Data Protection Policy


The South Eastern HSC Trust needs to collect and use personal information about people in order to operate. All individual staff members who access or use personal information must do so responsibly and in line with the legal requirements – the Data Protection Act 1998.

Failure by a staff member to comply with these requirements could result in disciplinary action, involvement of the PSNI, and in some cases, lead to potential criminal proceedings.

Understanding the relevant Trust policies, asking the right people for advice and taking personal responsibility for how you handle personal information, will help you to get it right and comply with Data Protection requirements within your day to day role in the Trust.


The Data Protection Act protects personal privacy and upholds individuals’ rights.


Yes! The Data Protection Act 1998 affects everyone who handles or has access to information about individuals. The Act also gives rights to the people the information is about.
By law, everyone in the workplace must follow the rules set out in the Act and help to protect individuals’ rights.


The Act helps make sure that information held on computer based systems and paper-based record systems is managed properly.
You must protect personal information by following the eight principles of The Data Protection Act 1998.


The Act is based on eight principles or rules for ‘good information handling’.

In summary, the data must be:

• Processed fairly and lawfully
• Processed for limited purposes and in an appropriate way
• Relevant and sufficient for the purpose
• Accurate and up to date
• Kept for as long as is necessary and no longer
• Processed in line with individuals’ rights
• Held securely
• Only transferred to other countries that have suitable data protection controls


Personal or sensitive information should always be kept secure,
whether paper or electronically held records.

Do not leave records unattended in areas where the public can access them.

If accessing electronic records on computer systems, angle the screen away from areas that are visited by non-Trust employees.

Don’t forget to activate your screen saver as soon as you plan to leave your work station (Ctrl + Alt + Del).


Using Trust systems gives you access to personal information
about many individuals.

Always log onto the network using your own username and password, but do not access information unless you have a legitimate business reason for doing so.

Remember it is a crime to access systems for your own purposes
e.g. Looking up a neighbor or relative’s test results, or your own!

Your logon details for Trust systems must not be disclosed
or shared with anyone else – it is your responsibility to keep them private!

There are easy, secure ways to give someone else access to your emails and files from their own account. Contact ICT for advice if you aren’t sure how.


Whilst technical controls are in place to help protect the network and information from malicious files or access, we also need you to be careful! Be extra cautious of suspicious emails or web links.

Even opening these emails or links can create problems that can lead to information being compromised.

Stay alert and report suspicious activity to the ICT Help Desk. The faster it is reported, the faster it can be dealt with.


Depending on your role, you may be required to handle enquiries or requests for personal information.

Did you know that you can breach the Data Protection Act if you give out information to someone who is not entitled to it?

Always check the person’s identity first and if you are unsure about
giving out the information, suggest they write in for it or take a number and call them back. Don’t let yourself be bullied or tricked into giving out the information – seek assistance from your line manager.

On those occasions where you need to leave a telephone message for someone on their home or mobile phone, leave your direct dial contact number and ask them to contact you – not the message itself.

Remember, the message could easily be picked up by someone else.


Social media offers a great way to communicate with friends, colleagues and other people, but there are risks and issues for both the individual and the Trust.

If you can be identified as a member of Trust staff when using social media, such as Facebook or Twitter, you must not mention any information relating to a patient/client.

Never post comments that others may find offensive, such as racist or sectarian remarks, or talk about the Trust or colleagues in a negative way.

This could result in disciplinary action being taken against you.

Always act in a professional and responsible way when using social media. If you don’t want your mother to see it, your manager to read it, or a newspaper to print it, then don’t post it.


When emailing sensitive or personal information to organisations external to the Trust, and who are not part of the HSCNI protected network, the data will be sent over the internet. Therefore, you must encrypt the information before sending.

Personal or sensitive information should never be emailed to your
home email account.

If you do work at home, request a secure access home working fob or access to FortiToken with the agreement of your manager. This will allow you to access your work computer at home (application form available on ICT portal).

When using Trust email, do not put a patient/client or staff name
in the ‘subject box’ of an email. Always check you have selected the correct person you intend the email to go to – one click and it is gone!


Electronic devices which are used to process personal or sensitive information must be securely erased before disposal or re-use. This includes devices like PC’s, laptops, mobile phones etc. and even some printers.

Using an authorised contractor means that the data is securely
erased and therefore sensitive information will be kept private and
not available on the internet!

Contact ICT Help Desk for advice on the correct disposal process
and authorized contractor(s).


Did you know that records are at their biggest risk when being transported outside the organisation?

‘Records’ also includes personal work diaries, reports, emails, correspondence, not just patient/client files.

The Trust Records Management Procedure requires records to be tracked out when they are ‘on the move’ and back in on their return.

On those occasions where you must take records home as part of
your job, put them in a ‘secure vessel’ (container or bag) and
place them in the boot of the car.

Remove the records into your home on arrival.

Beware! Never be tempted to leave records in your car overnight or leave them where they are visible – even for a short period.


1. Keep it secure
When handling personal or sensitive information, keep it secure, both during and after use. Never leave records, such as patient files, personal work diaries or appointment letters where they can be accessed or removed inappropriately.

2. A place for everything and everything in its place
If you write personal identifiable details, such as name, address,
date of birth, treatment etc. onto loose sheets of paper, this information belongs in the patient record or placed in the confidential waste, as appropriate, when no longer needed.

Loose sheets can be easily dropped or lost – would you like your sensitive information picked up by a member of the public?

If you discover personal information has been mis-filed into the wrong file, please notify your line manager.

3. Should I hand this information over?
Think! Before handing over personal or sensitive information just because someone has asked you for it.

Only staff who need the information for the purpose of their work, should have access to it.

Requests from patients/clients or staff, for information the Trust holds on them, must be made in writing to the Trust.

Contact the Information Governance Department for more information.

4. It only takes a moment
Some roles may involve handing a patient/client their own record, such as Antenatal Clinic appointments.

Always check it is the right file for the right patient. It only takes a moment and can avoid causing unnecessary distress to a patient/client.

5. Keep it current
Where possible, check that the patient/client address and contact number have not changed.

Personal information that is incorrect, inaccurate or out of date can result in delays to patient appointments or to sensitive information being opened by the wrong person. Help get it right every time!


As part of your job, you may need to send personal or sensitive information by post. Always write the full address. Do not be tempted to use abbreviations for Trust facilities, as this can be confusing.

Do you know what LAC or F&CC stands for? – Not everyone does!

If you post sensitive information outside the Trust, consider using an appropriate return address on the back of the envelope – this allows it to be returned if necessary and send via Special Delivery.


The Trust has a process for ensuring staff securely dispose of personal identifiable or business sensitive information appropriately. This is important so that the Trust can comply with its obligations under the Data Protection Act.

Disposing of this information into confidential waste bags helps ensure the information cannot be obtained or used inappropriately for identity theft and helps protect patients and staff members’ rights to privacy and confidentiality.

Confidential waste bags are located in every department across all Trust sites. You should retain the audit trail issued by the contractor.

You can also dispose of DVD’s/videos/laminates in a separate confidential waste bag, labelled appropriately. Remember to seal the bag promptly. Don’t leave the bags in corridors, foyers or hallways.


The Trust has a legal obligation to manage, retain and destroy its records in line with DHSS&PS guidelines.

There-fore all records within the Trust should be retained and destroyed in accordance with the Trust’s Retention and Disposal Schedule/Policy.

At time of publication, record disposal is now temporarily suspended due to the ongoing Historical Institutional Abuse Inquiry.


Personal/sensitive information should only be faxed in urgent cases, where there is no other suitable method of transferring the information.

A fax should never be sent just because it is the most convenient option.

Faxes containing personal/sensitive data, should be redacted (the personal identifiers removed) and the patient’s hospital number/unique identifying number and initials used instead. This helps keep the faxed information anonymous.

If you regularly fax to the same number, pre-programme this to reduce the risk of faxing to the wrong number.


If you are aware or suspect that a data breach has occurred, report it to your line manager immediately and complete a Trust incident form (IR1). The Trust’s Information Governance Department can be contacted for further advice and assistance.

If an electronic device has been lost or stolen, ensure the ICT Help Desk is notified immediately so that the device can be disabled and remotely wiped (where possible).

It is important the incident is appropriately dealt with as soon as possible, in order to minimize any potential distress to the people concerned.


The Freedom of Information (FOI) Act 2000 makes it easier for people to get information about the Trust. This law, which came into force on 1 January 2005, means that anyone, anywhere can ask for information we hold.

Under the Freedom of Information Act 2000, the Trust is legally committed to providing timely and accessible information to the public and responding to reasonable requests for information.

There are no time limits on how far back you can gain access to information, as long as we hold it on record.

If you are unsure about providing corporate information, contact the Information Governance.


For more information, contact:

The Information Governance Department
Lough House
Ards Community Hospital
Church Street
BT23 4AS

Tel: (028) 9151 2201


Scroll to Top