Members are encouraged to read this notice which sets out essential information about the personal data we collect from you, how we use and safeguard this information, who we share it with and why, and how long we will keep it on file. It also explains your rights, some of which are new, arising from the General Data Protection Regulation (GDPR) effective 25.05.2018.
Please also bring this notice to the attention of anyone who is covered by your policy with the Prison Officers Medical Aid Society (the Society).
1. Who we are
The Prison Officers Medical Aid Society has been looking after the Health Insurance needs of its members since it was established on 4th June 1981 as a Restrictive Private Health Insurance Scheme. The Society is a “Restricted Membership Undertaking”, i.e. membership is restricted to serving and retired prison officers and their dependant spouses or partners and children. It is a non-profit, contributory medical insurance scheme. We have been providing reliable, value for money medical insurance for both in-patient hospitalisation and extensive outpatient benefits to members of the Prison Service for over 36 years. We endeavour to offer the most up-to-date available technological advances in medical care. The Society is operated in accordance with Irish Health Insurance Legislation. Its licence is granted by the Health Insurance Authority and is renewable on a year to year basis.
2. Our approach to Data Protection
We have always appreciated your trust in us to collect, process and protect your personal information and we will continue to look after your information in a way that merits your trust. As a data controller, we are committed to meeting our obligations under the GDPR and have appointed a Data Protection Officer (DPO) who has oversight of our information practices and is responsible for ensuring your rights are fulfilled. The DPO is also a point of contact for members should you have any questions or concerns about your personal information.
You can contact our DPO at email@example.com or write to: Data Protection Officer, 397e North Circular Road Dublin 7, D07 TAC9.
3. The information we collect and hold about you and others covered by your policy
Most of the information we collect from you is personal, and some of it is very private to you, including information about your health and that of your family. This type of information is treated as a “special category”, meaning that we apply stringent safeguards against its improper use or disclosure.
We collect and store only the information that we need to look after your Health Insurance and this will include:
- Your personal identification and descriptors
- Full name/Maiden name/Signature
- Home address; email address; phone number and other contact information
- Age/date of birth
- Marital status
- Partner/spouse and dependents
- Pay number
- Tax Identification Number/PPS Number
- Proof of identity and address e.g. copy of driving licence/passport and utility bills
- IP address
- Biometric data including photographic ID, dental chart and voice (call) recordings
- Your health and related information
- Records of physical or mental illness or ill health
- Medical histories
- Information about injuries and accidents
- Records of treatments obtained by you
- Length of any stay in a hospital
- Other treatments or services received by you
- Previous insurance history
- Personal bank account or credit union account details
- Payroll details
- Other information relevant to a claim
Information about other persons currently or previously covered by your membership/policy
- Personal identification and descriptors, including the relationship to you as the policyholder, including:
- Full name and PPSN number of your spouse, partner, children or any others seeking insurance
- Verification of the age of a minor child, e.g. by provision of a birth certificate
- Health and related Information
- As above.
4. How we collect this information
We record and file the identification and contact information and other data that you input into our online or printed forms or provide to us over the phone when you join the Society.
We can only deal with and communicate with the member/policyholder, so when you contact us we may need to verify your identity, for example by asking you a security question or looking for some additional personal detail that only you would know.
When we need information about a family member or any other person(s) covered by your policy, we will obtain that information from you, as the member/policyholder.
We may record and/or make notes about phone conversations and will always let you know when we do this.
We may seek relevant information about your health, medical conditions and any treatments or other services received by you or other person(s) covered by your policy: this information will generally come from you, but we may also request and obtain it from your physician, a hospital or other treatment centre, or your family members. This type of information is needed to administer claims and is not used for any other purpose.
Our website makes limited use of ‘cookie’ technology. A cookie is a piece of text that our server places on your device when you visit our website. The type of cookie we use is “a non-persistent session enabler” which means it is used only to allow your device to communicate with the site while you log-in and use the site; the cookie expires when you log out of the site. We also collect the IP address of any device which is trying to connect with the site and use this to track successful or failed attempts at log-in to your account and the number of attempts made.
5. How we use your information
To process your information lawfully, we rely on one or more of the following legal bases (some information may be processed under more than one lawful basis):
- Provision of a policy of Health insurance or Health-related Insurance;
- Legal obligation;
- Our legitimate business interests;
- Your consent; and,
- Protecting the vital interests of you or others
We use information about you and others covered by your policy to:
- Set up, amend or renew your policy;
- Manage your Health Insurance policy;
- Set your subscription rate;
- Provide Health Insurance services to you as a member or former member;
- Process your Health Insurance claims and associated payments;
- Check and verify aspects of claims including treatments, duration of stays and convalescence options applied or utilised by Medical Service Providers;
- Respond to your requests and provide information;
- Respond to statutory obligations or requests from the courts and enforcement authorities;
- Audit Medical Service Providers;
- Keep our records up to date to contact you when required and provide the best customer service;
- Produce internal management information to run our business and identify ways in which we can improve our services;
- Provide relevant information to other Health Insurance providers in the event of you switching provider; and
- Perform any other Health Insurance related activities which we are obliged to undertake, or which we have gained your consent to perform.
6. How we keep your information safe
We keep our computers, files and buildings secure. Hard copy files are kept in organised and secure storage areas with lockable cabinets and closed shelving. Claims are filed by Claim Number rather than by member/policyholder number, thus effectively pseudonymising them. We operate a clean desk policy in our offices.
Transit of paper files is strictly limited. Where necessary to have member information available for, e.g. off-site committee meetings, files are redacted where possible to ensure information is either anonymised or pseudonymised. Files in transit between our offices and such meetings are transported in locked bags or boxes. Meeting rooms are secured, and no member information is left in the open or on view to external parties.
Incoming post is brought directly to our office and opened by our staff. Outgoing post is brought to the post office by our own staff.
We follow the standard of encryption in transit and at rest. Electronic copy files are stored on our proprietary IT system which requires user authentication to access it. Back-ups of electronic files are stored securely off-site in fire-resistant storage. Laptops are encrypted at hard-drive level. Use of memory sticks and other portable drives is limited, restricted to management personnel, and all external drives are encrypted.
When you contact us by phone to ask about your information, we may ask you to verify your identity.
7. How long we keep your personal information for
To meet our legal and regulatory obligations, we hold your information while you are a member/policyholder and for a period of time after that. We do not hold it for longer than necessary. To help you understand how long we hold your data for, we have summarised our internal retention schedules below.
Please note that these retention periods are subject to legal, regulatory and business requirements, which may require us to hold the information for a longer period. For example, we must meet minimum retention standards for our Anti Money Laundering requirements; a prior claim may have a bearing on a current claim; legal cases can go on for protracted periods.
To meet such needs and to protect your interests as well as the Society’s interests, we may need to hold data for longer than our internal schedules dictate. However, we will not retain data that is no longer needed, and we continuously assess and delete data to ensure it is not held for longer than necessary.
| Document Type | Example Document | Retention Period |
|---|---|---|
| Details of Health Insurance Coverage with Society | Membership/policyholder details including details of persons Insured by the Society on Member’s Policy. | At least 20 years from cover ending with Society as per existing legislation (S.I. 312/2014). |
| Account and service information | Membership/policyholder account opening documents including documents required for adherence to law or regulations, e.g. AML documents, PPSN, proof of address | At least 6 years beyond account closure or the member/policyholder’s death |
| Account and service information | Account operation records including member/policyholder instructions, communications and complaints | At least 6 years beyond account closure or the member/policyholder’s death |
| Other records | Records relating to legal claims | At least 6 years beyond closure of the case |
| Revenue/Tax documentation | Tax Relief at Source information | At least 6 years beyond account closure or the member/policyholder’s death |
8. Your information and third parties
Where necessary we share your information with third parties. We expect these third parties to have the same levels of information protection that we have, and we require that they provide sufficient guarantees that the necessary safeguards and controls have been implemented to ensure there is no impact on your data rights and freedoms.
We share your personal information and personal information of other person(s) covered on your policy with hospitals and medical professionals/consultants when necessary to aid the efficient processing of claims.
We also have to share information with third parties to meet any applicable law, regulation or lawful request. In all such cases, we will only disclose the minimum amount of information required to satisfy our legal obligation.
In the event you switch to another insurer, we will share your information with the new insurer in accordance with the Health Insurance Act 1994 (Determination of Relevant Increase under section 7A and Provision of Information under section 7B) Regulations 2014 to confirm information that you have provided on taking out a policy with the new insurer; and Statutory Instrument No. 79/2015 – Health Insurance Act 1994 (Open Enrolment) Regulations 2015 to facilitate the determination of maximum waiting periods.
9. International transfers of data
We may transfer your personal information outside of the Republic of Ireland where necessary to administer or manage your health insurance or related claims, but we will not make such a transfer outside the European Economic Area (EEA).
10. Your personal information rights
This section sets out your rights, when they apply and our responsibility to you. The exercise of your rights might be subject to certain conditions and we might require further information from you before we can respond to your request. You may exercise your rights by contacting our Data Protection Officer at: DPO@pomas.ie or by writing to: Data Protection Officer, Prison Officers Medical Aid Society, 397e North Circular Road Dublin 7, D07 TAC9
Accessing your personal information
As a member/policyholder, you can ask us for a copy of the personal information we hold and further details about how we collect, share and use your personal information. You can request the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Updating and correcting your personal details
You can easily edit or update your contact information through the “Members” section of our website or by contacting us by email or letter. You will need your member number, your date of birth, your PPSN (Personal Public Service Number) and an email address to register the first time you use the website. For subsequent visits to the website you will need your member number and a password to access the site and change your contact information online.
If you contact us over the phone to edit or delete your email or phone number, we will ask you questions in order to verify your identity.
Where we process your data solely on the basis of your consent, i.e. for direct marketing purposes or to obtain feedback from you about our services, you are entitled to withdraw your consent to such processing at any time. You can do this by contacting us by email or letter.
Restriction and objection
You may have the right to restrict or object to us processing your personal information. We will require your consent to further process this information once restricted. You can request restriction of processing where:
- The personal data is inaccurate, and you request restriction while we verify the accuracy;
- The processing of your personal data is unlawful;
- You oppose the erasure of the data, requesting restriction of processing instead;
- You require the data for the establishment, exercise or defence of legal claims but we no longer require the data for processing;
- You disagree with the legitimate interest legal basis and processing is restricted until the legitimate basis is verified.
Deleting your information (right to be forgotten)
You may ask us to delete your personal information or we may delete your personal information under the following conditions:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent where there is no other legal ground for the processing;
- you withdraw your consent for direct marketing purposes;
- you withdraw your consent for processing a child’s data;
- you object to automated decision making;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation.
Moving your information (your right to Portability)
Where possible we can share a digital copy of your information directly with you or another organisation. We will provide this information in a structured, commonly used and machine-readable format. Note, we can only share this information where it has been processed electronically (hard copy documents are excluded for portability) and was processed either under your consent or under the lawful basis of provision of a policy of Health Insurance or Health-related Insurance. In line with GDPR guidance, information that is processed to satisfy a legal obligation or that we process as part of our legitimate business interests, will not be regarded as portable (see section 5 “how we use your information”).
Your right to obtain information cannot adversely affect the rights and freedoms of others. Therefore, we cannot provide information on other people unless legally obliged to do so.
We generally do not charge you when you contact us to ask about your information. Per regulation, if requests are deemed excessive or manifestly unfounded, we may charge a reasonable fee to cover the additional administrative costs, or we may choose to refuse the requests.
11. Making a complaint
If you have a complaint about how we are using your personal information, please let us know, so that we have the opportunity to put things right as quickly as possible. If you wish to make a complaint you may do so in person, by phone, by letter or by email. Please be assured that all complaints received will be fully investigated. You can register a complaint through our DPO and we ask that you provide as much information as possible to help us resolve your complaint quickly.
You can also complain directly to the Data Protection Commission, and their contact information is:
- Email: firstname.lastname@example.org
- Phone: +353 (0)761 104 800 or LoCall 1890 25 22 31
- Fax: +353 (0)57 868 4757
- Write to: Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23
12. Updates to this notice
We will make changes to this notice from time to time, particularly when we change how we use your information, or change our technology and products. You will find an up-to-date version of this notice on our website at www.pomas.ie/dataprotection or you can ask us for a copy.