HSENI privacy notice

Part of: Information access

This Privacy Notice from the Health and Safety Executive for Northern Ireland (HSENI) tells our customers and service users how we process your personal data in accordance with our legal obligations under the Data Protection Act (DPA) and the UK General Data Protection Regulation (UK GDPR).

HSENI is committed to building trust and confidence in our ability to keep your information secure and our Privacy Notice explains how we do this.

Who we are

The Health and Safety Executive for Northern Ireland (HSENI) is an executive non-departmental public body sponsored by the Department for the Economy (DfE).

HSENI is the lead body responsible for the promotion and enforcement of health and safety at work standards in Northern Ireland.

HSENI Privacy Policy

Our lawful basis for processing your information.

HSENI’s functions are set out in the Health and Safety at Work Northern Ireland Order 1978. In carrying out these functions, we necessarily collect information on businesses and individuals. You might also provide us with information by using this website, for example, by giving us feedback or sending a query or request to us. HSENI is registered as a data controller under the Data Protection Act 2018 and is under a legal duty to protect any personal information we collect and we will only use that information in accordance with the law.

Data Protection Principles

The Data Protection Act 2018 and the UK General Data Protection Regulation ensure that we comply with six data protection principles.

HSENI has adopted the following principles to govern its collection and processing of Personal Data:

  1. Process all personal information lawfully, fairly and in a transparent manner
  2. Collect personal information for a specified, explicit and legitimate purpose
  3. Ensure that the personal information processed is adequate, relevant and limited to the purposes for which it was collected
  4. Ensure the personal information is accurate and up to date
  5. Keep your personal information for no longer than is necessary for the purpose(s) for which it was collected
  6. Keep your personal information securely using appropriate technical or organisational measures

Your rights and The Law

Under UK GDPR legislation, your privacy is protected by law. The law states that we can use your personal information only if we have a proper grounds for doing so. This includes sharing your information with other Organisations.

The reasons why HSENI may process your personal information are:

  • when it is our legal duty to do so
  • to fulfil a contract we have with you
  • when it is in our legitimate interest
  • When we pursue a public task
  • whenever you give us explicit consent to use your information

Below is a list of the ways that we may hold your personal information, and which of the reasons we rely on to do so.

If at any point you believe the information we process on you is incorrect, you can ask to have this information corrected.

Description Types of personal information Reason

RIDDOR reports – The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (Northern Ireland) 1997, places a legal duty on employers, self-employed people and people in control of premises to report:

  • work-related deaths
  • major injuries or over-three-day injuries
  • work-related diseases
  • dangerous occurrences (near miss accidents)

1. Name of person making the report
2. Person making the report – their job title
3. Person making report – their telephone number
4. Person making report – their email address
5. Signature of person making the report
6. Name of injured party/deceased
7. Address of injured party/deceased
8. Home phone number of injured party/deceased

LEGAL
Reporting of Injuries, Diseases and Dangerous Occurrences (Amendment) Regulations (Northern Ireland) 2004

Regulation 32 of the Electricity Safety, Quality and Continuity Regulations (Northern Ireland) 2012 (ESQCR) places a duty on those working on, or owning power network apparatus such as generators, distributors, meter operators and others to report injuries, near misses, fires or explosions which have occurred as a result of work on or near to electrical systems by others, or incidents arising from leisure and other non-work activities in proximity to electrical plant, or from equipment failure

1. Name of person making the report
2. Person making report – their job title
3. Person making report – their telephone number
4. Person making report – their email address
5. Signature of person making the report
6. Name of person(s) involved
7. That person’s telephone number
8. That person’s email address

LEGAL
The Electricity Safety, Quality and Continuity Regulations (Northern Ireland) 2012 – Notification under regulation 32(2)(a)

The Radiation (Emergency Preparedness and Public Information) Regulations (Northern Ireland) 2001 (REPPIR) requires that operators or carriers who handle or transport radioactive substances in excess of the threshold quantities specified in schedule 2 of REPPIR, carry out a risk assessment (termed a hazard identification and risk evaluation, or ‘HIRE’) and send a report of the assessment to HSENI. Operators must do this twelve months before the work is to be undertaken, whilst carriers must notify 28 days before – unless agreed beforehand by HSENI

1. Name of person making the report
2. Person making report – their role
3. Person making report – their telephone number
4. Person making report – their email address
5. Signature of person making the report.

LEGAL
Schedule 5 of the Radiation (Emergency Preparedness and Public Information) Regulations (Northern Ireland) 2001 (REPPIR)

The NI10 form should be completed and submitted by the client to HSENI in order to notify new construction projects as defined in the CDM regulations

1. Client name
2. Client email address
3. Client address and postcode
4. Client telephone number
5. Client signature plus printed name

LEGAL
Regulation 6 of the Construction (Design and Management) Regulations (Northern Ireland) 2016

Asbestos Notification – Non-Licensed
All non-licensed work needs to be carried out with the appropriate controls in place. However, for some types of work, employers must meet additional requirements. This is known as notifiable non-licensed work or NNLW, and requires employers to notify work with asbestos to the relevant enforcing authority

1. Name of person making notification
2. That person’s email address
3. That person’s phone number

LEGAL
Regulation 9 of the Control of Asbestos Regulations 2012

Asbestos Notification – Licensed – ASB5NI
When any licensed asbestos work is being undertaken, the licensed contractor has to notify the Health and Safety Executive (HSE) at least 14 days before the proposed work is due to start

1. Name of person making notification
2. That persons email address
3. That person’s phone number

LEGAL
Regulation 9 of the Control of Asbestos Regulations 2012

Application for a license to carry out Asbestos work (or to renew a license)

1. Name of person making the application
2. That person's email address
3. That person’s phone number
4. Names of Directors and Senior Managers

LEGAL
Regulation 8 of the Control of Asbestos Regulations 2012

Witness statements

1. Name of statement maker
2. Age of statement maker (over 18)
3. Name of statement taker and may contain various third party names of individuals and other associated details

CONSENT*
These are given voluntarily but the legalisation which gives us the right to do this is Article 22 of the Health and safety at Work (NI) Order 1978

Inspector notebook entries

May contain various third party names of individuals and other associated details

LEGAL
Article 22 of the Health and safety at Work (NI) Order 1978

Incident reports

1. May contain various third party names of individuals and other associated details
2. May contain doctor’s reports
3. May contain post mortem reports
4. May contain personal details about many parties
5. Could contain photographs

LEGAL
Article 22 of the Health and safety at Work (NI) Order 1978.

ECHR Act. Art2

Investigation files

1. May contain various third party names of individuals and other associated details
2. May contain doctor’s / medical reports
3. May contain post mortem reports
4. May contain personal details about many parties
5. May contain photographs which in which third parties can be identified

LEGAL
Article 22 of the Health and safety at Work (NI) Order 1978.

ECHR Act. Art2.

Complaints about unsafe work activities

1. Name of person making the complaint
2. That person's email address
3. That person’s phone number

CONSENT
We will hold personal details about the complainant (although a high proportion will be anonymous)

PUBLIC TASK
Regulation 3 of the Health and safety at Work (NI) Order 1978

Service Level Complaints

1. Name of person making the complaint
2. That person's email address
3. That person’s phone number

May contain names of third parties, photographs etc.

CONSENT
We will hold personal details about the complainant

This list is not exhaustive and you should also be aware that (depending on the circumstances) various other pieces of Legislation are used to collect information which falls within the definition of personal information. A full list of the Legislation available to HSENI is available on our website.

Special categories of personal data

We may process special categories (as defined in Article 9 of the General Data Protection Regulation) of information that may include:

  • physical or mental health details
  • racial or ethnic origin
  • trade union membership

What information do we collect about you?  

We collect information about you if you are an employee of HSENI; if you report a workplace health and safety problem; are involved in a workplace health and safety incident; submit a complaint or request workplace health and safety advice. We also collect information about you when you subscribe to services; place an order for products and voluntarily provide feedback. Website usage information is collected using cookies.

How do we obtain this information?

Information is given to us voluntarily by you; under a statutory or contractual obligation (e.g. under the RIDDOR legislation) or is provided to us by other government departments; regulators and enforcing authorities so we can fulfil our public functions.

How do we share your information and why

In order to carry out our functions and respond to enquiries effectively, we will sometimes need to share information with other government departments, the emergency services, law enforcement agencies, public authorities (such as local authorities and the Northern Ireland Environment Agency) and organisations acting on our behalf. However, we will only do this where it is permitted by law and where appropriate controls are in place.

We also sometimes use other organisations to process personal data on our behalf. Where we do this, they are required to follow the same rules and information security requirements as us, and are not permitted to reuse the data for other purposes.

Research is also undertaken to help meet HSENI's business objectives and we may use your information to help us improve our understanding of health and safety risks and how to control them. The data will not be used in relation to decisions that affect individuals.

How do we protect your information and how long do we keep it?

We operate a Retention and Disposal Schedule which explains how long we keep different types of records and documents for, including records and documents containing personal data. Personal data is deleted or securely destroyed at the end of the disposal period.

“In determining retention periods we consider the amount, nature, and sensitivity of personal data, the potential risk of harm from unauthorised use or disclosure of them, the purposes for which we process personal data and whether we can achieve those purposes through other means, and the applicable legal requirements”.

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.

If we are processing your information for criminal law enforcement purposes, your rights are slightly different. Please see the Investigations for law enforcement purposes section of the notice.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

If you wish to make a request please contact us at DPO@hseni.gov.uk or write to us at the following address

Data Protection Officer
Health and Safety Executive for N.I
83 Ladas Drive
Belfast
BT6 9FR

We may ask you for proof of identity. Please be aware that if we are processing your information in relation to our law enforcement functions or public tasks, it may not always be possible to fulfil requests to delete or rectify personal information.

Cookies and log files

HSENI puts small files (known as ‘cookies’) onto your computer to collect information about how you browse the site.

Cookies are used to:

  • measure how you use the website so it can be updated and improved based on your needs
  • remember the notifications you’ve seen so that we don’t show them to you again

What happens when I link to another site?

HSENI contains links to other websites, both those of government departments and of other organisations. This privacy policy applies only to our site. When you move to another site, read the privacy statement of any site that collects personal information.

We do not pass on any personal information you have given us to any other site.

You can read more on how HSENI uses cookies at

Failure to provide personal information

If you fail to provide certain information when required to do so, HSENI may not be able to process your request or we may be prevented from complying with our legal or regulatory obligations. We will tell you when you are obliged to provide information and the consequences of not doing so.

Changes to this privacy policy and contact for further information

We keep our privacy notice under regular review. This privacy notice was last updated in December 2021.

Regularly reviewing this page ensures you are always aware of the information we collect, how we use it, and under what circumstances, if any, we will share it with other parties.

Significant changes to the HSENI Privacy Notice may also be communicated by e-mail, by private correspondence or by the provisions of physical copies of any updated notice.

You can contact the HSENI’s Data Protection Officer via the following e-mail address:

Or write to us at the address provided below:

Data Protection Officer
Health and Safety Executive for N.I
83 Ladas Drive
Belfast
BT6 9FR

Contacting the Regulator

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to complain to the Information Commissioner’s Office.

You can go online to www.ico.org.uk/concerns or by calling 0303 123 1113.

HSENI and the National Fraud Initiative

HSENI has a duty to protect public funds and to this end may use information provided for prevention and detection of fraud. HSENI participates in the National Fraud Initiative (NFI), an exercise that matches electronic data within and between audited bodies to prevent and detect fraud. The use of data for these purposes does not require the consent of the individuals concerned under the Data Protection Act 2018. However, it is controlled to ensure compliance with data protection and human rights legislation.

For more information on the National Fraud Initiative visit the GOV.UK website:

Level 2 – Fair Processing Notice – NFI 2016/17

The Health and Safety Executive for Northern Ireland is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Comptroller and Auditor General audits the accounts of this NDPB. The Comptroller and Auditor General is also responsible for carrying out data matching exercises under his powers in Articles 4A to 4G of the Audit and Accountability (Northern Ireland) Order 2003.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The Comptroller and Auditor General currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Comptroller and Auditor General for matching. Details are set out in the NIAO’s website.

The use of data by the Comptroller and Auditor General in a data matching exercise is carried out with statutory authority. It does not require the consent of the individuals concerned under the Data Protection Act 2018 .

Data matching by the Comptroller and Auditor General is subject to a Code of Practice. This may be found atv the following link:

For further information on the Comptroller and Auditor General’s legal powers and the reasons why he matches particular information, see the Level 3 notice on the NIAO website at:

For further information on data matching at the Health and Safety Executive for Northern Ireland contact Louis Burns on the following contact number:

  • 028 9054 6830