Skip to Main Content Skip to Site Map Skip to Accessibility Statement

Privacy Policy

BSO recognises the importance of protecting personal and confidential information in all that we do and all that we direct or commission, and takes care to meet its legal duties. Key legislation includes:

  • The UK General Data Protection Regulation (UK GDPR),
  • The Data Protection Act 2018,
  • the Access to Health Records (Northern Ireland) Order 1993 (AHR)
  • the Freedom of Information Act (2000) (FOI),
  • the Environmental Information Regulations (2004) (EIR),
  • the Human Rights Act 1998 (HRA),
  • relevant health service legislation, and the
  • common law duty of confidentiality.

For more information read our  PDF Version of the BSO privacy notice

1. Introduction
The Business Services Organisation (BSO) has been established to provide a broad range of regional business support functions and specialist professional services to the health and social care sector in Northern Ireland. More detailed information about different aspects of our work can be found on our website. http://www.hscbusiness.hscni.net/
BSO recognises the importance of protecting personal and confidential information in all that we do and all that we direct or commission, and takes care to meet its legal duties. Key legislation includes: UK General Data Protection Regulation (UK GDPR) UK Data Protection Act (2018) the Access to Health Records (Northern Ireland) Order 1993 (AHR) the Freedom of Information Act (2000) (FOI), the Environmental Information Regulations (2004) (EIR), the Human Rights Act 1998 (HRA), relevant health service legislation, and the common law duty of confidentiality.

2. Personal Information
BSO uses personal information for a number of purposes. This privacy notice provides a summary of how we use this information. To ensure that we process personal information fairly and lawfully we are required to advise: What personal information we collect Why we need this information How it will be used With whom it will be shared How long it will be kept for

2.1 What types of personal information do we handle?
BSO processes a range of personal information across its different business units. The information that BSO may hold includes:
• names, addresses, telephone numbers, e-mail addresses
• family details, for example next of kin details
• employment details, for example, salary, HSC service information, sickness absence and other absence information
• details held in personnel files
BSO also processes ’special categories’ of information:
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic or biometric information
• information concerning health
• medical records (including mental health)
• social care records
• information concerning sexual life / sexual orientation

For further information on the personal information processed across BSO’s business units, please refer to Appendix 1 in the supporting doc.

2.2 Why we need personal information
BSO processes information in order to provide a range of statutory functions, and functions that are within the public interest. BSO also processes personal information for legitimate private interests.
For further information on the personal information processed across BSO’s business units, please refer to Appendix 1 in the supporting doc.

2.3 Where we get this information from
The BSO receives personal information from a range of sources, namely:
• other HSC organisations;
• other statutory bodies;
• staff;
• service users;
• members of the public.

2.4 How will we use personal information?
BSO processes information in order to fulfil its contractual and legal obligations, as well as obligations in the public interest.
For further information on how BSO processes personal information, please refer to Appendix 1 in the supporting doc.

2.5 Sharing personal information
BSO may also be obliged to provide personal information to another statutory organisation (such as a Police Force, Health Regulator or Investigatory Body), or via a Court Order. BSO may also share personal information obtained from clients with counsel, 3rd party solicitors, courts and experts in the course of managing legal issues, as part of legal processes.
For further information on the sharing of personal information across BSO’s business units, please refer to Appendix 1 in the supporting doc.

2.6 Retaining Information
BSO will only retain information for as long as necessary, in line with the Department of Health (DoH) Good Management, Good Records (GMGR).
For further information, please refer to the following DoH link: https://www.health-ni.gov.uk/topics/good-management-good-records

3. Individual Rights
Individuals have certain rights under GDPR, namely:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.
Further information on the above can be viewed via the Information Commissioner’s Office (ICO) website:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

4. Security of personal information
BSO is committed to taking all reasonable measures to ensure the security of all personal information it holds. The following arrangements are in place:
a. All BSO staff have contractual obligations of confidentiality, enforceable through disciplinary procedures;
b. Everyone working for the HSC is subject to the common law duty of confidentiality;
c. BSO solicitors are required to comply with a professional duty of confidentiality in accordance with law society regulations;
d. Staff are granted access to personal information on a need-to-know basis only;
e. BSO has appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents,
f. BSO has appointed a Personal Data Guardian (PDG) who is responsible for ensuring confidentiality and security of services user information within the organisation
g. BSO has also appointed a Data Protection Officer (DPO), who provides full authoritative advice and recommendations in the field of Data Protection and facilitates compliance with the Accountability requirement of GDPR;
h. All staff are required to undertake information governance training every 2 years. The training provided ensures that staff are aware of
their information governance responsibilities and follow best practice guidelines to ensure the necessary safeguards and appropriate use of personal information;
i. A range of policies and procedures are in place.

5. Access to information

5.1 Subject Access Requests (SARs)
GDPR gives individuals the right to access information that BSO holds about them by submitting a Subject Access Request (SAR). You will need to provide:
• adequate information (for example full name, address, date of birth) so that identity can be verified and information located
• an indication of what information is being requested, to enable BSO to locate this in an efficient manner
BSO aims to comply with requests for access to personal information as quickly as possible, and normally within a calendar month of receipt unless there is a reason for delay that is justifiable under GDPR.
We want to make sure that personal information is accurate and up to date. If you think any information is inaccurate or incorrect then please let us know.

5.2 Freedom of Information
The Freedom of Information Act 2000 provides any person with the right to obtain information held by BSO, subject to a number of exemptions.

5.3 Complaints about how we process personal information
If an individual is dissatisfied with how BSO is, or has been, processing their personal information, they have the right to advise BSO of this in writing.

6. Contact Details
SARs and complaints may be made in writing or verbally. Freedom of information requests must be made in writing. Contact details are as follows: Subject Access Requests: dpa.bso@hscni.net Freedom of Information Requests: foi.bso@hscni.net Complaints: complaints.bso@hscni.net
You may also submit requests or complaints to: Corporate Services
6th Floor
2 Franklin Street Belfast
BT2 8DQ

You may also contact the Data Protection Officer for the BSO directly: Email: dpo.bso@hscni.net
• Tel: 02895 363666

7. Changes to our privacy notice
BSO will keep this privacy notice under regular review and will place any updates on this document. For more information read our  PDF Version of the BSO privacy notice