DATA PROTECTION AND PRIVACY POLICY

The purpose of our Privacy Policy is to outline how we deal with any personal and sensitive data we collect or process which may be provided to us by you and/or our service users. This may arise where we carry out reviews of an Employee or potential Employee at the request of their Employer, or where we are requested to provide a report or occupational medical advice by another service user, for example an Insurance Company or Solicitor.

EHA Corporate Ltd (Trading as CHI Cork) and Shelomar Occupational Medicine Limited (Trading as Corporate Health Ireland CHI) are Limited Companies. Our registered addresses are 1st Floor, Block B, Heritage Business Park, Mahon Industrial Estate, Blackrock, Cork and 10/12 Exchange Place, IFSC, Dublin1, D01 N4X6

By engaging with our provision of services or visiting this website, you are accepting the terms of this Data Protection and Privacy Policy. Any external links to other websites are clearly identifiable as such, and we are not responsible for the content or the privacy policies of these other websites. If you are not happy with the terms of this policy you should not use this website and you should inform the team at CHI immediately, as this may affect how CHI interacts with you as an individual and/or the provision of our services. Our Data Protection Officer is Fiona Sinclair, and you can contact us at dpo@chi.ie

Privacy Policies of other websites:

CHI website contains links to other websites. Our privacy policy only applies to our website and if you click on to a link to another website, you should read their privacy policy

GENERAL STATEMENT

CHI respects your right to privacy and will not collect any personal information about you on this website without your clear permission. Any personal data that you volunteer to CHI, if retained, will be held on secure servers. The nature of the Internet is such that we cannot guarantee or warrant the security of any information you transmit to us via the Internet. No data transmission over the Internet can be guaranteed to be 100% secure. However, we will take all reasonable steps (including appropriate technical and organisational measures) to protect your personal data.

This Policy will be continuously assessed against new technologies, business practices, regulatory changes and the evolving needs of our business and the services we provide. Any changes to this Data Protection and Privacy Policy will be posted on this website so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.

Corporate Health Ireland are committed to protecting the rights of the individual and acknowledge that any personal data of yours that we handle will be processed in accordance with the Data Protection Acts 1988-2018 including General Data Protection Regulations (GDPR) 2018. In addition, our registered health professionals will adhere to their professional standards with regards to confidentiality.

Reference of Terms: 

  • Corporate Health Ireland will be identified as CHI
  • Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  • The term Medical Data shall mean the medical history, medical information and medical data obtained, collected and processed (including for the avoidance of doubt the medical opinion and clinical assessment) by Corporate Health Ireland in the provision of the Services.
  • The term Client (Employer) Employee Data shall mean the data shared with Corporate Health Ireland in the provision of the Services, including but not limited to, employee name, employee number, employee contact details and such other information necessary, including by way of example only such other information such as absence records, job role, job location necessary and relative to the referral made by Client (your employer) to Corporate Health Ireland.
  • Data Controller/Processor relationship Summary: The Parties acknowledge and agree that (to the extent applicable):
  • Client (your employer or perspective employer) acts as a Data Controller in respect of the Employee Data.
  • CHI acts as a Data Processor in relation to the Employer Employee Data.
  • CHI act as a Data Controller in relation to the Medical Data as defined above.

1. WHAT DATA DO WE COLLECT?

CHI collected personal identification information such as name, telephone contact number, email address, home address, occupational role,

Special category/ Sensitive information includes data concerning health including lifestyle information which may include details about religion, marital status, family status and medical information such as relevant medical history, diagnostic information, test results, imaging, or medical photography.

In this policy, any reference to personal data includes sensitive data

2. HOW DO WE COLLECT YOUR DATA?

Most of the time, you will provide us with your personal data directly or your data may be supplied by your member organisation/business.

The information is shared either by your employer which can be in the form of a referral form or email when they book an appointment with CHI

We also collect information directly from you when you attend for an assessment, by completing a health form and through discussion with the health professional during a face to face or telephone consultation.

Where an individual contacts CHI by phone, caller numbers are automatically stored on the recipient phone in the reception for a limited period of time in a list of inbound and outbound calls, but no further processing of this data (caller numbers) is carried out by the CHI.

During the course of dealing with a query, complaint or other matter, CHI may record personal data received by it during the course of phone calls in the form of notes made to be passed onto the relevant health professional, in the capacity of information relevant to an individual’s case or assessment the relevant notes are made within out occupational record system. CHI does not audio record or retain audio recordings of phone conversations.

2.1 Website

CHI does not collect any personal data about you from our website, apart from information that you volunteer (for example by e-mailing us or by completing any of our on-line forms or physical application form).

Unlike most websites, CHI does not gather statistical and analytical information collected on an aggregate basis of all visitors to our website. This non-personal data comprises information that cannot be used to identify or contact you.

We do not use any personal data for the purpose of automated decision-making or profiling.

3. WHY WE COLLECT YOUR DATA?

Any personal or sensitive data collected about you arises where we carry out reviews of an Employee or potential Employee at the request of their Employer, or where we are requested to provide a report or occupational medical advice by another service user, for example an Insurance Company or Solicitor.  This data is stored on our system or data management system, in some cases a data management system of your Employer/potential Employer and other appropriate data management systems which may be paper based or electronic. We process your personal data in accordance with the aims of our service:

3.1 Employees & Potential Employees

  • 3.1.1 CHI collects data – personal and sensitive data about you for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee. To ensure the health and safety of the employees at work and to allow consideration of any adjustments that may be required to support their ability to work.
  • 3.1.2 If you are not satisfied that your Employer is legally entitled to reasonably require you to submit or undergo health surveillance and/or medical assessment or if you have any questions of concerns about your Employer’s entitlement to require you to undergo health surveillance and/or medical assessment, you should direct your question or concern to your Employer or Prospective Employer.
  • 3.1.3 Data may also be used for statistics but will be anonymised if this is the case.
  • 3.1.4 Your personal information is shared with CHI by your employer/perspective employer such as Recruitment team, Human resources, Manager, Occupational health nurse on site.
  • 3.1.5 The data once gathered known as the ‘medical data’ for which CHI determine the purpose and means of processing in agreement with your employer. Medical data is bound by the duties of confidentiality and under the Guide to Professional Conduct and Ethics for Registered Medical Practitioners (Amended) 2019, it cannot be disclosed without a patient consent with some exceptions, such as court order or under Health and safety when the safety of yourself or others are at risk.
  • 3.1.6 Article 9(3) of General Data Protection Regulations (GDPR) makes provision when these data are processed by a “regulated” health professional. Which states that processing is permitted “when these data are processed under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies”

The Provision of Occupational Health Services, Advice or Opinion– where we are requested to provide a report or occupational medical advice by a service user. For example, an Insurance Company or Solicitor instructed by a third party.

When our services are engaged by you, where no service level agreement or ongoing contractual relationship exists– i.e., where we are requested to provide a report or occupational medical advice requested by you or a third party acting on your behalf.

4. PURPOSE FOR PROCESSING YOUR DATA:

The lawful bases under which Corporate Health Ireland processes personal data include:

  • Article 6(1)(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Article 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Article 6(1)(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The lawful bases under which Corporate Health Ireland processes special category personal data include:

  • Article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • Article 9(2)(b) processing is necessary for the purpose of carrying out obligations or rights of the data controller or the data subject in the field of employment law.
  • Section 45 of the Bill: processing data concerning health for the purpose of an insurance policy, health insurance and/or occupational pension; and/or
  • Article 9(2)(i) processing is necessary for reasons of public interest in the area of public health.

We will always process your personal data in accordance with this privacy notice and all applicable data protection laws.

We will not process your personal data for any of these purposes if to do so would constitute an unwarranted interference with your interests, rights and freedoms. We only collect the minimum amount of personal information necessary.

CCTV, Photography & Video Recording

We do operate CCTV and/or video recording at our Cork premises. There are three cameras in total, at internal entrances of each floor and the purpose of recording is for the protection and safety of our staff and safety of CHI assets and Information.

The legal basis of the processing is Article 6(1)(f), GDPR, which allows us to process personal data on the basis that it is necessary for CHI Legitimate interests.

CCTV footage is retained by CHI for a period of 30 days

We may take photographs of injuries for the purposes of providing the medical assessment, health surveillance, medical opinion or advice sought including assessing the working capacity of employees and the management of health or social care systems and services.

At any event or conference, we may organise, photography and/or video recording may take place. In accordance with the legitimate business and promotional interests of our business your image may be used in our publications and website. If you do not consent to this use, please advise a member of staff prior to or on arrival at the meeting and/or event. You will be advised whether it is possible to accede to your request. If it is not possible for us to confirm that your image will not be used in our publications and/or website, even in an inadvertent manner, we will offer you a refund of any attendance fee. We strongly advise that you make any such enquiry at the time of booking.

However, where our events and/or meetings are held in public venues and in accordance with the legitimate business and promotional interests of our business members of the press and press photographers/videographers are present, we do not control the publication of press photography and/or reporting.

5. HOW IS YOUR INFORMATION SHARED?

Your information will be shared as required with relevant persons for legitimate and reasonable purposes i.e., our provision of the medical assessment, health surveillance, medical opinion or advice sought including assessing the working capacity of employees and the management of health or social care systems and services. We only collect and use your personal data when requested to do so by you, your Employer or Prospective Employer and then in the normal course, we only share relevant (in terms of fitness to work) data we collect about you with your Employer or prospective Employer. This will include routine health surveillance information including routine testing and reports and our opinion regarding your fitness for work, potential work and/or meetings. This is shared through a secure file share (SharePoint) or by encrypted password protected attachment.

We may also process and share your data with our accountant(s) and other professional advisors when required, however such processing and sharing of personal data will not include medical information. Our service providers may only process the data of our members for the purpose of providing us with their services, and no other purpose. We may also share certain parts of your data when we are required to do so with competent regulatory authorities and bodies as requested or required by law.

We reserve the right to transfer information (including your Personal Data) to a third party in the event of a restructuring of our organisation, provided that the third party has an equivalent privacy policy in place and all necessary legal requirements are complied with.

  • Transfers of data outside the European Economic Area (EEA)

CHI do not transfer data to processors located outside the EEA.  The safeguard we have put in place for data for which CHI are controller is only stored within the EEA and we do not transfer or have any providers to date that are located outside of the EEA

If in the event that CHI data may be processed by staff operating outside the EEA who work for us or for one of our suppliers. The safeguard we have put in place for this transfer is to enter European Commission approved standard contractual clauses with the provider.

Transfer may occur if your employer or prospective employer request for transfer to personnel who may be operating outside the EEA and as data processor CHI’s safeguarding for this transfer is to have a robust data protection agreements with employers/prospective employers.

If you wish to receive more information relating to our Processors and/or transfers outside of the EEA, please contact us at the contact details at the start of this privacy notice.

6. WHAT ARE YOUR RIGHTS RELATING TO PERSONAL DATA?

You have certain rights under the GDPR which include the right to access, amend, update, restrict, delete, or object to the use of, your personal data; and to request information about the basis on which your personal data is processed.

  • The Medical Assessment, Health Surveillance or Screening of Employees & Potential Employees
    • CHI collects data personal and sensitive data about you for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee. To ensure the health and safety of the employees at work and to allow consideration of any adjustments that may be required to support their ability to work.
    • Data may also be used for statistics but will be anonymised if this is the case.
    • Your personal information is shared with CHI by your employer/perspective employer such as Recruitment team, Human resources, Manager, Occupational health nurse on site.
    • The data once gathered known as the ‘medical data’ for which CHI determine the purpose and means of processing in agreement with your employer. Medical data is bound by the laws of confidentiality and under the Guide to Professional Conduct and Ethics for Registered Medical Practitioners (Amended) 2019, it cannot be disclosed without a patient consent with some exceptions, such as court order or under Health and safety when the safety of yourself or others are at risk.

Article 9(3) of General Data Protection Regulations (GDPR) makes provision when these data are processed by a “regulated” health professional. Which states that processing is permitted “when these data are processed under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies”

6.2 Access Requests for Medical Reports

  • Under GDPR and the Data Protection Acts, you may obtain a copy of Correspondence/ communications to and from your employer including health referrals, emails and reports or certificates that outline your fitness to work or medical report furnished to your employer following your assessment. You should put your request in writing to the individual who commissioned Corporate Health Ireland to prepare the report. This is normally the HR Manager in a workplace.
    You will need to seek directly from your employer or potential employer as the data controller of this information.

The employer has responsibility as the Data Controller under the terms of the Data Protection Act to release the report within one calendar month of receiving a request in writing.

  • When we collect personal and sensitive data about you for the purposes of completing health surveillance and/or medical assessment in the course of your employment or potential employment, our work is carried out on behalf of your Employer or Prospective Employer in accordance with the terms and conditions of your employment or prospective employment.

However, we will be happy to provide you with a copy of your data (with the exception of any communications made to or received from your employer or potential employer in which case you will need to seek directly from your employer or potential employer as the data controller of this information) upon your written request.

  • The Provision of Occupational Health Services, Advice or Opinion– when we process your personal data in the course of providing a report or occupational medical advice requested by another service user for example, an Insurance Company or Solicitor instructed by a third party, that Insurance Company or third party is the Data Controller, and you should direct any request to access your information to that third party. If this assessment or report was requested in the course of legal proceedings, certain restrictions apply to the sharing of our report or assessment, and you should consult your Solicitor in this regard.
  • When our services are engaged by you, where no service level agreement or ongoing contractual relationship exists– i.e. when we control and process your data in the course of providing a report or occupational medical advice requested by you or a third party acting on your behalf, we are the Data Controller and we will be happy to provide you with a copy of your information upon request in compliance with your rights under Data Protection Law.
  • When we are the Data Controller, you may request information regarding personal data relating to you, how it is stored, how the data was collected, and for what purpose. If personal data is incorrect or incomplete, you may request for it to be corrected or supplemented.

You may request that your data is deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply.

The same applies if the purpose behind the data processing activity has lapsed or ceased to be applicable for other reasons. However, retention requirements shall be observed.

You have the right to data portability i.e., you have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine-readable format.

If the very limited circumstances where we may be processing personal data based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing which took place prior to its withdrawal.

Can I ask to delete my personal data? You can submit a request to have your personal data deleted however this right is not an absolute right. In most cases we will be legally obliged to keep your data for a certain amount of time.

We will automatically delete your personal data once it is no longer required for these purposes. If you wish to request that your personal data is deleted in advance of our routine deletion or for further details of our data retention procedures, please send a request us to the contact details at the start of this privacy notice.

  • Security and retention of your personal data

We take steps through organisational and technical measures to ensure that the personal and sensitive information we hold about you is held securely and to protect against the loss or misuse of your information.

Your data is stored on our own company IT systems which is stored on Amazon WorkSpace (AWS) and we also use Occupatioanl Health System- eOPAS which is managed by Civica. CHI and Civica are both ISO7001 information security accredited. We have appropriate technical and organisational measures in place to protect your personal data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition, or access.

Your reports , the health professionals opinion of your fitness to work, is shared with your employer through a secure file share system (SharePoint) for which there is limited access to persons  who have been nominated by your employer.

Any breach of your personal or sensitive data is notified and managed in accordance with our Data Breach Notification Procedure.

6.4.1 We will retain your personal data (including sensitive data) and medical records on an ongoing basis, and in order for us to:

  1. fulfil the terms of our service level agreements or contracts.
  2. Inform a diagnosis of a latent condition, ensure your health and safety and protect your vital interests;
  3. comply with our legal records retention obligations and for any extended period reasonably determined necessary.
  4. and/or to investigate or process complaints and/or defend or bring legal claims or complaints.

6.4.2     We will retain your medical records on an ongoing basis, and we will delete your personal data once it is no longer required for these purposes.

Retention periods are as follows:

  • Management referral information will be held for 7 years after the cessation of employment (if notification of your perspective employer) or 7 years after last entry or from last entry.
  • Medical Records associate with Health Surveillance will be held for 7 years after the cessation of employment (if notification of your perspective employer) or 7 years after last entry or from last entry.
  • Audiograms and related medical records will be held for 15 years after the cessation of employment (if notification of your perspective employer) or 15 years after last entry or from last entry.
  • Pre- placement medicals will be discarded after 1 years if the employee doesn’t take up the offer of the job (on notification of your perspective employer). If the job is taken up it will be treated with the management referral information and retained for the same length of time.
  • 10- 40 years in relation to Health Surveillance Record as required by the Health and Safety Authority (HSA) or up to 75th Birthday.
  • Financial records are held for 7 years.

How to contact the appropriate authority:

You may lodge a complaint with a supervisory authority. The Irish supervisory authority is the Data Protection Commission Homepage | Data Protection Commission

In order to exercise any of the rights set out above, please contact us at the contact details at the start of this privacy notice

Changes to our privacy policy

CHI keeps its privacy policy under regular review and places any updates on this web page. The privacy policy was last updated October 2022