Manx Care Privacy Notice
This privacy notice explains what information Manx Care collects and what that information is used for.
This Privacy Notice applies to the Isle of Man Arm’s Length Body known as Manx Care.
Manx Care is committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 2018, the Data Protection (Application of GDPR) Order 2018, the Common Law Duty of Confidentiality and the Human Rights Act 2001.
Who are we?
Manx Care is a data controller for the purposes of the Data Protection Act 2018 and the Data Protection (Application of GDPR) Order 2018 and the Data Protection (Application of LED) Order 2018, together with any regulations made under them (Manx Data Protection Legislation).
All data controllers must notify the IOM Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is R002977 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
Contact details for our Data Protection Officer (DPO) are:
The Data Protection Officer (DPO) is responsible for:
- Monitoring compliance with data protection laws, our data protection policies, privacy awareness-raising, training, and audits
- Providing advice and information to Manx Care on our data protection obligations
- Being a single point of contact for our employees, our patients and service users (or any other individuals) and the ICO
We provide a comprehensive range of vital health and social care services that contribute to the health and social care wellbeing of our citizens.
These services include:
- General Practitioner and Dental Services
- Community Healthcare
- Hospital Healthcare
- Mental Healthcare
- Social Services for Adults and for Children and Families
- Specialist off-Island Care
Is there any automated processing of your information?
Automated decision making is the use of computer systems or definitions to apply rules to data in order to determine an outcome – credit ratings are an example of automated decision making. Manx Care does not use automated decision making as all decisions have human intervention.
Commissioning and Planning
Most national and local flows of personal data in support of commissioning are established as collections by NHS Digital either centrally, or for local flows by its Data Services for Commissioners Regional Offices (DSCRO).
The lawful basis for processing personal information is: 6(1)(c) ‘…for compliance with a legal obligation…’ Where the collection or provision of data is a legal requirement, for example where NHS Digital is directed to collect specified data, and can require specified organisations to provide it.
The lawful basis for processing personal data is: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
Manx Care only receives anonymised information to assist with the above.
Due to the unprecedented circumstances of COVID-19 we are working hard to prioritise the delivery of essential front-line services to our most vulnerable people and communities.
Public authorities, especially those providing frontline and critical services, may need to divert resources to priority work areas with consequential impacts on other areas such as the handling of Subject Access Requests. Your statutory rights are important to us and remain unchanged. Please note however that you may experience delays in our response to your request. We will inform you of any extension to the period for responding and the reasons for the delay.
If you are able to narrow the scope of your request that would be very helpful and may mean we can respond to you more quickly. In addition you may want to reconsider whether your request can be resubmitted at a later date once the impact of COVID-19 has eased.
We will be alert to any guidance from the regulator, the Information Commissioner, as the situation changes, to ensure that we comply with any guidance or changes to information rights.
For more information on Coronavirus (COVID-19), see gov.im/coronavirus.
The Information Commissioner has also provided guidance regarding exercising and complying with rights during the COVID-19 crisis.
COVID-19 – Self isolation
During the COVID-19 pandemic, Manx Care requires anyone who has displayed symptoms which indicate COVID-19 infection, or any person who is at high risk of exposure or transmission of the virus to the population, to self-isolate.
Under the Public Health Act 1990, Public Health Protection (Coronavirus) Regulations 2020 and Public Health Protection (Coronavirus) (Amendment) (No.13) Regulations 2021 (Public Health legislation), the Department of Health and Social Care (DHSC) has the ability to issue a formal ‘Direction’ to ensure persons are isolated to reduce the public health risk of COVID-19, and Manx Care will support the DHSC in carrying out these regulatory obligations.
Persons Directed to Isolate include:
Persons who are returning to the Island for a number of reasons (with relevant approvals / exemptions to travel in place) may be required to isolate and may be directed to do so. This includes persons arriving on the Island such as those travelling under the repatriation, key workers, patients returning to the Island after receiving healthcare in the UK or those persons permitted to travel for compassionate purposes.
Additionally, anyone who is confirmed by the 111 telephone advice service to have COVID-19 symptoms, or who has tested positive for COVID-19, will be required to self-isolate.
Self-isolation is one of the primary methods of controlling the transmission and therefore infection of the COVID-19 virus.
Information held about an individual required to isolate:
If you have been asked to self-isolate you will have provided information which may include:
- Your name, address, email address;
- Travel details (if you have recently arrived on the Island); this includes a questionnaire and, as part of your repatriation, this may include a health check;
- Contacts (to help Contact Tracing identify possibly infected persons) including places and people you may have come into contact with;
- Date of your first symptoms (by 111 phone advice service);
- COVID-19 positive test date
- Period of isolation (14 days) unique to your circumstances
- Names of other members of your household
This information will be stored in a secure database by the DHSC data processor, and access to this information will be permitted to other relevant parties, such as other Government Departments for public health and national security, to establish the isolation status of an individual and to manage public safety and public health risks. The DHSC needs this information so that it can meet its duties under the Public Health legislation, and so that you as a data subject also comply with the legislation and any directions made under it.
This information may also be shared with Manx Care in order to ensure that your welfare, which includes access to essential food and medicine supplies and mental health support, can be established whilst you are in self-isolation.
Under the Public Health legislation, we can process this information lawfully. Your information will be kept for the minimal amount of time necessary but no longer than 12 months following the date it was collected, or the expiry of the emergency, whichever is the later.
COVID-19 - 111 Helpline
If you have COVID-19 symptoms you are asked to ring the 111 helpline. The data collected via the helpline will be held by the Cabinet Office as the data controller.
Calls to the 111 phone service are recorded and stored securely. This information is only shared with others directly involved with your care.
You can find out more in the 111 Privacy Notice.
COVID-19 - Contact tracing
During the COVID-19 pandemic one of the ways the DHSC will protect the public from the virus is contact tracing. If you have been contacted it is because we have identified that you have been in close contact with someone who has this infection. This information will be stored by the Cabinet Office as the data controller.
The information regarding your test will be shared with Manx Care and will be kept on your medical record and will be retained as per the Retention of Record Policy for patient records.
COVID-19 Private COVID Test
Manx Care is able to provide private services, which are chargeable, under the National Health Service Act 2001. Access to a private chargeable COVID-19 PCR test (£50.00 per test, per person) can be provided by Manx Care for the following individuals:
(1) individuals intending to receive private health and care treatment either on or off-island and who require a COVID-19 test prior to treatment
(2) pre-travel (international) where passengers require a COVID-19 PCR test as part of the country border entry conditions
Access to the test requires validation to ensure appropriate use of this service.
The administration of this service (booking of appointments, reporting of results and validation of travel) has been delegated to the COVID-19 111 Response and Contact Tracing Team (“COVID 111 Team”). Therefore, the Cabinet Office processes personal data provided by an individual on a consent basis to access a private chargeable COVID-19 test.
Manx Care will validate persons wishing to access a test in respect of private health and care treatment as this special category data will require a greater degree of confidentiality and will not therefore be disclosed further.
Data you provide to either Manx Care or the COVID 111 Team will include: name, date of birth, email and, for validation purposes, confirmation of health or care treatment and international travel arrangements.
The information you provide will be processed to assess validation and retained for a period of 4 weeks in all circumstances. Thereafter your name, date of birth and contact details will only be retained by the Cabinet Office as a record of your validation of eligibility for a test. These details will be retained for a period of 2 months. Thereafter re-validation of your request for a test is required.
Lawful basis for processing your information
We will only process your personal data if a lawful basis exists. Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
We may rely on:
- Your consent – if we rely on your consent to process your data you may withdraw your consent at any time by contacting our Data Protection Officer (DPO)
(For example - if you have consented to participate in medical research)
- The need to meet a legal obligation in carrying out statutory government functions
(For example – to provide you with Health or Social Care intervention, which by law we are required to do)
- The need to meet a request you have made for information or a service
(For example – if you requested help and assistance with your children from the Children’s and Families Division)
- The need to prevent or investigate suspected or actual violations of law
(For example – to assist the IOM Police for the prevention or detection of crime)
- The need to protect the public interest
(For example – investigation of Adult or Children’s safeguarding issues)
- The need to retain information for historical or archiving purposes by the Public Record Office under the Public Records Act 1999. More information on retention is available from the Public Record Office.
How your records are used to help you
We use your records to:
- provide a good basis for any care or advisory services we provide to you
- allow you to work with us when we provide care or advice
- make sure your care is safe and effective, and the advice we provide is appropriate and relevant to you
- work effectively with others providing you with care or advice and make sure that appropriate information is available if you see another Social Worker, Doctor, Nurse or an external Health and Social Care provider
- train and educate our health and social care professionals
It is very important for your care that your details are accurate and up to date so we will often check with you at appointments or visits that your personal details are correct.
Sharing your information
If you are receiving care services from us, we may share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, staff training, research, audit and public health.
We would never share information that identifies you unless we have a fair and lawful basis such as:
- You ask us to do so
- We ask and you give us specific permission to do so (consented)
- We have to do so by law (e.g. when sharing information with the police may prevent a serious crime, or prevent harm to you or other people)
- We have special permission because we believe that the reasons for sharing are so important that they override our obligation of confidentiality (e.g. when an infectious disease such as meningitis or measles may endanger the safety of others)
- To protect children and vulnerable adults (e.g. safeguarding)
- When a formal court order has been served upon us (e.g. the court orders us to release specific information)
Third parties that we may share your information with include, for example:
- UK NHS Trusts (if you are referred off island for specialist treatment)
- Veterans UK (if you have applied for a war pension through service injury)
- Law enforcement agencies (prevention or detection of crime)
- UK Office for National Statistics (ONS) (Public Health data sets)
- Other Health and Social Care Organisations involved in your direct care (GPs)
- IOM Department of Health and Social Care (performance data)
- IOM Department of Education and Culture (school nurses or health visitors)
- Independent Review Body for Health and Social Services
- Mental Health Commission
- Local authorities (health assessments for alternative housing)
- Voluntary sector and contracted services (advice services)
Anyone who receives information from us also has a legal duty to keep it confidential.
Why we collect information about you
We aim to provide you with the highest quality of care. To do this we must keep records about you and about the health and social care we have provided, or plan to provide to you. In order to provide care we are required to collect personal and sensitive personal data, for example as below:
Any information relating to an identified or identifiable natural person for example:
- Identifier (e.g. NHS Number, Hospital Number)
- Online identifier (e.g. IP address, email address)
- Or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (e.g. patient/service user)
Sensitive Personal Data
Data consisting of the following:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Data concerning health
- Data concerning a natural person's sex life or sexual orientation
How long we keep your information
We make every effort to keep all the personal data we hold secure, whether held electronically or as paper copies. We also ensure that only members of staff with a legitimate reason to access your information have permission to do so.
Your information will only be kept for a specific amount of time after which it will be securely destroyed.
The Isle of Man Public Record Office holds selected records of Isle of Man public authorities that are of long-term historic and cultural value, for permanent preservation. Access to and the use of records at the Isle of Man Public Record Office is governed by legislation under the Public Records Act 1999 - more information on retention is available from the Public Record Office.
How we keep your information confidential
Everyone working for Manx Care has a legal duty to keep information about you secure and confidential and to make sure that anyone working with us also works to the same standards.
We follow the rules set out in the Data Protection Act 2018 and the Data Protection (Application of GDPR) Order 2018 and the Data Protection (Application of LED) Order 2018, together with any regulations made under them (Manx Data Protection Legislation) and in professional codes of conduct to keep your information safe.
We assess ourselves regularly to make sure that we follow good practice and that the latest security measures are in place.
Your information rights
The impact of COVID-19 on our service standards has been set out above; however, your information rights remain as below:
- You have the right to know how we will use your personal information
- You have the right to see your care record. This is known as Right of Subject Access
- You have the right to object to us making use of your information
- You can ask us to change or restrict the way we use your information and we have to agree if possible
- You have the right to ask for your information to be changed, blocked or erased if it is incorrect
If you wish to access your records, or exercise any other of your rights above, please contact the Data Protection Officer (DPO):
Your right to complain
It is your legal right to complain about how Manx Care processes your information. If you wish to do so, you can contact DPO-ManxCare@gov.im or submit a complaint to the following: