ICAS World and its subsidiary companies and branches (referred to as “ICAS” in this policy) supports organisations through the promotion of the health and wellbeing of their employees, while at the same time improving productivity and reducing absence. We have been an Employee Assistance Programme (EAP) provider since 1987 and today, we are one of the major global players in the sector. We are committed to ensuring your privacy and personal information is protected.
Data protection law gives individuals certain rights about the way in which their personal data is processed. If organisations do not comply with data protection law, they may be subject to sanctions and penalties imposed by the national data protection authorities and the courts. When ICAS processes personal data, this activity and the personal data in question are covered and regulated by data protection law. The General Data Protection Regulation (“GDPR”) (EU) 2016/679 (“GDPR”) is a regulation in European Union law on data protection and privacy for all individuals within the European Union, and the UK has retained a version of it. The Protection of Personal Information Act 2013 (“POPIA”) is a South Africa law on data protection and privacy for all individuals within South Africa. Both laws address the transfer of personal data outside their borders.
ICAS must take proper steps to ensure that it processes personal data on an international basis in a safe and lawful manner. ICAS has therefore developed policies and procedures to ensure appropriate governance and compliance with such data privacy laws, including GDPR and POPIA. Such framework shall apply to all personal data processing activities conducted by ICAS globally.
Below is the summary of basic data protection principles that ICAS must observe when it processes personal data.
How do we collect your personal
We collect personal information directly from you:
We also collect your personal information from many different sources including third parties such as:
What personal information do we collect?
As the data controller / responsible party, joint data controller and/or data processor / operator, ICAS processes your personal information to meet our legal, statutory and contractual obligations and to provide you with our services. We will never collect any unnecessary personal data from you and do not process your information in any way, other than as specified in this notice:
How do we use your personal information?
We use your personal information to provide you with the services you require based on your situation. So, if you have a problem, we make sure the right network of providers and specialists are in place. However, there are many other reasons why we use your personal information.
Under data protection laws we need a reason to use and process your personal information and this is called a legal basis. We have set out below the main reasons why we process your personal information and the applicable circumstances when we will do so. When the personal information we process about you is classed as sensitive personal information (such as details about your health, sexual orientation or criminal offences) we must have an additional legal ground for such processing. Legal grounds are as follows.
The right to access your personal information
You are entitled to a copy of the personal information we hold about you and certain details of how we use it. In Europe, there will not usually be a charge for dealing with these requests. Your personal information will usually be provided to you in writing, unless otherwise requested, or where you have made the request by electronic means, in which case the information will be provided to you by electronic means where possible. For requests for access to medical records, we will provide a summary of clinical interactions.
The right to rectification
We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, please contact us and you can ask us to update or amend it.
The right to erasure
In certain circumstances, you have the right to ask us to erase your personal information, for example where the personal information we collected is no longer necessary for the original purpose or where you withdraw your consent. However, this will need to be balanced against other factors, for example according to the type of personal information we hold about you and why we have collected it, there may be some legal and regulatory obligations which mean we cannot comply with your request. Please note that if you withdraw your consent we may not be able to provide you with the services you have requested.
Right to restriction of processing
In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to process your personal information.
Right to data portability
In certain circumstances, you have the right to ask that we transfer any personal information that you have provided to us to another third party of your choice. Once transferred, the other party will be responsible for looking after your personal information.
Right to object to direct marketing
You can ask us to stop sending you marketing messages at any time.
Right not to be subject to automated-decision making
Some of our decisions are made automatically by inputting your personal information into a system or computer and the decision is calculated using certain automatic processes rather than our employees making those decisions.
The right to withdraw consent
For certain uses of your personal information, we will ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal information. Please note in some cases we may not be able to deliver the services you require if you withdraw your consent.
The right to make a complaint
You have a right to complain to the relevant regulator at any time if you object to the way in which we use your personal information. More information can be found on regulators’ websites — the Information Commissioner’s Office website https://ico.org.uk/ for the UK, the Information Regulator’s website for South Africa https://www.justice.gov.za/inforeg/
Who do we share your personal information with?
ICAS and its employees (including new hires, individual contractors and temporary staff) that process personal data worldwide must comply with, and respect, this Policy when processing personal data as a controller and / or processor, irrespective of the country in which they are located.
ICAS reserves the right to change, modify or update this Policy at any time. Please review it frequently for any updates.
If you have any questions regarding the provisions of this Policy, your rights under this Policy or any other data protection issues, you can contact the ICAS Data Privacy Office at the address below who will either deal with the matter or forward it to the appropriate person or department within ICAS.
Please note that in some cases we may not be able to comply with a request relating to your rights under this policy for reasons such as our own obligations to comply with other legal or regulatory requirements. However, we will always respond to any request you make within one month and if we can’t comply with your request, we will tell you why. In some circumstances exercising some of these rights (including the right to erasure, the right to restriction of processing and the right to withdraw consent) will mean we are unable to continue providing you the services you have selected and may therefore result in the cancellation thereof.
Attention: Ayjan Cunningham – Data Privacy Officer
Address: ICAS International Holdings Ltd, 85 Gresham Street, London, EC2V 7NQ
To log a Data Subject Access Request, e-mail email@example.com (Europe) or firstname.lastname@example.org (South Africa). Note that we will require proof of identification (passport or driver’s license) and a utility bill to confirm that you are the Data Subject.