Children's Health Ireland Privacy Notice
This privacy notice sets out how CHI processes all personal identifiable information that it generates and holds in the course of recruitment campaigns. It explains what personal information we collect as a data controller on data subjects, how we use it, who we share it with and the security in place to protect it. It also sets out the privacy rights that data subjects have under General Data Protection Regulation (GDPR) and Irish Data Protection legislation.
Who we are
The object of CHI is to improve, promote and protect the health, mental health and well-being of children in a manner that embodies the values of child-centred, compassionate and progressive care provided with respect, excellence and integrity and in doing so it shall have the right and responsibility to promote the culture and traditional principles of voluntarism in the conduct of its internal and external affairs.
General Data Protection Regulation
The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. The Regulation and the Data Protection Acts confer rights on individuals in relation to the privacy of their Personal Data as well as responsibilities on those persons holding and processing such data.
Under the General Data Protection Regulation (GDPR), Personal Data is defined as:
“any information relating to an identified or identifiable natural person (data subject).
This definition provides for a wide range of personal identifiers to constitute Personal Data, including name, address and also electronic, manual and image data which may be held on computer or on manual files.
Legal basis for processing data
The Data Protection Act 2018 provides that the processing of personal data shall be lawful where such processing is necessary for the performance of a statutory function of a controller.
CHI shall appoint such and so many persons to be its employees using an appropriate and transparent recruitment and selection process, therefore, the processing of personal data necessary for this purpose is lawful as Article 6(1)(e) of the General Data Protection Regulation (GDPR) and Section 71 (2)(a) of the Data Protection Act 2018 apply.
Children’s Health Act 2018
GDPR , Article 4(1)
What records we hold:
- Identity Data: name.
- Contact Data: address, email address and telephone.
- Employment Data: This includes data that was provided to us through application for employment including;
- information on your interests and needs regarding future employment;
- education details;
- Website Data: Internet Protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website; information about how you use our website and services.
How long we will keep your data
1. CHI will not keep your personal data for any purpose for longer than is necessary and we will only retain the relevant personal information that is necessary in relation to the purpose.
2. If you tell us, at any time, that you no longer want to have an account, then we will delete your personal data from our records.
3. We will process personal data during the duration of any contract agreed with you.
The CHI has different categories of data subjects:
1. Data subjects are general candidates who are looking for temporary or permanent work;
2. Data subjects who work under a contractual arrangement with a third party;
There are different categories of data required between the differing data subject categories and only the information necessary to conduct the contractual relationship and perform the contract unique to each data subject will be collected.
We ensure that all data subjects’ rights are upheld to ensure complete transparency when it comes to how we manage process and retain your personal information.
By law, as a data subject, you have the right to:
- access and receive a copy of your personal data;
- seek to rectify or update any inaccurate personal information held;
- seek to have data deleted;
- object to the processing of data;
- right to withdraw consent;
- right to request restriction.
Your rights explained
- To be informed
You have the right to know what personal data is being collected, our identity and your data protection rights (as per this Privacy Notice).
- Subject access
You are entitled to know what personal information CHI holds belonging to you and to receive a copy of this information free of charge. If there are any restrictions your right of access, we will ensure that this clearly is explained to you.
- To have inaccuracies corrected
CHI will ensure that all the personal information we hold is accurate and up to date. In certain circumstances, you are entitled to have rectified any personal information belonging to you if it is incorrect or out of date.
- To have information erased
This is also known as the ‘right to be forgotten’; you have the right to have your data erased, without undue delay.
- Data portability
This right only applies where processing of personal data is carried out by automated means. You have rights to obtain and reuse your personal data for your own purposes across different services.
- To object to direct marketing
You have the right to object to direct marketing processing (which we do only with your consent) of your personal data where the processing relates to direct marketing.
- To restrict the processing of your information, including automated decision-making
You have a limited right of restriction of processing of your personal data by a data controller. You have the right to not to be subject to a decision based solely on automated processing.
Withdraw consent at any time
You can withdraw your consent where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. This only applies if consent is the basis on which we process your data.
In order to protect the privacy rights of data subjects, CHI:
- takes due care to protect personal information it holds from any loss, unauthorised access, modification, unauthorised use, disclosure and disposal;
- ensures accountability and transparency by maintaining a data inventory of all personal information processed for recruitment purposes;
- retains personal information for a necessary and defined period of time;
- has secure on-site and off-site storage facilities;
- carries out information governance compliance audits to monitor compliance with policies in relation to data protection matters
- has in place policies and procedures to protect data
- has in place appropriate staff training to ensure that all staff are aware of their responsibilities in relation to the gathering, using, storing and disposing of personal information during recruitment campaigns.
Subject Access Requests (SAR)
Among the rights conferred by the GDPR on ‘data subjects’ is the right to obtain a copy of their Personal Data which is being processed by CHI.
In order for CHI to identify and locate the Personal Data sought, you should complete and return our Subject Access Request Form (SAR) ensuring that you provide, in so far as is possible, details of your interaction with CHI.
Please note: As we need to verify the identity of anyone making a SAR, you will need to provide us with specific forms of identification (details contained in the SAR form).
Your SAR will be responded to within one month of the date of receipt or, where difficulty arises in the verification of your identity, within one month of identity verification.
You can also make a SAR by writing to CHI:
Data Protection Officer
Children’s Health Ireland,
Block A Herberton,
St James’s Walk,
Alternatively, please email firstname.lastname@example.org
Making a complaint
We hope you have found this Privacy Notice useful and we are always happy to hear your feedback. However, if you are unhappy with any aspect of how CHI has handled your personal information and would like to make a complaint, you can contact our Data Protection Officer by post, email or phone through the contact details below to have the matter reviewed.
If you are unhappy with the outcome of the investigation by our Data Protection Officer, you also have the right to make a complaint to the Data Protection Commissioner directly. Further information and advice about your rights can be obtained from the Office of the Data Protection Commissioner.
The Data Protection Commission’s website offers an explanation of the rights and responsibilities under the Data Protection Acts and information is also available from:
Data Protection Commission,
Canal House Station Road,
Portarlington R32 AP23
The Data Protection Commission may also be contacted by:
Phone: (0761) 104 800 or LoCall 1890 25 22 31