Being transparent and providing accessible information to individuals about how NIAIC may use personal data is a key element of the Data Protection Act (DPA) and the EU General Data Protection Regulation (GDPR).
Data Controller Name:
Northern Ireland Adverse Incident Centre (NIAIC)
Address: Castle Buildings, Stormont BELFAST BT4 3SG
Telephone: 028 9052 3868
Data Protection Officer Name:
The NIAIC is committed to building trust and confidence in our ability to process your personal information.
The NIAIC will process your information to:
- to enable us to initiate a medical device or equipment manufacturer led investigation into the reported medical device or estates and facilities safety incident
- to inform the UK Competent Authority- the Medicines and healthcare Regulatory Agency (MHRA) about an adverse incident involving a medical device so as they can carry out their duties as the UK regulator for medical device safety
- to prevent reported incidents happening again and thereby improve patient safety
Description of our processing and our Lawful Basis for Processing
The following is a broad description of the way the NIAIC as a data controller processes personal information.
Data is received from a reporter, who may be a health professional or a private citizen, regarding an adverse incident with a medical device or estates and facilities equipment or plant. We process the data in the public interest so as to identify any possible learning from a suspected adverse incident that involved a medical device and thereby prevent reoccurrence and improve patient safety.
In processing the data the processing flow is as follows:
Reporter – NIAIC- MHRA- Device Manufacturer-NIAIC-Reporter.
Reporter – NIAIC- Equipment or Plant Manufacturer-NIAIC-Reporter.
For the NIAIC to process personal information we must have a lawful basis for doing so and at least one of the following must apply:
- Consent: an individual must give clear consent for us to process their personal data and then only for a specific purpose.
- Contract: the processing is necessary for a contract the Department has with an individual, or because they have asked the individual to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for the Department to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for the Department to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
The processing that the NIAIC carries out falls under item 5 above. Under the Health and Social Care Reform Act (2009) the Department has a duty to promote a system of healthcare designed to secure improvement in the treatment of illness. One of the ways the Department does this is by promoting the reporting and the investigation of adverse incidents involving a medical device or estates & facilities equipment and plant so as to identify learning and prevent possible reoccurrence of the incident.
Who’s personal information and what type of personal information do we process.
This information and data we process will include the following personal information:
For a Health Professional Reporter:
Name work email work address and work telephone number.
For a Private Individual Reporter:
Name, personal contact details including address (if provided), personal email address and contact telephone number.
Your personal data will be obtained from the completed adverse incident report form that you submit. We ask for these details so that we can acknowledge receipt of the report to you, enable organisations to get in touch if more information is needed in relation to any investigation and inform you of any outcome from the investigation Please note Incident report forms that are completed by health professionals should not include any patient identifiable information.
The information you provide will be kept safe, secure and confidential and will include the following personal details:
- Your name
- Personal email and contact telephone number
Who is the information shared with?
Personal information may be shared with other organisations, namely the MHRA, the medical device manufacturer and the health organisation where the incident occurred. The sharing of information is necessary so as the manufacturer and/or the MHRA can contact the reporter to seek additional information if required to help in any investigation. The health organisation is also informed so as they are aware of possible incidents involving a device, equipment or plant used or issued by them. In so doing we are required to comply with all aspects of the Data Protection Act (DPA) and GDPR.
The requirement to share any personal information from a private reporter will be assessed on a case by case basis. Private reporters personal data will not be passed to any organisation without your express permission or unless required by law. We aim to minimise the personal information that is shared and the instances of sharing information to only what is needed for the specific investigation.
It may sometimes be necessary to transfer personal information overseas. This may occur when a manufacturer contact is based in a country outside the EU. However any transfers must be made in full compliance with all aspects of the Data Protection Act and the General Data Protection Regulation (GDPR). Any transfers oversees are for the reason of processing for public interest covered under Article 49(1)(d) of the GDPR.
Retention of records
We will ensure that personal information is not retained for longer than necessary and have approved retention and disposal policies in place. The destruction of records is determined by the Department’s approved retention policy Good Management, Good Records (GMGR).
For incident reports from a healthcare professional that do not involve harm to a minor, records will be held for a period of ten years. Where an incident with a medical device involved harm to a minor, records will be retained for a period of 25 years. For incident reports completed by private reporters all records will be destroyed after one year and all personal data will be removed from the incident database upon closure of the incident.
What rights do you have?
- you have the right to obtain confirmation that your data is being processed, and access to your personal data
- you are entitled to have personal data rectified if it is inaccurate or incomplete
- you have a right to have personal data erased and to prevent processing, in specific circumstances
- you have the right to ‘block’ or suppress processing of personal data, in specific circumstances
- you have the right to data portability, in specific circumstances
- you have the right to object to the processing, in specific circumstances
- you have rights in relation to automated decision making and profiling
How to complain if you are not happy with how we process your personal information
If you are unhappy with any aspect of this privacy notice, or how your personal information is being processed in the operation of NIAIC then please contact the Department’s Data Protection Officer at the address above.
If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Tel: 0303 123 1113