HIA Privacy Statement
This statement describes how The Health Insurance Authority (the “HIA”) processes your personal information. Please take the time to read it carefully. You have a number of rights in relation to your personal information including the right to object to the processing of your personal information where that processing is carried out for the HIA’s legitimate interests.
General Privacy Statement
About the Health Insurance Authority
The HIA is a statutory regulator of the private health insurance market. The HIA was established by Ministerial Order on 1 February, 2001 under the Health Insurance Act, 1994 and operates in accordance with the provisions of this Act and the Health Insurance (Amendment) Acts (collectively “the Health Insurance Acts”). The Health Insurance Acts provide for the regulation of the business of private health insurance in Ireland following the enactment of the European Union "Third Non-Life Insurance Directive". The HIA is independent in the exercise of its functions which are provided for in the Health Insurance Acts.
The HIA is audited by the Comptroller and Auditor General and subject to the requirements thereof. The HIA is also subject to the corporate governance procedures of the “Code of Practice for the Governance of State Bodies” issued by the Department of Public Expenditure and Reform. The HIA is a public body to which the provisions of the Freedom of Information Acts and the Data Protection Acts apply.
The www.hia.ie website is maintained by the HIA. The HIA respects the rights of its users. Any personal information which you volunteer will be treated with the highest standards of security and confidentiality, strictly in accordance with the Data Protection Acts, 1988 – 2018 and the General Data Protection Regulation (GDPR) effective from the 25th May 2018.
The HIA has appointed a Data Protection Officer who is responsible for overseeing questions in relation to this privacy statement and its approach to privacy. The Data Protection Officer is a designated position under Data Protection Legislation and their duties are defined under the legislation. If you have any questions about this privacy statement or data protection in general, including any request to exercise your rights, please contact the Data Protection Officer using the details set out below:
Data Protection Officer
The Health Insurance Authority
The purpose and basis for processing personal information
The HIA collects your information for a number of purposes and rely on a number of different bases to use personal information.
- Legitimate business interests
Where the HIA processes personal information for its legitimate interests, it will ensure that there is a fair balance between its legitimate interest and the individuals fundamental rights and freedoms.
The HIA may use personal information to manage its everyday business needs including accounting, internal reporting needs, market research, to progress and respond to queries, to ensure appropriate IT security and to prevent fraud, in our legitimate interest. The HIA’s legitimate interest is the effective management of the organisation and performance of its functions under the Health Insurance Acts.
The HIA may use personal information to update you on market or organisational developments where consent has been provided.
- The establishment, exercise or defence of legal claims
The HIA sometimes processes personal information, including sensitive personal information, such as information concerning health, trade union membership and criminal convictions/offences where it is necessary for the establishment, exercise or defence of legal claims.
- Professional service contract
When the HIA engages in a professional services contract it may be necessary to collect personal information in order to seek and receive instructions, to assess tenders and contracts, and in relation the operation of those professional services.
- Legal Obligation
Personal data on the health insurance population that is supplied to the HIA under Statutory Information Returns or under its functions in relation to the Risk Equalisation Scheme. The HIA may also collect personal data where it is legally obligated to such as the collection of taxes.
The HIA will, in certain circumstances, rely on explicit consent to process personal data, including, sensitive personal data for example when assisting a consumer with a health insurance query or complaint. This consent can by withdrawn at any time by using the contact details of the Data Protection Officer set out above.
Categories of data subjects
The HIA holds three categories of personal data:
- Data on current and previous employees and Authority Members;
- Data on consumers who call, visit or directly contact the HIA seeking advice or assistance through a case management system; and
- Data on individuals in the health insurance population that is supplied to the HIA under Statutory Information Returns or under its functions in relation to the Risk Equalisation Scheme.
Types of information collected and some examples of how it is used
The HIA may collect, use, store and transfer different kinds of personal information as follows and use it for a variety of different purposes and across various statutory/legal obligations, provision of services or the conduct of its business.
Information type: Address, email address, telephone numbers, contact details.
Example of how it is used: This information is used to provide services as instructed, to operate service contacts, to send out market information, and to respond to consumer queries.
Information type: Name, date of birth, PPSN, marital status, nationality, driving licence, passport.
Example of how it is used: This information is used to manage the organisation (payroll, HR and banking facilities), and to verify identity in certain circumstance.
Your information and third party service providers
Third party service providers
The HIA may share personal information with or provide access to personal data to third party service providers that perform services and functions at its direction and on its behalf such as lawyers, IT service providers, printers, shredding companies, and providers of security and administrative services.
An Garda Síochána, government bodies, or other government officials:
The HIA may share personal information with an Garda Síochána, or other government bodies or agencies including but not limited to the Revenue Commissioners, where required to do so by law.
The HIA may share your personal information with other Regulatory Authorities, where required to do so by law.
The HIA may provide personal information to third parties to facilitate your instructions to us, such as lawyers, parties to any professional claim, parties with whom the individual has a professional issue or complaint and third parties who you instruct us to communicate with on your behalf.
Duration of processing
The HIA will process (use/store) personal data only for so long as long as you require us, or as legally required or for a set retention period set out in the HIA Data Retention Policy.
Use of sub-processors
As part of service delivery and the operation of the HIA it is necessary for it to use sub-processors.
IT support is provided by parties external to the HIA. Some solutions used are cloud based and the need to rely on those systems varies depending upon the services delivered or organisational requirements.
All sub-processors are bound by the HIA to provide at least the same level of protection for personal data it does.
The HIA uses a number of suppliers to provide the organisation with IT and other associated services for the delivery of the business and services. In many cases, but only on an as required basis, the suppliers used will be granted access to the data held by the HIA in order to provide technical assistance or service. Such processing activities are not directly related to the organisations principal services and are considered ancillary.
As with many modern organisations, data may be transferred or processed subject to business needs. Data may be stored on HIA encrypted devices or by a processor on similarly secure devices. Appropriate technical measures have been put in place to ensure data remain secure irrespective of where it is processed.
The HIA may process personal data through appointed service providers worldwide. In the event this is necessary the HIA will ensure appropriate controls exist in the form of EU standard contractual clauses to protect personal data and data subject rights and freedoms.
Transfers outside the European Economic Area
The HIA may transfer personal data outside the European Economic Area. These countries do not always afford an equivalent level of privacy protection and in such circumstances specific steps are taken, in accordance with data protection law to protect personal information. In particular, for transfers of personal data, outside the EEA where there is no adequacy decision by the European Commission, the HIA may rely on contractual protection approved by the European Commission or the applicable safeguards under data protection law.
The HIA has put technological and organisational controls, including policies and procedures, in place to protect personal data from loss, misuse, alteration or unintentional destruction. HIA personnel who have access to the data have been trained to maintain the confidentiality of such information. Conditions to protect data to at least the same standard as the HIA does are cascaded to all our contractors, sub processors and suppliers.
The HIA carries out regular monitoring and testing of its security defences to ensure they continue to be effective against the latest threats.
Data transferred over the internet by us are protected using encryption technologies to ensure they remain secure.
Please note that no communications over the internet can be guaranteed as secure. Whilst we take appropriate steps to protect your data we cannot guarantee that it will remain secure in transit. Once data reaches your network it is your responsibility to ensure it remains secure.
Individuals have several rights under data protection law in relation to how the HIA uses personal information. Individual have the right free of charge to:
- Request a copy of the personal information held about them;
- Rectify any inaccurate personal data held;
- Erase personal information held.
- Restrict processing of personal information;
- Object to the HIA’s use of personal information for their legitimate interests;
- Receive personal information in a structured commonly used and machine readable format; and
- To have that data transmitted to another data controller.
These rights are in some circumstances limited by data protection legislation. If you wish to exercise any of these rights please contact the HIA’s Data Protection Officer using the contact details contained in Section 9 - Requesting Access, Rectification or Erasure of Personal Data - Request Form.
You also have the right to lodge a complaint to the Office of the Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois – firstname.lastname@example.org
The www.hia.ie website is maintained by the Health Insurance Authority. The HIA respects the rights of its users and does not collect personal information of any kind without your permission. Any personal information which you volunteer will be treated with the highest standards of security and confidentiality, strictly in accordance with the Data Protection Acts, 1988 - 2018.
Collection and use of personal information
The www.hia.ie website does not collect any personal data, apart from information that you volunteer; for example, when providing feedback or asking a question. Any information provided in this way is used only for the purpose it is provided.
To make this website work properly, the HIA sometimes place small data files called cookies on your device. Most websites do this.
What are cookies?
A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another.
Google Analytics uses only first-party cookies for data analysis. This means that the cookies are linked to our website domain(s), and the HIA will only use that cookie data for statistical analysis related to browsing behaviour on our websites. If you choose, you can opt out by turning off cookies in the preferences settings in your browser. IP addresses are also truncated by the last octet prior to its storage using the "_anonymizeIp()" method.
You can opt-out from being tracked by Google Analytics by downloading and installing Google Analytics Opt-out Browser Addon for your current web browser: Google Analytics Opt-out Browser Add-on.
The following functional cookies allow the website to remember choices you make to provide enhanced, more personal features. The information these cookies collect may be anonymous and they cannot track your browsing activity on other websites. More information about these cookies are found in the relevant third party websites:
- Facebook.com – displays the HIA’s Facebook page
- Twitter.com - displays the HIA’s twitter feed
- linkedin.com – displays the HIA’s LinkedIn page
- Google+ - displays the HIA’s Google+ feed
How to control cookies
You can control and/or delete cookies as you wish - for details, see aboutcookies.org. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.
Information the HIA routinely collect
- Statistical information (IP address and hostname, web browser version, pages visited etc.)
- The previous website address from which you reached us, including any search terms used
- Other information submitted in forms, for example if you submit your personal details when requesting a publication or asking a question
What we use the information for
Any personal information you provide will be used only for the purpose supplied. Your details will be deleted from the system after a set period of time. Any other information collected using cookies, is used only for analysing usage patterns, in order to guide us in improving the site.
The HIA will neither make attempts to identify individual visitors, nor associate the technical details listed above with any individual. It is our policy never to disclose such technical information in respect of individual website visitors to any third party unless obliged to disclose such information by a rule of law. The technical information will be used only for statistical and other administrative purposes.
You should note that technical details, which we cannot associate with any identifiable individual, do not constitute "personal data" for the purposes of the Data Protection Acts, 1988 - 2018.
Disclosure of Your Information
We will not use your personal information or data for a purpose other than the purposes for which you supplied it, and will not disclose it to any other person or organisation unless:
- The information is necessary to facilitate answering of a query or specific request, which you have made;
- We are required by law to do so such as the prevention, detection or investigation of offences;
- The assessment or collection of tax, duty or other money owed to the State;
- Where required to do so by law or court order;
- Where it is required for obtaining legal advice or for legal proceedings;
- There are reasonable grounds to believe that disclosure is necessary to prevent a threat to life or health; or
- That person or organisation is an agent or contractor providing a service to the HIA, who will be required to maintain the same or similar privacy principles as specified in privacy legislation; or
- You have given us consent to do so.
Implications of not providing information
Sharing information with us is in both your interest and ours.
We need your information in order to:
- Provide our services to you and fulfil our contract with you.
- Manage our business for our legitimate interests.
- Comply with our legal obligations.
Of course, you can choose not to share information, but doing so may limit the services we are able to provide to you.
- We may not be able to provide you with certain services that you request. We may not be able to continue to provide you with or renew existing services.
- When we request information, we will tell you if providing it is a contractual requirement or not and whether or not we need it to comply with our legal obligations.
Glossary of Technical Terms Used
The piece of software you use to read web pages. Examples are Microsoft Internet Explorer, Firefox, Mozilla, Safari and Opera.
The identifying details for your computer (or your Internet company’s computer), expressed in "internet protocol" code (for example 192.168.72.34). Every computer connected to the web has a unique IP address, although the address may not be the same every time a connection is made.
Small pieces of information, stored in simple text files, placed on your computer by a website. Cookies can be read by the website on your subsequent visits. The information stored in a cookie may relate to your browsing habits on the web page, or a unique identification number so that the website can "remember" you on your return visit. Generally speaking, cookies do not contain personal information from which you can be identified, unless you have furnished such information to the website.