Privacy Statement - Sunbeam House Services

SHS Privacy Statment

Privacy Statement

Sunbeam is committed to respecting your privacy and protecting your personal information

Introduction

Sunbeam House Services (SHS) provide services to adults with Intellectual disabilities. Our registered office is Sunbeam House Services, Southern Cross House, Southern Cross Business Park, Boghall Road, Bray, Co Wicklow A98 RH93, and we are a company limited by guarantee - Registered in Ireland - Registered No. 76504. CHY No. 6559. CRA No. 20012328.

SHS is the legal entity which determines the purposes and means of the processing of personal data for all SHS services users and employees. We take your privacy seriously. This Privacy Statement explains why and how we will use the personal information that we have obtained from you or others with whom we share it and the rights you have in connection with the information we use.

This statement describes the way we handle and use the personal information that we obtain from all the different interactions you may have with us.

For the purpose of the General Data Protection Regulation (the GDPR), the data controller is SHS.
Our Data Protection Officer ("DPO") is Asta Keil, Sunbeam House Services, Ballyraine Campus, Vale Road, Arklow, Co. Wicklow, Ireland. Y14 XY75. Email dpo@sunbeam.ie

Glossary of Terms and Definitions

Terms	Definitions
CCTV	Means closed-circuit television and is commonly known as video surveillance. CCTV networks are commonly used to detect and deter criminal activities, but they may have other uses.
Compliance with a Legal Obligation	This is one of the lawful bases that an organisation may rely on when processing personal data. For example, an organisation may be legally required to comply with health and safety standards such as the Safety, Health and Welfare Act 2005 and, as a result, are legally required to process your personal data.
Consent	This is one of the lawful bases that an organisation may rely on when processing personal data. For example, an organisation may be legally required to comply with health and safety standards such as the Safety, Health and Welfare Act 2005 and, as a result, are legally required to process your personal data.
Cookies	Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work or work more efficiently, as well as to provide information to the owners of the site.
Data Controller	Means, the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor	This means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Processor Agreement	This means a specific data sharing agreement that data controllers are obliged to have in place with any data processors they engage with.
Data Protection Laws	This means for the purposes of this document, the collective description of the GDPR and any other relevant data protection laws that SHS complies with. Irish Data Protection Act 2018 and the General Data Protection Regulation (EU) (2016/679)
General Data Protection Regulation 2016/679 (GDPR)	Is also known as the GDPR. This is a data privacy regulation applicable to all EU member states.
International Data Transfers	This Means data transfers that take place outside the EU, EEA and non-adequate countries that have not been recognised as having similar data protection legislation to that of the EU/EEA.
Legitimate Interest	This is one of the lawful bases that an organisation may rely on when processing personal data. Legitimate interest covers a wide range of interests such as the organisation, third party, and commercial or for wider societal reasons.
Performance of a Contract	This is one of the lawful bases that an organisation may rely on when processing personal data. For example, an employer and an employee will engage in an employment contract for the purpose of managing the employment relationship. This contract will justify the processing of employee data in an employment context.
Processing	Means any operation or set of operations which are performed on personal data or on sets of personal data, whether manually or by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data	Means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, by any reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Safeguards or Security Measures	This means the different controls and processes an entity may put in place to protect your data while at rest or in transit.
Special Category Data	This means certain types of sensitive personal data which are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as "special categories" of personal data. The following are examples of special category data: Racial or ethnic origin Political opinions Religious or philosophical beliefs Trade union membership Genetic data Biometric data Health data Data concerning a natural person's sex life or sexual orientation.
Vital Interest	This is one of the lawful bases that an organisation may rely on when processing personal data. It means interests that are essential for someone's life and generally only apply to matters of life and death.

Personal Information SHS Collects

SHS obtain your personal data if:

You apply for a job with us.
You avail of our services.
You are an employee: We also may hold a limited amount of personal data about employees' family members, including your children.
Potential clients who are in the process of being referred to SHS.
Parent/Guardian/Carers etc., of potential clients and service users.
You Volunteer
People who apply to become a volunteer with us.
Service suppliers and contractors.
For payroll processing and other employee benefits processing
Conducting investigations under SHS policies
Conducting health and risk assessments

The personal data relating to the people we provide services to is gathered by SHS from a variety of sources, including but not limited to: The individual, a family member, other services providers, a referring GP, hospital or consultant. We only collect personal information which is required, and that is relevant for the purposes for which they are intended. Depending on the services the individual receives from us, this may include special category personal data such as information relating to health. This information is collected by SHS in a variety of manners, including but not limited to collected directly by our employees, consultants, GPs or other healthcare professionals who refer clients to SHS or who are involved in the care, treatment and support of the individual.

We may request that other healthcare providers, such as other hospitals and pharmacies, provide us with data relating to clients if required to improve the quality of our services. In cases of emergency, we may receive your data from emergency services, such as An Gardaí Siochana, the ambulance services, or the fire brigade services. Once again, we receive this data purely for the purpose of ensuring the care and support we provide to you is of the highest standard. The type of personal data we collect about you depends on whether you are an employee, volunteer client or family member etc.

The personal data that we process specifically for clients:

Name
Address
Date of birth
Phone number
Gender
Marital Status
Medical records
Reasons for referral
Medical/Psychiatric history
Collateral history (where the client cannot give information themselves for various reasons, a collateral history may be taken from a close family member, friend or witness.)
Pharmacy name and contact details
Medications/treatment received to date
Information that you give us when you enquire about services at SHS or become a recipient of our services, such as your name, address, and contact details (including email address and phone number).
The name and contact details (including phone number) of your relatives.
Any information you include in correspondence you send to us or in forms you submit to us at SHS.
Details of your medical history such as details and records of treatment and care, notes, and reports about your health, such as allergies or health conditions, including information relating to any clinic visits and medicines administered.
Information relating to your health, including mental health, diagnosis information, medication details; medical records; services provided by us; admission/discharge to SHS and other services; clinical consultation recordings; current/future residential/day service provision and history; multidisciplinary team reports.
In some circumstances, individuals may disclose data relating to their relatives and other third parties.
Information relating to your religious beliefs.
Details of your sexual orientation where you inform us of same in the course of providing healthcare services.
Financial information such as your payment card details and, in relation to certain refunds, your bank account details.
Other relevant information from people who care for you and know you well, e.g., health professionals, relatives, and carers.
Your identification information when exercising the rights that you have in relation to our processing of your personal information.
Information about complaints and incidents.
Information obtained from surveys that you have taken part in.
Information that you give us when you submit a question/comment in relation to our services.
Information collected by our SHS Social Workers.

The personal data that we process specifically for employees:

For the purpose of various processing activities essential to running the organisation, including but not limited to the following processing: Recruitment, Garda vetting, Employee Time Management, Payroll, Disciplinary, Trust in Care, Grievances, Dignity at Work, Workplace accidents, Workplace Relations Complaints (WRC), Performance Management and Media/Public Relations we hold the following data about employees:

Contact details
Date of Birth,
Name
Address
Gender
Financial Information
Work performance-related information, including time and attendance, absenteeism and the views and opinions that others may have about you
Images of you
Gender and Marital Status
Family members
Information about any Offences you may have committed due you the Garda Vetting process
Photographic identification
Proof of current address
Race/Ethnicity/Nationality
Referee contact details
Salary details
Staff Children's DOB and their names
Your personal email address
Immigration Status
Health Data - Data concerning health
Details of your car used for work purposes, including Insurance, driving licence, penalty points and road traffic offences or convictions.
Other information that you give us when applying for a job with SHS

Other personal data that we process (not exhaustive) list:

Footage captured from our CCTV operation, which is in use at some of our facilities for health, safety, and security purposes.
Video footage of training and practice in skills and competencies.
Information you give us when you publish public comments on our social media pages, e.g. Facebook.
Cookies on our website https://sunbeam.ie/cookie-policy

We also collect, where necessary, some of the above information for past employees, potential employees, students, volunteers and other 3rd parties.

Why is the information collected?

SHS collects the information in order to deliver and improve our services. The information is used for:

Providing our clients with health and social care services.
To support the placement of students and trainees who may have access to your medical records. All staff are required to comply with the General Data Protection Regulation and SHS policies & procedures.
To communicate with you as part of our relationship with you.
To administer and improve internal operations, including troubleshooting and data analysis.
To deliver information about our services, where you have subscribed or consented to receive same.
To comply with applicable laws and regulations.
To carry out satisfaction and experience surveys.

Will my personal data be transferred outside of the European Economic Area (EEA)

We use analytics tools to collect information about your use of this website. Anonymised data may be transferred to the United States of America (USA). But we have anonymised IP addresses for analytics purposes on this website which means that no individual can be identified by their IP address.

Where is the information obtained from?

Directly from the individual – client (Data Subject)
Family members
Referring GP; and/or Hospitals and service providers (where you are being referred to us from a hospital or service provider).
Internal staff, associated providers, contractors, investigators etc., when the data subject is in receipt of their services.

Use of your personal data

We use your personal information for a variety of reasons. We rely on different grounds to process your personal information, depending on the purposes of our use. We use your personal information in the following ways:

Where you provide consent: - We may use and process your personal information for the following purposes where you have consented for us to do so, e.g., media content (media content may include photos and videos of you). You may withdraw your consent at any time. If you wish to withdraw consent, please contact the relevant Client Service Manager for clients, HR@sunbeam.ie for employees or the Data Protection Officer at DPO@sunbeam.ie for more information.
Where necessary to comply with SHS legal obligations: - This may include but is not limited to:

Record keeping of health and social care services provided to you.
Record keeping that is related to the exercise of your rights.
Safeguarding incidents.
Handling and resolution of compliments and complaints.
To comply with law enforcement requests.
Regulatory requirements, e.g. Employment law, HIQA regulations, and The Health Act.

When required to pursue a legitimate interest: - There may be times when it is necessary to process your personal data in pursuit of a legitimate interest; for example:

When the process is required to support your enquiry.
When necessary to provide health and social care services.
To comply with a request from you in connection with the exercise of your rights.
Processing is necessary for SHS to operate and administrative and technical aspects of running an efficient and effective organisation.
For the prevention of fraud and other criminal activities.
For network and information security, in order for us to take steps to protect your information against loss or damage, theft, or unauthorised access.
To enforce or protect our contractual or other legal rights or to bring or defend legal proceedings.

Where necessary for SHS to fulfil its contractual duties: - SHS will use your personal information where this is necessary to perform its contractual duties.
Where the processing is in your vital interest: - SHS will use your personal information where this is in your vital interest.

The Legal Basis for Processing Data

The Irish Data Protection Act 2018 and the GDPR (Regulation EU 2016/679) require that the processing of personal data shall meet certain justifiable criteria to allow for the processing of personal health data. Health data falls under the banner of special categories of personal data. This means that SHS shall outline in explicit terms the justification for the processing of personal data relating to staff, clients, visitors, vendors, and contractors. The table below illustrates the types of data SHS processes and the legal basis for processing that data as required by the General Data Protection Regulation, Regulation (EU) 2016/679.

Type of Personal Data Processed	Purpose of Processing	Lawfulness of processing
Client Data [1]	Necessary to support the administration of clients, treatment care and support in SHS. To provide health-related and social care services.	Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. For the establishment, exercise, or defence of legal claims. For compliance with certain legal obligations to which SHS is subject. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Employee Data [2]	Necessary to support the administration of employee records in SHS. Allows SHS to manage the employment relationship between staff and SHS.	Performance of a contract [3] Compliance with a Legal Obligation [4] Legitimate Interest [5]
Students and Trainees Data [6]	SHS supports the placement of students, trainees and volunteers. SHS collects personal information of students, trainees and volunteers on placement for the primary purposes of providing the placement and facilitating assessment. The purposes for which SHS uses the personal information of students, trainees and volunteers include: Managing the individual's placement. Ensuring the quality and safety of care provided to clients. Insurance purposes. To ensure SHS holds relevant contact information. Satisfying its legal obligations, including obligations under any placement agreement.	Performance of a contract
Financial Data [7]	Required for providing a service and billing. Staff payroll.	Performance of a contract Compliance with a Legal Obligation
Health Data [8]	Necessary to provide client care treatment and support in SHS. Review the care provided by audit or service evaluation. To help in decision-making about your care and ensure that your care and treatment are safe and effective. To work effectively with other organisations that may be involved in your care.	Special Categories [9] data are processed under Article 9 of the GDPR: Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
Audits	To review care, treatment and support provided to improve service quality and ensure services meet future needs. To ensure compliance with regulatory bodies.	Compliance with a Legal Obligation. Legitimate Interest.
CCTV [10] Covert Surveillance [11]	SHS uses CCTV for the purpose of maintaining the safety and security of its staff, clients, visitors, and other attendees. CCTV may also be requested by Law Enforcement Agencies, such as An Garda Siochana, for "preventing, detecting, investigating or prosecuting criminal offences".	Safety, Health and Welfare Act 2005. Performance of a contract. Legitimate Interest. Section 41 (b) of the Irish Data Protection Act 2018.
Contractors [12]	SHS may provide or allow access to personal information for the provision of professional services to SHS.	Peformance of a contract.
Health Research Data	To identify clients who might be suitable for clinical trials/research. SHS promotes research, and there are strict regulations surrounding research and how it may be conducted. Suitable participants will be given full information about the research/trial and will be asked to provide their consent to participate. To identify the client that might be suitable for clinical trials/research. Any participation in a trial or research study must have consented.	Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018). Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
Other Uses	In order to provide the best possible environment in which to support you, we may also use your personal information where necessary for: Activities such as quality assurance processes, accreditation, audits, risk and claims management, client experience, satisfaction surveys and staff education and training. Invoicing, billing, and account management, including storage of provider details on SHSs billing systems, transmission to Insurers and processing by billing companies. The purpose of complying with any applicable laws. The purpose of sending you standard reminders, for example, for appointments, by text message or email to the number or address which you have provided to us. We may anonymise or aggregate the personal information that we collect for the purpose of service management, monitoring, planning, and development.	Legitimate Interest. Compliance with a Legal Obligation.

[1] Client data includes (but is not limited to) the following:	name, address, DOB, contact details (phone, mobile, email), dates of appointment, and health information.
[2] Employee data includes (but is not limited to) the following:	name, address, DOB, contact details (phone, mobile, email), HR records, PPSN, bank details, P60, tax information and tax status, grievances, performance reviews, sick notes, medical leave and COVID 19 Vaccination Status as per public health advice.
[3] Performance of a contract:	Is one of the lawful bases that an organisation may rely on when processing personal data. For example, an employer and an employee will engage in an employment contract for the purpose of managing the employment relationship. This contract will justify the processing of employee data in an employment context.
[4] Compliance with a legal obligation:	This is one of the lawful bases that an organisation may rely on when processing personal data. For example, an organisation may be legally required to comply with health and safety standards such as the Safety, Health and Welfare at Work Act 2005.
[5] Legitimate Interest:	This is one of the lawful bases that an organisation may rely on when processing personal data. This will involve a balancing exercise that takes into consideration both the aims and objectives of the SHS and the rights and freedoms of the data subject(s).
[6] Students, Trainees and Volunteers:	SHS may have access to your personal information for the purpose of the placement
[7] Financial data includes (but is not limited to) the following:	invoicing, billing, and account management.
[8] Health Data includes (but is not limited to) the following:	diagnosis, medical records and assessments, medical/physical history and medication details, reports for carers/guardians, assistive technology needs and personal care needs, notes and reports and medications.
[9] Special Category Data	This means certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as "special categories" of personal data. They include the following: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and data concerning a natural person's sex life or sexual orientation.
[10] CTV Operations:	This means closed-circuit television and is commonly known as video surveillance. "Closed-circuit" means broadcasts are usually transmitted to a limited (closed) number of monitors, unlike "regular" TV, which is broadcast to the public at large. CCTV networks are commonly used to detect and deter criminal activities and record traffic infractions, but they have other uses.
[11] Cover Surveillance:	This is a form of hidden monitoring practice that involves the use of CCTV.
[12] Contractors:	This Means third parties engaged by SHS to carry out specific tasks or functions on our behalf.

Information Sharing

We may disclose your personal information outside SHS in limited circumstances. If we do, we will put in place appropriate controls and data sharing agreements that require recipients to protect their personal information unless we are legally required to share that information. Any contractors or recipients that work for us will be obliged to follow our instructions. We do not sell your personal information to third parties.
We may disclose your information to our third-party service providers, agents, and subcontractors (Suppliers) for the purposes of providing services to us or directly to you on our behalf. We may share your personal data with our selected suppliers and contractors to provide you with our services. For example, these may include:

Health professionals, independent consultants, and other hospitals that require your personal data as part of the provision of medical treatment.
IT service providers that either host or have access to our data as part of their product offering.
Regulatory bodies such as HIQA, the Revenue Commissioners, and the Health and Safety Authority, where we are obliged to make data available as required. This includes exchanging information with other entities and organisations for the purposes of fraud protection and credit risk reduction.
Any party whom you have given us permission to speak with (family, friends or otherwise) regarding your care and support.
The relevant person, where you are not in a situation to grant us permission.
GPs and other healthcare professionals involved in your treatment.
Healthcare specialists/providers whose opinion/services may aid us in an effective medical diagnosis and/or care service.
Billing agencies engaged by your consultant or other healthcare professionals involved in your care.
Legal representatives, as necessary.
Statutory bodies and health boards as required by EU and Irish law.
Auditors to measure compliance with SHS policy and accreditation standards.

We take steps to ensure that any third-party providers who handle your information comply with data protection legislation and protect your information to the same extent that we do. We only disclose personal information, which is necessary for them to provide the service they are undertaking on our behalf. We will aim to anonymise your information or use aggregated non-specific data sets where possible.

We may also disclose your personal information to third parties if we are under a duty to disclose or share your information in order to comply with any legal obligation or in order to enforce or apply our terms of use and other agreements; or to protect our rights, property or safety of our clients or others.

The table below illustrates the categories of third parties we share personal data with:

Category of Third Party	Description of Services Provided	Lawful Basis for Processing
IT Service Providers	System-based processing of personal and/or health details as part of the individual's care support and/or organisational/operational requirements. E.g. cloud hosting services; the National Incident Management Systems (NIMS), National Ability Support System (NASS) application development and support services; IT Infrastructure services; email services and cloud hosting services.	Performance of a contract. Legitimate Interest. Compliance with a Legal Obligation.
Legal/Professional Advisors	The provision of business consulting, audit, and legal services, including access to and analysis of personal data as part of SHS initiatives, statutory audits, legal claims, and ad-hoc consultancy advice.	Performance of a contract. Legitimate Interest.
Transport, Storage & Shredding	The provision of courier services for the transportation of physical documents to and from suppliers. Storage and destruction of physical files for operational and regulatory purposes.	Performance of a contract. Compliance with a Legal Obligation.
Outsourced Service Providers	The external processing of personal data to external providers where SHS does not have either the expertise, capacity, or demand to provide the processing required.	Performance of a contract.
Regulatory Bodies	Provision of personal data as required to satisfy obligations, audit, and mandatory reporting purposes with bodies such as HIQA, SHS, The State Claims Agency, and the Health & Safety Authority.	Compliance with a Legal Obligation. Performance of a contract. Legitimate Interest.
Security & Maintenance	CCTV Cameras are in operation both inside and outside of select SHS premises in order to protect our staff, the individuals supported by our services, visitors, and property.	Compliance with a Legal Obligation. The performance of a Contract. Legitimate Interest.
Law Enforcement Agencies	To assist law enforcement agencies in their efforts to prevent, detect, investigate, or prosecute criminal offences.	Compliance with a Legal Obligation. Section 41 (b) of the Irish Data Protection Act.
Your Local Doctor (GP)	Sometimes your local doctor will contact SHS for additional information about your care. In this situation, we will only release information to the doctor whom you have specified as your local doctor on your admission form.	Consent.
Other Health Service Providers	If in the future you are being treated by a medical practitioner or health care facility that needs to have access to the health record of your care, we will provide a copy of your record to that medical practitioner or health care facility provided this request is processed in the correct manner and with your knowledge.	Consent. Vital Interest.
Relatives, personal carers and/or significant other(s)	We may provide information about your health to your spouse or partner, parent, child, other relatives, close personal friends, guardians, legal representative, or a person exercising your power of attorney under an enduring power of attorney or whom you have appointed your enduring guardian unless you tell us that you do not wish us to disclose your personal information to any such person.	Power of Attorney. Enduring Power of Attorney. Legal guardian. Assisted decision making (Capacity) Act 2005. Compliance with a Legal Obligation. Consent.

Information Retention

We are obliged to retain certain information to ensure accuracy, to help maintain quality of service and for legal, regulatory, fraud prevention and legitimate operational purposes. Other information will be retained for no longer than is necessary for the purpose for which it was obtained by us or as required or permitted for legal, regulatory, fraud prevention, and legitimate operational purposes. We will not hold your personal information in an identifiable format for any longer than is necessary for the purposes for which it was collected or as per the legislative retention period.

International data transfers

SHS is accredited by The Council on Quality and Leadership "CQL". CQL is the only 3rd party with whom SHS shares data that operate outside of Europe. All information you provide to us is stored on our secure servers, which are located within the European Economic Area (EEA). SHS ensure that appropriate safeguards are in place for that transfer and storage as required by applicable law. This is because some countries outside of the EEA do not have adequate data protection laws equivalent to those in the EEA.

Automated decision-making and profiling

SHS does not use automated decision-making or profiling.

Your rights with regard to your personal data

As a data subject, you have right in relation to your personal data; this includes the right to:

Access your data
The right to be informed concerning the processing of your personal data.
The right to have your data rectified.
The right to have your data erased if there are no conflicting laws or legitimate interests of the organisation.
The right to data portability (have your data transferred in a commonly used and machine-readable format.)
The right to object to processing.
The right to restrict processing.
The right to withdraw consent where consent is the basis for processing your personal data.
The right to lodge a complaint with the Data Protection Commission. To lodge a complaint, please click here

Noting there are times when restrictions to those rights apply.

For full and current details of your rights and restrictions under GDPR, please visit the Irish Data Protection Commissioners site at this link http://www.dataprotetion.ie/Your Rights under the GDPR | Data Protection Commissioner

You may exercise any of the above rights by contacting the SHS Data Protection Officer (DPO); see contact details below. When exercising your right to a Subject Access Request, please contact the DPO. You may be invited to provide us with the following:

Identify the records or information that you require.
Provide full personal contact details.
Provide a copy of one form of identification, i.e., passport or driver's licence

Data Security

We take the security of your personal information seriously and use a variety of measures based on good industry practice to keep it secure. Nonetheless, transmissions over the internet and to our website and our social media pages may not be completely secure, so please exercise caution. When accessing links to other websites, their privacy policies, not ours, will apply to your personal information.

We employ security measures to protect the personal information you provide to us, to prevent access by unauthorised persons and unlawful processing, accidental loss, destruction, and damage.

SHS will take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. We use technology such as firewalls, encryption, mobile device management and multifactor authentication to keep your data safe. We also have policies and procedures for staff in relation to access control and passwords.

Our sites and social media pages may contain links to other websites run by other organisations which we do not control. This statement does not apply to those other websites, so we encourage you to read their privacy statements. We specifically disclaim responsibility for their content, privacy practices and terms of use, and we make no endorsements, representations or promises about their accuracy, content, or thoroughness. Your disclosure of personal information to third-party websites is at your own risk.

Social Media Channels

If you are logged into your social media account when you access the HSE website, then the social media account provider may be able to associate your account with the pages on the SHS website that you visit. They do not do this on behalf of the SHS but for their own purposes. You should make yourself aware of the privacy policies of the social media providers that are present on our website. For all cookies that SHS does not control, i.e. 3rd party cookies, please refer to their respective Privacy Policies.

You can find out more about the policies of these social media channels here:

Social Media Channel	Policy	Opt-out
Facebook	Privacy Policy \| Cookies \| GDPR Compliance	Opt-out options
Instagram	Privacy Policy \| Cookies \| GDPR Compliance	Opt-out options
LinkedIn	Privacy Policy \| Cookies \| GDPR Compliance	Opt-out options
Twitter	Privacy Policy \| Cookies \| GDPR Compliance	Opt-out options
YouTube	Privacy Policy \| Cookies \| GDPR Compliance	Opt-out options

Your rights pertaining to your data

Under the Data Protection Law, you have certain rights. Please send your request to dpo@sunbeam.ie

The right to withdraw consent
The right of access
The right to erasure
The right to rectification
The right to data portability
The right to object
Notification of data breaches
The right to lodge a complaint with a supervisory authority

For more information about your GDPR rights, please visit https://www.dataprotection.ie/

Updates to this Privacy Statement

This notice may change from time to time, and any changes will be posted on our site and will be effective when posted. Please review this notice each time you use our site or our services. This notice was last updated on 04 Jul 2022.

Making a complaint

If you are unhappy with the way that we have processed your personal data, please contact the SHS Data Protection Officer (DPO).

The SHS DPO can be contacted directly by email at dpo@sunbeam.ie.
If we are unable to resolve your complaint, then you have the right to lodge a complaint with our supervisory authority, the Data Protection Commission and the HSE Data Protection Officer. You can lodge a complaint if:

We are unable to resolve your complaint about how your personal data is being processed.
You are not happy with how your complaint has been handled.

SHS DPO Contact Details

Address: Data Protection Officer, Sunbeam House Services, Ballyraine Campus, Vale Road, Arklow, Co. Wicklow, Ireland. Y14 XY75

| Phone: +353 (0)1 286 8451 | Email: dpo@sunbeam.ie |