The Business Services Organisation (BSO) has been established to provide a broad range of regional business support functions and specialist professional services to the health and social care sector in Northern Ireland. More detailed information about different aspects of our work can be found on our website. http://www.hscbusiness.hscni.net/
BSO recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. Key legislation includes:
- the General Data Protection Regulation 2016 (GDPR),
- the Access to Health Records (Northern Ireland) Order 1993 (AHR)
- the Freedom of Information Act (2000) (FOI),
- the Environmental Information Regulations (2004) (EIR),
- the Human Rights Act 1998 (HRA),
- relevant health service legislation, and
- the common law duty of confidentiality.
The Clinical Education Centre (CEC) is a unit within the Business Services Organisation (BSO). BSO’s full Privacy Notice can be found here: http://www.hscbusiness.hscni.net
2. Your Information
The Clinical Education Centre (CEC) uses personal information for a number of purposes. This Privacy Notice provides a summary of how we use your information. To ensure that we process your personal data fairly and lawfully we are required to inform you of:
- What personal information we collect
- Why we need your data
- How it will be used
- Who it will be shared with
- How long it will be kept for
2.1 What types of personal data do we handle?
The Clinical Education Centre process personal information in relation to course bookings. This information includes:
- Names, addresses, telephone numbers and email addresses
- Employment details
- Attendance information (e.g. programmes attended and results)
- Disability details (if applicable)
- Dietary requirements
2.2 Why we need your data
When you book onto a CEC programme we will use your details to:
- Deliver training to you;
- Contact you with regard to any matter arising from your booking or attendance at our event;
- Distribute a delegate list to teaching staff (this could be a member of CEC teaching staff or an external provider); and
- Issue attendance reports to customers (i.e. monthly attendance reports are issued to SLA clients who are the 5 HSC Trusts, Northern Ireland Hospice and Southern Area Hospice).
- From time to time an employer may request details of course attendance by their staff. We will disclose this information only where the employer has paid for the course or has allowed staff time to attend for this purpose. This may, for example, include a request from a line manager (or senior member of staff) to provide all training attended by a member of staff.
- CEC also use course booking information and online evaluation information (which includes your personal data) for quality assurance and management information purposes. This information is shared within HSC and with those parties who provide education on our behalf.
Information processed for the above purposes is therefore lawful under Article 6 of GDPR:
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation
- processing is necessary for the performance of a task carried out in the public interest
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
2.3 How will we use information about you?
CEC will use the above information to monitor/analyse trends and for the purpose of organisational learning and providing an efficient service.
CEC may contact you to discuss something raised in an evaluation. This is to ensure learning and to improve our service.
If a programme is subject to licence / accreditation processes (for example Hanen, SOMM) we may need to pass your details on to the relevant accrediting/endorsing body. This may be done in advance, or after you attend the CEC programme.
Your information may need to be shared with third parties who are quality assuring/evaluating the provision of education delivered by CEC.
On occasions we may contact everyone who has a profile on the CEC’s website. If you do not want to receive these emails please inform the CEC at the following email address: Enquiries@cec.hscni.net
2.4 Sharing your information
In addition to the above, BSO/CEC may also be obliged to provide personal information to another statutory organisation (such as a Police Force, Health Regulator or Investigatory Body), or via a Court Order. Information processed for this purpose is therefore lawful under Articles 6(1)(c), 6(1)(d) and 6(1)(e) of GDPR:
- 6(1)(c) – Processing is necessary for compliance with a legal obligation
- 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
In order to provide you with a good service, e.g. if you have special requirements, we may pass on your basic details to the course venue/course tutor but only to make your attendance as comfortable as possible. BSO will not sell, assign, disclose or rent your personal data to any other external organisation or individual.
2.5 Retaining Information
CEC will only retain information for as long as necessary, in line with the Department of Health (DoH) Good Management, Good Records (GMGR). For further information, please refer to the following DoH link: https://www.health-ni.gov.uk/topics/good-management-good-records
CEC training records are held for 10 years. Training records include attendance sheets, evaluations/feedback, training materials and training plans.
2.6 Right to be forgotten
Individuals have certain rights under GDPR, namely:
- The right to obtain confirmation that their personal information is being processed, and access to personal information
- The right to have personal information rectified if it is inaccurate or incomplete
- The right to have personal information erased and to prevent processing, in specific circumstances
- The right to ‘block’ or suppress processing of personal information, in specific circumstances
- The right to portability, in specific circumstances
- The right to object to the processing, in specific circumstances
- The rights in relation to automated decision making and profiling
Please click on the above links or refer to BSO’s Privacy Notice for further information.
3. Security of your information
BSO is committed to taking all reasonable measures to ensure the security of all personal information it holds. The following arrangements are in place:
- All BSO staff have contractual obligations of confidentiality, enforceable through disciplinary procedures;
- Everyone working for the HSC is subject to the common law duty of confidentiality;
- Staff are granted access to personal data on a need-to-know basis only;
- BSO has appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a Personal Data Guardian (PDG) who is responsible for the management of employee and any patient information/confidentiality. Deputy SIROs have also been appointed in directorates and local Information Asset officers (IAOs) have been appointed as part of its Information Governance arrangements. BSO has also appointed a Data Protection Officer (DPO);
- All staff are required to undertake information governance training every 2 years. The training provided ensures that staff are aware of their information governance responsibilities and follow best practice guidelines to ensure the necessary safeguards and appropriate use of personal information;
- A range of policies and procedures are in place;
- CEC have in place a number of technical, physical and managerial procedures to safeguard and secure the information we collect.
4. Receiving Information
4.1 How can you access your personal information?
DPA and GDPR give you the right to access information that BSO holds about you. Subject Access Requests must be made in writing. You will need to provide:
- adequate information (for example full name, address, date of birth) so that your identity can be verified and your information located
- an indication of what information you are requesting to enable us to locate this in an efficient manner
BSO aims to comply with requests for access to personal data as quickly as possible, and normally within a calendar month of receipt unless there is a reason for delay that is justifiable under GDPR.
We want to make sure that your personal information is accurate and up to date. If you think any information is inaccurate or incorrect then please let us know. If you have a profile on the CEC website you can update your personal details by clicking on this link: http://cec.hscni.net/Account
4.2 Freedom of Information
The Freedom of Information Act 2000 provides any person with the right to obtain information held by BSO, subject to a number of exemptions.
4.3 Complaints about how we process your personal information
If you are dissatisfied with how BSO is, or has been, processing your personal information, you have the right to advise BSO of this in writing.
5. Contact Details
Any request for information, or complaints, should be submitted in writing. Contact details are as follows:
- Subject Access Requests: firstname.lastname@example.org
- Freedom of Information Requests: email@example.com
- Complaints: firstname.lastname@example.org
You may also submit requests or complaints to:
2 Franklin Street
You may also contact the Data Protection Officer for the BSO directly:
- Email: email@example.com
- Tel: 02895 363666
6. Changes to our privacy notice
We keep our Privacy Notice under regular review and we will place any updates on this document.