Effective Date: 1st July 2024

Company: Obsidian Homecare Services Ltd, trading as Obsidian Healthcare Recruitment
Registered in the Republic of Ireland
CRO No.: 768132
Registered Office: 3rd Floor, 40 Mespil Road, Dublin 4, Ireland, D04 C2N4

1. Purpose
1.1. Overview
The purpose of this Privacy Notice is to outline how Obsidian Healthcare Recruitment (“we”, “us”, “our”) collects, processes, stores, and shares personal data in connection with occupational health services. This includes pre-employment health assessments, fitness-to-work evaluations, and ongoing occupational health monitoring.

1.2. Scope
This Notice applies to all individuals undergoing occupational health assessments through Obsidian Healthcare, including prospective employees, current staff, contractors, and candidates referred to us by healthcare providers or other employers.

1.3. Legislation
We process personal data in accordance with:
- The General Data Protection Regulation (GDPR) (EU) 2016/679;
- The Data Protection Act 2018 (Republic of Ireland);
- Applicable health and safety legislation;
- Relevant employment and labour law requirements in Ireland.

1.4. Queries and Complaints
If you have questions or concerns regarding how your personal data is processed, please contact our Data Protection Officer (DPO):

Data Protection Officer
Obsidian Healthcare Recruitment
3rd Floor, 40 Mespil Road, Dublin 4, Ireland, D04 C2N4
Email: gdpr@obsidianhealthcare.ie
Telephone: +353 [Insert Number]

If you remain dissatisfied, you have the right to lodge a complaint with the Data Protection Commission:

Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Email: info@dataprotection.ie
Telephone: +353 57 868 4800 / +353 761 104 800

2. How We Collect Your Personal Data
2.1. Direct Collection from Data Subjects
We collect personal data directly from individuals through:
- Online or paper-based occupational health forms;
- Questionnaires and declarations;
- Direct interviews, assessments, or consultations with our occupational health team;
- Communication via email, phone, or messaging apps.

2.2. Collection via Employers or Third Parties
We may receive personal data from your employer, prospective employer, or their representatives, including:
- Employee referral for pre-employment or ongoing occupational health assessments;
- Medical reports from affiliated clinics or health practitioners;
- Documentation for compliance, certification, or verification purposes.

2.3. Automated or Systematic Collection
Where applicable, we may collect personal data through secure online systems or portals designed for scheduling, managing, and documenting occupational health assessments.

3. What Personal Data We Collect
3.1. Identification Data
- Full name, date of birth, gender (if relevant to assessment), address, and contact details.

3.2. Medical and Health Data (Special Category Data)
- Fitness-to-practice and fitness-to-work certificates;
- Vaccination and immunisation records;
- Medication details, allergies, and medical conditions relevant to work;
- Drug and alcohol screening results;
- Occupational health examination outcomes, including restrictions or accommodations.

3.3. Employment-Related Data
- Job title, department, or role;
- Working patterns or hours relevant to occupational health assessment;
- Relevant employment history if provided for risk assessment purposes.

3.4. Sensitive Identifiers
Any additional health, disability, or special requirements disclosed by the individual for the purpose of occupational health compliance and safety.

4. How We Use Your Personal Data
4.1. Occupational Health Assessments
- We use your personal data to:
- Assess your fitness to perform job functions safely;
- Identify any accommodations or restrictions necessary to comply with health and safety legislation;
- Provide your employer with legally compliant occupational health reports and recommendations.

4.2. Administrative Purposes
- Scheduling and tracking occupational health assessments;
- Maintaining secure and auditable records;
- Compliance with statutory requirements, including health and safety obligations.

4.3. Legal Basis for Processing
- Explicit Consent: For processing special category health data;
- Legal Obligation: To comply with employment and health & safety law;
- Performance of a Contract: Where assessments are a pre-condition for employment or placement;
- Legitimate Interests: Only where necessary for workplace health, safety, and operational efficiency, and not overridden by the rights of the data subject.

5. Data Retention
5.1. Retention Periods
- Occupational health records for employed staff: 10 years from the date of assessment;
- Pre-employment assessments for unsuccessful candidates: 1 year;
- Health records used for statutory compliance may be retained as required by Irish law beyond these periods if necessary for legal defense or regulatory obligations.

5.2. Deletion and Anonymisation
Data no longer required will be securely deleted or anonymised in accordance with industry best practice and GDPR standards.

6. Data Sharing
6.1. Employer / Prospective Employer
We provide fitness-to-work reports and necessary recommendations to the employer or prospective employer for lawful purposes.

6.2. Health Professionals and Clinics
Data may be shared with affiliated occupational health physicians, nurses, and laboratories to facilitate assessments and testing.

6.3. Government and Regulatory Authorities
We may disclose personal data where required by law, including to the Data Protection Commission, Health and Safety Authority, or other statutory bodies.

6.4. Service Providers
Third-party providers may be engaged for IT, data storage, document handling, and assessment facilitation, under strict data processing agreements ensuring GDPR compliance.

6.5. Business Transfers
In the event of a merger, sale, or transfer of the company, personal data may be among the assets transferred, subject to appropriate confidentiality and legal protections.

7. International Transfers
7.1. Personal data may occasionally be transferred outside the European Economic Area (EEA), including to service providers, with appropriate safeguards such as:
- European Commission Standard Contractual Clauses;
- Adequacy decisions where applicable.

8. Data Subject Rights
8.1. Right of Access – You can request details of personal data we hold about you and the purposes of processing.
8.2. Right to Rectification – You can request corrections to inaccurate or incomplete data.
8.3. Right to Erasure – You may request deletion where processing is based on consent or where data is no longer necessary, subject to legal obligations.
8.4. Right to Restriction – You can request that processing is restricted under certain circumstances (e.g., dispute over accuracy).
8.5. Right to Data Portability – You may request your data in a structured, machine-readable format where processing is based on consent or contract.
8.6. Right to Object – You can object to processing based on legitimate interests or direct marketing.
8.7. Right to Withdraw Consent – Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
8.8. Right to Object to Automated Decision-Making – You may object to decisions solely based on automated processing that have legal or significant effects; currently, no automated decision-making is employed.

To exercise any rights, contact: gdpr@obsidianhealthcare.ie. Proof of identification may be required.

9. Security of Personal Data
9.1. We implement administrative, technical, and physical measures to protect personal data against unauthorized access, disclosure, loss, or destruction.
9.2. Physical records are stored securely in accordance with Garda Vetting Bureau standards where relevant.
9.3. Electronic records are encrypted and access-controlled.

10. Changes to this Notice
10.1. We reserve the right to modify this Privacy Notice to reflect changes in law, business practices, or data processing activities.
10.2. Updates will be published on our website, and the effective date will be revised. Users are encouraged to review the Notice regularly.