Data Protection Statement


May 2018


1.                  Introduction
The Northern Ireland Social Care Council (NISCC) is the regulatory body for the social care workforce in Northern Ireland.  Its role is to register social workers, social care workers and those studying for the Degree in Social Work; to set standards for their training and practice and to support professional development across the workforce. 

NISCC is a non-departmental body sponsored by the Department of Health (NI) and was established under the Health and Personal Social Services Act (NI) 2001.  As a regulator of the social care workforce, NISCC must act in the public interest and maintain public trust and confidence in its system of regulation.  More detailed information about different aspects of our work can be found on our website. http://www.niscc.info

NISCC recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. Key legislation includes:

·         the General Data Protection Regulation 2016 (GDPR),

·         the Access to Health Records (Northern Ireland) Order 1993 (AHR)

·         the Freedom of Information Act (2000) (FOI),

·         the Environmental Information Regulations (2004) (EIR),

·         the Human Rights Act 1998 (HRA),

·         relevant health service legislation, and the

·         common law duty of confidentiality

 

2.                  Your Information
NISCC uses personal information for a number of purposes. This Privacy Notice provides a summary of how we use your information. To ensure that we process your personal data fairly and lawfully we are required to inform you of:

·         What personal information we collect

·         Why we need your data

·         How it will be used

·         Who it will be shared with

·         How long it will be kept for

 

2.1       What types of personal data do we handle?

NISCC process personal information in its regulatory function to register the workforce which includes:

·         registration application details for example, names, addresses, any declarations made, email addresses, contact phone numbers (including mobile numbers);

·         details of registrants’ employers including employment history;

·         registration fee payments;

·         qualifications and awards;

·         allegations against a registrant, including decisions made.

                NISCC also holds a Public Facing Register online.  The Register discloses the following information on the website in relation to registrants –

·         First name and surname;

·         Town of employment;

·         Registration number;

·         Part of Register;

·         Status of Registration;

·         Information regarding sanctions imposed.

In relation to Freedom of Information Requests (FOIs), Subject Access Requests (SARs) and Complaints.  The information NISCC may hold includes:

·         names, addresses, telephone numbers, e-mail addresses;

·         details of a complaint made and related correspondence;

·         details held in personnel files and on the ICT HR system.

 

2.2       Why we need your data
NISCC has a legal obligation to hold your personal data in order to ensure your registration with NISCC and has a legal obligation to investigate and respond to complaints it receives in relation to a registrant.  The Health and Personal Social Services Act (NI) provides the legal framework that allows NISCC to establish Rules to aid the processing of dealing with allegations of impaired fitness to practise.

NISCC also has a duty to investigate and provide a response to any complaint it receives about any of its functions. 

Information processed for the above purposes is therefore lawful under Article 6(1)(c) of GDPR:

·         6(1)(c) – Processing is necessary for compliance with a legal obligation

 

In keeping with legislative obligations requiring NISCC to ensure on-going high standards of conduct, practice and training, NISCC will periodically process the data of existing registrants to communicate and promote information regarding these topics.

Information processed for the above purposes is therefore lawful under Article 6(1)(e) of GDPR:

·         6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority

 

In keeping with our need to achieve the lawful business objectives of our organisation, NISCC will periodically process the data of existing registrants to communicate information related to NISCC operational objectives and activities, as-well-as important Social Care sector information.

Information processed for the above purposes is therefore lawful under Article 6(1)(f) of GDPR:

·         6(1)(f) – Processing is necessary under the Legitimate Interests of the Controller

For more information please refer to our ‘Legitimate Interest Statement’.

 

2.3       How will we use information about you?
NISCC will use your information to ensure a registrants ability to be fit to practice and be held on the register (and in turn the Public Facing Register).  We will also use your information to keep you and your employer informed about the status of your registration (and renewal fee) and your education and development.  We will use anonymous data to review our performance and business trends.

 

2.4       Sharing your information
NISCC may also be obliged to provide personal information to another statutory organisation (such as a Police Force, Health Regulator or Investigatory Body), or via a Court Order.  Information processed for this purpose is therefore lawful under Articles 6(1)(c) and 6(1)(e) of GDPR:

·         6(1)(c) – Processing is necessary for compliance with a legal obligation

·         6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

We may also share your personal information with appointed Committee panel members in the event of an allegation proceeding to that stage.  Details on what we disclose (and with whom) about registrants where an allegation has been made, or where such an allegation proceeds to a Fitness to Practise hearing is set out in our Disclosure Policy which can be found on our website.

 

2.5       Retaining Information

NISCC will only retain information for as long as necessary, in line with the Department of Health (DoH) Good Management, Good Records (GMGR).

For further information, please refer to the following DoH link:

https://www.health-ni.gov.uk/topics/good-management-good-records

 

3.                   Individual Rights
Individuals have certain rights under GDPR, namely:

·           The right to obtain confirmation that their personal information is being processed, and access to personal information

·           The right to have personal information rectified if it is inaccurate or incomplete

·           The right to have personal information erased and to prevent processing, in specific circumstances

·           The right to ‘block’ or suppress processing of personal information, in specific circumstances

·           The right to portability, in specific circumstances

·           The right to object to the processing, in specific circumstances

·           The rights in relation to automated decision making and profiling

 

4.                   Security of your information
NISCC is committed to taking all reasonable measures to ensure the security of all personal information it holds.  The following arrangements are in place:

a.                  All NISCC staff have contractual obligations of confidentiality, enforceable through disciplinary procedures;

b.                  Everyone working for NISCC is subject to the common law duty of confidentiality;

c.                   Staff are granted access to personal data on a need-to-know basis only;

d.                  NISCC has appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents. Local Information Asset officers (IAOs) have been appointed as part of its Information Governance arrangements. NISCC has also appointed a Data Protection Officer (DPO);

e.                  All staff are required to undertake information governance training every 2 years.  The training provided ensures that staff are aware of their information governance responsibilities and follow best practice guidelines to ensure the necessary safeguards and appropriate use of personal information;

f.                    A range of policies and procedures are in place

5.                  Receiving Information

 

5.1       How can you get access to your personal information?

GDPR gives you the right to access information that NISCC holds about you.  SARs must be made in writing.  You will need to provide:

·         adequate information (for example full name, address, date of birth) so that your identity can be verified and your information located

·         an indication of what information you are requesting to enable us to locate this in an efficient manner

NISCC aims to comply with requests for access to personal data as quickly as possible, and normally within a calendar month of receipt unless there is a reason for delay that is justifiable under GDPR.

We want to make sure that your personal information is accurate and up to date. If you think any information is inaccurate or incorrect then please let us know.

 

5.2       Freedom of Information
The Freedom of Information Act 2000 provides any person with the right to obtain information held by NISCC, subject to a number of exemptions.

 

5.3       Complaints about how we process your personal information

If you are dissatisfied with how NISCC is, or has been, processing your personal information, you have the right to advise NISCC of this in writing. 

 

6.                  Contact Details

Any request for information should be submitted in writing.  Contact details are as follows:

·         Subject Access Requests: dpa.bso@hscni.net

·         Freedom of Information Requests: foi.bso@hscni.net

 

You may also submit requests or complaints to:

Corporate Services

6th Floor

2 Franklin Street
Belfast
BT2 8DQ

 

            You may also contact the Data Protection Officer directly:

·           Email:       dpo.bso@hscni.net

·           Tel:           02895 363666

 

 

7.                   Changes to our privacy notice
NISCC will keep this Privacy Notice under regular review and will place any updates on this document.