Data Controller Name: Department of Health (DoH)
BELFAST BT4 3SQ
Telephone: 028 9052 0500
Data Protection Officer Name: Charlene McQuillan
Description of our processing
The following is a broad description of the way the Department as a data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any specific privacy notices the organisation has provided, or contact the organisation to ask about your personal circumstances.
For the Department to process personal information we must have a lawful basis for doing so and at least one of the following must apply:
1. Consent: an individual must give clear consent for us to process their personal data and then only for a specific purpose
2. Contract: the processing is necessary for a contract the Department has with an individual, or because they have asked the individual to take specific steps before entering into a contract
3. Legal obligation: the processing is necessary for the Department to comply with the law (not including contractual obligations)
4. Vital interests: the processing is necessary to protect someone’s life
5. Public task: the processing is necessary for the Department to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law
The processing that the Department carries out is most likely to fall under 3 and 5 above.
Why we might need to process your information
- To enable us to respond to correspondence about health and social care services users
- When making public appointments
- To carry out data matching under the national fraud initiative
- For the investigation, regulation and enforcement of illegal activities involving medicines and their availability, manufacture, import, sale and supply
- Health and social care related research purposes
- For the production of official statistics
- Supporting and managing our employees
- Maintaining our accounts and records
- The use of CCTV systems for crime prevention
- For official communications and publicity materials
What types of personal information we process
We process information relevant to the above reasons/purposes. This may include:
- personal details
- family details
- education, training and employment details
- financial details
- goods and services
- lifestyle and social circumstances
- visual images, personal appearance and behaviour
- details held in the patient’s record
- responses to surveys
We also process sensitive classes of information that may include:
- racial and ethnic origin
- offences and alleged offences
- criminal proceedings, outcomes and sentences
- trade union membership
- physical or mental health details
- religious or similar beliefs
- sexual life
Who is the information processed about?
We process personal information about:
- you as a Health and Social Care (HSC) service user
- survey respondents
- professional experts and consultants
- individuals captured by CCTV images
Who is the information shared with?
We sometimes need to share the personal information we process with the individuals themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA).
The types of organisations we may need to share personal information we process with, for one or more reasons.
Where necessary, or required, we may share information with other organisations for the reasons included above in the ‘Why we might need to process your information’ section. Some examples of the organisations we may have to share your information with include:
- HSC Service Providers
- family, associates and representatives of the person whose personal data we are processing
- current, past or potential employers
- healthcare, social and welfare organisations
- suppliers, service providers, legal representatives
- auditors and audit bodies
- educators and examining bodies
- survey and research organisations
- people making an enquiry or complaint
- financial organisations
- professional advisers and consultants
- business associates
- police forces
- security organisations
- central and local government
- voluntary and charitable organisations
- Northern Ireland Fire and Rescue Service (NIFRS)
We may need to share information with these organisations for more than one reason and not all your personal information may need to be shared each time. We aim to minimise the personal information shared and the instances of sharing to what is needed for the specific purpose and in line with the Data Protection Act.
It may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. However, any transfers must be made in full compliance with all aspects of the Data Protection Act.
Retention of records
The Department will ensure compliance with Article 5(d) of GDPR which requires that personal data is erased without delay when no longer required. Effective management of records from when they are created, how they are stored and used, through to their disposal or archive is in place. The destruction of records is determined by the Department’s approved retention policy Good Management, Good Records (GMGR).
What rights do you have?
- You have the right to obtain confirmation that your data is being processed, and access to your personal data
- You are entitled to have personal data rectified if it is inaccurate or incomplete
- You have a right to have personal data erased and to prevent processing, in specific circumstances
- You have the right to ‘block’ or suppress processing of personal data, in specific circumstances
- You have the right to data portability, in specific circumstances
- You have the right to object to the processing, in specific circumstances
- You have rights in relation to automated decision making and profiling
How to complain if you are not happy with how we process your personal information
If you are unhappy with any aspect of this privacy notice, or how your personal information is being processed, please contact the Department’s Data Protection Officer at the address above.
If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Tel: 0303 123 1113
 personal data shall be: d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay