1. HOW WE COLLECT AND USE YOUR PERSONAL DATA
Personal data is data that identifies you or can be used to identify or contact you and may include, for example, your name, address or e-mail address, occupation and photograph. In certain circumstances you will provide us with your personal data directly or your data may be supplied by your member organisation/business. Sensitive personal data includes data concerning health including lifestyle information which may include details about religion, marital status, family status and medical information such as relevant medical history, diagnostic information, test results or imaging. In this policy, any reference to personal data includes sensitive data.
Employment Health Advisors Limerick does not collect any personal data about you from our website, apart from information that you volunteer (for example by e-mailing us or by completing any of our on-line forms or physical application form).
Unlike most websites, EHA Limerick does not gather statistical and analytical information collected on an aggregate basis of all visitors to our website. This non-personal data comprises information that cannot be used to identify or contact you. We do not use any personal data for the purpose of automated decision-making or profiling.
Why we collect data
Any personal or sensitive data collected about you arises where we carry out reviews of an Employee or potential Employee at the request of their Employer, or where we are requested to provide a report or occupational medical advice by another service user, for example an Insurance Company or Solicitor. This data is stored on our system or data management system, in some cases a data management system of your Employer/potential Employer and other appropriate data management systems which may be paper based or electronic. We process your personal data in accordance with the aims of our service:
- Employees & Potential Employees – we collect personal and sensitive data about you for the purposes of completing health surveillance and/or medical assessment in the course of your employment or potential employment. Our work is carried out on behalf of your Employer or Prospective Employer in accordance with the terms and conditions of your employment or prospective employment. We are providing services that arise in the course of your employment i.e. there is no Doctor/patient relationship between us and you as an Employee or Prospective Employee of your Employer. If you are not satisfied that your Employer is legally entitled to reasonably require you to submit or undergo health surveillance and/or medical assessment or if you have any questions or concerns about your Employer’s entitlement to require you to undergo health surveillance and/or medical assessment, you should direct your question or concern to your Employer or Prospective Employer.
- The Provision of Occupational Health Services, Advice or Opinion – where we are requested to provide a report or occupational medical advice by a service user. For example, an Insurance Company or Solicitor instructed by a third party.
- When our services are engaged by you, where no service level agreement or ongoing contractual relationship exists – i.e. where we are requested to provide a report or occupational medical advice requested by you or a third party acting on your behalf.
Your personal data will be processed for the following purposes:
- to provide the medical assessment, health surveillance, medical opinion or advice sought including assessing the working capacity of employees and the management of health or social care systems and services;
- to contact you in response to communications you might send us or to provide you with the information / service you have requested;
- to deliver relevant marketing information to you and to ensure that content from our website is presented in the most effective manner for you and for your computer;
- to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; and
- to send you email alerts and newsletters that you receive as a term of your service level agreement or contract with us or that you have opted in to receive by filling in our online forms or contacting us by email or by other means. We also provide the facility to opt out of receiving such communication on the site and within each such communication we send you.
We rely upon the following legal bases in controlling and processing your personal data:
- where such processing is necessary for the performance of your membership application or contract with us;
- where such processing is in our legitimate interests in conducting our business in a responsible and commercially prudent manner;
- to comply with our legal and regulatory obligations; and
- in limited circumstances, your explicit consent (where we have sought it and you have provided it to us), and in which case, you can withdraw your consent at any time.
We will not process your personal data for any of these purposes if to do so would constitute an unwarranted interference with your interests, rights and freedoms. We only collect the minimum amount of personal information necessary.
CCTV, Photography & Video Recording
We do not operate CCTV and/or video recording at our premises. In certain limited circumstances, we may take photographs of injuries for the purposes of providing the medical assessment, health surveillance, medical opinion or advice sought including assessing the working capacity of employees and the management of health or social care systems and services.
At any event or conference we may organise, photography and/or video recording may take place. In accordance with the legitimate business and promotional interests of our business, your image may be used in our publications and website. If you do not consent to this use, please advise a member of staff prior to or on arrival at the meeting and/or event. You will be advised whether it is possible to accede to your request. If it is not possible for us to confirm that your image will not be used in our publications and/or website, even in an inadvertent manner, we will offer you a refund of any attendance fee. We strongly advise that you make any such enquiry at the time of booking.
However, where our events and/or meetings are held in public venues and, in accordance with the legitimate business and promotional interests of our business, members of the press and press photographers/videographers are present, we do not control the publication of press photography and/or reporting.
The Requirement to Process Personal Data
The provision of your personal data for the purposes described above is a contractual requirement. In addition, we may need to process your personal data to comply with statutory requirements, such as keeping proper records of financial transactions. We cannot continue to facilitate and administer your service level agreement, contract or relationship with us, if you fail to provide your personal data for the purposes described above.
2. HOW IS YOUR INFORMATION SHARED?
Your information will be shared as required with relevant persons for legitimate and reasonable purposes i.e. our provision of the medical assessment, health surveillance, medical opinion or advice sought including assessing the working capacity of employees and the management of health or social care systems and services. We only collect and use your personal data when requested to do so by you, your Employer or Prospective Employer and then in the normal course, we only share relevant data we collect about you with your Employer or prospective Employer. In the ordinary course, this will include routine health surveillance information including routine testing and reports and our opinion regarding your fitness for work, potential work and/or meetings. We will only provide your full medical file to the Chief Medical Officer or appropriate registered Medical Practitioner or health professional nominated by your Employer or prospective Employer.
We may also process and share your data with our accountant(s) and other professional advisors when required, however such processing and sharing of personal data will not include medical information. Our service providers may only process the data of our members for the purpose of providing us with their services, and no other purpose. We may also share certain parts of your data when we are required to do so with competent regulatory authorities and bodies as requested or required by law.
Transfers of data outside the European Economic Area (EEA)
We transfer data to processors located outside the EEA. Your data may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. The safeguard we have put in place for this transfer is to enter into European Commission approved standard contractual clauses with the provider.
If you wish to receive more information relating to our Processors and/or transfers outside of the EEA, please contact us at the contact details at the start of this privacy notice.
3. WHAT ARE YOUR RIGHTS RELATING TO PERSONAL DATA?
- The Medical Assessment, Health Surveillance or Screening of Employees & Potential Employees – when we collect personal and sensitive data about you for the purposes of completing health surveillance and/or medical assessment in the course of your employment or potential employment, our work is carried out on behalf of your Employer or Prospective Employer in accordance with the terms and conditions of your employment or prospective employment. When we process your personal data in this manner, your Employer or Prospective Employer is the Data Controller and you should direct any request to access your information to your Employer. However, we will be happy to provide you with a copy of your data upon request but you should note that we are required to notify the Data Controller (i.e. your Employer or Prospective Employer) of your request.
- The Provision of Occupational Health Services, Advice or Opinion – when we process your personal data in the course of providing a report or occupational medical advice requested by another service user for example, an Insurance Company or Solicitor instructed by a third party, that Insurance Company or third party is the Data Controller and you should direct any request to access your information to that third party. If this assessment or report was requested in the course of legal proceedings, certain restrictions apply to the sharing of our report or assessment and you should consult your Solicitor in this regard.
- When our services are engaged by you, where no service level agreement or ongoing contractual relationship exists – i.e. when we control and process your data in the course of providing a report or occupational medical advice requested by you or a third party acting on your behalf, we are the Data Controller and we will be happy to provide you with a copy of your information upon request in compliance with your rights under Data Protection Law.
When we are the Data Controller, you may request information regarding personal data relating to you, how it is stored, how the data was collected, and for what purpose. If personal data is incorrect or incomplete, you may request for it to be corrected or supplemented. You may request that your data is deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing activity has lapsed or ceased to be applicable for other reasons. However, retention requirements shall be observed. You have the right to data portability i.e. you have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine-readable format. In the very limited circumstances where we may be processing personal data based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing which took place prior to its withdrawal.
You may lodge a complaint with a supervisory authority. The Irish supervisory authority is the Data Protection Commission (https://www.dataprotection.ie/).
In order to exercise any of the rights set out above, please contact us at the contact details at the start of this privacy notice.
4. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We will retain your personal data (including sensitive data) on an ongoing basis, and in order for us to:
- fulfil the terms of our service level agreements or contracts;
- comply with our legal records retention obligations and for any extended period reasonably determined necessary;
- and/or to investigate or process complaints and/or defend or bring legal claims or complaints.
We will automatically delete your personal data once it is no longer required for these purposes. If you wish to request that your personal data is deleted in advance of our routine deletion or for further details of our data retention procedures, please send a request to us at the contact details at the start of this privacy notice.
5. HOW DO WE KEEP YOUR PERSONAL DATA SAFE?
We take steps through organisational and technical measures to ensure that the personal and sensitive information we hold about you is held securely and to protect against the loss or misuse of your information. Any breach of your personal or sensitive data is notified and managed in accordance with our Data Breach Notification Procedure.