Privacy Policy

Data Privacy Policy

In its efforts to ensure data protection rights under the Data Protection Acts 1988 – 2018 (“DPA”) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Company has implemented this Privacy Notice to set out the common rules for the collection, use and disclosure of the personal data it holds.

This Privacy Notice aims to ensure the transparency of the Company’s processing of staff members’ medical information and to describe the security measures in place to protect that information.

At all times, the Company is committed to good data protection practice and this notice should be read in conjunction with the Company’s Data Protection Policy.

While the Company is the data controller, all the data collected is managed by the Occupational Health Department and is subject to the confidentiality rules and ethics of the medical profession.

Scope

This policy applies to all members of staff employed by the Company who provide medical data to the Occupational Health Department.

Occupational Health Department: Processing Overview

1. Data controller

The Company is the data controller.

2. Data points collected

The Occupational Health Department collects the following data points in respect of staff members:

(a)  Name;

(b)  Address;

(c)   Date of birth;

(d)  Medical history;

(e)  Surgical history;

(f)   Medication;

(g)  Family medical history of relevance.

3. Type of data collected

The following data sets are collected and processed by the Company and the Occupational Health Department:

(1)  Personal Data within the meaning of Article 4(1) GDPR (points (a) to (c) above);

(2)  Special Category Data within the meaning of Article 9(1) GDPR (points (d) to (g) above).

4. Why the personal data is collected

The Company and the Occupational Health Department collect this information to assess the medical status of the attending employee. Where an employee’s working capacity needs to be assessed, the Company refers the employee to the Occupational Health Department for assessment.

As part of the assessment, the data sets outlined above are processed and stored, including relevant health and medical data.

Arising out of that assessment, the employee’s working capacity is determined.

The Company regards the collection of such data as a “necessary safety measure” to ensure the safety, health and wellbeing of the employee and a safe place of work, pursuant to Section 8 of the Safety, Health and Welfare at Work Act 2005 (as amended).

5. Use of the personal data

Processing of these data points will allow for the following:

(1)  The Company to determine the fitness of the employee;

(2)  To ascertain the working capacity of the employee;

(3)  To determine whether the employee is required to take a course of action, rehabilitation, medical treatment and/or prescribed medication;

(4)  Upon confirmation of the employee’s working capacity, the outcome and recommendations shall be communicated to the relevant HR team for consideration;

(5)  To help the business better understand employee absences across the organisation and monitor trends across departments and the organisation as a whole.

6. Lawful basis for processing

Data shall be processed on the following grounds:

(1)  explicit consent of the data subject;

(2)  performance of the data subject’s contract of employment;

(3)  necessity for the assessment of the employee’s working capacity;

(4)  compliance with the Safety, Health and Welfare at Work Act 2005 (as amended);

(5)  protection of the vital interests of the data subject.

7. Who has access to the personal data and with whom will it be shared?

Active and current members of the Company’s Occupational Health Department team.

With the consent of the data subject, reports may be made available to people outside the Company’s Occupational Health Department team.

8. Third party processors

Personal data shall be shared with the following third parties:

(1)  Advanced Medical Systems (‘AMS’). AMS is the developer of the ‘MedApp’ occupational health software platform. The Company will maintain all personal data and health data on MedApp for the purposes of maintaining, processing and storing that data;

(2)  Through the MedApp platform, data will be stored by and shared with the sub-processors listed in Schedule 1.

9. Retention of personal data

Data will be retained on Amazon Web Services (AWS) cloud infrastructure.

The duration of retention of the personal data may vary depending on the following:

·         Duration of the employment relationship;

·         Legal requirements for keeping the personal data;

·         Statute of limitations.

Retention and deletion of personal data and special category data shall at all times be in accordance with and subject to the Company’s Data Protection Policy.

10. Security measures

The Company and the Occupational Health Department have ensured the following safeguards are in place for the use of MedApp:

1.            Change Controls

1.1.        Processes and tools for a Secure Software Development Lifecycle (SDLC) are integrated with appropriate security checks, controls and requirements, so that new software and changes to existing software are designed and developed with security built in from the outset.

2.            Data at Rest

2.1.        Databases are encrypted at rest using an AES-256 encryption algorithm.

3.            Physical Access Controls

3.1.        The MedApp databases and application are hosted in the AWS Europe (Ireland) region (eu-west-1). Physical security of the data centres is governed by Amazon Web Services (“AWS”) standards.

4.            System Access Controls

4.1.        Unique logins are assigned to each user.

4.2.        MFA is enforced on logins to the AWS hosting account.

4.3.        All existing AWS accounts are reviewed annually during the technology stack review, and users who no longer need access are removed as a result of that review.

4.4.        Access to production environments containing personal data is granted on a “need to know” and “least privilege” basis.

4.5.        When creating a new account or changing the password on an existing account, the user must enter the new password twice and both entries must match exactly. Passwords must meet minimum complexity rules on length and on the combination of numbers, uppercase and lowercase letters.

4.6.        Policies and procedures are in place to properly identify users and administrators accessing system components that manage personal data. Every user is assigned a unique user name before being allowed to access system components or personal data.

4.7.        Login and similar account access forms lock access to the account for a period of time when suspicious behaviour regarding that account is detected.
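The following is an added illustration of the password rules in 4.5 and the account lockout in 4.7; it is example code written for this page, not MedApp’s or AMS’s implementation. The thresholds (five failures within fifteen minutes lock the account for thirty minutes, twelve-character minimum) and the use of PBKDF2 for password storage are assumptions, since the notice states neither.

```python
# Added illustration of the password rules in 4.5 and the lockout in 4.7.
# Not MedApp's code. The thresholds below and the choice of PBKDF2 are
# assumptions; the notice does not state them.
import hashlib
import os
import time
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Callable, Dict, List

MAX_FAILURES = 5            # assumed: failures before the account locks
FAILURE_WINDOW_S = 15 * 60  # assumed: window in which failures are counted
LOCKOUT_S = 30 * 60         # assumed: lockout duration
MIN_LENGTH = 12             # assumed: minimum password length
PBKDF2_ROUNDS = 100_000


def password_meets_policy(password: str) -> bool:
    """4.5: minimum length plus a mix of digits, upper- and lower-case letters."""
    return (len(password) >= MIN_LENGTH
            and any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Tracks failed logins per account and locks the account for a period (4.7)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.accounts: Dict[str, Account] = {}

    def create_account(self, username: str, password: str, confirmation: str) -> None:
        # 4.5: both entries must match exactly and the password must meet policy.
        if password != confirmation:
            raise ValueError("passwords do not match")
        if not password_meets_policy(password):
            raise ValueError("password does not meet complexity rules")
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Spend the same hashing cost for unknown users so that response
            # time does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            return "locked"  # a locked account rejects even the correct password
        # Forget failures that fall outside the counting window.
        acct.failures = [t for t in acct.failures if now - t < FAILURE_WINDOW_S]
        if compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures.clear()
            return "ok"
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_S
            acct.failures.clear()
            return "locked"
        return "denied"


def demo() -> List[str]:
    """Drive the guard with a fake clock and return the sequence of outcomes."""
    t = [1_000_000.0]
    guard = LoginGuard(clock=lambda: t[0])
    guard.create_account("alice", "Correct-Horse-42", "Correct-Horse-42")
    out = [guard.login("alice", "wrong") for _ in range(MAX_FAILURES)]
    out.append(guard.login("alice", "Correct-Horse-42"))  # still locked
    t[0] += LOCKOUT_S + 1
    out.append(guard.login("alice", "Correct-Horse-42"))  # lockout has expired
    return out


if __name__ == "__main__":
    print(demo())
```

The lockout is keyed on the account rather than the client address, matching the wording of 4.7; an attacker who knows a username can therefore lock that user out, which is the usual trade-off of account-based lockout and the reason the lockout is temporary rather than permanent.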

5.            Data Access Controls

5.1.        Visibility of personal data must be limited to the sole set of information which is necessary for the single processing activities. No unnecessary personal data should be made available to users.

6.            Transmission Controls

6.1.        Data is encrypted in transit over HTTPS using TLS 1.3. The server certificate is signed using RSA with SHA-256 (sha256WithRSAEncryption); TLS 1.3 itself negotiates session keys with ephemeral (EC)DHE key exchange rather than RSA key transport.

7.            Input Controls

7.1.        Pages and forms on the MedApp system that are publicly available before logging in are protected from robot inputs by a CAPTCHA solution. The implementation is designed to be non-disruptive to humans while preventing automated processes from submitting forms.

8.            Data Backups

8.1.        The MedApp system uses AWS for application, file and database storage and backups. Backups are taken daily in the early hours of the morning, when the MedApp system is expected to be at its lowest level of activity, and are stored in a separate physical AWS data centre location.

8.2.        In the event of a major incident requiring data or file recovery, AMS has a disaster recovery runbook that provides for an organised, process-driven initial investigation and identification of the best course of recovery action to minimise the impact on MedApp users. The runbook includes a number of checkpoints for deciding the appropriate course of action; the key factors in those decisions are potential data loss and application downtime (recovery execution time).

9.            Data Segregation

9.1.        Data and files on the MedApp system are logically separated by a unique company identifier and a folder permissions structure.

9.2.        Each company using the MedApp system is assigned a specific subdomain URL that corresponds to the company’s unique ID; only that company can use its subdomain to access its instance of the MedApp system (e.g. https://company1.medapp.ie).

9.3.        Each user account with access to the MedApp system is associated with a single company. A user account’s access to files and data is limited to files carrying that company’s unique identifier.
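As an added illustration of the segregation described in 9.1 to 9.3 (example code written for this page, not MedApp’s or AMS’s implementation): the company ID is resolved from the request’s Host header, the requesting user must belong to that company, and every data query carries the company ID in its WHERE clause, so that guessing another tenant’s record ID returns nothing. The subdomain table, the database schema and the sample rows are constructed for the example.

```python
# Added illustration of the tenant segregation in 9.1-9.3. Not MedApp's code.
# The subdomain-to-ID table, the schema and the sample rows are constructed.
import sqlite3
from typing import Optional

BASE_DOMAIN = ("medapp", "ie")
# subdomain label -> company unique ID (constructed sample)
TENANTS = {"company1": 101, "company2": 202}


class TenantError(PermissionError):
    """Raised when a request crosses a tenant boundary."""


def company_from_host(host: str) -> int:
    """Resolve the company ID from the Host header, e.g. company1.medapp.ie (9.2)."""
    labels = host.split(":", 1)[0].lower().split(".")
    # Exactly one label in front of the base domain; anything else (a bare
    # base domain, or a lookalike such as company1.medapp.ie.evil.example)
    # is rejected rather than guessed at.
    if len(labels) != 3 or tuple(labels[1:]) != BASE_DOMAIN:
        raise TenantError(f"host {host!r} is not a tenant subdomain")
    if labels[0] not in TENANTS:
        raise TenantError(f"unknown tenant {labels[0]!r}")
    return TENANTS[labels[0]]


def build_sample_db() -> sqlite3.Connection:
    """In-memory database holding two tenants' users and files (constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT PRIMARY KEY, company_id INTEGER NOT NULL);
        CREATE TABLE files(id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL,
                           name TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 101), ("bob", 202)])
    db.executemany("INSERT INTO files VALUES (?, ?, ?)",
                   [(10, 101, "alice_assessment.pdf"), (20, 202, "bob_assessment.pdf")])
    return db


def fetch_file(db: sqlite3.Connection, host: str, username: str,
               file_id: int) -> Optional[str]:
    """Return a file name only when host, user and file share one company ID."""
    tenant = company_from_host(host)
    row = db.execute("SELECT company_id FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None or row[0] != tenant:
        # 9.3: a user belongs to exactly one company and may only use that
        # company's subdomain.
        raise TenantError("user is not a member of this tenant")
    # 9.1/9.3: the tenant ID is always part of the query, so a file ID that
    # belongs to another company yields no row rather than their record.
    row = db.execute("SELECT name FROM files WHERE id = ? AND company_id = ?",
                     (file_id, tenant)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    sample = build_sample_db()
    print(fetch_file(sample, "company1.medapp.ie", "alice", 10))  # alice's own file
    print(fetch_file(sample, "company1.medapp.ie", "alice", 20))  # bob's file: None
```

The check that matters is the second query: filtering by the ID alone and then comparing the company afterwards would still be correct, but putting the tenant ID in the query means a forgotten comparison fails closed rather than open.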

10.         Practical safeguards

10.1.     The Occupational Health Department shall ensure all members of staff responsible for handling the MedApp system receive adequate training in respect of the MedApp system.

10.2.     The Company has also ensured that the data processing agreement governing the relationship between AMS and the Company has been reviewed so as to provide for adequate measures and security. More specifically, the Company negotiated the following safeguards, which were omitted from the original draft of the processing agreement:

10.2.1. Notification by AMS within 24 hours where a personal data breach occurs (Article 33(2) GDPR requires a processor to notify the controller without undue delay; a 24-hour window leaves the Company time to meet its own 72-hour deadline under Article 33(1) for notifying the supervisory authority);

10.2.2. Notification by AMS within 72 hours where a data subject submits an Article 15 (right of access) request directly to the processor;

10.2.3. Sub-processors may be engaged only where the Company approves them in writing.

How to contact us?

In accordance with employees’ rights as set out in the Data Protection Policy, the Company will comply with all data protection rights in respect of the foregoing personal data. These include the right of access, the right to data portability, and the rights to rectification, erasure and restriction of processing. You may also object to the processing of your personal data on grounds relating to your particular situation where the processing is justified by a legitimate interest. To exercise these rights, or to seek further information about the processing of their personal data, employees may contact the Company.

Schedule 1: Sub Processors of AMS

Each entry lists: Full Legal Name; Processing Activity; Category Processed; Data Points; Location of Processing.

Glenbeigh Records Management
    Processing activity: Digitisation for onboarding
    Category processed: Regular and Special Categories of Data
    Data points: All data points to be processed in the application
    Location of processing: Ireland

Amazon Web Services
    Processing activity: Application, file and database cloud hosting
    Category processed: Regular and Special Categories of Data
    Data points: All data points, including unique employee identifier, name, contact details and health conditions
    Location of processing: Ireland

Amazon SES (subservice of AWS)
    Processing activity: Email sent out of the application
    Category processed: Regular Personal Data
    Data points: Contact details of the attendee
    Location of processing: Ireland