DATA PROTECTION AND PRIVACY POLICY

The purpose of our Privacy Policy is to outline how we deal with any personal and sensitive data we collect or process which may be provided to us by you and/or our service users. This may arise where we carry out reviews of an Employee or potential Employee at the request of their Employer, or where we are requested to provide a report or occupational medical advice by another service user, for example an Insurance Company or Solicitor. EHA Corporate Ltd (Trading as CHI Cork) is a Limited Company. Our registered address is 1st Floor, Block B, Heritage Business Park, Mahon Industrial Estate, Blackrock, Cork. By engaging with our provision of services or visiting this website, you are accepting the terms of this Data Protection and Privacy Policy. Any external links to other websites are clearly identifiable as such, and we are not responsible for the content or the privacy policies of these other websites. If you are not happy with the terms of this policy you should not use this website and you should inform the Team at CHI Cork immediately, as this may affect how CHI Cork interacts with you as an individual and/or the provision of our services. Our Data Protection Officer is Fiona Sinclair and you can contact us at dpocork@chi.ie

GENERAL STATEMENT

CHI Cork respects your right to privacy and will not collect any personal information about you on this website without your clear permission. Any personal data that you volunteer to CHI Cork, if retained, will be held on secure servers. The nature of the Internet is such that we cannot guarantee or warrant the security of any information you transmit to us via the Internet. No data transmission over the Internet can be guaranteed to be 100% secure. However, we will take all reasonable steps (including appropriate technical and organisational measures) to protect your personal data. This Policy will be continuously assessed against new technologies, business practices, regulatory changes and the evolving needs of our business and the services we provide. Any changes to this Data Protection and Privacy Policy will be posted on this website so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.

Corporate Health Ireland, as both the Data Controller and Data Processor, is committed to protecting the rights of the individual and acknowledges that any personal data of yours that we handle will be processed in accordance with the Data Protection Acts 1988-2018 including General Data Protection Regulations (GDPR) 2018. In addition, our registered health professionals will adhere to their professional standards with regards to confidentiality.

Reference of Terms:
Corporate Health Ireland will be identified as CHI

  • Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  • The term Medical Data shall mean the medical history, medical information and medical data obtained, collected and processed (including for the avoidance of doubt the medical opinion and clinical assessment) by Corporate Health Ireland in the provision of the Services.
  • The term Client (Employer) Employee Data shall mean the data shared with Corporate Health Ireland in the provision of the Services, including but not limited to, employee name, employee number, employee contact details and such other information necessary, including by way of example only such other information such as absence records, job role, job location necessary and relative to the referral made by Client (your employer) to Corporate Health Ireland.

Data Controller/Processor relationship Summary:
The Parties acknowledge and agree that (to the extent applicable):

  • Client (your employer) acts as a Data Controller in respect of the Employee Data.
  • CHI acts as a Data Processor in relation to the Employer Employee Data.
  • CHI acts as a Data Controller in relation to the Medical Data as defined above.

1. HOW WE COLLECT AND USE YOUR PERSONAL DATA

Personal data is data that identifies you or can be used to identify or contact you and may include, for example, your name, address or e-mail address, occupation and photograph. In certain circumstances you will provide us with your personal data directly or your data may be supplied by your member organisation/business. Sensitive personal data includes data concerning health including lifestyle information which may include details about religion, marital status, family status and medical information such as relevant medical history, diagnostic information, test results or imaging. In this policy, any reference to personal data includes sensitive data.

Website

CHI Cork does not collect any personal data about you from our website, apart from information that you volunteer (for example by e-mailing us or by completing any of our on-line forms or physical application form).

Unlike most websites, CHI does not gather statistical or analytical information about visitors to our website on an aggregate basis. Such non-personal data is information that cannot be used to identify or contact you.

We do not use any personal data for the purpose of automated decision-making or profiling.

Why we collect data

Any personal or sensitive data collected about you arises where we carry out reviews of an Employee or potential Employee at the request of their Employer, or where we are requested to provide a report or occupational medical advice by another service user, for example an Insurance Company or Solicitor. This data is stored on our system or data management system, in some cases a data management system of your Employer/potential Employer and other appropriate data management systems which may be paper based or electronic. We process your personal data in accordance with the aims of our service:

  1. Employees & Potential Employees
    • CHI collects personal and sensitive data about you for the purposes of preventive or occupational medicine and for the assessment of the working capacity of the employee, to ensure the health and safety of employees at work and to allow consideration of any adjustments that may be required to support their ability to work.
    • If you are not satisfied that your Employer is legally entitled to reasonably require you to submit to or undergo health surveillance and/or medical assessment, or if you have any questions or concerns about your Employer’s entitlement to require you to undergo health surveillance and/or medical assessment, you should direct your question or concern to your Employer or Prospective Employer.
    • Data may also be used for statistics but will be anonymised if this is the case.
    • Your personal information is shared with CHI by your employer/prospective employer, for example by the Recruitment team, Human Resources, a Manager or an Occupational Health Nurse on site.
    • The data, once gathered, is known as the ‘medical data’, for which CHI determines the purpose and means of processing in agreement with your employer. Medical data is bound by the duties of confidentiality and, under the Guide to Professional Conduct and Ethics for Registered Medical Practitioners (Amended) 2019, it cannot be disclosed without patient consent, with some exceptions such as a court order or, under health and safety, when the safety of yourself or others is at risk.
    • Article 9(3) of the General Data Protection Regulations (GDPR) makes provision for when these data are processed by a “regulated” health professional. It states that processing is permitted “when these data are processed under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies”.
  2. The Provision of Occupational Health Services, Advice or Opinion – where we are requested to provide a report or occupational medical advice by a service user. For example, an Insurance Company or Solicitor instructed by a third party.
  3. When our services are engaged by you, where no service level agreement or ongoing contractual relationship exists – i.e., where we are requested to provide a report or occupational medical advice requested by you or a third party acting on your behalf.

Your personal data will be processed for the following purposes:

  1. to provide the medical assessment, health surveillance, medical opinion or advice sought including assessing the working capacity of employees and the management of health or social care systems and services;
  2. to contact you in response to communications you might send us or to provide you with the information / service you have requested;
  3. to deliver relevant marketing information to you and to ensure that content from our website is presented in the most effective manner for you and for your computer;
  4. to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; and
  5. to send you email alerts and newsletters that you receive as a term of your service level agreement or contract with us, or that you have opted in to receive by filling in our online forms or contacting us by email or by other means. We also provide the facility to opt out of receiving such communication on the site and within each such communication we send you.

We rely upon the following legal bases in controlling and processing your personal data:

  1. To comply with employers’ legal obligations such as health and safety and Duty of Care, where employers have a duty to ensure employees’ safety, health and welfare at work, as far as reasonably practicable. To prevent workplace injuries and ill-health, the employer must take certain actions.
  2. Additional special category – Article 9(2)(h) specifically authorises the processing of data for Occupational Medicine, which is a special category, so that “processing is necessary for the purposes of Occupational Medicine”; and Article 9(3), which states that processing is permitted when these data are processed by a “regulated” health professional.
  3. where such processing is necessary for the performance of your membership application or contract with us (Article 6(b));
  4. where such processing is in our legitimate interests in conducting our business in a responsible and commercially prudent manner.
  5. to comply with our legal and regulatory obligations; and
  6. in limited circumstances, your explicit consent (where we have sought it and you have provided it to us), and in which case, you can withdraw your consent at any time.

We will not process your personal data for any of these purposes if to do so would constitute an unwarranted interference with your interests, rights and freedoms. We only collect the minimum amount of personal information necessary.

CCTV, Photography & Video Recording

We do not operate CCTV and/or video recording at our premises. In certain limited circumstances, we may take photographs of injuries for the purposes of providing the medical assessment, health surveillance, medical opinion or advice sought including assessing the working capacity of employees and the management of health or social care systems and services.

At any event or conference, we may organise, photography and/or video recording may take place. In accordance with the legitimate business and promotional interests of our business your image may be used in our publications and website. If you do not consent to this use, please advise a member of staff prior to or on arrival at the meeting and/or event. You will be advised whether it is possible to accede to your request. If it is not possible for us to confirm that your image will not be used in our publications and/or website, even in an inadvertent manner, we will offer you a refund of any attendance fee. We strongly advise that you make any such enquiry at the time of booking.

However, where our events and/or meetings are held in public venues and, in accordance with the legitimate business and promotional interests of our business, members of the press and press photographers/videographers are present, we do not control the publication of press photography and/or reporting.

The Requirement to process personal data.

The provision of your personal data for the purposes described above is a contractual requirement in the provision of Occupational Health services. In addition, we may need to process your personal data to comply with statutory requirements, such as keeping proper records of financial transactions. We cannot continue to facilitate and administer your service level agreement, contract or relationship with us if you fail to provide your personal data for the purposes described above.

2. HOW IS YOUR INFORMATION SHARED?

Your information will be shared as required with relevant persons for legitimate and reasonable purposes i.e. our provision of the medical assessment, health surveillance, medical opinion or advice sought including assessing the working capacity of employees and the management of health or social care systems and services. We only collect and use your personal data when requested to do so by you, your Employer or Prospective Employer and then in the normal course, we only share relevant data we collect about you with your Employer or prospective Employer. This will include routine health surveillance information including routine testing and reports and our opinion regarding your fitness for work, potential work and/or meetings. This is shared through a secure file share (SharePoint) or by encrypted password protected attachment.

We may also process and share your data with our accountant(s) and other professional advisors when required, however such processing and sharing of personal data will not include medical information. Our service providers may only process the data of our members for the purpose of providing us with their services, and no other purpose. We may also share certain parts of your data when we are required to do so with competent regulatory authorities and bodies as requested or required by law.

We reserve the right to transfer information (including your Personal Data) to a third party in the event of a restructuring of our organisation, provided that the third party has an equivalent privacy policy in place and all necessary legal requirements are complied with.

Transfers of data outside the European Economic Area (EEA)

We do not transfer data to processors located outside the EEA. Your data may be processed by staff operating outside the EEA who work for us or for one of our suppliers. The safeguard we have put in place for this transfer is to enter European Commission approved standard contractual clauses with the provider.

If you wish to receive more information relating to our Processors and/or transfers outside of the EEA, please contact us at the contact details at the start of this privacy notice.

3. WHAT ARE YOUR RIGHTS RELATING TO PERSONAL DATA?

  1. The Medical Assessment, Health Surveillance or Screening of Employees & Potential Employees
    • CHI collects personal and sensitive data about you for the purposes of preventive or occupational medicine and for the assessment of the working capacity of the employee, to ensure the health and safety of employees at work and to allow consideration of any adjustments that may be required to support their ability to work.
    • Data may also be used for statistics but will be anonymised if this is the case.

      Your personal information is shared with CHI by your employer/prospective employer, for example by the Recruitment team, Human Resources, a Manager or an Occupational Health Nurse on site.

      The data, once gathered, is known as the ‘medical data’, for which CHI determines the purpose and means of processing in agreement with your employer. Medical data is bound by the laws of confidentiality and, under the Guide to Professional Conduct and Ethics for Registered Medical Practitioners (Amended) 2019, it cannot be disclosed without patient consent, with some exceptions such as a court order or, under health and safety, when the safety of yourself or others is at risk.

      Article 9(3) of the General Data Protection Regulations (GDPR) makes provision for when these data are processed by a “regulated” health professional. It states that processing is permitted “when these data are processed under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies”.

    • Correspondence and communications to and from your employer, including health referrals, emails, reports and certificates that outline your fitness to work, must be sought directly from your employer or potential employer, as the data controller of this information.

      When we collect personal and sensitive data about you for the purposes of completing health surveillance and/or medical assessment in the course of your employment or potential employment, our work is carried out on behalf of your Employer or Prospective Employer in accordance with the terms and conditions of your employment or prospective employment.

      Upon request, but you should note that we are required to notify the Data Controller (i.e., your Employer or Prospective Employer) of your request.

  2. The Provision of Occupational Health Services, Advice or Opinion – when we process your personal data in the course of providing a report or occupational medical advice requested by another service user for example, an Insurance Company or Solicitor instructed by a third party, that Insurance Company or third party is the Data Controller and you should direct any request to access your information to that third party. If this assessment or report was requested in the course of legal proceedings, certain restrictions apply to the sharing of our report or assessment and you should consult your Solicitor in this regard.
  3. When our services are engaged by you, where no service level agreement or ongoing contractual relationship exists – i.e. when we control and process your data in the course of providing a report or occupational medical advice requested by you or a third party acting on your behalf, we are the Data Controller and we will be happy to provide you with a copy of your information upon request in compliance with your rights under Data Protection Law.

When we are the Data Controller, you may request information regarding personal data relating to you, how it is stored, how the data was collected, and for what purpose. If personal data is incorrect or incomplete, you may request for it to be corrected or supplemented. You may request that your data is deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing activity has lapsed or ceased to be applicable for other reasons. However, retention requirements shall be observed. You have the right to data portability, i.e., you have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used, machine-readable format. In the very limited circumstances where we may be processing personal data based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing which took place prior to its withdrawal.

You may lodge a complaint with a supervisory authority. The Irish supervisory authority is the Data Protection Commission (https://www.dataprotection.ie/).

In order to exercise any of the rights set out above, please contact us at the contact details at the start of this privacy notice.

4. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We will retain your personal data (including sensitive data) on an ongoing basis, and in order for us to:

  1. fulfil the terms of our service level agreements or contracts;
  2. comply with our legal records retention obligations and for any extended period reasonably determined necessary;
  3. to investigate or process complaints and/or defend or bring legal claims or complaints.

We will retain your medical records on an ongoing basis, and we will delete your personal data once it is no longer required for these purposes.

Retention periods are as follows:

  • Management referral information will be held for 7 years after the cessation of employment (on notification by your prospective employer) or up to your 75th birthday.
  • Clinical records associated with Health Surveillance will be held for 7 years after the cessation of employment (on notification by your prospective employer) or up to your 75th birthday.
  • Pre-placement medicals will be discarded after 1 year if the employee doesn’t take up the offer of the job (on notification by your prospective employer). If the job is taken up, they will be treated as management referral information and retained for the same length of time.
  • 10 to 40 years in relation to Health Surveillance Records, as required by the Health and Safety Authority (HSA), or up to your 75th birthday.
  • Financial records are held for 7 years.
  • Unwanted records will be destroyed.

Can I ask to delete my personal data? You can submit a request to have your personal data deleted; however, this right is not an absolute right. In most cases we will be legally obliged to keep your data for a certain amount of time.

We will automatically delete your personal data once it is no longer required for these purposes. If you wish to request that your personal data is deleted in advance of our routine deletion, or for further details of our data retention procedures, please send a request to us at the contact details at the start of this privacy notice.

5. HOW DO WE KEEP YOUR PERSONAL DATA SAFE?

We take steps through organisational and technical measures to ensure that the personal and sensitive information we hold about you is held securely and to protect against the loss or misuse of your information.

Your data is stored on our own company IT systems, which are hosted on Amazon WorkSpace (AWS), and we also use the Occupational Health System eOPAS, which is managed by Civica. CHI and Civica are both ISO7001 information security accredited. We have appropriate technical and organisational measures in place to protect your personal data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition, or access.

Your reports, i.e. the health professional’s opinion of your fitness to work, are shared with your employer through a secure file share system (SharePoint), to which access is limited to persons who have been nominated by your employer.

Any breach of your personal or sensitive data is notified and managed in accordance with our Data Breach Notification Procedure.