Your data matters to us

We would like take this opportunity to assure you that we have taken the necessary steps in preparing for GDPR and have reviewed our policy and procedures in line with the new regulations. You can find our updated privacy policy on our website. The policy covers how we use your data for communications, including how you can control the ways we keep in touch and how we make sure we keep your data safe. The National Office of Clinical Audit (NOCA) is a sub-department of RCSI, RCSI is the legal entity. Operational and technical safeguards are in place to ensure only NOCA staff have access to Clinical Audit data and communications data that NOCA holds. For specific GDPR questions see below:

The General Data Protection Regulation (GDPR) is essentially a new Data Protection framework that applies across the EU from 25 May 2018.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.

Under the General Data Protection Regulation (EU) 2016/679, NOCA is a “Controller” in respect to personal data that you provide to us. For information on GDPR, you can visit the Data Protection Commissioner website here

Under GDPR, ‘personal data’ means any information relating to an identifiable person (called a data subject) who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

We classify the personal data we hold in two ways: Audit data and Communication data
Audit Personal data – for the majority of our audits we use anonymised or pseudonymised data which means the only personal data will hold is the reference to the identifier. The link back to your identifier is held within the hospitals so we cannot identify you directly from within NOCA. The only exception to this is the Irish National Orthopaedic Register, in which we hold MRN, INOR ID, name, address, contact number and other health information.
For our Communication data, we have a number of NOCA Mailing lists which are used for the following:

  • To communicate with our audit teams in each hospital (you will be required to remain on this list, while assigned to work on that specific audit. If your role changes you will be removed from this list)
  • To keep you informed about our National Clinical Audits
  • To send you information such as events, publications and areas of professional interest relating to clinical audit
  • To send you our NOCA newsletter
  • To gain your feedback in surveys we issue from time to time
We only retain your personal information on our communication mailing lists for as long as you provide us consent to do so. You can opt out at any time by contacting or by clicking unsubscribe on our newsletter. Any information which you provide in this way is not made available to any third parties.

We do not share our mailing list but do on occasion send emails on behalf of others to the mailing lists, where the topic is healthcare related and relevant to the purpose of the mailing lists.

Security is a priority for us when it comes to your personal data. We’re committed to protecting your personal data and have appropriate technical and organisational measures in place to make sure that happens.
Information shared between your browser and our site is encrypted and secured using Secure Socket Layer (SSL/HTTPS) technologies, which creates a secure and encrypted medium of data transfer between your browser and our servers and adds a layer of security to prevent malicious attackers obtaining your personal data.
We also employ standard industry operating procedures and internal policies to ensure that your data remains secure, and continually monitor and improve the security of all hosting and storage infrastructure we use to store data.
Personal data provided for our mailing lists are held securely on servers and accessed from encrypted devices used by the NOCA Executive Team.

We will retain your information for as long as necessary to provide you with services, and to comply with our legal and regulatory obligations. We update our communication lists regularly and you can unsubscribe at any time.
In relation to audit data, we hold for the lifetime of the audit or until consent is withdrawn.
Our Data retention policy outlines the length of time we hold the data types for. We are committed to protecting your personal data to the very best of our ability and take the appropriate steps to do in collecting, storing and destroying your data.

You have the following rights under the GDPR, in certain circumstances and subject to certain exemptions, in relation to your personal data:

  • Right to access the data – you have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
  • Right to rectification- you have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
  • Right to erasure – you have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.
  • Right to restriction of processing or to object to processing – you have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
  • Right to data portability – you have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable format.
In order to exercise any of the rights set out above, please contact us at
If we are processing personal data based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing which took place prior to its withdrawal. If you are unhappy with how we process personal data, we ask you to contact us so that we can rectify the situation.
The Irish supervisory authority is the Office of the Data Protection Commissioner and you may lodge a complaint with them as a supervisory authority.

Yes you can. Under the General Data Protection Regulation (GDPR) (EU) 2016/679, you have certain rights to obtain a copy of the data held about you. Any such requests should be made in writing to the Information Manager, NOCA.

Please contact our Data Protection Officer by email at:
Or write to us and mark the letter
FAO: Data Protection Officer

Under the regulations data controllers have 30 days to provide the data.