DATA PROTECTION AND PRIVACY POLICY

The purpose of our Privacy Policy is to outline how we deal with any personal and sensitive data we collect or process which may be provided to us by you and our service users. This may arise where we carry out reviews of an Employee or potential Employee at the request of their Employer, or where we are requested to provide a report or occupational medical advice by an employer or another service user.

Corporate Health Ireland (CHI) is a trading name of PAM Group, an occupational health business based in the United Kingdom (www.pamgroup.co.uk). We operate in Ireland as EHA Corporate Ltd and Shelomar Occupational Medicine Limited. Our registered addresses are 1st Floor, Block B, Heritage Business Park, Mahon Industrial Estate, Blackrock, Cork and 10/12 Exchange Place, IFSC, Dublin 1, D01 N4X6. Both of these companies are wholly owned subsidiaries of PAM Group.

By engaging with our provision of services or visiting this website, you are accepting the terms of this Data Protection and Privacy Policy. Any external links to other websites are clearly identifiable as such, and we are not responsible for the content or the privacy policies of these other websites. If you are not happy with the terms of this policy you should not use this website and you should inform the team at CHI immediately, as this may affect how CHI interacts with you as an individual and/or the provision of our services. Our Data Protection Officer is Fiona Sinclair, and you can contact us at dpo@chi.ie

The CHI website contains links to other websites. Our privacy policy only applies to our websites; if you click on a link to another website, please read their privacy policy.

1. GENERAL STATEMENT

CHI respects your right to privacy and will not collect any personal information about you on this website without your clear consent. Any personal data that you provide to CHI, if retained, will be held on secure servers. No data transmission over the internet can be guaranteed to be 100% secure. However, we will take all reasonable steps (including appropriate technical and organisational measures) to protect your personal data.

This Policy will be continuously assessed against new technologies, business practices, regulatory changes and the evolving needs of our business and the services we provide. Any changes to this Data Protection and Privacy Policy will be posted on this website so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.

CHI are committed to protecting the rights of the individual and acknowledge that any personal data of yours that we handle will be processed in accordance with the Data Protection Acts 1988-2018 (Ireland) and the European Union General Data Protection Regulations (2018). In addition, our registered health professionals will adhere to their professional standards with regards to confidentiality.

Definitions – within this policy the following definitions are made.

Corporate Health Ireland will be identified as CHI.

Client (Employer) Employee Data shall mean the data shared with CHI in the provision of the Services, including but not limited to employee name, employee number, employee contact details and such other information (such as absence records, job role and job location) as is necessary and relative to the referral made by your employer to Corporate Health Ireland.

Data Controller means a person or organisation who controls the purpose of and means by which personal data is processed. A Data Controller is responsible for complying with data protection regulations and remains accountable for the processing even if a third party carries it out on their behalf. The legal definition of a data controller is given in Art. 4 (7) GDPR.

Data Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.

Health Data shall mean the name, address, date of birth, email, telephone numbers, medical history, clinical information including notes and assessment forms, reports and medical data obtained, collected and processed (including for the avoidance of doubt the medical opinion and clinical assessment) by Corporate Health Ireland in the provision of the Services.

PAM Group is a company registered in the UK with its office at Holly House, 73-75 Sankey Street, Warrington, Cheshire, England WA1 1SL; see www.pamgroup.co.uk

2. WHAT DATA DO WE COLLECT?

We hold your employer’s occupational health records; these are health and personal records that are held for your safety and wellbeing at work. Occupational health records may only be held by authorised healthcare professionals.

The lawful reason for processing your data is set out in the Regulation (EU) 2016/679 (General Data Protection Regulation).

Article 6(1)(b): processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract; and/or

Article 9(2)(h) of the GDPR, processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Article 9(2)(i) processing is necessary for reasons of public interest in public health.

Data Protection Act (2018) s(50) processing data concerning health for the purpose of an insurance policy, health insurance and/or occupational pension.

Special category/ Sensitive information includes data concerning health, including lifestyle information which may include details about religion, marital status, family status and medical information such as relevant medical history, diagnostic information, test results, imaging, or medical photography.

If you have any questions or concerns about your Employer’s entitlement to require you to undergo health surveillance and/or medical assessment, you should direct your question or concern to your Employer or Prospective Employer.

3. HOW DO WE COLLECT YOUR DATA?

Most of the time, you will provide us with your personal data directly, or your data may be supplied by your organisation/business. The information is shared by your employer, which can be in the form of a referral form or email when they book an appointment with CHI. We also collect information directly from you when you attend for an assessment, by completing a health form and through discussion with the health professional during a face-to-face or telephone consultation.

Where an individual contacts CHI by phone, caller numbers are automatically stored on the recipient phone in the reception for a limited period in a list of inbound and outbound calls, but no further processing of this data (caller numbers) is carried out by CHI.

When dealing with a query, complaint or other matter, CHI may record personal data received during the course of phone calls in the form of notes to be passed on to the relevant health professional. Where the information is relevant to an individual’s case or assessment, the relevant notes are made within our occupational record system. CHI does not audio record or retain audio recordings of phone conversations.

Website

CHI does not collect any personal data about you from our website, apart from information that you volunteer (for example by e-mailing us or by completing any of our on-line forms or physical application form). We do not use any personal data for the purpose of automated decision-making or profiling.

4. WHY DO WE COLLECT YOUR DATA?

Any personal or sensitive data collected about you arises where we carry out reviews of an Employee or potential Employee at the request of your Employer, or where we are requested to provide a report or occupational medical advice by another service user, for example an Insurance Company or Solicitor. This data is stored on our system or data management system, in some cases a data management system of your Employer/potential Employer and other appropriate data management systems which may be paper based or electronic. We process your personal data in accordance with the aims of our service:

Employees & Potential Employees – data may also be used for statistics but will be anonymised if this is the case. Your personal information is shared with CHI by your employer/prospective employer, such as the recruitment team, human resources, or occupational health team on site. The data, once gathered, is known as the ‘health data’, for which CHI determine the purpose and means of processing in agreement with your employer.

Health data is bound by the duties of confidentiality and, under the Guide to Professional Conduct and Ethics for Registered Medical Practitioners (Amended) (2019), it cannot be disclosed without consent, with some exceptions, such as a court order or under health and safety when the safety of yourself or others is at risk.

When our services are engaged by you, where no service level agreement or ongoing contractual relationship exists– i.e., where we are requested to provide a report or occupational medical advice requested by you or a third party acting on your behalf.

5. PROCESSING YOUR DATA:

When your health data is processed for the purpose of delivering our services to you or on behalf of your employer, CHI acts as a Data Controller. Your employer will also act as a separate Data Controller for personal identifiable data that they process in relation to their employees.

Your data may be processed by any worker or employee of CHI or PAM Group for the purposes of delivering or administering the services to you or our client. We will always process your personal data in accordance with this privacy policy and all applicable data protection laws.

We will not process your personal data for any of these purposes if to do so would constitute an unwarranted interference with your interests, rights, and freedoms.

CCTV, Photography & Video Recording

We do operate CCTV and/or video recording at our Cork premises. There are three cameras in total, at the internal entrances of each floor, and the purpose of recording is the protection and safety of our staff and the safety of CHI assets and information. CCTV footage is retained by CHI for a period of 30 days. The legal basis of the processing is Article 6(1)(f) GDPR, which allows us to process personal data on the basis that it is necessary for CHI's legitimate interests.

We may take photographs of injuries for the purposes of providing the medical assessment, health surveillance, medical opinion or advice sought including assessing the working capacity of employees and the management of health or social care systems and services.

At any event or conference we may organise, photography and/or video recording may take place. In accordance with the legitimate business and promotional interests of our business, your image may be used in our publications and website. If you do not consent to this use, please advise a member of staff prior to or on arrival at the meeting and/or event. You will be advised whether it is possible to accede to your request. If it is not possible for us to confirm that your image will not be used in our publications and/or website, even in an inadvertent manner, we will offer you a refund of any attendance fee. We strongly advise that you make any such enquiry at the time of booking.

However, where our events and/or meetings are held in public venues and, in accordance with the legitimate business and promotional interests of our business, members of the press and press photographers/videographers are present, we do not control the publication of press photography and/or reporting.

6. HOW IS YOUR INFORMATION SHARED?

Your information will be shared as required with your employer for the purpose of providing our services including provision of the medical assessment, health surveillance, medical opinion or advice sought including assessing the working capacity of employees and the management of health or social care systems and services. We only collect and use your health data when delivering the services to your employer or prospective employer and then in the normal course, we only share relevant (in terms of fitness to work) data we collect about you with your employer or prospective employer. This will include routine health surveillance information including routine testing and reports and our opinion regarding your fitness for work, potential work and/or meetings. This is shared through a secure file share and is encrypted. We may also share certain parts of your data when we are required to do so with competent regulatory authorities and bodies as requested or required by law.

7. TRANSFERS OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

CHI do not transfer data to processors located outside the EEA. Our data is stored in data centres in Ireland. For clients who use our UK services, that data may be stored in the UK. If CHI data is processed by staff operating outside the EEA (i.e., the UK) who work for us or for one of our suppliers, the safeguard we have put in place for this processing is to always comply with Regulation (EU) 2016/679 (General Data Protection Regulation). They will only process your data in line with this policy.

A transfer may occur if your employer or prospective employer, who may be operating outside the EEA, requests a transfer of data. CHI’s safeguard for this transfer is to have a robust data protection agreement with employers/prospective employers.

If you wish to receive more information relating to our processors and/or transfers outside of the EEA, please contact us at dpo@chi.ie

8. WHAT ARE YOUR RIGHTS RELATING TO PERSONAL DATA?

You have certain rights under the GDPR which include the right to access, update, or object to the use of, your personal data; and to request information about the basis on which your personal data is processed.

8.1 The Medical Assessment, Health Surveillance or Screening of Employees & Potential Employees

CHI processes personal and sensitive data about you for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, to ensure the health and safety of employees at work and to allow consideration of any adjustments that may be required to support their ability to work. Data may also be used for statistics but will be anonymised if this is the case.

Your personal information is shared with CHI by your employer/prospective employer. The data, once gathered, is known as the ‘health data’, for which CHI determine the purpose and means of processing on behalf of your employer. Health data is bound by the laws of confidentiality and, under the Guide to Professional Conduct and Ethics for Registered Medical Practitioners (Amended) 2019, it cannot be disclosed without your consent, with some exceptions, such as a court order or under health and safety when the safety of yourself or others is at risk.

8.2 Access Requests for Medical Reports and Records

Under GDPR and the Data Protection Acts, you may obtain a copy of correspondence/communications to and from your employer, including health referrals, emails and reports or certificates that outline your fitness to work, or a medical report furnished to your employer following your assessment. You should put your Subject Access Request in writing to sar@chi.ie

We are responsible, as the Data Controller under the terms of the Data Protection Act (2018), for releasing the report within one month of receiving a request in writing.

When we collect personal and sensitive data about you for the purposes of completing health surveillance and/or medical assessment in the course of your employment or potential employment, our work is carried out on behalf of your employer or prospective employer in accordance with the terms and conditions of your employment or prospective employment and to protect, maintain or restore your health and wellbeing.

8.3 The Provision of Occupational Health Services, Advice or Opinion

When we process your personal data in the course of providing a report or occupational medical advice requested by another service user for example, an Insurance Company or Solicitor instructed by a third party, that Insurance Company or third party is the Data Controller, and you should direct any request to access your information to that third party. If this assessment or report was requested in the course of legal proceedings, certain restrictions apply to the sharing of our report or assessment, and you should consult your Solicitor in this regard.

When we are the Data Controller, you may request information regarding personal data relating to you, how it is stored, how the data was collected, and for what purpose. If personal data is incorrect or incomplete, you may request for it to be corrected or supplemented.

You may request that your data is deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. Your employer or prospective employer will determine how long we retain your data for.

In the very limited circumstances where we may be processing personal data based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing which took place prior to its withdrawal.

9. SECURITY AND RETENTION OF YOUR PERSONAL DATA

We take steps through organisational and technical measures to ensure that the personal and sensitive information we hold about you is held securely and to protect against the loss or misuse of your information.

Your data is stored on our own company IT systems, which are stored on our secure data servers operated by Amazon WorkSpace (AWS). CHI are accredited to the ISO27001 information security standard. We have appropriate technical and organisational measures in place to protect your personal data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition, or access.

Any breach of your personal or sensitive data is notified and managed in accordance with our Data Breach Notification Procedure.

9.1 We will retain your personal data (including sensitive data) and medical records on an ongoing basis, for us to:

  1. Fulfil the terms of our service level agreements or contracts;
  2. Inform a diagnosis of a latent condition, ensure your health and safety and protect your vital interests;
  3. Comply with our legal records retention obligations and for any extended period reasonably determined necessary;
  4. and/or investigate or process complaints and/or defend or bring legal claims or complaints.

9.2 We will retain your health records on an ongoing basis. Your employer is responsible for determining the data retention period; however, we advise employers to follow these retention periods.

Management referral information will be held for 7 years after the cessation of employment (if notification of your prospective employer) or 7 years after last entry.

Health Surveillance health data will be held for 7 years after the cessation of employment. Audiograms and related health records will be held for 15 years after the cessation of employment.

Some Health data will be retained for up to 40 years in relation to health surveillance records as required by the Health and Safety Authority (HSA) or up to your 75th Birthday.

Seafarers: Approved Doctors are required to retain Forms 1 and 2 securely and confidentially for a period of 10 years after the assessment has been carried out. The Department of Transport, Tourism and Sport will monitor the certificates issued by Approved Doctors on a periodic basis using the online Seafarers Information System.

Pre-placement medicals will be discarded after 1 year if the employee doesn’t take up the offer of the job (on notification of your prospective employer). If the job is taken up, it will be treated with the management referral information and retained for the same length of time.

Financial records are held for 7 years.

10. HOW TO CONTACT THE APPROPRIATE AUTHORITY:

You may lodge a complaint with a supervisory authority. The Irish supervisory authority is the Data Protection Commission (www.dataprotection.ie). To exercise any of the rights set out above, please contact us at dpo@chi.ie

11. CHANGES TO OUR PRIVACY POLICY

CHI keeps its privacy policy under regular review and places any updates on this web page. The privacy policy was last updated October 2023.