Privacy notice - information and analysis directorate

Contacts

Data Contoller Name: Department of Health

Public Health Information and Resource Branch

Castle Buildings

Stormont

BELFAST BT4 3SQ

Telephone: 028 9052 0500

Email: webmaster@health-ni.gov.uk

Data Protection Officer Name: Charlene McQuillan

Telephone: 02890522353

Email: DPO@health-ni-gov.uk

Who we are

IAD is responsible for compiling, processing, analysing, interpreting and disseminating a wide range of statistics covering health and social care.

The statisticians within IAD are outposted from the Northern Ireland Statistics & Research Agency (NISRA) and the statistics are produced in accordance with the pillars and principles set out in the Code of Practice for Statistics.

Being transparent and providing accessible information to individuals about how we may use personal data is a key element of the Data Protection Act (DPA) and the EU General Data Protection Regulation (GDPR).  IAD staff recognise the importance of protecting personal and confidential information in all that we do and take care to ensure legal compliance.

This Privacy Notice gives more specific details on how IAD processes personal data on behalf of the Department.

Why does IAD process personal information and what is our lawful basis for processing?

IAD analyses a wide range of health and social care information to provide statistical analysis and advice to ministers, policy makers, and commissioners of services, researchers, academia, special interest groups and the wider public. Data considered “Personal” is used for a number of functions as set out in Appendix 1.

The GDPR requires a lawful basis for processing personal data and in this case, Article 6(1)(e) applies: 

"Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

In the case of special categories of data, Article 9(2)(j) applies:

“Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1).”

IAD processes information in order to fulfil its legal obligations, as well as obligations in the public interest.  Specifically this is under:

• The Health and Social Care (Reform) act (Northern Ireland) 2009, Section 2(2)

For more more detailed information on the personal information processed across IAD, please refer to Appendix 1.

Where do we get personal information from?

IAD receives personal information from a range of sources, namely:

• Health and social care (HSC) organisations
• other statutory bodies
• staff
• service users
• members of the public

How will we use personal information? 

Datasets compiled by IAD are used as follows:

• to monitor progress towards outcomes including the publication of official statistics
• to monitor performance and funding
• to assist in developing and evaluating policy
• to identify and assist development of good practice; and
• to support research

This may include linking or combining the information with other data, for example IAD link Children in Care data with DE data about the education of the children provided by their schools. This may also include linking the data through secure, anonymised means, with other datasets.

IAD will only use the identifiable aspects of the data to support the statistical and research processes required for any of the uses set out above, but will never use the identifiable aspects of the data nor process the data in such a way as to:

• affect any measures or decisions with respect to service users or their families; or
• identify any individual in any reports

For further information on how IAD processes personal information, please refer to Appendix 1.

Sharing personal information

We may sometimes need to share the personal information we process with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA).

For further information on the sharing of personal information across IAD, please refer to Appendix 1.

Retaining Information

IAD will only retain information for as long as necessary, in line with the Department of Health’s (DoH) approved retention scheduled - Good Management, Good Records (GMGR).

For further information, please refer to:

• Good management, good records

Individual Rights

The Rights of the individual with respect to GDPR are set out in the DoH Privacy Notice.

Under the Act, you have rights in relation to the information IAD holds about you. You can request access to the personal information that IAD holds about you by making a subject access request (SAR). However the Act does allow organisations to withhold access to personal data if they are held solely for statistics and research purposes. Details of personal information that IAD holds is set out in Appendix 1.

• You have the right to obtain confirmation that your data is being processed, and access to your personal data
• You are entitled to have personal data rectified if it is inaccurate or incomplete
• You have a right to have personal data erased and to prevent processing, in specific circumstances
• You have the right to ‘block’ or suppress processing of personal data, in specific circumstances
• You have the right to data portability, in specific circumstances
• You have the right to object to the processing, in specific circumstances
• You have rights in relation to automated decision making and profiling

Security of personal information

IAD is committed to taking all reasonable measures to ensure the security of all personal information it holds.  The following arrangements are in place:

• All IAD staff have contractual obligations of confidentiality, enforceable through disciplinary procedures;
• All IAD statisticians adhere to the Code of Practice for Statistics, which includes data governance principles;
• Staff are granted access to personal information on a need-to-know basis only;
• The DOH has appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents,
• The DoH  has appointed a Personal Data Guardian (PDG) who is responsible for ensuring confidentiality and security of services user information within the organisation;
• The DoH has also appointed a Data Protection Officer (DPO), who provides full authoritative advice and recommendations in the field of Data Protection and facilitates compliance with the Accountability requirement of GDPR;
• All staff are required to undertake information governance training every 2 years.  The training provided ensures that staff are aware of their information governance responsibilities and follow best practice guidelines to ensure the necessary safeguards and appropriate use of personal information.

Transfers

Personal information held by IAD will not be transferred or stored outside the UK. However if in the unlikely event that any transfers of this information must be made then they will be carried out in full compliance with all aspects of the Data Protection Act.

How to complain if you are not happy with how we process your personal information

If you are unhappy with any aspect of this privacy notice, or how your personal information is being processed, please contact the Department’s Data Protection Officer at the address above.

If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113

Email: casework@ico.org.uk

Website: Information Commissioner's Office

Changes to our privacy notice

IAD will keep this privacy notice under regular review and will place any updates on this document. (last Updated May 2018)