Data Protection and Privacy Policy

1. Purpose and scope
This Policy explains how Carrig Occupational Health ("we", "us", "our") collects, uses, shares and protects personal data, including special category (health) data, when providing occupational health services. This may include assessments of employees or prospective employees at the request of an employer, and the preparation of medical advice and reports for employers or other service users (for example, insurers or legal representatives).

2. Who we are and how to contact us

If you do not agree with the terms of this Policy, please contact us before using our services so we can explain what information we need and why.

3. Definitions

  • Client (Employer): the organisation that engages us to provide occupational health services.

  • Employee Data: personal data shared with us by a Client (Employer), such as name, employee number, job role, location, referral details and absence information relevant to the referral.

  • Health Data: special category personal data relating to physical or mental health, including medical history, clinical notes, assessment forms, test results and our occupational health opinion.

  • Data Controller: the entity that determines the purposes and means of processing personal data (GDPR Article 4(7)).

  • Data Processor: an entity that processes personal data on behalf of a Data Controller.

4. What data we collect
Depending on the service, we may collect or receive:

  • Identification and contact details (for example: name, date of birth, address, email, telephone number).

  • Employment-related information provided by the employer (for example: job role, work location, referral details, sickness absence information relevant to the referral).

  • Health Data provided by you and/or your treating clinicians (with your consent where required), and generated during our assessment (for example: questionnaires, clinical history, examination findings, test results, and our occupational health opinion).

  • Administrative information (for example: appointment details, correspondence, and billing information where applicable).

5. How we collect your data

  • Directly from you (for example, forms you complete and information you provide during consultations).

  • From your employer/prospective employer (for example, referral information and role details).

  • From third parties acting on your behalf or with your permission (for example, treating clinicians, insurers or solicitors).

If you contact us by telephone, your phone number may appear in call logs on reception devices. We do not routinely record calls.

6. Why we process your data (purposes)
We process personal data for occupational health purposes, including to:

  • Arrange and provide occupational health assessments, health surveillance and related services.

  • Assess fitness for work, work capacity and/or workplace adjustments that may be required.

  • Provide occupational health advice and reports to the referring party (typically your employer).

  • Support statutory and workplace health and safety requirements where applicable.

  • Manage our operations (appointments, communications, quality assurance and governance).

  • Maintain appropriate records, handle complaints and respond to legal or regulatory requests.

7. Lawful bases for processing
We process personal data under one or more lawful bases in GDPR Article 6. Depending on the service, these may include:

  • Article 6(1)(b) - processing necessary for performance of a contract or to take steps at your request prior to entering into a contract.

  • Article 6(1)(c) - processing necessary for compliance with a legal obligation.

  • Article 6(1)(f) - processing necessary for legitimate interests (for example, ensuring safe and effective service delivery), provided those interests are not overridden by your rights.

Where we process Health Data (special category data), we rely on GDPR Article 9(2)(h) (preventive or occupational medicine, assessment of working capacity, medical diagnosis, provision or management of health care systems and services) and/or other applicable conditions in Article 9, together with relevant Irish data protection legislation.

8. Who is the Data Controller?
In the context of occupational health assessments arranged by an employer, we generally act as an independent Data Controller for the Health Data we collect and generate as part of our clinical assessment. Your employer will be a separate Data Controller for any personal data it processes in relation to your employment. In some service arrangements, we may act as a Data Processor for certain limited processing activities; where that applies, it will be governed by a written data processing agreement.

9. How we share your information
We share information only where it is necessary and proportionate to do so for the purposes of the service.

  • With the referring employer/prospective employer: we typically share a fitness for work opinion and functional recommendations. We do not disclose detailed medical diagnosis information unless it is necessary, relevant and you have provided appropriate consent, or an exception applies.

  • With service providers who support our operations (for example, secure IT and record systems), under contract and subject to confidentiality and data protection obligations.

  • With regulators, professional bodies, or law enforcement where required by law or to protect vital interests.

Reports and communications are shared using appropriate security measures (for example, encrypted email, secure portals, or secure file sharing) where available.

10. International transfers
We aim to store and process personal data within the European Economic Area (EEA). If an international transfer is required (for example, at an employer’s request), we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses and any supplementary measures required.

11. CCTV, photography and video

  • CCTV: We may operate CCTV at our premises for the safety of staff and visitors and for security of premises and assets. Footage is retained for a limited period (typically up to 30 days) unless required for an incident investigation.

  • Clinical photography: Where clinically appropriate, we may take photographs (for example, of injuries) to support an assessment or report. This will be explained to you at the time and recorded securely as part of the clinical record.

12. Your rights
You have rights under GDPR, including:

  • The right to be informed about how your data is used.

  • The right of access to your personal data (subject access request).

  • The right to rectification (to correct inaccurate or incomplete data).

  • The right to erasure in certain circumstances.

  • The right to restrict processing in certain circumstances.

  • The right to object to processing in certain circumstances.

  • The right to data portability where applicable.

Some rights are not absolute and may be subject to professional confidentiality obligations and legal exemptions.

13. Subject access requests
To request access to your personal data, please contact us at: [Insert SAR email address]. We will respond within the timelines set out in data protection law (typically one month), subject to verification of identity and applicable exemptions.

14. Security

  • We use organisational and technical measures to protect personal data against unauthorised access, alteration, disclosure or loss.

  • Access to occupational health records is restricted to authorised staff and clinicians.

  • We manage personal data breaches in accordance with our incident management procedures and will notify the relevant supervisory authority and affected individuals where required.

15. Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, and in line with legal, regulatory and professional obligations. Retention periods may also be influenced by the employer’s requirements where appropriate.
Typical retention guidance (may vary by service and legal requirements):

16. Website data
Our website may receive limited technical information (for example, IP address, browser type, device information) as part of standard web hosting and security logs. If we use cookies or analytics tools, we will provide a cookie notice explaining what is used and how you can manage your preferences.

If you email us or submit a contact form, we will use the details you provide to respond to your enquiry and retain the correspondence in line with our retention approach.

17. Complaints
If you have concerns about how your personal data is handled, please contact us first so we can try to resolve the matter. You also have the right to lodge a complaint with the Irish Data Protection Commission.

Irish Data Protection Commission: dataprotection.ie

18. Changes to this Policy
We keep this Policy under review and may update it from time to time.

Website Privacy Notice

This Website Privacy Notice governs the manner in which the Practice [the Data Controller(s) are listed above] collects, uses, maintains and discloses information collected from users (each, a “User”) of this website (“Site”). Practice Ally Ltd (trading as GP Practice Ally) is employed by the Practice to be the Data Processor of this information via this website (you can read their Privacy Notice here). GP Practice Ally does not control any of the data collected by the Site. This Website Privacy Notice applies only to the Site and all services offered online by the Site.

While every effort is made to ensure the Site remains up to date, information on this website is for use as a general guide only, and is subject to change at any time. Please contact the practice if you require further information.

Data Collection

Each time any visitor uses the Site, we may collect one or both of two different types of information.

  • Non-individual specific statistics: The first type of information is statistical and analytical information collected on a non-individual specific basis about visitors to our website. We gather general information about how many visitors use the website, how many visitors return to the website, what pages they visit etc. This information lets us monitor traffic on the website so that we can manage its capacity, efficiency, design and content. It helps us to understand website traffic patterns and to know, for example, which parts of the website are the most popular/useful.

  • Personal information: The second type is information which is personal or particular to a specific visitor. This information is collected by specific request so you will be fully aware when you are providing this information to us. This might arise when you book an appointment online/email us etc.

Web browser cookies

Our Site may use “cookies” to enhance User experience. The User’s web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. The User may choose to set their web browser to refuse cookies, or to alert them when cookies are being sent. If they do so, note that some parts of the Site may not function properly.

How we use collected information

The Practice collects and uses Users' personal information for the following purposes:

  • To administer services: We will use the information submitted via our various online service features to deliver the requested services where possible;

  • To send emails or SMS messages, where consent has been provided;

  • To personalise user experience: We may use information in the aggregate to understand how our Users as a group use the services and resources provided on our Site;

  • To improve our Site: We continually strive to improve our website offerings based on the information and feedback we receive from you;

  • To improve customer service: Your information helps us to more effectively respond to your service requests and support needs.

The email address Users provide will only be used to respond to their enquiries, and/or other requests or questions.

How we protect your information

While we adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access to your personal information, the Practice cannot guarantee the security of your personal information transmitted via our Site. Transmission of your personal information is at your own risk. Once we receive your personal information, we will use appropriate security measures to seek to prevent unauthorised access or disclosure.

Sharing your personal information

We do not sell, trade, or rent Users' personal identification information to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third party service providers to help us operate our business and the Site or administer activities on our behalf, such as sending out newsletters or surveys. We may share your information with these third parties for those limited purposes provided that you have given us your permission.

Third party websites

Users may find content on our Site that links to the sites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website’s own terms and policies.

Changes to this Privacy Notice

The Practice has the discretion to update this Privacy Notice at any time. When we do, we will revise the updated date at the bottom of this page. We encourage Users to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect. You acknowledge and agree that it is your responsibility to review this Privacy Notice periodically and become aware of modifications.

Last Updated: 10/12/2024
