You are here: Home » Our Trust » Accessing information » Protecting and using your information

Protecting and using your information

In order for Northern Health and Social Care Trust (Northern Trust) to help provide a service for you we need to know some information about you. Personal information that we process about you is governed by Data Protection legislation.

Page contents

What information is collected?
What do we do with your information?
Who will my information be shared with?
How will it affect me if I do not want to provide information?
Security of your information and retention period
Keeping your information up to date
Your rights
How do I see my information?
Complying with legislation
Where can I find out more information?

What information is collected?

We only collect the information we need to. This will include your name, address, date of birth, contact details and relevant health and social care history; this may include information for the purposes of financial assessments. We may need to collect information about you from other people, for example, your family, carers, other health professionals, or if necessary, other external agencies.

Health and Social Care Staff involved in your treatment and care may also collect information from other health professionals and organisations in line with legislation and data sharing requirements. This could include:

Your GP
Community pharmacists
Government agencies – Police Service of Northern Ireland (PSNI), Probation Board Northern Ireland (PBNI), Northern Ireland Housing Executive (NIHE), NI Prison Service
Commissioned services – Nursing homes, residential homes, charities

This list is not exhaustive.

How is it collected?

Information you provide to us is recorded in your personal paper file and also on our computer systems. This can include information you provide in person, on an official form (either online or in paper form) by telephone, or by information recorded on CCTV cameras (including body worn cameras) that operate within the Trust.

What do we do with your information?

We collect this information to assist and treat you and plan healthcare services for you. Other reasons your information may be used include:

To communicate with you by post, email, phone or text. This is to provide information about your appointments and ongoing care e.g. texts to remind you about your appointment date and time. Should you wish to opt out of reminder texts then please contact the relevant booking office or inform the receptionists when you attend the clinic. The Trust may also communicate with you through MyCare, if you have the MyChart app downloaded (available from mobile device app stores)
Helping to review the care given to you to ensure it is of the highest standard. This is done through internal audits, service user/carer feedback evaluations or external inspections of our services
Training and educating staff or for audit purposes
For research purposes (with your consent)
Looking after the health and social welfare of the general public
Investigating complaints or legal claims
Preparing statistics on the Trust’s activity and performance
Providing anonymised data, for example to the Department of Health (DoH), the Public Health Agency (PHA) and the Strategic Planning and Performance Group of the Department of Health for the planning of services

We may also use data in conjunction with emerging technological advancements. Prior to the implementation or change to data processing, we will ensure due diligence is applied before commencement.

Who will my information be shared with?

To help us provide the best care or service for you, we may need to share your information with authorised individuals directly involved in your health and/or social care. Your relatives, friends and carers may be given information about you, but only if you agree, or in circumstances where it is necessary to ensure your health and wellbeing, or where there are safeguarding concerns.

Your information may also be used in a way that does not identify you, for example, to help identify trends such as increases in certain diseases.

Health and Social Care staff involved in your treatment and care may share information with each other about you only when necessary. This could include:

Family practitioner services
Inpatient hospital staff
Outpatient hospital staff
Community services staff

This could include:

Your GP
Pharmacists
Doctors
Nurses
Social workers
Allied Health Professionals, like physiotherapists, occupational therapists, health visitors and other Health and Social Care professionals
Health and Social Care administrative staff

Health and Social Care staff involved in your treatment and care may also share information with other organisations in line with legislation and data sharing requirements. This could include:

Regulators – Regulation and Quality Improvement Authority (RQIA)
Government Agencies – Police Service of Northern Ireland (PSNI), Driver and Vehicle Licensing Agency (DVLA), Probation Board Northern Ireland (PBNI), Northern Ireland Housing Executive (NIHE)
Commissioned services – Nursing homes, residential homes, charities
National Registries– National Cancer Registry, National Joint Registry
Independent service providers
Other Health and Social Care organisations – Public Health Agency (PHA), Business Services Organisation (BSO), Department of Health (DoH), Northern Ireland Ambulance Service (NIAS)

This list is not exhaustive.

All Health and Social Care staff are obliged within their contracts of employment, professional codes of conduct and by the common law Duty of Confidentiality to ensure that all personal data is treated with the highest possible levels of confidentiality. Contractors and agency staff are also bound by contractual confidentiality obligations in line with data protection legislation.

There may be occasions where your information can be shared with other organisations without your consent but this will only happen when it is:

Required by law for example
Required by a court order
Necessary to detect or prevent crime, including allegations or suspicions of fraud
Necessary to protect the public from serious harm, e.g. the protection of vulnerable adults or Children.
Required for monitoring certain health conditions, e.g. by the Public Health Agency (PHA) or Department of Health
Monitoring of deaths, for example – review of hospital deaths or for organ donation purposes
Necessary for the provision of services and information may be shared with other health providers contracted/sub contracted to provide care on our behalf, such as the independent sector who will help to address waiting lists.
Necessary to communicate with service users – information may be shared with third party organisations contracted/ sub contracted by the Trust who will send our correspondence via post or electronic methods.
Necessary to share with other organisations where information is shared as part of a statutory/lawful process.

How will it affect me if I do not want to provide information?

It is important to remember that the purpose of using your information is to provide you with safe, fast and effective care. Not providing information may have a significant effect on the appropriate care and protection that we and others provide to you.

Security of your information and retention period

At the Northern Trust, we take your privacy seriously. Staff will only access your information on a strict ‘need to know’ basis, or when they are involved in your period of care. All staff have a legal duty to keep your information safe and confidential, as does anyone who receives information about you from the Trust. In line with legislation, the Trust has a range of measures and strict standards to protect paper and electronically held information.

We will not transfer your data to other countries outside the UK without an appropriate lawful basis for doing so and the information having been secured in a way that safeguards it during and after transfer to the country receiving it.

We will retain your information in line with specific guidance issued by the Department of Health in Northern Ireland. The length of time we keep your information for will depend on the types of records created for your care. If you want to find out more about how long your records are retained, you can ask staff or view the Good Management, Good Records guidance on the Department of Health website.

Keeping your information up to date

It is very important that the information we hold about you is correct and up to date. You can help us to do that by telling us of any changes. Please tell us if you move house, change your GP, change your name or telephone number.

To update your name or address, please visit the Business Service Organisation website. Alternatively, you can update your information whenever you present for provision of care at any Trust site.

Your rights

Data Protection legislation gives you the right to request copies of the personal information the Northern Trust holds about you and a right to take action to correct any factually inaccurate information. You also have a right to take action if you feel you have suffered damage and distress due to the Trust’s use of your information. Visit the Information Commissioner’s Office website for more information about your rights under the UK General Data Protection Regulation (UKGDPR).

Under the Data Protection legislation, data subjects have the following rights with regards to their personal information:

The Right to be Informed

The Northern Trust issues certain information about our data processing activities that affect you. This information is provided in this Privacy Notice.

The Right of Access

The Northern Trust, as the data controller, must provide you with:

confirmation that your data is being processed
access to your personal data

For further information on how to make a Subject Access Request: Access to personal information – Northern Health and Social Care Trust.

The Right to Rectification

You can ask the Northern Trust to correct personal information it holds about you to ensure your data is factually accurate. Please note, this only applies to matters of fact and not professional opinions, such as medical diagnosis.

The Right to Erasure

You have the right (under certain circumstances) to ask for your personal data to be erased where:

your personal data is no longer necessary in relation to the purpose for which it was collected/processed
you object to the processing and there are no overriding legitimate grounds for the processing
your personal data was unlawfully processed or should be erased to comply with a legal obligation

The Northern Trust can refuse to erase your personal data where it is processed:

to comply with a legal obligation or for the performance of a task of public interest
for the exercise or defence of legal claims
for purposes relating to health and social care, medical diagnosis, preventative medicine, in the area of public health, archiving in the public interest, scientific/historic research or statistics

The Right to Restrict Processing

You have the right (under certain circumstances) to restrict the processing of personal data held by the Northern Trust where:

you have contested its factual accuracy
you have objected to the processing and the Northern Trust is considering whether they have a legitimate ground which overrides this
processing is unlawful
the Northern Trust no longer needs the data but you require it to establish, exercise or defend a legal claim

The Right to Data Portability

The right to data portability allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This enables you to obtain and reuse your personal data across different services.

The right to data portability only applies:

to personal data that an individual has personally provided to the Northern Trust
where the processing is based on consent or the performance of a contract
where processing is carried by automated means (i.e. excluding paper files)

The Right to Object

You have the right (in certain circumstances) to object to processing of your personal data.

You can also object if the processing is for:

a task carried out in the public interest
the exercise of official authority vested in the Northern Trust
the Northern Trust’s legitimate interests (or those of a third party)

The right to object is not absolute and you must give specific reasons why you are objecting to the processing of your data. Please be aware that the Northern Trust would be able to continue processing your personal data if:

we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual
the processing is for the establishment, exercise or defence of legal claims

Rights Relating to Automated Decision Making and Profiling

Automated decision-making takes place when an electronic system uses personal information to make decisions without human intervention.

At present, there are no fully automated decision making or profiling systems in use within the Northern Trust. This means that this right does not currently apply to any processing activities.

How do I see my information?

If you want to see the information we hold about you, or ask about how we use it, you can speak to the person in charge of your care or you can request a copy of your information. Further details are available on our website on how you can apply for a copy of your health and social care information.

Requests will be responded to as quickly as possible and usually within one month; however, the UKGDPR allows up to three months for providing a response to complex requests. Generally, there is no charge for copies of records except where the request is manifestly unfounded or excessive or is a repeat request.

There are occasions when other people have provided information relating to your care. In some cases, there may also be information in your notes about other people that is their personal information. We have a duty to keep certain information confidential and may not be able to share it with you.

Complying with legislation

The conditions that ensure that the Trust processes your personal information lawfully, fairly and in a transparent manner are set out in Article 6 and Article 9 of the UK General Data Protection Regulation. These conditions include, for example, complying with our legal obligations, to meet the vital interests of service users, for public health purposes and to fulfil our public duty to provide health and social care services and manage our systems.

Lawful Processing

To process personal data, the Northern Trust must have lawful grounds for processing as provided for in the UK GDPR.

The day-to-day processing of personal data relating to health care does not rely on consent. The most common lawful bases for processing in a health care setting are as follows:

Public Task in the Public Interest (Article 6(1)(e) UK GDPR)
Vital Interests (Article 6(1)(d) UK GDPR)

Under Article 9 of the UK GDPR, information specific to an individual’s health or social care treatment is categorised as “special category” data. This is afforded special protections under the legislation and an additional lawful basis is required for the processing of this data.

Collection of special category data in a health care setting commonly falls under one of the below Article 9 lawful bases:

Vital Interests (Article 9(2)(c) UK GDPR)
Public Interest (Article 9(2)(g) UK GDPR)
Provision of health or social care treatment or management of health and social care systems and services (Article 9(2)(h) UK GDPR)
Public Interest in the area of Public Health (Article 9(2)(i) UK GDPR)

Lawful Basis for Day-to-Day Service User Care

The Northern Trust collects your personal data in order to provide direct care and treatment. The lawful bases we use for this processing basis are:

Article 6(1)(e) Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.

The Public Task Function is outlined in the Health and Social Care (Reform) Act (NI) 2009.

Article 9(2)(h): The provision of health or social care or treatment or the management of health or social care systems and services.

Note: The Northern Trust may on occasion rely on Legitimate Interests as a lawful basis of processing when not performing ‘core tasks’. When we do this, we will undertake a legitimate interest test.

Where can I find out more information?

If you want to know more about how we use your information, if you are unhappy with any aspect about how we use your information or comply with your request, you can contact the Trust’s Data Protection Office at the following address: