Background to the General Data Protection Regulation (GDPR)
The GDPR 2016 replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual member states that were developed in compliance with the Data Protection Directive 95/46/EC. Its purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge and, wherever possible, that it is processed with their consent.
As part of our normal everyday operations, Healthcare Screening Ireland (HCSI) needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards and to comply with the applicable law(s).
Personal Data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Purpose of this Policy
Data Protection Law
The Data Protection Acts 1998 and 2003 describe how organisations - including HCSI - must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that data must:
This policy applies to:
It applies to all data that the organisation holds relating to identifiable individuals, even if that information falls outside of the Data Protection Acts 1998 and 2003. This data can include:
Data protection risks
This policy has been put in place to offer our customers full transparency while also helping to protect HCSI from data security risks, including,
Everyone who works for HCSI has some responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, the board of directors is ultimately responsible for ensuring that the Cruinn Group meets its legal obligations.
We collect personal data in two primary ways:
Personal data that you, the Employee, Customer, Supplier or Job Applicant, proactively give to us, i.e. name, address, e-mail address, CVs etc.
Personal data that we receive from other sources such as websites, colleagues, referees etc.
Personal Data you give us -
HCSI needs to know certain information about you in order to provide the following:
Customer – to ensure that we provide you with the best service possible, we store your personal data and/or the personal data of individual contacts at your organisation as well as keeping records of our conversations, meetings, registered jobs and placements. From time to time, we may also ask you to undertake a customer satisfaction survey. We think this is reasonable – we deem these uses of your data to be necessary for our legitimate interests as an organisation providing various recruitment services to you.
Suppliers – we use and store the personal data of individuals within your organisation in order to facilitate the receipt of services from you as one of our Suppliers. We also hold your financial details, so that we can pay you for your services. We deem all such activities to be necessary within the range of our legitimate interests as a recipient of your services.
Job applicant – completed job applications or CVs for the purposes of gaining employment with Cruinn Group.
HCSI, in addition to the above, also needs to gather special category personal data such as medical or health data. This data is gathered directly from the customer in advance of completing a screen, and further data is gathered through the process of the screen, i.e. results from tests conducted. This data is a compulsory part of the service being provided.
Personal data we receive from other sources -
We also receive personal data about Customers, Suppliers or Job Applicants from other sources. Depending on the relevant circumstances and applicable local laws and requirements, these may include personal data received in the following situations:
Visitors are advised that each time they visit the HCSI Website, two general levels of information about their visit can be retained.
The first level comprises statistical and other analytical information collected on an aggregate and non-individual specific basis of all browsers who visit the site. The second is information which is personal or particular to a specific visitor who knowingly chooses to provide that information.
The statistical and analytical information provides general and not individually specific information about the number of people who visit this Website; the number of people who return to this site; the pages that they visit; where they were before they came to this site and the page in the site at which they exited. This information helps us monitor traffic on our Website so that we can manage the site’s capacity and efficiency. It also helps us to understand which parts of this site are most popular and generally to assess user behaviour and characteristics in order to measure interest in and use of the various areas of the site.
Through this Website you may have an opportunity to send us information, such as through the "registration" pages or any other area where you may send e-mails, provide feedback, etc. By choosing to participate in these, you will be providing us with some level of personal information relating to you. This information will only be used by this site for:
The website does not collect any personal data about you apart from information which you volunteer (for example, by emailing us, or registering with us). Any information which you provide in this way is not made available to any third parties and is used by this site only in line with the purpose for which you provided it.
We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organisational measures. These include measures to deal with any suspected data breach.
If you suspect any misuse or loss of or unauthorised access to your personal information please let us know immediately. Details of how to contact us can be found at the end of this policy.
We continuously assess and delete data to ensure it is not held for longer than necessary.
HCSI Special category “sensitive” data will be retained for a period up to and including 7 years. All data will be handled through normal security mechanisms to ensure that access is restricted.
We want to make sure that your data are stored and transferred in a way which is secure. We will therefore only transfer data outside of the European Economic Area or EEA (i.e. the Member States of the European Union, together with Norway, Iceland and Liechtenstein) where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data, for example:
To ensure that your personal information receives an adequate level of protection, we have put in place appropriate control measures with our approved third party suppliers who may have access to your personal data, to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the law on data protection.
In certain circumstances, we are required to obtain your consent for the processing of your personal data in relation to certain activities. Depending on exactly what we are doing with your information, this consent will be opt-in consent or soft opt-in consent.
Article 4(11) of the GDPR states that (opt-in) consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." In plain language, this means that:
We will keep records of the consents that you have given in this way.
Marketing - We have already mentioned that, in some cases, we will be able to rely on soft opt-in consent. We are allowed to market products or services to you which are related to the products or services we provide as long as you do not actively opt-out from these communications.
Right to withdraw consent:
Where we have obtained your consent to process your personal data for certain activities, you may withdraw this consent at any time and we will cease to carry out the particular activity that you previously consented to, unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.
Personal data is of no value to HCSI unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
Article 6(1)(f) of the GDPR says that we can process your data where it "is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of you which require protection of personal data."
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
Where appropriate and in accordance with local laws and requirements, we may share your personal data, in various ways and for various reasons, with the following categories of people:
The law requires that HCSI take reasonable steps to ensure data is kept accurate and up to date. The more important it is that the personal data is accurate, the greater the effort HCSI should put into ensuring its accuracy. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
You have various rights relating to how your personal data is used including the right:
If an individual contacts the company requesting this information, this is called a subject access request.
You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. We may ask you to verify your identity and for more information about your request. If we provide you with access to the information we hold about you, we will not charge you for this unless your request is "manifestly unfounded or excessive". If you request further copies of this information from us, we may charge you a reasonable administrative cost where legally permissible. Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will always tell you the reasons for doing so.
The data controller will aim to provide the relevant data within 30 days.
All individuals who are the subject of personal data held by HCSI are entitled to:
Subject access requests from individuals should be made by email, addressed to the data controller at firstname.lastname@example.org. The data controller can supply a standard request form, although individuals do not have to use this.
Right to erasure:
You have the right to request that we erase your personal data in certain circumstances. Normally, the information must meet one of the following criteria:
Please note that we comply with local law requirements regarding data subject right to erasure and may refuse your request in accordance with local laws.
We would only be entitled to refuse to comply with your request for one of the following reasons:
When complying with a valid request for the erasure of data, we will take all reasonably practicable steps to delete the relevant data.
Data destruction – while we will endeavour to permanently erase your personal data once it reaches the end of its retention period or where we receive a valid request from you to do so, some of your data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists on an archive system, it cannot be readily accessed by any of our operational systems, processes or staff.
We may share personal data outside the EU; however, we will always ensure that this is done in compliance with the relevant laws.
We ensure that any transfer of data outside the EU is undertaken using legally compliant transfer mechanisms and in accordance with the GDPR.
When we transfer personal data outside of the EU, we generally rely on the Standard Contractual Clauses under Article 46.2 of the GDPR adopted by the EU Commission; however, we may also rely on some of the other legally compliant transfer mechanisms.
In certain circumstances, the General Data Protection Regulation allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, HCSI will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
Cruinn Group Data Protection Officer/ Data Controller: email@example.com,
Policy prepared by: Brian Ronan – Quality Manager - firstname.lastname@example.org.
How to contact your local supervisory authority
Details of your local supervisory authority:
The Office of the Data Protection Commissioner. They can be contacted in the following ways:
- Portarlington Office (Postal Address): Canal House, Station Road, Portarlington, R32 AP23, County Laois, Ireland.