Privacy Notice – BSO Clinical Education Centre


1. Introduction

The Business Services Organisation (BSO) has been established to provide a broad range of regional business support functions and specialist professional services to the health and social care sector in Northern Ireland. More detailed information about different aspects of our work can be found on our website. BSO recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. Key legislation includes:

  • the Data Protection Act 1998 (DPA)
  • the General Data Protection Regulations (GDPR)
  • the Access to Health Records (Northern Ireland) Order 1993 (AHR)
  • the Freedom of Information Act (2000) (FOI)
  • the Environmental Information Regulations (2004) (EIR)
  • the Human Rights Act 1998 (HRA)
  • relevant health service legislation, and the
  • common law duty of confidentiality
The Clinical Education Centre (CEC) is a unit within the Business Services Organisation (BSO)

2. Your Information

The Clinical Education Centre (CEC) uses personal information for a number of purposes. This Privacy Notice provides a summary of how we use your information. To ensure that we process your personal data fairly and lawfully we are required to inform you of:

  • What personal information we collect
  • Why we need your data
  • Who it will be shared with
  • How long it will be kept for
The Clinical Education Centre (CEC) is a unit within the Business Services Organisation (BSO)

2.1 What types of personal data do we handle?

The Clinical Education Centre process personal information in relation to course bookings. This information includes:

  • Names, addresses, telephone numbers and email addresses
  • Employment details
  • Attendance information (e.g. programmes attended and results)
  • Disability details (if applicable)
  • Dietary requirements

2.2 Why we need your data

When you book onto a CEC programme we will use your details to:

  • Deliver our contract to provide training to you;
  • Contact you with regard to any matter arising from your booking or attendance at our event;
  • Distribute a delegate list to teaching staff (this could be a member of CEC teaching staff or an external provider); and
  • To issue attendance reports to customers (i.e. monthly attendance reports are issued to SLA clients who are the 5 HSC Trusts, Northern Ireland Hospice and Southern Area Hospice).
  • From time to time an employer may request details of course attendance by their staff. We will disclose this information only where the employer has paid for the course or has allowed staff time to attend for this purpose.
  • CEC also use course booking information and online evaluation information (which includes your personal data) for quality assurance and management information purposes. This information is shared within HSC and with those parties who provide education on our behalf.
Information processed for the above purposes is therefore lawful under Article 6 of GDPR:
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Processing is necessary for compliance with a legal obligation

2.3 How will we use information about you?

CEC will use the above information to monitor trends and for the purpose of providing an efficient service, and for the purposes of analysing trends and organisational learning.


If you book a certificated/ accredited course (e.g. MAPA. KUF) we may need to pass on your details to the accrediting/endorsing bodies so they know you have attended through the CEC but also to check if you’re are eligible/required to sit their exams.

2.4 Sharing your information

In addition to the above, BSO/CEC may also be obliged to provide personal information to another statutory organisation (such as a Police Force, Health Regulator or Investigatory Body), or via a Court Order. Information processed for this purpose is therefore lawful under Articles 6(1)(c), 6(1)(d) and 6(1)(e) of GDPR:

  • 6(1)(c) – Processing is necessary for compliance with a legal obligation
  • 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
  • 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
In order to provide you with a good service, e.g. if you have special requirements, we may pass on your basic details to the course venue/course tutor but only to make your attendance as comfortable as possible. BSO will not sell, assign, disclose or rent your personal data to any other external organisation or individual.

2.5 Retaining Information

CEC will only retain information for as long as necessary, in line with the Department of Health (DoH) Good Management, Good Records (GMGR).


For further information, please refer to the following DoH link:

2.6 Right to be forgotten

Under GDPR, individuals have a right, in some circumstances, to have information held about them deleted. CEC will facilitate any requests to delete personal information held about an individual who has submitted a request under the above-mentioned disclosure legislation. Corporate Services will, however, retain an anonymised version of such requests in line with Section 2.5 (above).


Where information has been processed and/or shared information in line with Section 2.4 (above), CEC will not comply with a request for erasure as the information is being processed under Articles 6 of GDPR.

3. Security of your information

BSO is committed to taking all reasonable measures to ensure the security of all personal information it holds. The following arrangements are in place:

  1. All BSO staff have contractual obligations of confidentiality, enforceable through disciplinary procedures;
  2. Everyone working for the HSC is subject to the common law duty of confidentiality;
  3. Staff are granted access to personal data on a need-to-know basis only;
  4. BSO has appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a Personal Data Guardian (PDG) who is responsible for the management of employee and any patient information/confidentiality. Deputy SIROs have also been appointed in directorates and local Information Asset officers (IAOs) have been appointed as part of its Information Governance arrangements. BSO is also currently also considering the appointment of a Data Protection Officer (DPO);
  5. All staff are required to undertake information governance training every 2 years. The training provided ensures that staff are aware of their information governance responsibilities and follow best practice guidelines to ensure the necessary safeguards and appropriate use of personal information;
  6. A range of policies and procedures are in place
  7. CEC have in place a number of technical, physical and managerial procedures to safeguard and secure the information we collect.

4. Receiving Information

4.1 How can you access your personal information?

DPA and GDPR give you the right to access information that BSO holds about you. Subject Access Requests must be made in writing. You will need to provide:

  • adequate information (for example full name, address, date of birth) so that your identity can be verified and your information located
  • an indication of what information you are requesting to enable us to locate this in an efficient manner
BSO aims to comply with requests for access to personal data as quickly as possible, and normally within a calendar month of receipt unless there is a reason for delay that is justifiable under GDPR.


We want to make sure that your personal information is accurate and up to date. If you think any information is inaccurate or incorrect then please let us know.

4.2 Freedom of Information

The Freedom of Information Act 2000 provides any person with the right to obtain information held by BSO, subject to a number of exemptions.

4.3 Complaints about how we process your personal information

If you are dissatisfied with how BSO is, or has been, processing your personal information, you have the right to advise BSO of this in writing.

5. Contact Details

Any request for information, or complaints, should be submitted in writing. Contact details are as follows:

You may also submit requests or complaints to:
Corporate Services
6th Floor
2 Franklin Street
Belfast BT2 8DQ

6. Changes to our privacy notice

We keep our Privacy Notice under regular review and we will place any updates on this document.