Privacy Notice – BSO Clinical Education Centre
The Business Services Organisation (BSO) has been established to provide a broad range of regional business support functions and specialist professional services to the health and social care sector in Northern Ireland. More detailed information about different aspects of our work can be found on our website. http://www.hscbusiness.hscni.net/ BSO recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. Key legislation includes:
- the Data Protection Act 1998 (DPA)
- the General Data Protection Regulations (GDPR)
- the Access to Health Records (Northern Ireland) Order 1993 (AHR)
- the Freedom of Information Act (2000) (FOI)
- the Environmental Information Regulations (2004) (EIR)
- the Human Rights Act 1998 (HRA)
- relevant health service legislation, and the
- common law duty of confidentiality
2. Your Information
The Clinical Education Centre (CEC) uses personal information for a number of purposes. This Privacy Notice provides a summary of how we use your information. To ensure that we process your personal data fairly and lawfully we are required to inform you of:
- What personal information we collect
- Why we need your data
- Who it will be shared with
- How long it will be kept for
2.1 What types of personal data do we handle?
The Clinical Education Centre process personal information in relation to course bookings. This information includes:
- Names, addresses, telephone numbers and email addresses
- Employment details
- Attendance information (e.g. programmes attended and results)
- Disability details (if applicable)
- Dietary requirements
2.2 Why we need your data
When you book onto a CEC programme we will use your details to:
- Deliver our contract to provide training to you;
- Contact you with regard to any matter arising from your booking or attendance at our event;
- Distribute a delegate list to teaching staff (this could be a member of CEC teaching staff or an external provider); and
- To issue attendance reports to customers (i.e. monthly attendance reports are issued to SLA clients who are the 5 HSC Trusts, Northern Ireland Hospice and Southern Area Hospice).
- From time to time an employer may request details of course attendance by their staff. We will disclose this information only where the employer has paid for the course or has allowed staff time to attend for this purpose. This may, for example, include a request from a line manager (or senior member of staff) to provide all training attended by a member of staff.
- CEC also use course booking information and online evaluation information (which includes your personal data) for quality assurance and management information purposes. This information is shared within HSC and with those parties who provide education on our behalf.
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation
- processing is necessary for the performance of a task carried out in the public interest
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
2.3 How will we use information about you?
CEC will use the above information to monitor trends and for the purpose of providing an efficient service.
If a programme is subject to licence / accreditation processes (for example Hanen, SOMM) we may need to pass your details on to the relevant accrediting/endorsing body. This may be done in advance, or after you attend the CEC programme.
On occasions we may contact everyone who has a profile on the CEC’s website. This will be to inform you of changes being made to the website. If you do not want to receive these emails please inform the CEC at the following email address: email@example.com.
2.4 Sharing your information
In addition to the above, BSO/CEC may also be obliged to provide personal information to another statutory organisation (such as a Police Force, Health Regulator or Investigatory Body), or via a Court Order. Information processed for this purpose is therefore lawful under Articles 6(1)(c) and 6(1)(e) of GDPR:
- 6(1)(c) – Processing is necessary for compliance with a legal obligation
- 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
2.5 Retaining Information
CEC will only retain information for as long as necessary, in line with the Department of Health (DoH) Good Management, Good Records (GMGR).
For further information, please refer to the following DoH link: https://www.health-ni.gov.uk/topics/good-management-good-records.
CEC training records are held for 10 years. Training records include attendance sheets, evaluations/feedback, training materials and training plans.
2.6 Right to be forgotten
Individuals have certain rights under GDPR, namely:
- The right to obtain confirmation that their personal information is being processed, and access to personal information
- the right to have personal information rectified if it is inaccurate or incomplete
- the right to have personal information erased and to prevent processing, in specific circumstances
- the right to ‘block’ or suppress processing of personal information, in specific circumstances
- the right to portability, in specific circumstances
- the right to object to the processing, in specific circumstances
- the rights in relation to automated decision making and profiling
Please click on the above links or refer to BSO’s Privacy Notice for further information.
3. Security of your information
BSO is committed to taking all reasonable measures to ensure the security of all personal information it holds. The following arrangements are in place:
- All BSO staff have contractual obligations of confidentiality, enforceable through disciplinary procedures;
- Everyone working for the HSC is subject to the common law duty of confidentiality;
- Staff are granted access to personal data on a need-to-know basis only;
- BSO has appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a Personal Data Guardian (PDG) who is responsible for the management of employee and any patient information/confidentiality. Deputy SIROs have also been appointed in directorates and local Information Asset officers (IAOs) have been appointed as part of its Information Governance arrangements. BSO is also currently also considering the appointment of a Data Protection Officer (DPO);
- All staff are required to undertake information governance training every 2 years. The training provided ensures that staff are aware of their information governance responsibilities and follow best practice guidelines to ensure the necessary safeguards and appropriate use of personal information;
- A range of policies and procedures are in place
- CEC have in place a number of technical, physical and managerial procedures to safeguard and secure the information we collect.
4. Receiving Information
4.1 How can you access your personal information?
DPA and GDPR give you the right to access information that BSO holds about you. Subject Access Requests must be made in writing. You will need to provide:
- adequate information (for example full name, address, date of birth) so that your identity can be verified and your information located
- an indication of what information you are requesting to enable us to locate this in an efficient manner
We want to make sure that your personal information is accurate and up to date. If you think any information is inaccurate or incorrect then please let us know. If you have a profile on the CEC website you can update your personal details by logging into your account.
4.2 Freedom of Information
The Freedom of Information Act 2000 provides any person with the right to obtain information held by BSO, subject to a number of exemptions.
4.3 Complaints about how we process your personal information
If you are dissatisfied with how BSO is, or has been, processing your personal information, you have the right to advise BSO of this in writing.
5. Contact Details
Any request for information, or complaints, should be submitted in writing. Contact details are as follows:
- Subject Access Requests: firstname.lastname@example.org
- Freedom of Information Requests: email@example.com
- Complaints: firstname.lastname@example.org
2 Franklin Street
Belfast BT2 8DQ
6. Changes to our privacy notice
We keep our Privacy Notice under regular review and we will place any updates on this document.