Manx Care Privacy Notice
This privacy notice explains what information Manx Care collects and what that information is used for.
Manx Care is committed to protecting your privacy and will only process personal confidential data in accordance with Data Protection Act 2018, the Data Protection (Application of GDPR) Order 2018, the Common Law Duty of Confidentiality and the Human Rights Act 2001
Who are we?
Manx Care is a data controller for the purposes of the Data Protection Act 2018 and the Data Protection (Application of GDPR) Order 2018 and the Data Protection (Application of LED) Order 2018, together with any regulations made under them (Manx Data Protection Legislation).
Manx Care is registered with the Information Commissioner’s Office. Our Register number is R002977 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
We provide a comprehensive range of vital health and social care services that contribute to the health and social care wellbeing of our citizens.
These services include:
- General Practitioner and Dental Services
- Community Healthcare
- Hospital Healthcare
- Mental Healthcare
- Social Services for Adults and for Children and Families
- Specialist off-Island Care
Lawful basis for processing your information
We will only process your personal data if a lawful basis exists. Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
We may rely on:
- Your consent – if we rely on your consent to process your data you may withdraw your consent at any time by contacting our Data Protection Officer (DPO)
(For example - if you have consented to participate in medical research)
- The need to meet a legal obligation in carrying out statutory government functions
(For example – to provide you with Health or Social Care intervention, which by law we are required to do)
- The need to meet a request you have made for information or a service
(For example – if you requested help and assistance with your children from the Children’s and Families Division)
- The need to prevent or investigate suspected or actual violations of law
(For example – to assist the IOM Police for the prevention or detection of crime)
- The need to protect the public interest
(For example – investigation of Adult or Children’s safeguarding issues)
The need to retain information for historical or archiving purposes by the Public Record Office under the Public Records Act 1999. For more information on retention by the Public Record Office
How your records are used to help you
We use your records to:
- provide a good basis for any care or advisory services we provide to you
- allow you to work with us when we provide care or advice
- make sure your care is safe and effective, and the advice we provide is appropriate and relevant to you
- work effectively with others providing you with care or advice and make sure that appropriate information is available if you see another Social Worker, Doctor, Nurse or an external Health and Social Care provider
- train and educate our health and social care professionals
It is very important for your care that your details are accurate and up to date so we will often check with you at appointments or visits that your personal details are correct.
Sharing your information
If you are receiving care services from us, we may share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, staff training, research, audit and public health.
We would never share information that identifies you unless we have a fair and lawful basis such as:
- You ask us to do so
- We ask and you give us specific permission to do so (consented)
- We have to do so by law (e.g. when sharing information with the police may prevent a serious crime, or prevent harm to you or other people)
- We have special permission because we believe that the reasons for sharing are so important that they override our obligation of confidentiality (e.g. when an infectious disease such as meningitis or measles may endanger the safety of others)
- To protect children and vulnerable adults (e.g. safeguarding)
- When a formal court order has been served upon us (e.g. the court orders us to release specific information)
Third parties that we may share your information with include; for example:
- UK NHS Trusts (if you are referred off island for specialist treatment)
- Veterans UK (if you have applied for a war pension through service injury)
- Law enforcement agencies (prevention or detection of crime)
- UK Office for National Statistics (ONS) (Public Health data sets)
- Other Health and Social Care Organisations involved in your direct care (GP’s)
- IOM Department of Health and Social Care (performance data)
- IOM Department of Education and Culture (school nurses or health visitors)
- Independent Review Body for Health and Social Services
- Mental Health Commission
- Local authorities (health assessments for alternative housing)
- Voluntary sector and contracted services
- Manx Care participates in a range of clinical outcome programmes under the management of HQIP
Why we collect information about you
We aim to provide you with the highest quality of care. To do this we must keep records about you and about the health and social care we have provided, or plan to provide to you. In order to provide care we are required to collect personal and sensitive personal data, for example as below:
Any information relating to an identified or identifiable natural person for example:
- Identifier (e.g. NHS Number, Hospital Number)
- Online identifier (e.g. IP address, email address)
- Or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (e.g. patient/service user)
Special Category Data
Data consisting of the following:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Data concerning health
- Data concerning a natural person's sex life or sexual orientation
How long we keep your information
We make every effort to keep all the personal data we hold secure, whether held electronically or as paper copies. We also ensure that only members of staff with a legitimate reason to access your information have permission to do so.
Your information will only be kept for a specific amount of time after which it will be securely destroyed.
Any enquiries should be made directly to the Data Protection Officer (details below).
The Isle of Man Public Record Office holds selected records of Isle of Man public authorities that are of long-term historic and cultural value, for permanent preservation.
Access to and the use of records at the Isle of Man Public Record Office is governed by legislation under the Public Records Act 1999 - more information on retention is available from the Public Record Office.
How we keep your information confidential
Everyone working for Manx Care has a legal duty to keep information about you secure and confidential and to make sure that anyone working with us also works to the same standards.
We follow the rules set out in the Data Protection Act 2018 and the Data Protection (Application of GDPR) Order 2018 and the Data Protection (Application of LED) Order 2018, together with any regulations made under them (Manx Data Protection Legislation) and in professional codes of conduct to keep your information safe.
We assess ourselves regularly to make sure that we follow good practice and that the latest security measures are in place.
Your information rights
You have rights regarding your information, these rights vary depending on our reason for using use personal information.
Your data protection rights are:
- Your right of access - You have the right to ask us for copies of your personal information
- Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete
- Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances
- Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances
- Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances
- Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances
If you wish to access your records, or exercise any other of your rights above, please contact the Data Protection Officer (DPO)
Contacting the Data Protection Officer
Contact details for our Data Protection Officer (DPO) are:
+44 1624 650731
The Data Protection Officer (DPO) is responsible for:
- Monitoring compliance with data protection laws, data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits
- to advise on, and to monitor, data protection impact assessments
- Providing advice and information to Manx Care on our data protection obligations
- Being a single point of contact for our employees, our patients and service users (or any other individuals) and the ICO
Is there any automated processing of your information?
Automated decision making is the use of computer systems or definitions to apply rules to data in order to determine an outcome – credit ratings are an example of automated decision making. Manx Care does not use automated decision making as all decisions have human intervention.
Commissioning and Planning
Most national and local flows of personal data in support of commissioning are established as collections by NHS Digital either centrally, or for local flows by its Data Services for Commissioners Regional Offices (DSCRO).
The lawful basis for processing personal information is: 6(1)(c) ‘…for compliance with a legal obligation…’ Where the collection or provision of data is a legal requirement, for example where NHS Digital is directed to collect specified data, and can require specified organisations to provide it.
The lawful basis for processing personal data is: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
Manx Care only receives anonymised information to assist with the above.
Contractors or Providers
Manx Care may enter into agreements with other organisations or contractors to provide services to Manx Care or to its patients and service users.
Manx Care will share the data necessary for the third party to carry out a particular task or to provide support to meet your health and social care needs.
The types of organisations we may pass your information to include:
- Providers of residential and nursing care services
- Providers of respite services
- Providers of community services with whom Manx Care has a contract with
- Other Local Authorities
- Isle of Man Post Office
Where an organisation is performing a very specific task on behalf of Manx Care they will only use the data for the purpose and in ways specifically directed by Manx Care. Appropriate safeguards such as a Data Processing Agreement or similar will be in place. The way the data will be used is set out in the agreement. Manx Care remains the controller of the data.
If an organisation is providing health or social care to patients or service users the way they use the data may be specifically directed by Manx Care, or the organisation may become a controller in its own right or joint controller of the data with Manx Care. There will be an appropriate agreement in place between Manx Care and the organisation.
Patient Transfer Service
Patients who require transport to and from a healthcare facility in the Island, Manx Care has entered into a contract with the Department of Infrastructure, Bus Vannin to provide this service.
To provide this service in a safe and effective way, Bus Vannin will need to process personal information and also information in relation to your health and care. This helps to ensure that the transport service can be conducted safely and that the patient’s needs and wellbeing are taken into account.
What kind of information will Manx Care share with Bus Vannin
- Date of birth
- Email address
- Details of your mobility and medical issues related to your journey
How patient records are kept confidential
Department of Infrastructure, Bus Vannin has a duty to:
- Maintain a full accurate record of the journey and any care given to a patient
- Keep records confidential, secure, accurate and accessible
- Dispose of your information confidentially when it is no longer needed
- Provide copies of information in an easy to understand format
Department of Infrastructure is registered with the Information Commissioner.
This sharing is based on the following lawful bases under data protection law:
- Article 6(1)(e) – for the performance of a task carried out in the public interest, or in the exercise of the official authority of the data controller;
- Article 9(2)(h) – the provision of health or social care or treatment or the management of health or social care systems
Bus Vannin may use your information to:
- Manage the Patient Transport Service effectively
- Provide you with a safe environment
- Protect the health of the general public, for example by reporting infectious diseases
- Help investigate any concerns or complaints a patient or their family may have
COVID 111 Team
The Covid 111 Team process personal data in relation to the vaccination programme.
Calls to the 111 phone service are recorded and stored securely. This information is only shared with others directly involved with your care.
You can find out more in the 111 Privacy Notice.
Why we collect your data
Manx Care collects data to help prevent, deter and detect crimes, and improve public safety and reassurance.
What is the legal basis for collecting and processing this data?
The legal basis for using your data in this way is as a public task. Processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
Information we may collect
Manx Care may collect geographical, personal and sometimes sensitive data obtained from CCTV cameras located in public areas of Manx Care facilities.
Do I have to provide this information, and what will happen if I don’t?
The data we collect using CCTV does not require prior consent as it would be impractical to request the consent of everyone observed through the CCTV cameras in public spaces, and also because the collection of this data is both in the public interest and may be required for the prevention and detection of crime.
If, when requesting access under your subject access rights, you do not provide your information, then we will not be able to process your request or search for your footage and provide it to you.
Who will your information be shared with?
Manx Care can only release CCTV footage under certain circumstances:
- Individuals can request footage of themselves. This will be handled as a Subject Access Request
- The Police may request footage as part of an investigation into an incident and in the course of preventing and detecting crime
- Insurance companies and solicitors can request CCTV footage when investigating an insurance claim
How long will you keep this information for?
We may retain data collected by CCTV for up to two years, although most CCTV data captured is overwritten automatically after 31 days.
How will my information be stored?
CCTV footage is stored on secure electronic, digital storage device. They are held in a restricted access area with high levels of data security.
Your right to complain
It is your legal right that if you wish to complain on how Manx Care processes your information you can contact the DPO-ManxCare@gov.im or submit a complaint to the following:
Privacy Notice in relation to Freedom of Information
Isle of Man Freedom of Information Act 2015 ('FOIA')
The Freedom of Information Act 2015 (FOIA) gives Isle of Man residents a legally enforceable right to obtain access to information held by a Public Authority.
You can also use this link to view previous requests and their responses.
Manx Care are the controller for the personal data you provide to us when making a Freedom of Information (FOI) request to us.
Legal basis for processing your information
Our legal basis for processing your information when you make a request is:
Article 6(1) (c) Legal obligation of the Applied GDPR applies, that the processing is necessary for Manx Care to comply with the law (not including contractual obligations).
Article 6(1) (e) Public Task of the Applied GDPR applies, that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
We need your information in order to process and respond to you directly about your request. In some cases we may request proof of residency to ensure we comply with the Freedom of Information legislation.
FOI requests have to be submitted on a form prescribed by the Chief Executive Officer in order to be valid and you can either submit a request using the form online or a paper version, which is available by contacting our Data Protection Officer (see below for contact details).
When we process your FOI request, we will use a system called iCasework which is administered by the Department of Home Affairs. The iCasework system is provided by a company called Civica UK Limited. Civica UK Limited act as a Processor. Civica UK Limited use the information held in the iCasework system for the purpose of providing a system to manage freedom of information request and to transfer this information to Manx Care. The information provided to Civica UK Limited will be kept secure and confidential.
iCasework stores the information you provided when making your FOI request and includes:
- Your name
- Your address
- Your telephone
- Your email address
- Your company name, if you are requesting information on behalf of an organisation
- Your request – do not put any personal information into your request, if you are not sure what to include in your request, please contact us on ManxCareiCaseWorkFOI@gov.im
- Proof of residency from you (if requested)
Only authorised staff from Manx Care can access your information. The processor (Department of Home Affairs - DHA) will only access your information on our written instructions, and for specific purposes. Details of their privacy notice can be found on DHA's website.
If you have been unhappy with the FOI response provided to you, details on how to submit a request for a review of the response are included in the response communication. If you are not satisfied with the result of the review, you then have the right to appeal to the Information Commissioner (ICO). In this case we will need to share information such as emails we have sent or received from you with the ICO so that they can investigate the complaint.
Storing your information
Your personal information will be held in iCasework for 12 months after we have closed your request or 36 months if the case is escalated to internal review. After this time, the details of the request will be retained within the iCasework software but all of the personal information you provided at the time of the request will be deleted.
Unauthorised access to FOI requests
The Information Commissioner has investigated incidents of unauthorised access by one government employee to FOI requests during the period 1 April 2022 to 22 March 2023, which includes some requests that were submitted to Manx Care. If you are concerned that you may be affected by this, you can contact our Data Protection Officer for further information, the contact details are given below.
Under Article 6(1) (c) data subjects have the right to:
- Be informed
- Right to access
- Right to rectification
- Right to restrict processing
The following rights do not apply:
- Right to erasure
- Right to portability
- Right to object
The following right is not applicable:
Right to be informed of automated decision making including profiling
Contacting the Data Protection Officer
Contact details for our Data Protection Officer (DPO) are:
+44 1624 650731
Contact details for the Isle of Man Information Commissioner (ICO) are: