ICAS International supports organizations through the promotion of the health and wellbeing of their employees, whilst at the same time improving productivity and reducing absence. We have been an Employee Assistance Program (EAP) provider since 1987 and today, we are one of the major global players in the sector. We are committed to ensuring your privacy and personal information is protected.
What is Data Protection Law?
Data protection law gives individuals certain rights about the way in which their personal data is processed. If organizations do not comply with data protection law, they may be subject to sanctions and penalties imposed by the national data protection authorities and the courts. When ICAS International processes personal data, this activity and the personal data in question are covered and regulated by data protection law. The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a regulation in European Union law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU.
What does this mean for ICAS International?
ICAS International must take proper steps to ensure that it processes personal data in a safe and lawful manner. ICAS International has therefore developed policies and procedures to ensure appropriate governance and compliance with such data privacy laws, including GDPR. This framework shall apply to all personal data processing activities conducted by ICAS International and its subsidiaries.
Data Protection Principles
Below is a summary of the basic data protection principles that ICAS International must observe when it processes personal data.
Principle 1 – lawfulness of processing, fairness and transparency
- ICAS International will ensure that all processing is carried out in accordance with applicable laws.
- ICAS International will inform and explain to individuals, at the time when their personal data is collected, how their personal data will be processed.
Principle 2 – purpose limitation
- ICAS International will only obtain and process personal data for those purposes which are known to the individual or which are within their expectations and are relevant to ICAS International.
- ICAS International will only process personal data for specified, explicit and legitimate purposes and not further process that information in a manner that is incompatible with those purposes unless such further processing is consistent with the applicable law of the country in which the personal data was collected.
How do we collect your personal information?
We collect personal information directly from you:
- when you use our EAP services generally, which may be by telephone, via e-mail, through the web, mobile or web applications, any other internet-based application or in person;
- when you contract with ICAS International to provide services on our behalf or where we agree to provide services on your behalf;
- via cookies;
- through feedback forms;
- via our telephone calls with you;
- when you provide your details to us either online or offline;
- when you respond to any job advertisement or are employed by ICAS International.
Principle 3 – accuracy
- ICAS International will keep personal data accurate and up to date.
Principle 4 – data minimization
- ICAS International will ensure that data collected and processed is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
What personal information do we collect?
As the data controller, joint data controller and/or data processor, ICAS International may collect and process the following information about you:
- Personal information
- Email address, telephone number – ONLY if this information is relevant to solve a case (e.g. provision of contact details of affiliate, password to open encrypted documents). Any personal information will be deleted upon case closure, at which point the case is totally anonymized.
- factors specific to physical, physiological, economic, cultural or social identity;
- Sensitive personal information
- details of your current or former physical or mental health;
- details concerning sexual life or sexual orientation, for example marital status.
Principle 5 – limited retention of personal data
- ICAS International will only keep personal data for as long as is necessary for the purposes for which it is collected and further processed and to comply with our legal and regulatory obligations. The length of time we retain your personal information will differ depending on the nature of the personal information and what we do with it. In some cases, such as if there is a dispute or a legal action, we may be required to keep personal information for longer.
- No personal data will be kept after case closure. The anonymized case information will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
Principle 6 – security and confidentiality
- ICAS International will implement appropriate technical and organizational measures to ensure a level of security of personal data that is appropriate to the risk for the rights and freedoms of the individuals.
- ICAS International will ensure that providers of services to ICAS International also adopt appropriate and equivalent security measures.
- ICAS International will comply with data security breach notification requirements as required under applicable law.
- ICAS International will ensure that information is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
How do we use your personal information?
We use your personal information to provide you with the services you require based on your situation. So, if you have a problem, we make sure the right network of providers and specialists is in place. However, there are many other reasons why we use your personal information.
Under data protection laws we need a reason to use and process your personal information and this is called a legal basis. We have set out below the main reasons why we process your personal information and the applicable circumstances when we will do so. When the personal information we process about you is classed as sensitive personal information (such as details about your health, sexual orientation or criminal offences) we must have an additional legal ground for such processing.
- Processing is necessary for us to provide you with the services you require, such as assessing your need and setting you up as a user of the services and communicating with you.
- Where we have a legal or regulatory obligation to use such personal information, for example, when our regulators, and our data protection regulator, the Data Protection Officer (DPO), wish us to maintain certain records of any dealings with you.
- Where we need to use your personal information to establish, exercise or defend our legal rights, for example when we are faced with any legal claims or where we want to pursue any legal claims ourselves.
- Where we need to use your personal information for reasons of substantial public interest, such as investigating fraudulent or criminal activities.
- In certain instances, you may elect to use our EAP services anonymously. However, where necessary we will ask for your consent in relation to processing your sensitive personal information (such as health data), such as where you are in a safety critical role. This will be made clear when you provide your personal information. We will ask for your consent and explain why it is necessary. Without your consent in these circumstances, we may not be able to provide you with, or you may not be able to benefit from, some of our services.
- Where you provide sensitive personal information about a third party we will ask you to confirm that the third party has provided his or her consent.
- Where we have an appropriate legitimate business need to use your personal information, such as maintaining our business records, developing and improving our products and services, all whilst ensuring that such business need does not interfere with your rights and freedoms and does not cause you any harm.
- Where we need to use your sensitive personal information such as health data because it is necessary for your vital interests, this being a life or death matter.
Principle 7 – rights of individuals
- ICAS International will adhere to the data subject rights procedure and will respond to any requests from individuals to access their personal data in accordance with applicable law.
- ICAS International will also deal with requests to rectify or erase inaccurate or incomplete personal data, or to cease processing personal data in accordance with the data subject rights procedure.