ICAS World and its subsidiary companies and branches (referred to as “ICAS” in this policy) supports organisations through the promotion of the health and wellbeing of their employees, while at the same time improving productivity and reducing absence. We have been an Employee Assistance Programme (EAP) provider since 1987 and today, we are one of the major global players in the sector. We are committed to ensuring your privacy and personal information is protected.
Data protection law gives individuals certain rights about the way in which their personal data is processed. If organisations do not comply with data protection law, they may be subject to sanctions and penalties imposed by the national data protection authorities and the courts.
When ICAS processes personal data, this activity and the personal data in question are covered and regulated by data protection law. The General Data Protection Regulation (“GDPR”) (EU) 2016/679 (“GDPR”) is a regulation in European Union law on data protection and privacy for all individuals within the European Union, and the UK has retained a version of it. The Protection of Personal Information Act 2013 (“POPIA”) is a South Africa law on data protection and privacy for all individuals within South Africa. Both laws address the transfer of personal data outside their borders.
This Policy describes how personal data must be processed to meet ICAS’s data protection standards and to comply with privacy laws and regulations. Additional instructions and / or guidelines regarding personal data processing activities at ICAS are provided to ICAS employees in internal policies.
ICAS must take proper steps to ensure that it processes personal data on an international basis in a safe and lawful manner. ICAS has therefore developed policies and procedures to ensure appropriate governance and compliance with such data privacy laws, including GDPR and POPIA. Such framework shall apply to all personal data processing activities conducted by ICAS globally.
Below is the summary of basic data protection principles that ICAS must observe when it processes personal data.
How do we collect your personal
We collect personal information directly from you:
We also collect your personal information from many different sources including third parties such as:
What personal information do we collect?
As the data controller / responsible party, joint data controller and/or data processor / operator, ICAS processes your personal information to meet our legal, statutory and contractual obligations and to provide you with our services. We will never collect any unnecessary personal data from you and do not process your information in any way, other than as specified in this notice:
How do we use your personal information?
We use your personal information to provide you with the services you require based on your situation. So, if you have a problem, we make sure the right network of providers and specialists are in place. However, there are many other reasons why we use your personal information.
Under data protection laws we need a reason to use and process your personal information and this is called a legal basis. We have set out below the main reasons why we process your personal information and the applicable circumstances when we will do so. When the personal information we process about you is classed as sensitive personal information (such as details about your health, sexual orientation or criminal offences) we must have an additional legal ground for such processing. Legal grounds are as follows.
The right to access your personal information
You are entitled to a copy of the personal information we hold about you and certain details of how we use it. In Europe, there will not usually be a charge for dealing with these requests. Your personal information will usually be provided to you in writing, unless otherwise requested, or where you have made the request by electronic means, in which case the information will be provided to you by electronic means where possible. For requests for access to medical records, we will provide a summary of clinical interactions.
The right to rectification
We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, please contact us and you can ask us to update or amend it.
The right to erasure
In certain circumstances, you have the right to ask us to erase your personal information, for example where the personal information we collected is no longer necessary for the original purpose or where you withdraw your consent. However, this will need to be balanced against other factors, for example according to the type of personal information we hold about you and why we have collected it, there may be some legal and regulatory obligations which mean we cannot comply with your request. Please note that if you withdraw your consent we may not be able to provide you with the services you have requested.
Right to restriction of processing
In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to process your personal information.
Right to data portability
In certain circumstances, you have the right to ask that we transfer any personal information that you have provided to us to another third party of your choice. Once transferred, the other party will be responsible for looking after your personal information.
Right to object to direct marketing
You can ask us to stop sending you marketing messages at any time.
Right not to be subject to automated-decision making
Some of our decisions are made automatically by inputting your personal information into a system or computer and the decision is calculated using certain automatic processes rather than our employees making those decisions.
The right to withdraw consent
For certain uses of your personal information, we will ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal information. Please note in some cases we may not be able to deliver the services you require if you withdraw your consent.
The right to make a complaint
You have a right to complain to the relevant regulator at any time if you object to the way in which we use your personal information. More information can be found on regulators’ websites — the Information Commissioner’s Office website https://ico.org.uk/ for the UK, the Information Regulator’s website for South Africa https://www.justice.gov.za/inforeg/
Who do we share your personal information with?
ICAS and its employees (including new hires, individual contractors and temporary staff) that process personal data worldwide must comply with, and respect, this Policy when processing personal data as a controller and / or processor, irrespective of the country in which they are located.
ICAS reserves the right to change, modify or update this Policy at any time. Please review it frequently for any updates. If you do not agree with our privacy practices, please do not provide us with personal information.
By using the services, you are representing to ICAS that you have reached the age of majority in the jurisdiction in which you reside, such as you can lawfully enter into agreements with ICAS and provide your informed and express consent with respect to ICAS’s collection, use and disclosure of your personal information and personal health information (if applicable). If you have not reached the age of majority in the jurisdiction in which you reside, you may not sure or access our services or otherwise share your personal information of personal health information with us, unless your parent or another personal lawfully entitled to give or refuse consent in the place of your parent has provided us with express consent on your behalf.
If you have any questions regarding the provisions of this Policy, your rights under this Policy or any other data protection issues, you can contact the ICAS Data Privacy Office at the address below who will either deal with the matter or forward it to the appropriate person or department within ICAS.
Please note that in some cases we may not be able to comply with a request relating to your rights under this policy for reasons such as our own obligations to comply with other legal or regulatory requirements. However, we will always respond to any request you make within one month and if we can’t comply with your request, we will tell you why. In some circumstances exercising some of these rights (including the right to erasure, the right to restriction of processing and the right to withdraw consent) will mean we are unable to continue providing you the services you have selected and may therefore result in the cancellation thereof.
Attention: Ayjan Cunningham – Data Privacy Officer
Address: ICAS International Holdings Ltd, 85 Gresham Street, London, EC2V 7NQ
To log a Data Subject Access Request, e-mail firstname.lastname@example.org (Europe) or email@example.com (South Africa). Note that we will require proof of identification (passport or driver’s license) and a utility bill to confirm that you are the Data Subject.
Additional terms may apply to you based upon the country you reside in or the services you use. Please click the region or state that applies to you to learn more about additional terms and rights that may apply to you.
The GDPR and PIPEDA are aligned in numerous respects. Both pieces of legislation establish accountability as a fundamental principle and impose similar obligations regarding territorial and material scope, implementation of security measures, and breach notification requirements.
1. Principal 2 – Purpose Limitation
Subject to Section 6 of the Quebec Privacy Act, information held and processed by ICAS will be done so on the basis of Consent from the data subject except:
a: if there is a serious and legitimate reason to not obtain consent and either of the following conditions are fulfilled:
(i) the information is collected in the interest of the person concerned and cannot be collected from that person in due time;
(ii) collection from a third person is necessary to ensure the accuracy of the information, or
b: if the collection is otherwise authorised by law.
2. Principal 8 – Ensuring adequate protection for trans-border transfers
3. Principal 9 – Safeguarding the use of sensitive personal data
In respect of personal information obtained from Quebec residents, where personal information is transferred to third party service providers, ICAS shall use safeguards to ensure that such third party service providers will take necessary security measures with respect to the protection of personal information that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.
4. ICAS’s sub-processors (subsidiaries), as set forth in Principle 8 of this policy, are third parties under Applicable Data Protection Law, with whom ICAS has entered into a written contract that includes terms substantially similar to this policy. ICAS has conducted appropriate due diligence on its sub-processors.
5. ICAS will ensure that the appropriate technical and organizational measures as set forth in Principle 6, clause 2 (Security) of this policy are adhered to.
6. Consent to the Collection, Use, and Disclosure of Personal Information.
By using the services, you are representing to ICAS that you have reached the age of majority in the Canadian province in which you reside, such that you can lawfully enter into agreements with ICAS and provide your informed and express consent with respect to ICAS’s collection, use, and disclosure of your personal information and personal health information. If you have not reached the age of majority in the Canadian province in your province of residence, you may not use or access our services or otherwise share your personal information or personal health information with us, unless your parent or another person lawfully entitled to give or refuse consent in the place of your parent has provided us with express consent on your behalf.
8. Our Data Protection Officer is available to facilitate requests for access or correction to users own personal information and to describe how you can file a complaint with the applicable regulator regarding our handling of your personal health information where required by law: