Health and Social Care - Privacy Notice

The Department of Health and Social Care (DHSC) functions are primarily set out in the Manx Care Act 2021.

The duties and responsibilities of DHSC are:

• Promotion of comprehensive health and social care services
• Improvement in quality of services
• Promotion of autonomy
• Obtaining of appropriate advice
• Public involvement and consultation
• Promoting education and training (within health and social care)
• Reducing inequalities
• Candour (exercise of our functions in an open and transparent way)

Find out more about all our functions visiting DHSC's homepage. 

We respect an individual’s fundamental right to privacy and will only collect and use personal information when it is necessary and will do so in accordance with the Data Protection Legislation, the Human Rights Act 2001, the common law duty of confidentiality and in keeping with any relevant professional codes of conduct.

We use your personal information when we:

• Investigate complaints
• Undertake Regulatory functions under the Regulation & Inspection Team 
• Consult on future legislation, strategy or policy
• Deal with litigation or legal claims
• And our involvement with COVID-19

You can find out more about the use of your personal information by clicking on the links above. Our retention policy details how long we keep your personal information.

As from the 1 April 2021 the DHSC does not provide direct health or social care services and therefore does not hold or have any access to individual health or social care records.

You have certain rights when we use your personal information, including the right of access to that information.

If you would like access to your personal information, you can make a request:

• By emailing, or writing to our data protection officer
• By completing the online form
• Verbally to the data protection officer (but we recommend this is followed up in writing or by email)

You can also:

• Ask us to rectify inaccurate information.
• Ask us to stop processing information about you
• Ask us to erase personal data we hold about you
• Object to how we process your data.

No right is absolute and we may need to verify your identity.  More information about your rights can be found at: Your individual rights page.   

Cookies are small computer files that are used to track your use of a website. The DHSC website uses cookies; further information can be found on our Cookies page.

This privacy notice does not cover the links to other websites within this site. We encourage you to read the privacy statements on other websites you visit.

You can contact the DHSC’s data protection officer (DPO) if you need help with:

• understanding how we use your personal information,
• exercising your rights or
• making a complaint about the use of your personal information

Our DPO can be contacted as below:

We would like the opportunity to resolve any concerns before you take further action.

However, if we have been unable to do so, you have the right to make a complaint to the Information Commissioner’s office.

The Information Commissioner’s website contains general guidance about the data protection legislation, your rights, and how to make complaints to that office. Contact details for the Information Commissioner’s office are:

We keep our privacy notice under regular review. This privacy notice was last reviewed on 17 Janaury 2022

Isle of Man Freedom of Information Act 2015 ('FOIA')

The Freedom of Information Act 2015 (FOIA) gives Isle of Man residents a legally enforceable right to obtain access to information held by a Public Authority.

Find out more information on the FOIA including how to make a request to us. You can also use this link to view previous requests and their responses.

We are the controller for the personal data you provide to us when making a FOI request to the DHSC.

Legal basis for processing your information

Our legal basis for processing your information when you make a request is:

• Article 6(1)(c) Legal obligation of the Applied GDPR applies, that the processing is necessary for the Department to comply with the law (not including contractual obligations)
  
  
• Article 6(1)(e) Public Task of the Applied GDPR applies, that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

We need your information in order to process and respond to you directly about your request and in some cases we may request proof of residency so that we comply with the FOI legislation.

Sharing information

FOI requests have to be submitted on a form prescribed by the Chief Executive Officer in order to be valid and you can either submit a request using the form online or a paper version, which is available by contacting our Data Protection Officer (see below for contact details).

When we process your FOI request, we will use a system called iCaseworker which is administered by the Department of Home Affairs ('the processor'). This system stores information such as:

• Your name
• Your address
• Your telephone and email address
• Your company name, if you are requesting information on behalf of an organisation
• Your request – we do not recommend putting any personal information into your
  request, if you are not sure what to include in your request, please contact us on dhscicaseworkfoi@gov.im for assistance
• If requested proof of residency from you 

Only authorised staff from our Department can access your information and the processor (Department of Home Affairs - DHA) will only access your information on our written instructions. Details of their privacy notice can be found on DHA's website.

If you have been unhappy with a response we have provided and have exhausted our complaints procedure, you may complain about your request to the Information Commissioner's Office. In this case we will need to share information such as emails we have sent or received from you with them so that they can investigate the complaint.

Storing your information

Your personal information will be held in iCaseworker for 12 months after we have closed your request. After this time, the request will remain on the system, but all your personal information you provided at the time of the request will be deleted.

Unauthorised access to FOI requests

The Information Commissioner has investigated incidents of unauthorised access by one government employee to FOI requests during the period 1 April 2022 to 22 March 2023, which includes some requests that were submitted to Manx Care. If you are concerned that you may be affected by this, you can contact our Data Protection Officer for further information, the contact details are given below.

The Information Commissioner’s Office issued a news release on the 19 June 2023.

Your rights

Under Article 6(1)(c) data subjects have the right to:

• Be informed
• Right to access
• Right to rectification
• Right to restrict processing

The following rights do not apply:

• Right to erasure
• Right to portability
• Right to object

The following right is not applicable:

Right to be informed of automated decision making including profiling.

Data Protection Officer

If you have any questions about how we process your personal information, you can speak to our Data Protection Officer regarding your rights.

Email: DPO-DHSC@gov.im

Phone: +44 1624 685013

In writing to: 

Data Protection Officer,
Department of Health and Social Care,
1st Floor Belgravia House,
Circular Road,
Douglas,
IM1 1AE

Details of rights under the data protection legislation can be found in our general privacy notice at DHSC Privacy Notice.

Additional information 

Isle of Man Government Freedom of Information

Freedom of Information Act 2015 - legislation

Information Commissioner’s Office – Freedom of Information guidance page

Consultation on developing a National Autism Strategy

The Department of Health and Social Care (DHSC) is writing a National Autism Strategy. This strategy will help us to improve the way we support our autistic population and their families, by making sure services are provided fairly, effectively, and where they will do the most good.

Why your views matter to us

We are asking these questions because we want to hear about the experiences, needs and values of autistic people of all ages (adults and children), so that we can better understand how to support you across the course of your life. If you are on the autism spectrum (or think you may be but haven't been diagnosed), we want to hear from you. We also want to hear from carers, family and friends of autistic people.

Your information that may be collected

It is up to you whether you want to complete a form or use the Consultation Hub and you can answer as many, or as few, questions as you want. If you are not comfortable answering a question, you can skip it. Any answers you give us are important to for us to understand your experiences, needs and concerns, why? Because we care about your care.

We may collect:

• Your age – in years
• Your gender identity
• Your learning disabilities or needs
• Whether you work or are in education
• Your living arrangements
• Whether you receive support services or want to access them
• Your experiences of life on the Isle of Man with autism
• Your opinions about improving life on the Isle of Man for autistic people

Consultation Hub

If you answer our questions on the consultation hub, you will be asked if you would like a copy of your answers and you will need to provide your email address if you do. When we receive your answers at the end of the consultation, we will delete your email address from the records to make sure the response is anonymous.

How long we will keep your information for

If you fill in a paper copy of the form, we will keep it for one month after the consultation has finished. This is so that we can enter your answers into the Consultation Hub and the form will be securely destroyed after this time.

The Consultation Hub is run by Cabinet Office and their privacy notice and retention schedules can be found on the hub's website.

Your answers will be combined with the other responses from the consultation and won't be linked to you, this is so we can fully understand all responses whilst also respecting your right to privacy.

To ensure we fully anonymise all responses we follow the guidance issued by the UK Information Commissioner: Anonymisation: Managing Data Protection Risk Code of Practice.

Your rights

If you have any questions about how we process your personal information, you can speak to our Data Protection Officer regarding your rights.

Email: DPO-DHSC@gov.im
Phone: +44 1624 685013

In writing to:

Data Protection Officer, Department of Health and Social Care, 1st Floor Belgravia House, Circular Road, Douglas, IM1 1AE

Details of rights under the data protection legislation can be found in our general privacy notice on this page.

Isle of Man Independent COVID Review

The Independent Isle of Man Covid Review is an in-depth analysis of the Government's handling of the pandemic, which was set up following Tynwald's decision that a review was required. The Review Team operates at arms' length from Government and all other institutions, and the Chair alone determines who to speak to, and what material to gather. The Review will look at a wide range of matters including border closures, business support, financial support for individuals, the vaccination programme, school closures and so on. 

The focus of the Independent Review is the Government response to the pandemic. In order to evaluate that response, the Review will want to hear about the effect of Government decisions on individuals, schools, businesses and others. 

This is an Independent Review and not a Statutory Inquiry. A Statutory Inquiry, also called a Public Inquiry, is a specific type of investigation set down under the Inquiries (Evidence) Act 2003. Reviews and Inquiries are both independent processes to investigate an event or situation.

Sharing information

The law which allows the Department to share information with Cabinet Office for the purpose of the Independent Review is the Council of Ministers Information and Assistance Direction 2022 (SD No. 2022/0350), this is our lawful basis. 

Article 6(1)(c) Legal obligation of the Applied GDPR applies, that the processing is necessary for the Department to comply with the law (not including contractual obligations).

Your rights

Under Article 6(1)(c) data subjects have the right to:

• Be informed
• Right to access
• Right to rectification
• Right to restrict processing

The following rights do not apply:

• Right to erasure
• Right to portability
• Right to object

The following right is not applicable:

• Right to be informed of automated decision making including profiling

Data Protection Officer

If you have any questions about how we process your personal information, you can speak to our Data Protection Officer regarding your rights.

Email: DPO-DHSC@gov.im
Phone: +44 1624 685013

In writing to:

Data Protection Officer, Department of Health and Social Care, 1st Floor Belgravia House, Circular Road, Douglas, IM1 1AE

Details of rights under the data protection legislation can be found in our general privacy notice on this page.

Additional information

You can find out more information from:

• Independent COVID review Isle of Man  website
• Isle of Man Government website - Independent review in to COVID-19
  
  

Registration under the Medicines Act 2003

Under the Medicines Act 2003, all persons or bodies corporate who are manufacturing, distributing and selling or supplying medicinal products are required to register with us, unless an exemption applies.

We hold, maintain and publish the following registers:

• Register of Manufacturers
• Register of Wholesale Dealers (distributors)
• Register of Pharmacy Premises

If you are a person or body corporate who imports medicinal products or places medicinal products on the market, you are also required to obtain a license issued under the Act from us to permit you to carry out this activity. Any information processed to enable the issue of licences is dealt with in the same way as for registration under the Act.

How to register with us

You can submit a new registration at any time during the year.

Renewal of Registration

Each year we will review the existing register and we will send out a renewal form to all those currently registered with an invoice for payment of annual fees and you will have 30 days to complete the form and make your payment.

Your information that may be collected

The information we collect and process will be used for:

• administration of the registration and renewal process
  
  
• communicating between the Department and the registered individual or corporate body
  
  
• arranging for any inspection of the registered premises
  
  
• ensuring compliance with the requirements of the legislation

So that we can process your new registration or renewal of an existing registration, the following information is required:

• The name of the individual or body corporate who wishes to register
  
  
• The business and / or trading name
  
  
• The name of the responsible person
  
  
• The professional and/or educational qualifications of the responsible person
  
  
• The address of the premises which are to be registered
  
  
• The name or the persons responsible for each of the premises registered
  
  
• The professional and/ or educational qualifications of the person responsible for each registered premises
  
  
• A description of the type of activity to be carried out by the registered individual or corporate body
  
  
• The contact details for the registered person or body corporate e.g. telephone and/or email

Payment information

We will ask our processor, Treasury, to raise invoices and process your payment on our behalf. To do that we will need to share some of the information provided during the registration process, such as the name of the individual or body corporate, the business address and what the invoice is for. We will only share the minimum amount of information required for them to carry out this task.

Once you have completed the renewal form and submitted your payment, Treasury will notify us to confirm the payment has been received and we will continue the registration process. We do not hold any of your banking or payment information such as bank details or any other personal information relating to payments.

Information published by the Department

When the registration or renewal process is complete, we will update and publish a register as required by the Act. The Register contains:

• The business name of the registered individual or body corporate
  
  
• The name of the responsible person for the business
  
  
• Address of the registered premises
• A description of the type of activity to be carried out by the registered individual or corporate body
  
  
• Name of the person responsible for each premises
  
  
• The business contact telephone number of the registered individual or body corporate

How long we will keep your information for

We will keep the information you have provided as part of the registration process for ten years. Once Treasury have confirmed your payment has been processed, we will securely destroy our copy of your invoice.

For invoices issued by the Treasury for fees paid for the registration of pharmacy premises these will be held in line with their Privacy Notice and retention policy.

Freedom of information

Sometimes the Department may need to disclose information under the laws covering access to information such as to requests for information made under the Freedom of Information Act. We can only disclose identifiable personal information where it is lawful, fair and in the public interest to do so.

Your rights

If you have any questions about how we process your personal information, you can speak to our Data Protection Officer regarding your rights.

Email: DPO-DHSC@gov.im
Phone: +44 1624 685013

In writing to:

Data Protection Officer, Department of Health and Social Care, 1st Floor Belgravia House, Circular Road, Douglas, IM1 1AE

Details of rights under the data protection legislation can be found in our general privacy notice on this page.

The Department of Health and Social Care (DHSC) manages the HCTP. Therefore Department of Health and Social Care is the Data Controller and responsible for your personal data. We recommend you take some time to read this Privacy Notice and if you do not agree to it, please do not provide us with your personal data.

This Privacy Notice provides information on how we collect and process your personal data when you participate in an online survey, workshop, face-to-face or remote interview to help us collect feedback and improve how health and care is delivered across the island.

When we collect your personal data, we will

• only collect what we need and no more
• keep your information secure
• tell you how we will use your information
• delete your information when it is no longer needed
• only process your information in line with rules set out in the Data Protection Legislation

What this privacy notice explains

• What information is collected and why
• Who is collecting it
• How it is collected
• Why it is being collected
• How it will be used
• How long it will be kept
• Who it will be shared with
• How that information will be kept secure
• International transfers
• Your rights, choices, including how to access and update information

If we decide to change our Privacy Policy we will post changes to this Privacy Notice. If you have any questions or comments on this Privacy Notice please email the DHSC Data Protection Officer.

Contact the Data Protection Officer for the DHSC

DPO, Department of Health and Social Care,
1st Floor Belgravia House,
Circular Road, Douglas,
IM1 1AE, Isle of Man

Email: DPO-DHSC@gov.im
Phone: +44 1624 685013

How and why we ask you to share your personal data

We collect and process information, including personal data, to help us collect and collate feedback from service users and care professionals to improve the quality and design of health and care services across the island. We have designed our interviews, workshops and surveys to collect as little personal identifiers as possible and we will aggregate the information you have disclosed to us into reports, which will remove all personal data.

We collect and process information, such as your contact details, for organisational purposes, to plan and schedule workshops, interviews and surveys.

We may also collect and process information that may be considered as sensitive, such as physical or mental health information, when you’ve explicitly agreed to do so. We use your personal data in line with the rules set out in the Data Protection Legislation for the following reasons:

• Where you have agreed to the collection
  
  
• To allow the HCTP to communicate with you, for organising interviews, surveys and workshops, or when you have requested to be contacted by ourteams

Our legal basis for processing your information

We will only process your personal data if there is a legal reason for us to do so. We may rely on:

• Your consent – if we rely on your consent to process your information you may withdraw your consent at any time by contacting the Data Protection Officer 
  
  
• The need to meet a request you have made to be contacted in relation to the HCTP, where applicable

When you decide to provide information that is considered sensitive to us, such as health or care information, we rely on your explicit consent to collect and process this information. This is purely voluntary and optional, and you will always have the choice not to disclose your sensitive information to us.

Types of personal data we collect about you

Depending on the Project, we may collect, use, store and transfer different kinds of personal data about you that you provide to us directly as follows:

• Contact information: Name, email address, telephone number
• Health or care information: Diagnosis, health history and past care received
• Other information: Feedback, comments, complaints
• Identification information: Name, title, profession, professional address

How long we keep your personal data

We will only keep your information for the minimum time necessary. This may be to:

• To respond to an enquiry from you
  
  
• To collect and process the information you have provided us with in your feedback through online surveys, interviews and workshops

How we keep your personal data secure

The security and confidentiality of your information is very important to us. We will ensure that:

• We put safeguards in place to make sure your personal data is kept securely
  
  
• We only hold your information in secure, private folders with access strictly limited only to authorised staff responsible for the analysis or use of your data
  
  
• We maintain security of the systems which hold personal data in line with ISO27001 standard
  
  
• We comply with the requirements of the PCI Security Standards Council

How we share your personal data

We may share your information:

• With or between other Government Departments, Boards and Offices to provide a service or information you have requested
  
  
• With our data processors, such as Microsoft, for collecting and processing your personal data

We will not sell to, or share, your personal data with other companies, organisations or individuals. Your personal data will not be disclosed to any other third party without your prior consent or where we are required to do so by law. When we share your personal data with third parties, we will always ensure that appropriate contractual provisions are in place to protect your rights.

Your legal rights

To ask if we hold personal data about you

You can ask to see what information we hold about you by submitting a Subject Access Request (SAR) to the Department of Health and Social Care Data Protection Officer (DPO).

To request access to your personal data

Under the Data Protection Legislation, you have a right of access to your personal data and to check the accuracy of that data by making a Subject Access Request.

A SAR is made by contacting the Data Protection Officer of the Department, Office or Board that collects the information. 

To make a request of your personal data, contact the DHSC DPO whose contact details appear at the beginning of this Privacy Notice.

We may apply a charge in certain circumstances. We will respond to your request promptly and in any event within a maximum of 1 month, unless your request is complex or excessive. Depending on the circumstances, we may either extend this period for further 2 months, or refuse to respond to your request. We will always inform you of the status of your request within 1 month of receipt.

To review your personal data and ensure it is accurate

Where possible we will provide you with access to the information we hold about you so that you can view this information and provide a means for you to have this information changed if it is not accurate. 

Alternatively, you can ask for the information we hold about you to be amended by making a request to the Department of Health and Social Care's Data Protection Officer.

To withdraw your consent

The participation in the HCTP is purely voluntary and we rely on your consent to process your personal data. If you decide to withdraw your consent and stop participating in the programme, please contact the Department of Health
and Social Care Data Protection Officer. 

Please note that once the data is aggregated into reports, it will no longer be identifiable and withdrawing your consent will not affect the personal data lawfully collected.

To remove your personal data

You can request to remove the personal data about you. If you wish to exercise this right, please contact the Department of Health and Social Care's Data Protection Officer. 

Please note that once the data is aggregated into reports, it will no longer be identifiable and requesting to remove your data will not affect data that has been already anonymised.

To make a complaint

If you are not happy about the way we have handled your personal data you can submit a complaint to the Department of Health and Social Care's Data Protection Officer who will work with you to resolve any issues. 

The Information Commissioner is the independent authority responsible for upholding the public's information rights, promoting as well as enforcing compliance with the Island's information rights legislation. Further information can be found on the Information Commissioner's website. 

You have the right to request the Information Commissioner to undertake an assessment as to whether the processing of your personal data has been carried out in accordance with the provisions of the Data Protection Legislation.

Contact details

To exercise any of your rights listed above, or for any query, please contact the Data Protection Officer whose contact details appear at the beginning of this Privacy Notice.

Will this privacy notice change

This Privacy Notice may change. We will not reduce your rights under this Privacy Notice without your consent. If any significant change is made to this Privacy Notice we will provide a prominent notice on this website so that you can review the updated Privacy Notice. 

This privacy notice was last updated in April 2024.