Department of Health (NI) Digital Health Identity Privacy Notice
This privacy notice explains how the Digital Health Identity (DHI) solution / service uses information about you and the ways in which we will safeguard your data.
Why do we collect your personal information?
The Digital Health Identity (DHI) solution / service has been developed as a tool to support secure access to online health and social care services, for citizens in NI. DHI matches citizens with a verified NI Direct Identity Assurance (NIDA) service account, to the details held by the Business Services Organisation (BSO), registered against that person’s ‘Health and Care Number’ (HCN). The Department of Health (DoH) does this so it can be sure that the person (accessing services or personal information) is who they say they are.
This privacy notice applies to DHI only. The privacy notice for NIDA is available via www.nidirect.gov.uk.
What Information do we process?
In order to match a NIDA account to a HCN, we use personal details associated with that NIDA account, comparing these with details held by the Business Services Organisation (BSO); assigned to your allocated ‘Health and Care Number’ (HCN). If your NIDA details match the BSO records, your NIDA account is matched to your HCN, and service access is granted automatically.
This information processed includes your HCN (if you already know it), email address, name, address, contact telephone number and date of birth.
If your details don’t match, access is not provided. Your application for access is held until someone can check your details; and ensure that only you are able to access the right service, and information. Access will only be granted once we are able to ensure that the details provided are valid, and that they can be matched to the correct HCN.
Once your NIDA account has been matched to the correct HCN, DHI will remember that match. The next time that you use the service, you will be able to get through automatically, unless your circumstances have changed. Changes may require you to go through the verification process once again.
How is my Personal Information Stored?
Your personal information is encrypted and stored in a protected database which is not accessible by other bodies and there are strict controls in place to ensure only authorised individuals can manage/administer the technical infrastructure supporting it.
Do you share my personal data with anyone?
DHI receives the NIDA account details that you have registered with. DHI does not share your health information with the Department of Finance, (who provide the NIDA service) or other government departments.
DHI will present your details, at the access point of each health and social care service that you wish to access, ensuring that you are correctly matched to only your personal information and services. The process means that you only see your personal information (and not that of other citizens accessing services); and that other citizens cannot see your information.
We share the minimum amount of personal detail with other health and social care services (you choose to access), solely for the purpose of verifying your identity and connecting your login NIDA account to those services you wish to use online. Data Sharing Agreements are in place specifying responsibilities of all parties who can view or process your information.
We use a third-party processor called Cranmore Consulting, (73 Church Avenue, Holywood, Co Down, BT18 9LM) to support the DHI service. The data is processed securely and they will not process the data for any other purpose. They are contractually obliged to comply with data protection legislation.
What is the lawful basis for processing your data?
You will have created a NI Direct account in order to access government services online. Your account enables you to transact with various business areas across NI departments and agencies. DHI processes your personal data for the performance of a task carried out in the public interest or the exercise of official authority vested in the data controller, in line with Article 6(1)(e) of the UK GDPR, and to fulfil our duties in the public interest in our function as a government department under Article 9(2)(g) of the UK GDPR.
Access to your information
You can, at any time, request a report on the personal information that we hold in DHI (in relation to you), by emailing DPO@health-ni.gov.uk.
How long do you keep my personal data?
We will only retain your data for as long as required for you to access services. Since the information supports your online account, we will only remove data if your account has not been used in 2 years, and in line with our Retention and Disposal Schedule, after which time it will be destroyed securely. (Details are available online: Good management, good records | Department of Health).
Your rights
Under data protection legislation, you have rights as an individual which you can exercise in relation to the information we process. To make a request for any personal information we may hold, or to raise an objection about the processing we carry out, you should put the request in writing and email it to DPO@health-ni.gov.uk or post it to the address provided below.
If, at any point, you believe the information we process on you is incorrect, you can ask to have this information corrected. If you decide you would like to have your account deleted, you can request its removal by email to DPO@health-ni.gov.uk. If you wish to raise a complaint about how we have handled your data, you can contact our Data Protection Officer who will investigate the matter.
DoH NI: Charlene Maher
Data Protection Officer
Annexe 3
Castle Buildings
Stormont
Belfast BT4 3SQ
Email: DPO@health-ni.gov.uk
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner at: casework@ico.org.uk or write to the Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Changes to this Privacy Notice
We keep our privacy notice under regular review. This privacy notice was last updated in December 2025.