Data Controller Name: Department of Health
Information and Analysis Directorate
BELFAST BT4 3SQ
Telephone: 028 9052 0500
Data Protection Officer Name: Charlene McQuillan
Who we are
IAD is responsible for compiling, processing, analysing, interpreting and disseminating a wide range of statistics covering health and social care.
The statisticians within IAD are outposted from the Northern Ireland Statistics & Research Agency (NISRA) and the statistics are produced in accordance with the pillars and principles set out in the Code of Practice for Statistics.
Being transparent and providing accessible information to individuals about how we may use personal data is a key element of the Data Protection Act (DPA) and the EU General Data Protection Regulation (GDPR). IAD staff recognise the importance of protecting personal and confidential information in all that we do and take care to ensure legal compliance.
This Privacy Notice gives more specific details on how IAD processes personal data on behalf of the Department.
Why does IAD process personal information and what is our lawful basis for processing?
IAD analyses a wide range of health and social care information to provide statistical analysis and advice to ministers, policy makers, commissioners of services, researchers, academia, special interest groups and the wider public. Data considered “Personal” is used for a number of functions as set out in Appendix 1.
The GDPR requires a lawful basis for processing personal data and in this case, Article 6(1)(e) applies:
“Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
In the case of special categories of data, Article 9(2)(j) applies:
“Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1).”
IAD processes information in order to fulfil its legal obligations, as well as obligations in the public interest. Specifically this is under:
For more detailed information on the personal information processed across IAD, please refer to Appendix 1.
Where do we get personal information from?
IAD receives personal information from a range of sources, namely:
- Health and social care (HSC) organisations
- other statutory bodies
- service users
- members of the public
How will we use personal information?
Datasets compiled by IAD are used as follows:
- to monitor progress towards outcomes including the publication of official statistics
- to monitor performance and funding
- to assist in developing and evaluating policy
- to identify and assist development of good practice; and
- to support research
This may include linking or combining the information with other data; for example, IAD links Children in Care data with DE data about the education of the children provided by their schools. This may also include linking the data through secure, anonymised means, with other datasets.
IAD will only use the identifiable aspects of the data to support the statistical and research processes required for any of the uses set out above, but will never use the identifiable aspects of the data nor process the data in such a way as to:
- affect any measures or decisions with respect to service users or their families; or
- identify any individual in any reports
For further information on how IAD processes personal information, please refer to Appendix 1.
Sharing personal information
We may sometimes need to share the personal information we process with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA).
For further information on the sharing of personal information across IAD, please refer to Appendix 1.
IAD will only retain information for as long as necessary, in line with the Department of Health’s (DoH) approved retention schedule - Good Management, Good Records (GMGR).
For further information, please refer to:
The Rights of the individual with respect to GDPR are set out in the DoH Privacy Notice.
Under the Act, you have rights in relation to the information IAD holds about you. You can request access to the personal information that IAD holds about you by making a subject access request (SAR). However, the Act does allow organisations to withhold access to personal data if they are held solely for statistics and research purposes. Details of personal information that IAD holds are set out in Appendix 1.
- You have the right to obtain confirmation that your data is being processed, and access to your personal data
- You are entitled to have personal data rectified if it is inaccurate or incomplete
- You have a right to have personal data erased and to prevent processing, in specific circumstances
- You have the right to ‘block’ or suppress processing of personal data, in specific circumstances
- You have the right to data portability, in specific circumstances
- You have the right to object to the processing, in specific circumstances
- You have rights in relation to automated decision making and profiling
Security of personal information
IAD is committed to taking all reasonable measures to ensure the security of all personal information it holds. The following arrangements are in place:
- All IAD staff have contractual obligations of confidentiality, enforceable through disciplinary procedures;
- All IAD statisticians adhere to the Code of Practice for Statistics, which includes data governance principles;
- Staff are granted access to personal information on a need-to-know basis only;
- The DoH has appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents;
- The DoH has appointed a Personal Data Guardian (PDG) who is responsible for ensuring confidentiality and security of service user information within the organisation;
- The DoH has also appointed a Data Protection Officer (DPO), who provides full authoritative advice and recommendations in the field of Data Protection and facilitates compliance with the Accountability requirement of GDPR;
- All staff are required to undertake information governance training every 2 years. The training provided ensures that staff are aware of their information governance responsibilities and follow best practice guidelines to ensure the necessary safeguards and appropriate use of personal information.
Personal information held by IAD will not be transferred or stored outside the UK. However, in the unlikely event that any transfers of this information must be made, they will be carried out in full compliance with all aspects of the Data Protection Act.
How to complain if you are not happy with how we process your personal information
If you are unhappy with any aspect of this privacy notice, or how your personal information is being processed, please contact the Department’s Data Protection Officer at the address above.
If you are still not happy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Tel: 0303 123 1113
Website: Information Commissioner's Office
Changes to our privacy notice
IAD will keep this privacy notice under regular review and will place any updates in this document. (Last updated May 2018)