Data Protection Statement

This Data Protection Statement provides information about the ways in which the Health and Safety Authority collects, stores and uses personal data relating to individuals (data subjects). This Data Protection Statement relates to personal data received by the Health and Safety Authority where data subjects contact, or request information from the Health and Safety Authority directly, and also personal data received by the Health and Safety Authority indirectly, and as set out below.

 

Health and Safety Authority

Who we are

The Authority has a number of major roles;

  • The Authority has responsibility for ensuring that workers (employed and self-employed) and those affected by work activity are protected from work related injury and ill-health. We do this by enforcing occupational health and safety law, promoting accident prevention, and providing information and advice across all sectors.
  • The Authority is the lead National Competent Authority for a number chemical regulations including REACH (Registration, Evaluation, Authorisation and Restriction of Chemicals) Regulation and Seveso II Directive. Our responsibility in this area is to protect human health (general public, consumers and workers) and the environment, to enhance competitiveness and innovation and ensure free movement of chemicals in the EU market.
  • The Authority is also a key agency involved in market surveillance and ensuring the safety of products used in workplaces and consumer applications.
  • INAB, a Committee of the Health and Safety Authority is the national body with responsibility for the accreditation of laboratories, certification bodies and inspection bodies.

Controller contact details

The Health and Safety Authority, is the controller for the personal data it processes. You can contact the Health and Safety Authority in a number of ways, which are set out on the contact page of our website.

DPO contact details

In accordance with Article 37 of the GDPR, the Health and Safety Authority has appointed a Data Protection Officer. If you wish to contact our Data Protection Officer in relation to the processing of your personal data by the Health and Safety Authority, you can do so by e-mailing dpo@hsa.ie 

 

Purpose of Processing By The Health and Safety Authority

The Health and Safety Authority processes personal data for a number of different purposes, which arise from its statutory powers, functions and duties.

The Health and Safety Authority’s statutory powers, functions and duties derive from varies pieces of legislation pertaining to health, safety and welfare at work, chemical safety, dangerous goods transport and market surveillance.

There are a wide range of activities that fall under our remit including:

  • Promotion of good standards of health and safety at work;
  • Inspection of all places of work and monitoring of compliance with health and safety laws;
  • Investigation of serious accidents, causes of ill health and complaints;
  • Undertaking and sponsoring research on health and safety at work;
  • Developing and publishing codes of practice, guidance and information documents;
  • Providing an information service during office hours;
  • Developing new laws and standards on health and safety at work

 

Some examples of the purposes for which the Health and Safety Authority may collect personal data in accordance with its functions are:

  • Complaint handling - including personal data received from a data subject directly where the data subject makes a complaint to the Health and Safety Authority; personal data relating to a data subject received by the Health and Safety Authority from an a duty-holder such as an employer about which the Authority has received a complaint; and personal data relating to a data subject received by the Health and Safety Authority from a complainant.
  • Inquiries and investigations - including personal data received from data subjects directly; and personal data received from a duty-holder eg an employer, which is the subject of an inquiry or investigation. This will also include personal data received by the Health and Safety Authority in its role as a ‘competent authority’ under Part 5 of the 2018 Act (‘Processing of Personal Data for Law Enforcement Purposes’).
  • Recording of Incident Report Forms and Dangerous Occurrence notifications and other statutory notifications required under various pieces of legislation for which the Authority is the enforcing body.
  • Taking enforcement action, where necessary;
  • Taking prosecution action, where necessary;
  • Promoting awareness and providing information to employers, duty-holders; members of the public and students in relation to safety, health and welfare guidance and legislation;
  • Service providers and suppliers – including personal data obtained from service providers or suppliers engaged by the Health and Safety Authority;
  • Job applications – including personal data received from persons applying for roles within the Health and Safety Authority; and
  • Conferences and events – including personal data relating to attendees at conferences and events organised by the Health and Safety Authority.

 

What Personal Data Does The Health and Safety Authority Process?

Personal data

As set out above, the Health and Safety Authority processes personal data. This includes, as set out above, personal data received by the Health and Safety Authority where data subjects contact, or request information from, the Health and Safety Authority directly, and personal data received by the Health and Safety Authority indirectly.

The personal data that we process includes (i) basic personal information, such as a data subject’s name / surname; date of birth; employment information; (ii) contact information, such as a data subject’s postal address, email address and phone number(s); and (iii) any other personal data that is provided to the Health and Safety Authority during the course of the performance of its functions. Incident investigation can result in details including qualifications, training, employment status, pay slip, and injuries being processing, further details can be found on the inspection and investigation privacy statement.

Special category data 

The Health and Safety Authority also processes special category data. This data may be provided to us as part of a complaint or incident investigation. Such special category data may include personal data relating to trade union membership or data concerning health.

Data relating to criminal convictions and offences

In the course of performing its functions, the Health and Safety Authority also occasionally processes personal data relating to criminal convictions and offences.

 

How Does The Health and Safety Authority Collect Personal Data? 

Phone Calls:

The Health and Safety Authority does not audio record or retain audio recordings of phone conversations except for phone calls to the HSA Contact Centre, low call number. These recordings are retained for 6 weeks. The calls are recorded for the purpose of training and quality and for verifying information relating to complaints received. Phone calls to direct dial numbers are not recorded. Outgoing phone calls are not recorded. Where an individual contacts the Health and Safety Authority by phone, caller numbers are automatically stored on the recipient phone in the Health and Safety Authority for a limited period of time in a list of inbound and outbound calls. All calls to the Contact Centre or calls made in relation to enforcement or inspection activities are logged on our internal database. During the course of dealing with a query, complaint or other matter, the Health and Safety Authority may record personal data received by it during the course of phone calls in the form of notes or a summary of the call may be entered on our GeoSMART database.

Emails:

All emails sent to the Health and Safety Authority are recorded, forwarded to the relevant section of the Health and Safety Authority and are stored for the purposes of the matter/case file to which the email relates. The sender’s email address will remain visible to all staff tasked with dealing with the query. 

Post:

All post received by the Health and Safety Authority is scanned, forwarded to the relevant section of the Health and Safety Authority and stored for the purpose of the matter to which the post item relates.

Social Media:

The Health and Safety Authority also receives personal data through its social media interactions on Twitter, LinkedIn and Instagram. The Health and Safety Authority operates social media accounts on these platforms in support of its functions to promote awareness of, and compliance, with health and safety legislation. Messages or posts received by the Health and Safety Authority on these social media platforms are viewed by the Health and Safety Authority but the personal data contained in the messages/posts are not logged or stored other than on the relevant social medial platform, and no further processing of such personal data is carried out by the Health and Safety Authority.

CCTV:

CCTV is in operation at our offices, further details of which are contained in a separate CCTV policy. The purpose for our processing of personal data collected by the CCTV in operation at our offices, is for security and safety. CCTV footage is retained by the Health and Safety Authority for only a limited period of time.

Website:

The Health and Safety Authority website, www.hsa.ie and our other ancillary websites uses certain cookies. A separate Cookie Policy is available which sets out what cookies are placed on the website and what information they collected.

.

What Is The Legal Basis For The Processing Of Personal Data By The Health and Safety Authority?

The legal basis for the processing of personal data by the Health and Safety Authority will depend on the legislative framework that applies and the purpose for which the processing is being carried out.

GDPR

Where the Health and Safety Authority is processing personal data for the purpose of the performance of its functions as set out in health and safety legislation, the primary legal bases under the GDPR are:

Article 6(1)(e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Other applicable legal bases under the GDPR which may apply to processing carried out by the Health and Safety Authority include:

(iii) where the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) GDPR). (An example of where this legal basis may apply is where the Health and Safety Authority collects personal data for inclusion in contact lists arising from contact with media practitioners (journalists, PR representatives) and at conferences or events;

(iv) where the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR). (An example of where this legal basis may apply is in the case of the Health and Safety Authority’s engagement with third party service providers); and

(v) where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 6(1)(f) GDPR).  Article 6(1)(f) will only apply to processing by the Health and Safety Authority that is not carried out in the performance of its tasks.

 

Law Enforcement Directive (‘LED’)

The LED deals with the processing of personal data for ‘law enforcement purposes’ by data controllers which fall within the definition of being a ‘competent authority’ for the purposes of the LED, as transposed into Irish law by, inter alia, Part 5 of the 2018 Act.

Section 70 of the 2018 Act defines the scope of processing of personal data which falls within that part of the Act. It states that Part 5 of the Act applies to processing of personal data carried out “for the purposes of (i) the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of threats to public security, or (ii) the execution of criminal penalties…”

The term ‘competent authority’ is defined in Section 69 of the Data Protection Act 2018 as being, inter alia, “a public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in the State, including the safeguarding against, and the prevention of, threats to public security”.

For certain processing activities which it carries out, the Health and Safety Authority is a ‘competent authority’ for the purposes of Part 5 of the 2018 Act.

In terms of the legal basis for processing of personal data by the Health and Safety Authority as a ‘competent authority’, Section 71(2) of the 2018 Act provides that the processing of personal data (for the purposes of the LED) shall be lawful where, and to the extent that:

  • it is necessary for the performance of a function of a controller for one of the purposes specified in Section 70 (as referred to above).

 

Who Are The Recipients Of Personal Data Processed By The Health and Safety Authority?

 

Disclosure to third parties

Personal data collected by the Health and Safety Authority is held confidentially and is not shared by the Health and Safety Authority with any third parties, with the following exceptions:

  • Where the sharing of the personal data is necessary for the performance by the Health and Safety Authority of its functions. This may arise, for example, in the context of incident or dangerous occurrence investigations, for the purposes of prosecuting offences, or as directed by a Coroner or other legal obligations. More information is provided in the additional privacy statements.
  • For the purpose of co-operation with other competent authorities or law enforcement agencies. In certain circumstances, the Health and Safety Authority must cooperate with and assist other competent authorities or law enforcement agencies.
  • For the purpose of legal proceedings. In the event that an investigation by the Authority is prosecuted any information, documents or submissions provided by an individual, may be made public in open court.
  • In the case of service providers or suppliers to the Health and Safety Authority. The Health and Safety Authority uses data processors to provide certain services to the Health and Safety Authority. The Health and Safety Authority requires such processors to abide by certain terms to protect any personal data which is processed by the service provider/supplier during the course of providing the service, in accordance with the requirements set out at Article 28(3) of the GDPR.

 

How Long Does The Health and Safety Authority Retain Personal Data?

The retention periods for personal data held by the Health and Safety Authority are based on the purpose for which the personal data is collected and processed and on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action. Detailed record management policy and procedures have been implemented which set out the retention period for our electronic and physical files. If you require more information on what the retention periods of data held about you, please contact our DPO at dpo@hsa.ie

 

Your Data Protection Rights

Under data protection law, data subjects have certain rights. 

Subject to certain restrictions, which are set out below, you can exercise these rights in relation to your personal data that is processed by the Health and Safety Authority.

The data subject rights are:

  1. The right to be informed about the processing of your personal data;
  2. The right to access your personal data;
  3. The right to rectification of your personal data;
  4. The right to erasure of your personal data;
  5. The right to object to processing of your personal data;
  6. The right to restrict processing of your personal data;
  7. Rights in relation to automated decision making, including profiling.

 

Restriction of data subject rights in certain circumstances

Article 23 of the GDPR allows for data subject rights to be restricted in certain circumstances. In addition, the 2018 Act contains certain provisions dealing with the restriction of rights of data subjects, in particular Sections 59, 60 and 61, which give further effect to the provisions of Article 23.

If you require further information in relation to your data subjects rights regarding your personal data that is held by the Health and Safety Authority, you can contact our Data Protection Officer (DPO) at dpo@hsa.ie

 

Your Right To Complain

In the event that you wish to make a complaint about how your personal data is being processed by the Health and Safety Authority or how your complaint has been handled, you have the right to lodge a complaint directly with the Data Protection Commission at:

Data Protection Commission,

21 Fitzwilliam Square South

Dublin 2

D02 RD28

Ireland

+353 (057) 868 4800 / (076) 110 4800

info@dataprotection.ie

 

Changes To Our Data Protection Statement

This Data Protection Statement is kept under regular review and is therefore subject to change.