The following is a broad description of the way the Department as a data controller processes personal information

Being transparent and providing accessible information to individuals about how we may use personal data is a key element of the Data Protection Act (DPA) and the EU General Data Protection Regulation (GDPR). The Department of Health (DoH) is committed to building trust and confidence in our ability to process your personal information


Data Controller Name: Department of Health (DoH)
Castle Buildings

Telephone: 028 9052 0500


Data Protection Officer Name: Charlene McQuillan

Telephone: 02890522353


Description of our processing

The following is a broad description of the way the Department as a data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any specific privacy notices the organisation has provided, or contact the organisation to ask about your personal circumstances.

For the Department to process personal information we must have a lawful basis for doing so and at least one of the following must apply:

  1. Consent: an individual must give clear consent for us to process their personal data and then only for a specific purpose
  2. Contract: the processing is necessary for a contract the Department has with an individual, or because they have asked the individual to take specific steps before entering into a contract
  3. Legal obligation: the processing is necessary for the Department to comply with the law (not including contractual obligations)
  4. Vital interests: the processing is necessary to protect someone’s life
  5. Public task: the processing is necessary for the Department to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law

The processing that the Department carries out is most likely to fall under 3 and 5 above.

Why we might need to process your information

  • To enable us to respond to correspondence about health and social care services users
  • When making public appointments
  • To carry out data matching under the national fraud initiative
  • For the investigation, regulation and enforcement of illegal activities involving medicines and their availability, manufacture, import, sale and supply
  • Health and social care related research purposes
  • For the production of official statistics
  • Supporting and managing our employees
  • Maintaining our accounts and records
  • ​Financial forecasting, monitoring and planning
  • The use of CCTV systems for crime prevention and health and safety purposes
  • For official communications and publicity materials

What types of personal information we process

We process information relevant to the above reasons/purposes. This may include:

  • personal details
  • family details
  • education, training and employment details
  • financial details including employee salary details
  • goods and services
  • lifestyle and social circumstances
  • visual images, personal appearance and behaviour,
  • details held in the patients record
  • responses to surveys

We also process sensitive classes of information that may include:

  • racial and ethnic origin
  • offences and alleged offences
  • criminal proceedings, outcomes and sentences
  • trade union membership
  • physical or mental health details
  • religious or similar beliefs
  • sexual life

Who is the information processed about?

We process personal information about:

  • you as a Health and Social Care (HSC) service user
  • suppliers
  • employees
  • complainants
  • enquirers
  • survey respondents
  • professional experts and consultants
  • individuals captured by CCTV images

Who is the information shared with?

We sometimes need to share the personal information we process with the individuals themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA).

The types of organisations we may need to share personal information we process with, for one or more reasons.

Where necessary, or required, we may share information with other organisations for the reasons included above in the ‘Why we might need to process your information section’. Some examples of the organisations we may have to share your information with include:

  • HSC Service Providers
  • family, associates and representatives of the person whose personal data we are processing
  • staff
  • current, past or potential employers
  • healthcare social and welfare organisations
  • suppliers, service providers, legal representatives
  • auditors and audit bodies
  • educators and examining bodies
  • survey and research organisations
  • people making an enquiry or complaint
  • financial organisations
  • professional advisers and consultants
  • business associates
  • police forces
  • security organisations
  • central and local government
  • voluntary and charitable organisations
  • Northern Ireland Fire and Rescue Service (NIFRS)

We may need to share information with these organisations for more than one reason and not all your personal information may need to be shared each time.  We aim to minimise the personal information shared and the instances of sharing to what is needed for the specific purpose and in line with the Data Protection Act.


It may sometimes be necessary to transfer personal information overseas. When this is needed information may be transferred to countries or territories around the world. However any transfers must be made in full compliance with all aspects of the Data Protection Act.

Retention of records

The Department will ensure compliance with Article 5(d) of GDPR[1]  which requires that personal data is erased without delay when no longer required.  Effective management of records from when they are created, how they are stored and used, through to their disposal or archive is in place. The destruction of records is determined by the Department’s approved retention policy Good Management, Good Records (GMGR).

[1] personal data shall be: accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

DoH website and personal information

The DoH website uses leading technologies and encryption software to safeguard your data and keeps strict security standards to prevent any unauthorised access to it.

What information does the DoH website collect?

The Department collects three kinds of information from visitors to the website:

  • Feedback (through visitors emailing us);
  • Customer satisfaction surveys (via optional online surveys); and
  • Site usage information, using cookies and page tagging techniques including JavaScript.


If you email us from the DoH website, we will keep a record of your message for a maximum of three months after the conclusion of correspondence, for reference and audit purposes, after which it will be deleted.


This website and some of the tools and services we link to use cookies. You can find more information on these cookies on the following pages:

What happens when I link to another site?

This website contains links to other websites, both of government departments and other organisations. This privacy notice applies only to this site, so you should always be aware when you are moving to another site and read the privacy notice of any other site(s) which may collect personal information about you.

This website does not pass on to any other site any personal information you have given.

What happens when I come to this website site from another site?

Where you are directed to this website from another site (whether a third party site or a government site) we may receive personal information relating to you from the other site(s). You should read the privacy notices for these sites as these will govern the use of any personal information that you provide and which may then be provided to this website.

What rights do you have?

How to complain if you are not happy with how we process your personal information

If you are unhappy with any aspect of this privacy notice, or how your personal information is being processed, please contact the Department’s Data Protection Officer at the address above.

If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane

Tel: 0303 123 1113




Back to top