HSENI privacy notice

Part of: Information access

This Privacy Notice from the Health and Safety Executive for Northern Ireland tells our customers and service users how we process your personal data in accordance with our legal obligations under the Data Protection Act (DPA) and the EU General Data Protection Regulation (GDPR).

HSENI is committed to building trust and confidence in our ability to keep your information secure and our Privacy Notice explains how we do this.

HSENI Privacy Policy Statement

Our lawful basis for processing your information

HSENI’s functions are set out in the Health and Safety at Work N.I. Order 1978. In carrying out these functions, we necessarily collect information on businesses and individuals. You might also provide us with information by using this website, for example, by giving us feedback or sending a query or request to us. HSENI is registered as a data controller under the Data Protection Act 2018 and is under a legal duty to protect any personal information we collect and we will only use that information in accordance with the law.

Your rights and The Law

Under GDPR legislation, your privacy is protected by law. The law states that we can use your personal information only if we have a proper grounds for doing so. This includes sharing your information with other Organisations.

The reasons why HSENI may process your personal information are:

  • When it is our legal duty to do so;
  • To fulfil a contract we have with you;
  • When it is in our legitimate interest;
  • When we pursue a public task; and
  • Whenever you give us explicit consent to use your information.

Below is a list of the ways that we may hold your personal information, and which of the reasons we rely on to do so.

If at any point you believe the information we process on you is incorrect, you can ask to have this information corrected.

Description Types of Personal Information           Reason                  

RIDDOR reports – The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (Northern Ireland) 1997, places a legal duty on employers, self-employed people and people in control of premises to report:

  • work-related deaths
  • major injuries or over-three-day injuries
  • work-related diseases
  • dangerous occurrences (near miss accidents)

1. Name of person making the report
2. Person making the report – their job title
3. Person making report – their telephone number
4. Person making report – their email address
5. Signature of person making the report
6. Name of injured party/deceased
7. Address of the injured party/deceased
8. Home phone number of injured party/deceased.

LEGAL
Regulation 3 - Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (Northern Ireland) 1997

Regulation 32 of the Electricity Safety, Quality and Continuity Regulations (Northern Ireland) 2012 (ESQCR) places a duty on those working on, or owning power network apparatus such as generators, distributors, meter operators and others to report injuries, near misses, fires or explosions which have occurred as a result of work on or near to electrical systems by others, or incidents arising from leisure and other non-work activities in proximity to electrical plant, or from equipment failure

1.   Name of person making the report
2. Person making report – their job title
3. Person making report – their telephone number
4. Person making report – their email address
5. Signature of person making the report
6. Name of person(s) involved
7. That person’s telephone number
8. That person’s email address.

LEGAL
The Electricity Safety, Quality and Continuity Regulations (Northern Ireland) 2012 – Notification under regulation 32(2)(a).

The Radiation (Emergency Preparedness and Public Information) Regulations (Northern Ireland) 2001 (REPPIR) requires that operators or carriers who handle or transport radioactive substances in excess of the threshold quantities specified in schedule 2 of REPPIR, carry out a risk assessment (termed a hazard identification and risk evaluation, or ‘HIRE’) and send a report of the assessment to HSENI. Operators must do this twelve months before the work is to be undertaken, whilst carriers must notify 28 days before – unless agreed beforehand by HSENI.

1. Name of person making the report
2. Person making report – their role
3. Person making report – their telephone number
4. Person making report – their email address
5. Signature of person making the report.

LEGAL
Schedule 5 of the Radiation (Emergency Preparedness and Public Information) Regulations (Northern Ireland) 2001 (REPPIR).

The NI10 form should be completed and submitted by the client to HSENI in order to notify new construction projects as defined in the CDM regulations. 

1. Client name
2. Client email address
3. Client address and postcode
4. Client telephone number
5. Client signature plus printed name

LEGAL
Regulation 6 of the Construction (Design and Management) Regulations (Northern Ireland) 2016.

Asbestos Notification – Non-Licensed
All non-licensed work needs to be carried out with the appropriate controls in place. However, for some types of work, employers must meet additional requirements. This is known as notifiable non-licensed work or NNLW, and requires employers to notify work with asbestos to the relevant enforcing authority.

1. Name of person making notification
2. That person’s email address
3. That person’s phone number

LEGAL
Regulation 9 of the Control of Asbestos Regulations 2012.

Asbestos Notification – Licensed – ASB5NI
When any licensed asbestos work is being undertaken, the licensed contractor has to notify the Health and Safety Executive (HSE) at least 14 days before the proposed work is due to start.

1. Name of person making notification
2. That persons email address
3. That person’s phone number

LEGAL
Regulation 9 of the Control of Asbestos Regulations 2012.

Application for a license to carryout Asbestos work (or to renew a license)

1. Name of person making the application
2. That persons email address
3. That person’s phone number
4. Names of Directors and Senior Managers

LEGAL
Regulation 8 of the Control of Asbestos Regulations 2012.

Witness statements

1.Name of statement maker
2.Age of statement maker (over 18)
3. Name of statement taker and may contain various third party names of individuals and other associated details

CONSENT*
These are given voluntarily but the legalisation which gives us the right to do this is Article 22 of the Health and safety at Work (NI) Order 1978

Inspector notebook entries May contain various third party names of individuals and other associated details.

LEGAL
Article 22 of the Health and safety at Work (NI) Order 1978

Incident reports

1. May contain various third party names of individuals and other associated details
2. May contain doctor’s reports
3. May contain post mortem reports
4. May contain personal details about many parties
5. Could contain photographs

LEGAL
Article 22 of the Health and safety at Work (NI) Order 1978.

ECHR Act. Art2

Investigation files

1. May contain various third party names of individuals and other associated details
2. May contain doctor’s / medical reports
3. May contain post mortem reports
4. May contain personal details about many parties
5. May contain photographs which in which third parties can be identified

LEGAL
Article 22 of the Health and safety at Work (NI) Order 1978.

ECHR Act. Art2.

Complaints about unsafe work activities

1. Name of person making the complaint
2. That persons email address
3. That person’s phone number

CONSENT
We will hold personal details about the complainant (although a high proportion will be anonymous).

PUBLIC TASK
Regulation 3 of the Health and safety at Work (NI) Order 1978.

Service Level Complaints

1. Name of person making the complaint
2. That persons email address
3. That person’s phone number

May contain names of third parties, photographs etc.

CONSENT
We will hold personal details about the complainant

This list is not exhaustive and you should also be aware that (depending on the circumstances) various other pieces of Legislation are used to collect information which falls within the definition of personal information. A full list of the Legislation available to HSENI can be found here  

What information do we collect about you?  

We collect information about you if you are an employee of HSENI; if you report a workplace health and safety problem; are involved in a workplace health and safety incident; submit a complaint or request workplace health and safety advice. We also collect information about you when you subscribe to services; place an order for products and voluntarily provide feedback. Website usage information is collected using cookies.

How do we obtain this information?

Information is given to us voluntarily by you; under a statutory or contractual obligation (e.g. under the RIDDOR legislation) or is provided to us by other government departments; regulators and enforcing authorities so we can fulfil our public functions.

How will we use information about you and who do we share it with?

In order to carry out our functions and respond to enquiries effectively, we will sometimes need to share information with other government departments, the emergency services, law enforcement agencies, public authorities (such as local authorities and the N.I. Environment Agency) and organisations acting on our behalf, and who may be based outside of the EU/EEA. However, we will only do this where it is permitted by law and where appropriate controls are in place.

We also sometimes use other organisations to process personal data on our behalf. Where we do this, they are required to follow the same rules and information security requirements as us, and are not permitted to reuse the data for other purposes.

Research is also undertaken to help meet HSENI's business objectives and we may use your information to help us improve our understanding of health and safety risks and how to control them. The data will not be used in relation to decisions that affect individuals.

How do we protect your information and how long do we keep it?

We operate a Retention & Disposal Schedule which explains how long we keep different types of records and documents for, including records and documents containing personal data. Personal data is deleted or securely destroyed at the end of the disposal period.

Access to your information and correction

If you think we may hold your personal data and you want to see it, may already hold your personal data, and you want us to correct information that you believe is wrong, or if you want us to delete or stop processing it, please email the Data Protection Officer via the following email address - DPO@hseni.gov.uk - or write to us at the following address: -

Data Protection Officer
Health and Safety Executive for N.I.
83 Ladas Drive
Belfast
BT6 9 FR

We may ask you for proof of identity. Pease be aware that if we are processing your information in relation to our law enforcement functions or public tasks, it may not always be possible to fulfil requests to delete or rectify personal information.

Cookies and log files

HSENI puts small files (known as ‘cookies’) onto your computer to collect information about how you browse the site.

Cookies are used to:

  • Measure how you use the website so it can be updated and improved based on your needs;
  • Remember the notifications you’ve seen so that we don’t show them to you again.

What happens when I link to another site?

HSENI contains links to other websites, both those of government departments and of other organisations. This privacy policy applies only to our site. When you move to another site, read the privacy statement of any site which collects personal information.

We do not pass on any personal information you have given us to any other site.

Changes to this privacy policy and contact for further information

We keep our privacy notice under regular review. This privacy notice was last updated in May 2018

Regularly reviewing this page ensures you are always aware of the information we collect, how we use it, and under what circumstances, if any, we will share it with other parties.

You can contact HSE’s Data Protection Officer via the following email address – Liam.O’Neill@hseni.gov.uk or write to us at the address above.

Contacting the Regulator

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to complain to the Information Commissioner’s Office.
You can go online to www.ico.org.uk/concerns or by calling 0303 123 1113.

HSENI and the National Fraud Initiative

HSENI has a duty to protect public funds and to this end may use information provided for prevention and detection of fraud. HSENI participates in the National Fraud Initiative (NFI), an exercise that matches electronic data within and between audited bodies to prevent and detect fraud. The use of data for these purposes does not require the consent of the individuals concerned under the Data Protection Act 1998. However, it is controlled to ensure compliance with data protection and human rights legislation.

For more information on the National Fraud Initiative visit the GOV.UK website:

Level 2 – Fair Processing Notice – NFI 2016/17

The Health and Safety Executive for Northern Ireland is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Comptroller and Auditor General audits the accounts of this NDPB. The Comptroller and Auditor General is also responsible for carrying out data matching exercises under his powers in Articles 4A to 4G of the Audit and Accountability (Northern Ireland) Order 2003.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The Comptroller and Auditor General currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Comptroller and Auditor General for matching. Details are set out in the NIAO’s website which can be accessed from the following link:

The use of data by the Comptroller and Auditor General in a data matching exercise is carried out with statutory authority. It does not require the consent of the individuals concerned under the Data Protection Act 1998.

Data matching by the Comptroller and Auditor General is subject to a Code of Practice. This may be found at www.niauditoffice.gov.uk

For further information on the Comptroller and Auditor General’s legal powers and the reasons why he matches particular information, see the Level 3 notice on the NIAO website at www.niauditoffice.gov.uk

For further information on data matching at the Health and Safety Executive for Northern Ireland contact Louis Burns on the following contact number:

  • 028 9054 6830