IntroductionThe purpose of this document is to provide a concise policy statement regarding the Data Protection obligations of Fleming Medical. This includes obligations in dealing with personal data, in order to ensure that the organisation complies with the requirements of the relevant Irish legislation, namely the Irish Data Protection Act (1988), and the Irish Data Protection (Amendment) Act (2003).
RationaleFleming Medical must comply with the Data Protection principles set out in the relevant legislation. This Policy applies to all Personal Data collected, processed and stored by Fleming Medical in relation to its staff, service providers and clients in the course of its activities. Fleming Medical makes no distinction between the rights of Data Subjects who are employees, and those who are not. All are treated equally under this Policy.
ScopeThe policy covers both personal and sensitive personal data held in relation to data subjects by Fleming Medical. The policy applies equally to personal data held in manual and automated form. All Personal and Sensitive Personal Data will be treated with equal care by Fleming Medical. Both categories will be equally referred-to as Personal Data in this policy, unless specifically stated otherwise.
This policy should be read in conjunction with the associated Subject Access Request procedure, the Data Retention and Destruction Policy, the Data Retention Periods List and the Data Loss Notification procedure.
Fleming Medical as a Data ControllerIn the course of its daily organisational activities, Fleming Medical acquires, processes and stores personal data in relation to:
• Employees of Fleming Medical
• Customers of Fleming Medical
• Third party service providers engaged by Fleming Medical
• Consumers engaging with Fleming Medical Apps
In accordance with the Irish Data Protection legislation, this data must be acquired and managed fairly. Not all staff members will be expected to be experts in Data Protection legislation. However, Fleming Medical is committed to ensuring that its staff have sufficient awareness of the legislation in order to be able to anticipate and identify a Data Protection issue, should one arise. In such circumstances, staff must ensure that the Data Protection Officer is informed, and in order that appropriate corrective action is taken.
Due to the nature of the services provided by Fleming Medical, there is regular and active exchange of personal data between Fleming Medical and its Data Subjects. In addition, Fleming Medical exchanges personal data with Data Processors on the Data Subjects’ behalf. This is consistent with Fleming Medical’s obligations under the terms of its contract with its Data Processors.
This policy provides the guidelines for this exchange of information, as well as the procedure to follow in the event that a Fleming Medical staff member is unsure whether such data can be disclosed.
In general terms, the staff member should consult with the Data Protection Officer to seek clarification.
Subject Access RequestsAny formal, written request by a Data Subject for a copy of their personal data (a Subject Access Request) will be referred, as soon as possible, to the Data Protection Officer, and will be processed as soon as possible.
It is intended that by complying with these guidelines, Fleming Medical will adhere to best practice regarding the applicable Data Protection legislation.
Third-Party processorsIn the course of its role as Data Controller, Fleming Medical engages a number of Data Processors to process Personal Data on its behalf. In each case, a formal, written contract is in place with the Processor, outlining their obligations in relation to the Personal Data, the specific purpose or purposes for which they are engaged, and the understanding that they will process the data in compliance with the Irish Data Protection legislation.
These Data Processors include:
• HR Department
• Marketing Department