The Northern Ireland Medical and Dental Training Agency (NIMDTA) was established to train postgraduate medical and dental professionals for Northern Ireland. More detailed information about different aspects of our work can be found on our website: http://www.nimdta.gov.uk. NIMDTA recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. Key legislation includes:
- the UK General Data Protection Regulation (UK GDPR),
- the Data Protection Act 2018
- the Freedom of Information Act 2000 (FOI),
- the Environmental Information Regulations 2004 (EIR),
- the Human Rights Act 1998 (HRA),
- relevant health service legislation, and the
- common law duty of confidentiality
2. Your Information
NIMDTA uses personal information for a number of purposes. This Privacy Notice provides a summary of how we use your information, specifically in relation to its Moodle Learning Management System (LMS). To ensure that we process your personal data fairly and lawfully we are required to inform you of:
- What personal information we collect
- Why we need your data
- How it will be used
- Who it will be shared with
- How long it will be kept for
2.1 What types of personal data do we handle?
Within the LMS, NIMDTA processes personal information in relation to the functions it performs with regard to the management of postgraduate medical and dental education and training. The following information is mandatory for registration on the LMS:
- First name
- E-mail address
- Professional Registration Details (type and number)
Moodle also logs user activity. We will gather the following data via logs for each and every time you log into Moodle:
- Moodle Course ID (module code) of what you accessed
- Timestamp of when you accessed
- Action type (create, view, update, delete) of what you did
- Moodle object the action was on e.g. Quiz, File etc
- IP address of the logged-in user whilst doing that action.
Information about including grades, feedback comments, scores, completion data, access rights, group membership, contributions to courses, including contributions to chat rooms and discussion forums, ownership of resources, assignment/file submissions, text matching scores and evidence of participation in other Moodle-based activities is held within the Moodle system.
The LMS allows registered users to provide additional information, such as that listed below, however completion of this information is optional and at the discretion of each individual user:
- User Picture
- Mobile phone
2.2 Why we need your data
NIMDTA processes personal information provided by Doctors and Dentists in Training, their Trainers, and other Educator staff in relation to the statutory functions it performs with regard to the management of postgraduate medical and dental education and training within Northern Ireland. NIMDTA also processes information in relation to Dentists, Dental Care Professionals and General Practitioners in relation to Continuing Professional Development courses. This information is stored within the LMS, and is necessary in order for NIMDTA to carry out its statutory functions (which are noted above). Information processed for the above purposes is therefore lawful under Article 6 of UK GDPR as follows:
- 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
2.3 How will we use information about you?
Through the logs maintained by the Moodle LMS, a number of reports are generated that are accessible to the ‘administrators’ on each Moodle module. Moodle reports enable course administrators to monitor activity in the course and to see what resources in the course are or are not being accessed i.e. engagement with teaching materials. These may be used by course teams e.g. course administrators / creators and teachers/trainers to support your training and learning.
Moodle records and uses your personal information to:
- Provide you an account on, and identify you within, the LMS
- Provide you access to courses/sites within Moodle
- Provide you the ability to upload, amend and delete certain information within Moodle
- Provide you access to the information, resources and activities uploaded to Moodle
- Control access to different parts of the system.
- Help and support Moodle users
- For system administration and bug tracking
- Report on course, resource and activity access, activity completion, course completion and course data (such as grades, scores, submissions and content uploaded)
- For producing usage statistics for management and planning purposes
- For identifying and supporting users of specific bit functionality or area of the IT system e.g. relating to degradation/failure or change of functionality in the system
2.4 Collection and use of data from website users
When you access the Moodle LMS small amounts of information, including small files known as cookies, are sometimes placed on your device. These cookies are essential for the operation of the LMS.
There may be embedded media, such as YouTube or Vimeo videos, on some LMS Courses. The suppliers of these services may also set cookies on your device when you visit the courses where we have used this type of content. These are known as ‘third-party’ cookies. To opt-out of third-parties collecting any data regarding your interaction on our website, please refer to their websites for further information.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
2.5 Sharing your information
NIMDTA may share information on course completion and attendance where appropriate and necessary with third parties such as organisations that provide placements (HSC Trusts / GP Practices / Dental Practices / other bodies), Royal Colleges and Faculties, Medical Schools and regulatory / professional bodies such as the General Medical Council (GMC) and the General Dental Council (GDC).
The LMS is hosted and supported by a third party, Hubken Group. Hubken Group will only access the system and data for the purposes of providing ongoing support, to resolve any issues with the system or for specific users, and for the maintenance of the Moodle platform. There are contractual clauses in relation to the secure storage and processing of data which ensure that data will not be shared with any other organisations or services.
2.6 Retaining Information
NIMDTA will only retain information for as long as necessary, in line with the Department of Health (DoH) Good Management, Good Records (GMGR). For further information, please refer to the following DoH link: https://www.health-ni.gov.uk/topics/good-management-good-records
3. Individual Rights
Individuals have certain rights under UK GDPR, namely:
- The right to obtain confirmation that their personal information is being processed, and access to personal information
- The right to have personal information rectified if it is inaccurate or incomplete
- The right to have personal information erased and to prevent processing, in specific circumstances
- The right to ‘block’ or suppress processing of personal information, in specific circumstances
- The right to portability, in specific circumstances
- The right to object to the processing, in specific circumstances
- The rights in relation to automated decision making and profiling
4. Security of your information
NIMDTA is committed to taking all reasonable measures to ensure the security of all personal information it holds. The following arrangements are in place:
- All NIMDTA staff have contractual obligations of confidentiality, enforceable through disciplinary procedures;
- Everyone working for the HSC is subject to the common law duty of confidentiality;
- Staff are granted access to personal data on a need-to-know basis only;
- NIMDTA has appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a Personal Data Guardian (PDG) who is responsible for the management of employee and any patient information/confidentiality. Local Information Asset officers (IAOs) have been appointed as part of its Information Governance arrangements. The Business Services Organisation (BSO), has appointed a Data Protection Officer (DPO) who also has responsibility for NIMDTA;
- All staff are required to undertake information governance training every 2 years. The training provided ensures that staff are aware of their information governance responsibilities and follow best practice guidelines to ensure the necessary safeguards and appropriate use of personal information;
- A range of policies and procedures are in place;
- There are contractual clauses with the LMS provider, Hubken Group, which states that data is hosted within UK datacentres. The datacentres hold ISO 27001, ISO 9001 and ISO 14001 certifications with on-site security and access control processes.
5. Receiving Information
5.1 How can you access your personal information?
DPA and UK GDPR give you the right to access information that NIMDTA holds about you. Subject Access Requests (SARs) may be made in writing or orally. You will need to provide:
- adequate information (for example full name, address, date of birth) so that your identity can be verified and your information located
- an indication of what information you are requesting to enable us to locate this in an efficient manner
NIMDTA aims to comply with requests for access to personal data as quickly as possible, and normally within a calendar month of receipt unless there is a reason for delay that is justifiable under UK GDPR. We want to make sure that your personal information is accurate and up to date. If you think any information is inaccurate or incorrect then please let us know.
5.2 Freedom of Information
The Freedom of Information Act 2000 provides any person with the right to obtain information held by NIMDTA, subject to a number of exemptions.
5.3 Complaints about how we process your personal information
If you are dissatisfied with how NIMDTA is, or has been, processing your personal information, you have the right to advise NIMDTA of this.
6. Contact Details
Any request for information, or complaints, should be submitted in writing to firstname.lastname@example.org via the following address:
Complaints Officer NIMDTA – Corporate Services, Beechill House, 42 Beechill Road, Belfast, BT8 7RL
Requests / complaints submitted orally should be via 028 9040 0000.
You may also contact the Data Protection Officer directly:
- Email: email@example.com
- Tel: 02895 363666
7. Changes to our privacy notice
We keep our Privacy Notice under regular review and apply the appropriate updates.