Background to the General Data Protection Regulation (GDPR)
The GDPR 2016 replaces the EU Data protection Directive of 1995 and supersedes the laws of individual member states that were developed in compliance with the Data Protection Directive 95/46/EC. Its purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.
As part of our normal everyday operations, HealthWatch needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees, and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards and to comply with the applicable law(s).
Personal Data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
This data privacy policy ensures HealthWatch:
The Data protection acts 2018 describe how organisations, including HealthWatch, must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that data must:
It is important to point out that we may amend this Privacy Policy from time to time.
2.1 Policy Scope
This policy applies to:
It applies to all data that the organisation holds relating to identifiable individuals, even if that information falls outside of the Data Protection Acts 2018. This data can include:
2.2 Data protection risks
This policy has been put in place to offer our customers full transparency while also helping to protect HealthWatch from data security risks, including,
2.3 Responsibilities
Everyone who works for HealthWatch has some responsibility for ensuring data is collected, stored, and handled appropriately. Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
We collect personal data in two primary ways:
Personal data that you the Employee, Customer, Supplier or Job Applicant proactively gives to us i.e. name, address, e-mail address, CVs etc.
Personal data that we receive from other sources such as websites, colleagues, referees etc.
HealthWatch needs to know certain information about you in order to provide the following:
Employee – relevant personal data for the purposes of background checks, HR files and payroll.
Customer – to ensure that we provide you with the best service possible, we store your personal data and/or the personal data of individual contacts at your organisation as well as keeping records of our meetings.. From time to time, we may also ask you to undertake a customer satisfaction survey. We think this is reasonable – we deem these uses of your data to be necessary for our legitimate interests as an organisation providing various services to you.
Suppliers – we use and store the personal data of individuals within your organisation in order to facilitate the receipt of services from you as one of our
Suppliers. We also hold your financial details, so that we can pay you for your services. We deem all such activities to be necessary within the range of our legitimate interests as a recipient of your services.
Job applicant – completed job application or CV for the purposes of gaining employment with HealthWatch.
HealthWatch, in addition to the above, also needs to gather special category personal data such as medical or health data. This data is gathered directly from the customer in advance of completing a screen and even more gathered through the process of the screen i.e. results from tests conducted. This data is a compulsory part of the service being provided.
We also receive personal data about Customers, Suppliers or Job Applicants from other sources. Depending on the relevant circumstances and applicable local laws and requirements, these may include personal data received in the following situations:
Website users:
Visitors are advised that each time they visit the HealthWatch Website, two general levels of information about their visit can be retained.
The first level comprises statistical and other analytical information collected on an aggregate and non-individual specific basis of all browsers who visit the site. The second is information which is personal or particular to a specific visitor who knowingly chooses to provide that information.
The statistical and analytical information provides general and not individually specific information about the number of people who visit this Website; the number of people who return to this site; the pages that they visit; where they were before they came to this site and the page in the site at which they exited. This information helps us monitor traffic on our website so that we can manage the site’s capacity and efficiency. It also helps us to understand which parts of this site are most popular and generally to assess user behaviour and characteristics in order to measure interest in and use of the various areas of the site.
Through this Website you may have an opportunity to send us information, such as through the “contact us ” pages or any other area where you may send e-mails, provide feedback, etc. By choosing to participate in these, you will be providing us with some level of personal information relating to you. This information will only be used by this site for:
The website does not collect any personal data about you apart from information which you volunteer (for example, by emailing us, or registering with us). Any information which you provide in this way is not made available to any third parties and is used by this site only in line with the purpose for which you provided it.
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or Data Controller.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organisational measures. These include measures to deal with any suspected data breach.
If you suspect any misuse or loss of or unauthorised access to your personal information please let us know immediately. Details of how to contact us can be found at the end of this policy.
HealthWatch retains your Personal Information for the period necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required by law or to fulfil a legal obligation.
We continuously assess and delete data to ensure it not held for longer than necessary.
HealthWatch Special category “sensitive” data will be retained for a period up to and including 7 years. All data will be handled through normal security mechanisms to ensure that access is restricted.
In order to provide you with the best service and to carry out the purposes described in this Privacy Policy, your data may be transferred:
We want to make sure that your data is stored and transferred in a way which is secure. We will therefore only transfer data outside of the European Economic Area or EEA (i.e. the Member States of the European Union, together with Norway, Iceland and Liechtenstein) where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data, for example:
– by way of data transfer agreement, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal data by data controllers in the EEA to data controllers and processors in jurisdictions without adequate data protection laws; or
– transferring your data to a country where there has been a finding of adequacy by the European Commission in respect of that country’s levels of data protection via its legislation; or
– where it is necessary for the conclusion or performance of a contract between ourselves and a third party and the transfer is in your interests for the purposes of that contract (for example, if we need to transfer data outside the EEA in order to meet our obligations under that contract if you are a Client of ours); or
– where you have consented to the data transfer.
To ensure that your personal information receives an adequate level of protection, we have put in place appropriate control measures with our approved third party suppliers who may have access to your personal data to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the law on data protection.
In certain circumstances, we are required to obtain your consent for the processing of your personal data in relation to certain activities. Depending on exactly what we are doing with your information, this consent will be opt-in consent or soft opt-in consent.
Article 4(11) of the GDPR states that (opt-in) consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” In plain language, this means that:
– You have to give us your consent freely, without us putting you under any type of pressure;
– You have to know what you are consenting to – so we’ll make sure we give you enough information;
– You should have control over which processing activities you consent to and which you don’t.
– you need to take positive and affirmative action in giving us your consent – we’re likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.
We will keep records of the consents that you have given in this way.
Marketing – We have already mentioned that, in some cases, we will be able to rely on soft opt-in consent. We are allowed to market products or services to you which are related to the products or services we provide as long as you do not actively opt-out from these communications.
Right to withdraw consent:
Where we have obtained your consent to process your personal data for certain activities, you may withdraw this consent at any time, and we will cease to carry out the particular activity that you previously consented to unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose in which case, we will inform you of this condition.
Personal data is of no value to HealthWatch unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
Article 6(1)(f) of the GDPR says that we can process your data where it “is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of you which require protection of personal data.”
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
Where appropriate and in accordance with local laws and requirements, we may share your personal data, in various ways and for various reasons, with the following categories of people:
The law requires that HealthWatch take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort HealthWatch should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
You have various rights relating to how your personal data is used including the right:
If an individual contacts the company requesting this information, this is called a subject access request.
You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. We may ask you to verify your identity and for more information about your request. If we provide you with access to the information we hold about you, we will not charge you for this unless your request is “manifestly unfounded or excessive”. If you request further copies of this information from us, we may charge you a reasonable administrative cost where legally permissible. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.
The data controller will aim to provide the relevant data within 30 days.
All individuals who are the subject of personal data held by HealthWatch are entitled to:
Subject access requests from individuals should be made by email, addressed to the data controller at data.controller@cruinn.ie. The data controller can supply a standard request form, although individuals do not have to use this.
Right to erasure:
You have the right to request that we erase your personal data in certain circumstances. Normally, the information must meet one of the following criteria:
Please note that we comply with local law requirements regarding data subject right to erasure and may refuse your request in accordance with local laws.
We would only be entitled to refuse to comply with your request for one of the following reasons:
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to Delete the relevant data.
Data destruction – while we will endeavour to permanently erase your personal data once it reaches the end of its retention period or where we receive a valid request from you to do so, some of your data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists on an archive system, this cannot be readily accessed by any of our operational systems, processes or
Staff.
We may share personal data outside the EU, however we will always ensure that this is done in compliance with the relevant laws.
We ensure that any transfer of data outside the EU is undertaken using legally compliant transfer mechanisms and in accordance with the GDPR.
When we transfer personal data outside of the EU, we generally rely on the Standard Contractual Clauses under Article 46.2 of the GDPR adopted by the EU Commission however we may also rely on some of the other legally compliant transfer mechanisms.
In certain circumstances, the General Data Protection Regulation allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, HealthWatch will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
Key information:
Data Protection Officer/ Data Controller: Lucian HUTANU Technical Director – lucian.hutanu@healthwatch.ie
Policy prepared by: Sinead Costello – Director -
How to contact your local supervisory authority
Details of your local supervisory authority:
The Office of the Data Protection Commissioner. They can be contacted in the following ways:
– Portarlington Office (Postal Address): Canal House, Station Road, Portarlington, R32 AP23, County Laois, Ireland.