GENERAL DATA PROTECTION REGULATIONS
The GDPR 2016 replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual member states that were developed in compliance with the Data Protection Directive 95/46/EC. Its purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.
As part of our normal everyday operations, CWHT gathers and uses certain information about individuals. This can include names, addresses, employer’s names, PPS numbers and certain results of medical tests performed with the individual’s consent.
This policy describes how this data is collected, handled and stored to meet the data protection standards and to comply with the applicable law(s).
Personal data.
This is any information relating to an identified or identifiable person.
An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as name, an ID number, location data, an online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data.
This is personal data revealing racial or ethnic origin, trade-union membership, biometric data, or data concerning a person’s health.
Purpose of this Policy
This policy ensures that CWHT:
• Complies with data protection law and follows best practice,
• Protects the rights of staff, customers and partners,
• Is open and transparent about how it processes and stores individuals’ data,
• Protects itself from the risks of a data breach.
Data Protection Law
The Data Protection Acts 1998 and 2003 describe how organisations must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or otherwise.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles.
These require that data must:
• Be processed fairly and lawfully,
• Be obtained only for specific, lawful purposes,
• Be adequate, relevant and not excessive,
• Be accurate and kept up to date,
• Not be held for any longer than necessary,
• Be processed in accordance with the rights of data subjects,
• Be protected in appropriate ways,
• Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.
PEOPLE, RISKS AND RESPONSIBILITIES
This policy applies to:
• The head office and all divisions of CWHT.
• All staff of the CWHT.
• All contractors, suppliers and other parties working on behalf of the CWHT.
It applies to all data which the CWHT holds relating to identifiable individuals, even if that information falls outside of the Data Protection Acts 1998 and 2003.
This data can include:
• Full names of individuals,
• Postal addresses,
• Personal e-mail addresses including individuals’ full names,
• Telephone numbers and any other information relating to individuals.
Data Protection Risks
This policy has been put in place to offer our clients full transparency and to protect the CWHT from data security risks, including:
• Breaches of confidentiality, either deliberate or accidental,
• Failing to offer individuals a choice as to how we use data relating to them,
• Reputational damage CWHT could suffer should hackers successfully gain access to sensitive data.
Everyone who works for the CWHT has responsibility for ensuring data is collected, stored and handled appropriately. Each employee who handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
The Board of Trustees is ultimately responsible for ensuring that the CWHT meets its legal obligations.
GENERAL STAFF GUIDELINES
The only people permitted to access data covered by this policy are those who need it to conduct their work.
• Data will not be shared informally.
• CWHT provides appropriate training to staff to help them understand their responsibilities when handling data.
• Employees will keep all data secure.
• Strong passwords must be used and they should never be shared.
• Personal data will not be disclosed to unauthorised people, either within the organisation or externally.
• Data will be regularly reviewed and updated if found to be out of date; data that is no longer required will be deleted.
• Employees can seek advice from the appropriate authority if they are unsure about any aspect of data protection.
HOW DO WE COLLECT YOUR PERSONAL DATA?
We collect personal data in one way:
Personal data is supplied by our clients freely and voluntarily on a standard CONSENT FORM which all clients must complete, prior to receiving our health assessment.
This includes the client’s name, address, date of birth, mobile phone number, employer’s name, PPS number and trade or profession.
Medical test results are written into our HEALTH ASSESSMENT BOOKLET which is returned to the client.
NO MEDICAL DATA IS HELD BY US.
We use and store the personal data of individuals within supplier organisations in order to facilitate the receipt of goods and services. We also hold financial details, including bank identifier codes, so that we can pay you for goods and services. We deem all such activities to be necessary within the range of our legitimate interests as a recipient of goods and services.
Completed job applications or CVs for the purposes of gaining employment with CWHT are retained for two years.
Personal data from other sources:
We occasionally receive personal data about Clients, Suppliers or Job Applicants from other sources. Depending on the relevant circumstances and applicable local laws and requirements, these may include personal data received in the following situations:
CV referees may disclose personal information.
Visitors are advised that each time they visit the CWHT Website, two general levels of information about their visit can be retained.
The first level comprises statistical and other analytical information collected on an aggregate and non-individual specific basis of all browsers who visit the site. The second is information which is personal or particular to a specific visitor who knowingly chooses to provide that information.
The statistical and analytical information provides general and not individually specific information about the number of people who visit this Website; the number of people who return to this site; the pages that they visit; where they were before they came to this site and the page in the site at which they exited. This information helps us monitor traffic on our Website so that we can manage the site’s capacity and efficiency. It also helps us to understand which parts of this site are most popular and generally to assess user behaviour and characteristics in order to measure interest in and use of the various areas of the site.
Through this Website you may have an opportunity to send us information, such as through the "registration" pages or any other area where you may send e-mails.
By choosing to participate in these, you will be providing us with some level of personal information relating to you or your company.
This information will only be used by this site for the purposes for which it was provided by you, verification purposes and statistical analysis, and marketing and administration purposes.
The website does not collect any personal data about you apart from information which you volunteer (for example, by emailing us, or registering with us). Any information which you provide in this way is not made available to any third parties and is used by this site only in line with the purpose for which you provided it.
We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold. We do this by having in place a range of appropriate technical and organisational measures. These include measures to deal with any suspected data breach.
If you suspect any misuse, loss of, or unauthorised access to your personal information please let us know immediately. Details of how to contact us can be found at the end of this policy.
We continuously assess and delete data to ensure it is not held for longer than necessary.
STORAGE AND TRANSFER OF DATA.
Personal data may be held by:
• An approved and nominated third party data storage facility,
• An approved and nominated cloud-based storage/software provider.
To ensure that personal information receives an adequate level of protection, we have put in place control measures with our approved third-party suppliers, who may have access to personal data, to ensure that it is treated by those third parties in a way that is consistent with the law on data protection.
In certain circumstances, we ask for clients’ consent for the purpose of providing a medical health screen and occasionally to assess client eligibility to be considered for benevolence.
Depending on exactly which service we are providing, this consent will be clear and unambiguous.
Article 4(11) of the GDPR states that (opt-in) consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
This means that:
- You have to give us your consent freely, without being put under any type of pressure.
- You should have control over which processing activities you consent to.
- You need to take positive and affirmative action in giving us your consent.
• We always ask clients to sign a dotted line on a hard copy application form.
• We keep records of the consents given in this way.
Right to withdraw consent:
Where we have obtained consent to process personal data for certain activities, clients may withdraw this consent at any time and we will cease to carry out the particular activity.
Personal data is of no value to CWHT unless we can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. In particular, it should never be sent by private email as this form of communication is not secure.
- Data must be encrypted before being transferred electronically.
- Personal data should never be transferred outside of the European Economic Area.
- Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
What are the lawful bases for processing?
Article 6(1)(f) of the GDPR states that we can process your data where it "is necessary for the purposes of the legitimate interests pursued by [us] or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of [you] which require protection of personal data."
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply for us to use personal data.
a) Consent: the individual must have given clear consent to process their data for a specific purpose.
b) Contract: the processing is necessary to execute a contract with the individual, or because they have made a specific request.
c) Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
d) Vital interests: the processing is necessary to protect someone’s life.
e) Public task: the processing is necessary to perform a task in the public interest or for other official functions, and the task or function has a clear basis in law.
f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Who do we share your personal data with?
We may occasionally have to share data with some or all of the following:
Tax, audit, or other authorities, when we believe in good faith that the law or other regulation requires us to share this data (for example, because of a request by a tax authority or in connection with any anticipated litigation).
Third party service providers who perform functions on our behalf such as lawyers, auditors and accountants, technical support functions and IT consultants carrying out testing and development work on our business technology systems.
Third party outsourced IT and document storage providers where we have an appropriate processing agreement (or similar protections) in place.
Remote consultant GP and Cardiologist for the purposes of reviewing customer/client health screening results.
The law requires that the CWHT takes reasonable steps to ensure data is kept accurate and up to date.
It is the responsibility of all employees who work with data to take reasonable steps to ensure personal data is kept as accurate and up to date as possible.
Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
Staff should take every opportunity to ensure data is updated.
Data should be updated as inaccuracies are discovered.
DATA SUBJECT ACCESS REQUESTS
Clients have rights relating to how personal data is used including the right:
• To ask for access to the information held.
• To change the information if it is inaccurate.
• To delete information (your right to erasure).
• To ask us to limit what we use your data for.
• To have personal data moved to another IT environment in a safe and secure way.
• To make a complaint.
Any individual can request CWHT to confirm what information is held about them.
They can request us to modify, update or delete such information.
CWHT may ask for proof of identity and for more information about a request.
If CWHT provides a client with access to the information held, no payment will be looked for unless the request is "manifestly unfounded or excessive".
If further copies of the information are sought, a nominal amount may be charged where legally permissible.
Where CWHT is legally permitted to do so, they may refuse a request. If they refuse a request, a valid reason will be given.
The data controller will aim to provide the relevant data within 30 days.
All individuals who are the subject of personal data held by CWHT are entitled to:
Ask what information is held about them and why,
Ask how to gain access to it,
Be informed of how to keep it up to date,
Be informed of how CWHT is meeting its data protection obligations.
Subject access requests from individuals should be made by email, addressed to the data controller at firstname.lastname@example.org
RIGHT to ERASURE.
Clients have the right to request that we erase personal data in certain circumstances. Normally, the information must meet one of the following criteria:
• The data is no longer necessary for the purpose for which we originally collected and/or processed it;
• Where previously given, the client has withdrawn consent to us processing data, and there is no other valid reason for us to continue processing;
• The data has been processed unlawfully (i.e. in a manner which does not comply with the GDPR);
• It is necessary for the data to be erased in order for CWHT to comply with its legal obligations as a data controller; or
• If we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
Please note that CWHT complies with local law requirements regarding data subject right to erasure and may refuse a request in accordance with local laws.
CWHT can only refuse to comply with a client’s request for one of the following reasons:
• To exercise the right of freedom of expression and information.
• To comply with legal obligations or for the performance of a public interest task or exercise of official authority.
• For public health reasons in the public interest.
• For archival, research or statistical purposes.
• To exercise or defend a legal claim.
Data destruction – while we will endeavour to permanently erase your personal data once it reaches the end of its retention period or where we receive a valid request from you to do so, some of your data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists on an archive system, this cannot be readily accessed by any of our operational systems, processes or Staff.
DISCLOSING DATA FOR OTHER REASONS
In certain circumstances, the General Data Protection Regulation allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, CWHT will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the Trustee Board and from the company’s legal advisers where necessary.
CWHT U39 Parkwest Enterprise Centre Lavery Ave Dublin 12.
Policy prepared by: Brian Daly – Chief Executive Officer – brian.D@cwht.ie