managing and handling personal information is appropriately supervised
  • anyone wanting to make enquiries about handling personal information knows what to do
  • queries about handling personal information are promptly and courteously dealt with
  • methods of handling personal information are clearly described
  • a review and audit is made of the way personal information is managed
  • methods of handling personal information are regularly assessed and evaluated
  • a Departmental Information Asset Register (IAR) is maintained to record what personal information assets are held, how they are processed, maintained and managed

To assist in achieving compliance, we have:

  • appointed a Senior Information Risk Owner (SIRO) with overall responsibility for Data Protection within the organisation
  • appointed a Departmental Data Protection Officer (DPO) responsible for monitoring compliance; providing advice and guidance; dealing with escalated complaints from data subjects; liaising with the ICO and Departmental Solicitors on data protection issues
  • appointed Information Asset Owners (IAOs) at Head of Branch level who are responsible for managing their personal information assets locally and ensuring that staff adhere to this policy and undertake relevant training and awareness
  • created a Data Protection Staff Manual providing detailed guidance on Departmental data protection procedures
  • appointed Local Information Managers (LIMs)/Data Protection Liaison Officers (DPLOs) in each of the Directorates to assist staff compliance with the data protection principles and adherence to the Staff Manual


[1] Please note the DPA Staff Manual is currently under review by IMB to ensure it complies with the DPA 2018, which received Royal Assent 23 May 2018. If staff have any queries regarding any aspect of DPA they should contact IMB.

Staff Responsibilities

All staff have a responsibility to protect the personal information held by the Department.  They will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:

  • they are appropriately trained in the handling of personal information
  • paper and electronic records or documents containing personal/sensitive data are kept securely
  • personal data held on computers, mobile devices and computer systems is protected by individual strong passwords which, where possible, are subject to forced periodic changes. Access controls should also be placed on electronic records containing personal and sensitive information

If and when, as part of their responsibilities, staff collect information about other people, they must comply with the guidance set out in our Data Protection Staff Manual.  No one should disclose personal information outside this guidance or use personal data held about others for their own purposes.

Third Party Users of Personal Departmental Information

Any third parties who are users of personal information supplied by the Department will be required to confirm and demonstrate that they will abide by the requirements of the Act.  There will be an expectation that these parties will audit their compliance with the DPA and will provide assurances to the Department in this respect.

Responsibilities regarding DPA compliance must be covered off as part of any contracts, Service Level Agreements (SLAs), Data Sharing/Access Agreements (DSAs) and MOUs with third parties.

Policy Awareness

A copy of this policy statement will be given to all new members of staff and interested third parties.  Existing staff and any relevant third parties will be advised of the policy which will be posted on our Internet and Intranet sites, as will any subsequent revisions.  All staff and relevant third parties must be familiar with and comply with this policy at all times.
