Circular Letter 0012/2024
To: The Managerial Authorities of Recognised Primary, Secondary,
Community and Comprehensive Schools
and
The Chief Executives of Education and Training Boards
THE GENERAL DATA PROTECTION REGULATIONS (GDPR)
RESPONSIBILITIES OF DATA CONTROLLERS IN
RESPECT OF THE OCCUPATIONAL HEALTH SERVICE
(OHS)
1. Purpose of this Circular
1.1. The purpose of this Circular is to confirm the role and the relationship of
the Employer, Medmark Limited and the Department of Education as
Joint Data Controllers with regards to the processing of personal data
and special category personal data in relation to the Occupational Health
Service (OHS) for the purposes of Section 79 of the Data Protection Acts
1988 to 2018 and Article 26 of Regulation (EU) 2016/679 (GDPR).
1.2. It is a requirement under the GDPR that Joint Data Controllers set out
their respective responsibilities in a transparent manner by means of an
agreement and that is the purpose of this Circular.
1.3. Please ensure that the contents of this Circular are brought to the
attention of all members of the Board of Management/Education and
Training Board and all relevant employees (teacher, special needs
assistant and clerical officer/caretaker (employed under the 1978/79
Scheme)) in your employment, including those on leave of absence.
Further information is available from the Department of Education’s
website at www.gov.ie.
2. Definitions
2.1. “The Department” means the Department of Education;
2.2. The “parties” is a reference to the Employer, Medmark Limited and the
Department of Education as Joint Data Controllers under this agreement;
2.3. “The Data” means such personal information as is processed;
2.4. “GDPR” means the EU General Data Protection Regulation 2016/679;
2.5. The term “Article” refers to an article in the GDPR;
2.6. “Personal Data”, “Processing”, “Data Controller”, “Data Processor”, “Data
Subject” and “Personal Data Breach” have the meanings assigned to
them by Article 4 of the GDPR;
2.7. “Data Protection Acts” means the Data Protection Acts 1988 to 2018 and
any amendments thereto;
2.8. “The Act” means the Education Act 1998 as amended;
2.9. “Employee” means teacher, special needs assistant and clerical
officer/caretaker (employed under the 1978/79 Scheme) in approved
posts funded by monies provided by the Oireachtas;
2.10. “Employer” means an Education and Training Board (ETB) for vocational
schools/community colleges, community national schools and a Board of
Management/Manager in the case of primary (excluding community
national schools), voluntary secondary, community and comprehensive
schools. The ETB or Board of Management/Manager may delegate as
appropriate;
2.11. “Joint Data Controller” has the meaning given to it by Article 26 of the
GDPR, which is where two or more Data Controllers jointly determine the
purposes and means of processing;
2.12. “Occupational Health Service (OHS)” means a service which provides
independent medical advice on occupational health to the Employer;
2.13. “Special Category Personal Data” has the meaning given to it by Article 9
of the GDPR, which is personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, or trade union
membership, and the processing of genetic data, biometric data for the
purpose of uniquely identifying a natural person, data concerning health
or data concerning a natural person’s sex life or sexual orientation;
2.14. “On Line Claims System (OLCS)” means the system for
recording absences and claiming substitution currently operating
in primary, voluntary secondary, community and comprehensive
schools.
3. Background and Introduction
Background, Subject Matter and Purpose of the Processing
3.1. The OHS is in place to provide employers with occupational health
advice in relation to pre-employment medical assessments and an
employee’s medical fitness for work under the terms and conditions of
the Sick Leave Scheme. The OHS provider, contracted by the
Department, is the sole recognised provider of independent medical
advice for employers.
As Data Controllers the Employer, Medmark Limited as the OHS provider
and the Department are all assigned responsibilities by the GDPR
relating to personal data held by them. Each Data Controller is expected
to comply fully with all such responsibilities.
Irrespective of the terms of this Joint Data Controller Agreement, a data
subject may exercise his/her rights in respect of and against each of the
Data Controllers including, but not limited to, those rights contained in
Articles 13 and 14 of the GDPR.
Where a data subject seeks to exercise his/her rights under the GDPR in
relation to the OHS process from a particular Data Controller, that Data
Controller shall deal with the request where it relates to the data held by
that Data Controller’s organisation.
The subject matter of the processing is personal data and special
category personal data in relation to the OHS.
The purpose of the processing is to provide occupational health advice to
employers which incorporates health management including Pre-
Employment Health Assessments, Sickness Absence Assessments,
Medical Assessments of Fitness for Work and Ill-Health Retirement
Assessments including facilitation of Critical Illness Provision appeals
and Ill-Health Retirement appeals for employees.
Type of Personal Data
3.2. The Employer holds personal data relating to the employee’s Sick Leave
record(s), the OHS referral record(s) and the OHS medical fitness to
work report(s).
Medmark Limited holds personal data relating to assessments of the
employee’s medical fitness to work which includes pre-employment
health assessments, sickness absences, assessment of applications for
access to Critical Illness Provisions and Ill-Health Retirement
assessments.
The Department holds the following data:
(i) Personal data relating to the employee’s Sick Leave records
(available on the Online Claims System (OLCS)), and Ill-Health
Retirement applications;
(ii) Statistical data collected from Medmark Limited in the form of
periodic reports. This data is anonymised, aggregate data, which
cannot be attributed to a specific data subject.
The categories of personal data processed by the Employer are:
Name
Date of birth
PPSN
Residential address
Contact details
Sick Leave records (Medical Information/Special category
personal data concerning health)
The categories of personal data processed by Medmark Limited are:
Name
Residential address
Date of birth
Medical information
Special category personal data concerning health
The categories of personal data processed by the Department are:
Name
Date of birth
PPSN
Residential address
Contact details
Sick Leave records (available on the Online Claims System
(OLCS))
Category of Data Subject
3.3. Data Subject has the meaning given to it by Article 4 of the GDPR,
which is an identified or identifiable natural person. For the purposes of
this agreement it is any person referred to the OHS.
4. Functions and obligations of the Employer
4.1. The Employer is responsible for:
(i) Referring the employee to the OHS.
(ii) Seeking advice from the OHS.
(iii) Providing the employee with a copy of OHS referral and OHS ‘Fitness
to Work’ report.
(iv) Providing the employee with data relating to the employee’s Sick
Leave record(s).
(v) The ETBs hold personal data relating to the employee’s Ill-Health
Retirement applications.
Therefore, in relation to the personal data processed in these
circumstances, the Employer has the responsibility to comply with a data
subject exercising his/her rights under the GDPR.
4.2. In accordance with Article 6(1) and Article 9(2) of the GDPR, the
Employer in discharge of its obligations must have regard for:
The Data Protection Acts; and
The GDPR.
5. Functions and obligations of Medmark Limited
5.1. Medmark Limited is responsible for:
(i) Processing referrals from employers.
(ii) Determining appropriate retention criteria for personal data.
Therefore, in relation to the personal data processed in these
circumstances, Medmark Limited has the responsibility to comply with a
data subject exercising his/her rights under the GDPR.
5.2. In accordance with Article 6(1) and Article 9(2) of the GDPR, Medmark
Limited in discharge of its obligations must have regard for:
The Data Protection Acts; and
The GDPR.
6. Functions and obligations of the Department
6.1. The Department holds personal data relating to the employee’s Ill-
Health Retirement applications. Therefore, in relation to this personal
data, the Department has the responsibility to comply with a data
subject exercising his/her rights under the GDPR.
6.2. In accordance with Article 6(1) and Article 9(2) of the GDPR, Sections
7(1)c and 24(3) of the Education Act 1998, the Department in discharge
of its obligations must have regard for:
The Data Protection Acts; and
The GDPR.
7. Joint Data Controllers
7.1. Article 26 of the GDPR defines a joint controller as follows: “where two or
more controllers jointly determine the purposes and means of
processing, they shall be joint controllers”. The Employer together with
Medmark Limited and the Department are deemed to be Joint Data
Controllers in respect of the data processed for the purpose(s) set out
above. However, the respective roles and obligations of the parties differ
and as such need to be defined.
7.2. The purpose of this agreement is to define the relationship and
respective obligations to data subjects of the Employer, Medmark Limited
and the Department. In so doing the parties have determined their
respective responsibilities for compliance with the obligations under the
Data Protection Acts and GDPR, in particular as regards the exercising
of the rights of the data subject and their respective duties to provide the
information referred to in Articles 13 and 14 of the GDPR. The parties
understand that a separate Privacy Notice by each party is to be in place
for data subjects in relation to the OHS.
7.3. None of the parties to this agreement shall engage a data processor
without the agreement of the other parties.
8. Obligations of the Employer, Medmark Limited and the Department
as Joint Data Controllers
8.1. For the purposes of this agreement the parties jointly assume the role of
“Data Controller” within the definition of the Data Protection Acts and
shall have responsibility for ensuring compliance with the Data Protection
Acts and GDPR. Each party shall respond to requests made to that party
from data subjects regarding the data held by that party. Without
prejudice to the generality of the foregoing, the obligations of the parties
under this agreement shall extend to:
Data compliance
8.1.1. Compliance with relevant sections of the Data Protection Acts in
force from time to time.
8.1.2. Compliance with the GDPR.
Fair and Lawful Processing
8.1.3. Ensuring compliance with Section 71 of the Data Protection Acts
in respect of fair and lawful processing and Articles 5 (principles relating
to the processing of personal data), 6 (lawfulness of processing), 7
(conditions for consent) and 9 (processing of special categories of
personal data) of the GDPR.
8.1.4. None of the parties to this agreement shall transfer the personal
data to a third country outside of the European Economic Area without
the express consent of the other parties.
Data Subject Rights - Dealing with Requests under Articles 15 - 22 of the GDPR
8.1.5. Dealing with requests under Articles 15 - 22 of the GDPR
regarding the rights of data subjects.
Transparency
8.1.6. Complying with Articles 13 and 14 of the GDPR in respect of
information to be furnished to individual data subjects.
Accountability
8.1.7. Maintaining suitable records to demonstrate compliance with the
GDPR and Data Protection Acts in accordance with Article 24 of the
GDPR.
Data Security & Data Breach
8.1.8. The use of appropriate security measures for the data as per
Article 32.
8.1.9. The notification of any data breach in accordance with Article 33
and where applicable, under Article 34.
8.1.10. Where a data breach occurs, the party whose breach of
security has resulted in the breach shall inform the other party without
undue delay and no later than 24 hours after becoming aware of the
breach.
Consultation with the Data Protection Commission
8.1.11. The parties shall collaborate in respect of communication
with the Data Protection Commission on the processing which is the
subject of this agreement. This includes the obligation to consult under
Article 36.
Data Protection Officer appointed under Article 37 of the GDPR
8.1.12. Contact details
The Data Protection Officer for Medmark Limited can be contacted at:
Data Protection Officer (DPO),
Medmark,
69 Lower Baggot Street,
Baggot Street Bridge,
Dublin 2,
D02 HW52.
Phone: 01-6761493.
The Data Protection Officer for the Department can be contacted at:
Data Compliance & Support Section,
Department of Education,
Cornamaddy,
Athlone,
Co. Westmeath,
N37 X659.
Phone: +353(0)90 648 3908
Disclosures
8.1.13. The parties will not disclose any of the personal data which they
process unless there is a legal basis for such disclosures and,
subject to any regulations restricting the data subject’s rights
under the Data Protection Acts, the data subjects will be
informed by the parties of these disclosures in advance.
Data Storage
8.1.14. Each party shall determine the retention period which is
necessary for any personal data which it processes.
9. Administrative Matters
9.1. The parties as Joint Data Controllers, shall:
9.1.1. Assume liability for all Data in respect of Sections 141, 142 and
143 of the Data Protection Acts, Articles 79 and 82 of the
GDPR and the Law of Torts.
9.1.2. Deal with all requests under Chapter 4 of the Data Protection
Acts regarding rights and the restriction of rights of data
subjects and Articles 13 to 22 of the GDPR. Responses thereto
shall be final, subject to review only by the Data Protection
Commissioner or Courts as appropriate.
9.1.3. A party that is demonstrably in breach of one of its obligations
under the agreement, thus causing the other parties to be held
liable by a third party for any damage, costs or interest
payments it has incurred, shall indemnify the other parties
against the claims brought by the third party and reimburse any
expenses the other parties may incur.
10. Contact Details for Data Subjects
10.1. Data subjects wishing to make contact with the data controllers can:
Contact the Employer i.e. the relevant recognised Primary, Secondary,
Community and Comprehensive School or the Chief Executive of the
relevant Education and Training Board.
Contact Medmark Limited at:
Data Protection Officer (DPO),
Medmark,
69 Lower Baggot Street,
Baggot Street Bridge,
Dublin 2,
D02 HW52.
Phone: 01-6761493.
Contact the Department at:
Pension Unit,
Department of Education,
Cornamaddy,
Athlone,
County Westmeath,
N37 X659.
Phone: 090 648-4189
11. Duration of Agreement
11.1. Save for any review undertaken, this Joint Data Controller Agreement will
remain in force between the Employer, Medmark Limited and the
Department for the duration of the Occupational Health Service Contract.
The agreement will be reviewed at the request of any party.
James Walsh
Principal Officer
Teacher/SNA Terms and Conditions Section

Tara Carton
Principal Officer
Data Compliance & Support Section
01 February 2024