The Patient and Client Council (PCC), was established in 2009 as a powerful, independent voice for people in health and social care in Northern Ireland. More detailed information about different aspects of our work can be found on our website https://www.patientclientcouncil.hscni.net/
The PCC recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. Key legislation includes:
- the General Data Protection Regulations (GDPR);
- the Access to Health Records (Northern Ireland) Order 1993 (AHR);
- the Freedom of Information Act (2000) (FOI);
- the Environmental Information Regulations (2004) (EIR);
- the Human Rights Act 1998 (HRA);
- relevant health service legislation; and the
- common law duty of confidentiality.
2. Your Information
The PCC uses personal information for a number of purposes. This Privacy Notice provides a summary of how we use your information. To ensure that we process your personal data fairly and lawfully we are required to inform you of:
- What personal information we collect;
Why we need your data;
How it will be used;
Who it will be shared with; and
How long it will be kept for.
2.1 What types of personal data do we handle?
PCC holds personal data for our:
Personal data on clients is held in a confidential database. Each record includes the
- Date of contact;
- Client’s name and contact details;
- Details of their complaint;
- Summary of each contact made with the PCC; and
- Correspondence relating to the client’s complaint.
The PCC has a Membership Scheme that holds contact details of members including: name, address, postcode, gender, date of birth, telephone number and e-mail address.
Personal and Public Involvement (PPI) activity and Research work.
The PCC produces a business plan every year detailing areas of health and social care that we plan to engage with the public. These topic areas are informed by PCC members and staff as well as evidence gathered by the PCC.
To fulfil the PCC’s business objectives we run various projects every year, many of which will involve direct engagement with the public. Engagement often occurs through surveys, interviews, focus groups or panels and events. Data collected through our engagement may include: email address, name, address, postcode, contact details, gender and age as well as people’s views about and experience of a particular health and social care issue. Depending on the type of event, we may take photos or videos – invitees will be notified of this in advance.
2.2 Why we need your data
The PCC has the following statutory functions in relation to health and social care in Northern Ireland:
(a) representing the interests of the public;
(b) promoting involvement of the public;
(c) providing assistance (by way of representation or otherwise) to individuals making or intending to make a complaint relating to health and social care for which a body to which this section applies is responsible;
(d) promoting the provision by bodies to which this section applies of advice and information to the public about the design, commissioning and delivery of health and social care; and
(e) such other functions as may be prescribed.
Information processed for the above purposes is therefore lawful under Article 6(1) (c) of GDPR:
• 6(1)(c) – Processing is necessary for compliance with a legal obligation ie to fulfil our statutory functions above.
2.3 How will we use information about you?
A record of each complainant is required so that PCC staff can fully assist, advise and pursue the complaint through the HSC complaints procedure stages.
Data from complaints will be anonymised and used by staff to identify trends such as identifying problems with a particular service or geographical area. This information will be shared with HSC decision makers to highlight areas of concern.
On signing up to the PCC Membership Scheme all potential members are asked to give their consent for the PCC to hold their personal data. This data is used to communicate with members through, Updates, the Member’s newsletter and e zine. Where consent is given, the PCC will occasionally use text messaging to remind members of events.
Members’ data is ONLY shared outside of the organisation for communication purposes ie where a member’s contact information is shared with an external mailing company to issue the quarterly newsletter for the purposes of sending the mail. In addition, members’ details are also transmitted to the EmailCenter system for emailing/texting. The agreements in place with these communication companies do NOT allow them to use your information for any other purpose.
The information held on the database is used by the PCC to monitor membership numbers enabling the PCC to identify gaps and work towards a Membership Scheme that is reflective of the Northern Ireland population.
Personal and Pubic Involvement (PPI) activity and /Research work:
Data is collected from service users and carers in a number of ways:
- Surveys (online and on paper)
- Focus groups
- Case studies*
*case studies are a detailed analysis of one-to-one interviews and present the person’s story/experience of health and social care services as a whole.
**a panel is a small number people brought together to gain their views on a particular service connected to a specific medical condition e.g. diabetes and podiatry services. The people on the panel will be those affected by the condition and/or their carer.
As stated in Section 2.1 the PCC engages with the public on a wide variety of issues and this is often done through surveys, interviews, focus groups or panels and events. The data we collect through our engagement activities is analysed to identify trends, service area problems or gaps so that the PCC can give a collective patients’ voice and make recommendations to improve future services. The information obtained from the data collected is anonymised before it is included in a published report so that participants cannot be identified.
Sometimes one-to-one interviews are used as case studies. Often people’s stories are very detailed and may mean the person could be identified. Where this does occur, we will always ask for the participant’s consent to publish an anonymised version of their story. If the participant does not give consent the story will not be published.
Members of the public can comment on weekly blogs posted by the PCC. We need your name and email address should we need verify any content. Comments will be sent to an administrator for approval before being added to the website. Whilst your details are for our records only and will not be used for another purpose, you should not that your name will appear alongside your comment.
2.4 Sharing your information
The PCC may also be obliged to provide personal information to another statutory organisation (such as a Police Force, Health Regulator or Investigatory Body), or via a Court Order. Information processed for this purpose is therefore lawful under Articles 6(1)(c), 6(1)(d) and 6(1)(e) of GDPR:
- 6(1)(c) – Processing is necessary for compliance with a legal obligation
- 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
- 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
2.5 Retaining Information
The PCC will retain the following types of record which include personal data:
- Complaint’s records;
- Information gathered through engagement/research work; and
The PCC will only retain information in line with the Department of Health (DoH) Good Management, Good Records (GMGR).
Information relating to requests for disclosure (i.e. Subject Access, FOI or EIR requests) will be kept for up to 3 years after last action, in accordance with Section J28 of GMGR.
Members can cancel their membership at any time. In doing so, their name and contact details are removed from the database.
Please note that details of access decisions taken and any redacted versions of documents released, as well as statistical data about the number of requests and outcomes may be retained for up to 10 years in accordance with Section J28 of GMGR.
Information relating to complaints will be kept as follows, in accordance with Section B of GMGR:
- Enquiries which do not give rise to formal complaints – 3 years,
- Correspondence, investigation and outcomes – 10 years.
For further information, please refer to the following DoH link: https://www.health-ni.gov.uk/topics/good-management-good-records
2.6 Right to be forgotten
Under GDPR, individuals have a right, in some circumstances, to have information held about them deleted. PCC will facilitate any requests to delete personal information held about an individual who has submitted a request under the above-mentioned disclosure legislation. PCC will, however, retain an anonymised version of such requests in line with Section 2.5 (above).
Where information has been processed and/or shared in line with Section 2.4 (above), PCC will not comply with a request for erasure as the information is being processed under Articles 6(1)(c) and/or 6(1)(d) and/or 6(1)(e) of GDPR.
3. Freedom of Information (FOI)/Subject Access Requests (SAR)/Complaints about the PCC
Details of FOIs, SARs and complaints are held for the following purposes:
- to comply with requests;
- for analysing trends; and
- organisational learning.
In exercising its functions, the PCC will process information provided by individuals for the management of our services in the provision of information under disclosure legislation (e.g. SARs and FOIs), and in the management of complaints.
The PCC has a statutory obligation to provide personal information to an individual or an authorised third party acting on their behalf on receipt of a SAR. As a public authority, the PCC also has a responsibility to provide applicants with responses to FOIs. Applicant’s details (names, correspondence addresses) will be retained by the PCC in order to enable compliance with FOI.
PCC also has a duty to investigate and provide a response to any complaint it receives about any of its functions. Data is held for learning and reporting purposes.
Information processed for the above purposes is therefore lawful under Article 6(1)(c) of GDPR:
6(1)(c) – Processing is necessary for compliance with a legal obligation.
4. PCC Staff
The information Corporate Services holds about its staff in order to perform its function in managing staff includes:
- names, addresses, telephone numbers, e-mail addresses;
- family details, for example next of kin details;
- employment details, for example, salary, HSC service information; sickness absence and other absence information; and
- details held in personnel files.
For further information staff should refer to a specific privacy notice developed for staff on the PCC web site.
5.0 Security of your information
PCC is committed to taking all reasonable measures to ensure the security of all personal information it holds. The following arrangements are in place:
a. All PCC staff have contractual obligations of confidentiality, enforceable through disciplinary procedures;
b. Everyone working for HSC is subject to the common law duty of confidentiality;
c. Staff are granted access to personal data on a need-to-know basis only;
d. PCC has appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a Personal Data Guardian (PDG) who is responsible for the management of employee and any patient information/confidentiality. Local Information Asset officers (IAOs) have been appointed as part of the PCC’s Information Governance arrangements. The Business Services Organisation and the PCC have also appointed a Data Protection Officer (DPO) which is partly funded by the PCC;
e. All staff are required to undertake information governance training every 2 years. The training provided ensures that staff are aware of their information governance responsibilities and follow best practice guidelines to ensure the necessary safeguards and appropriate use of personal information;
f. A range of policies and procedures are in place.
g. Anti-malware and anti-spam software which up to now, has a 100% success rate against ransonware including Wannacry, has been deployed to the PCC desktops, laptops and tablets.
6.0 Receiving Information
6.1 How can you get access to your personal information?
DPA and GDPR give you the right to access information that PCC holds about you. SARs must be made in writing. You will need to provide:
adequate information (for example full name, address, date of birth) so that your identity can be verified and your information located
an indication of what information you are requesting to enable us to locate it in an efficient manner
PCC aims to comply with requests for access to personal data as quickly as possible, and normally within a calendar month of receipt unless there is a reason for delay that is justifiable under GDPR.
We want to make sure that your personal information is accurate and up to date. If you think any information is inaccurate or incorrect then please let us know.
6.2 Freedom of Information
The Freedom of Information Act 2000 provides any person with the right to obtain information held by PCC, subject to a number of exemptions. Further information can be found at the Information Commissioners Office – https://ico.org.uk/media/for-organisations/documents/1213/personal-information-section-40-and-regulation-13-foia-and-eir-guidance.pdf
6.3 Complaints about how we process your personal information
If you are dissatisfied with how PCC is, or has been, processing your personal information, you have the right to advise PCC of this in writing.
You also have the option of making a complaint directly to the Information Commissioner’s Office (ICO) details below:
The Information Commissioner’s Office – Northern Ireland 3rd Floor 14 Cromac Place, Belfast BT7 2JB Telephone: 028 9027 8757 / 0303 123 1114 Email: firstname.lastname@example.org
7.0 Contact Details
Any request for information, or complaints, should be submitted in writing. Contact details are as follows:
Head of Development and Corporate Services
Patient and Client Council
8.0 Changes to our privacy notice
We keep our Privacy Notice under regular review and we will place any updates on this document.