Data privacy and security is important to OnCore.
We will handle your Personal Data in accordance with Data Protection Legislation. “Data Protection Legislation” means the Data Protection Acts 1988 and 2003 and Directive 95/46/EC, any other applicable law or regulation relating to the processing of personal data and to privacy (including the E-Privacy Directive), as such legislation shall be amended, revised or replaced from time to time, including by operation of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) (and laws implementing or supplementing the GDPR).
Information we gather from you
We fully respect your right to privacy in relation to your interactions with the Service and endeavor to be transparent in our dealings with you as to what information we will collect and how we will use your information. Also, we only collect and use individuals’ information where we are legally entitled to do so.
You may use forms on the “Contact” page and “Demo” page in order to register your demo request with us. The registration process asks for a name, phone number, and email address. When you visit our website, our servers automatically record information that your browser sends. These server logs may include information such as your web request, Internet Protocol address, browser type and settings, browser language, the address of the web page visited before using the Service, the date and time the website was used, information about browser configuration and plugins, language preferences and one or more cookies that may uniquely identify your browser. When you send email or other communication to OnCore, we may retain those communications in order to process your inquiries, respond to your requests and improve our Service (any Personal Data that we collect from you for these purposes is hereinafter referred to together as “Your Data”). OnCore is a Data Controller and / Processor (as defined in Data Protection Legislation) in respect of Your Data. The legal basis upon which we process Your Data is our legitimate interest to provide the Services to you.
Your Data is separate from and should be distinguished from User Uploaded Data. “User Uploaded Data” is data (which may include Personal Data) uploaded by you or others through “Contact” page. OnCore is a Data Controller and / Data Processor (as defined in Data Protection Legislation) in respect of the User Uploaded Data.
You can change your stated interests in respect of whether or not you wish to receive direct marketing from us by clicking ‘unsubscribe’ on any direct marketing electronic communication which you receive from us.
If you are aged 18 or under, please get your parent/guardian’s permission before you provide Your Data to us.
Why we collect/have access to your information
A cookie is a small text file that is placed on your device by a web server which enables a website to recognize repeat users, facilitate the user’s ongoing access to and use of a website and allows the website to track usage behavior and compile aggregate data that will allow content improvements and targeted advertising. We collate information in relation to the Service, which is represented in aggregate format through cookies. They help us to improve our Service and to deliver many of the functions that make your browser experience more user friendly.
We may contact you:
- to respond to your queries about our services in respect to the choices you made on the Contact form.
- to provide you with information about our Service, activities, including sending e-newsletters or similar correspondence and updates or responding to any contact you have made with us, e.g. on our website, by email or via the ‘Contact’ facility.
Withdrawal of consents
In the case of User Uploaded Data, OnCore is the data controller and / processor – withdrawals of consent in respect of User Uploaded Data must be made by the relevant data subject to us, and we can then take action in relation to the processing of such User Uploaded Data – this in reality means that it may not be possible to continue to use the Service in respect of such User Uploaded Data.
Who we share your data with
Your Data may be transferred to, stored at, or accessed from a destination outside the European Economic Area (“EEA”) for the purposes of us providing the Service. It may also be processed by staff operating outside the EEA who work for us.
By submitting Your Data, you explicitly consent to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that Your Data is treated securely and in accordance with this Policy. The safeguards in place with regard to the transfer of Your Data outside of the EEA are the entry by us into appropriate contracts with all transferees of such data. All information you provide to us is stored on our (or contracted third party) secure servers.
How do we protect your personal information
We do our utmost to protect user privacy through the appropriate use of security technology. We restrict access to Your Data to employees, contractors and agents who need to know such Your Data in order to operate, develop or improve the services that we provide. We ensure that we have appropriate physical and technological security measures to protect your information; and we ensure that when we outsource any processes that the service provider has appropriate security measures in place. However, the Service may contain hyperlinks to websites owned and operated by third parties. These third party websites have their own privacy policies, including cookies. We do not accept any responsibility or liability for the privacy practices of such third party websites and your use of such websites is at your own risk.
We will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing of Your Data. In particular, we will consider the risks presented by accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Your Data transmitted, stored or otherwise processed.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect Your Data, we cannot guarantee the security of any data transmitted to us and any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. To the extent permitted by law, we are not responsible for any delays, delivery failures, or any other loss or damage resulting from (i) the transfer of data over communications networks and facilities, including the internet, or (ii) any delay or delivery failure on the part of any other service provider not contracted by us, and you acknowledge that the Service may be subject to limitations, delays and other problems inherent in the use of such communications facilities. You will appreciate that we cannot guarantee the absolute prevention of cyber-attacks such as hacking, spyware and viruses. Accordingly, you will not hold us liable for any unauthorized disclosure, loss or destruction of Your Data arising from such risks.
We will notify serious data breaches in respect of Your Data to the DPC without undue delay, and where feasible, not later than 72 hours after having become aware of same. If notification is not made after 72 hours, we will record a reasoned justification for the delay; however, it is not necessary to notify the DPC where the Personal Data breach is unlikely to result in a risk to the rights and freedoms of natural persons. A Personal Data breach in this context means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
We will keep a record of any data breaches, including their effects and the remedial action taken, and will notify you of any data breach affecting your Personal Data (which poses a high risk to you) when we are required to do so under Data Protection Legislation.
We will not be required to notify you of a data breach where:
- we have implemented appropriate technical and organizational measures that render the Personal Data unintelligible to anyone not authorized to access it, such as encryption; or
- we have taken subsequent measures which ensure that the high risk to data subjects is not likely to materialize; or
- it would involve disproportionate effort, in which case we may make a public communication instead.
In the event of a serious data breach in respect of User Uploaded Data, we will notify the relevant Data Controller of such breach as soon as reasonably practical.
Retention of personal data
In general, User Uploaded Data that you provide to us, and any logs created by us relating to User Uploaded Data, will be kept and stored for 365 days from the date of upload/creation, after which point OnCore may delete personal data.
Your Data will be kept and stored for such period as we deem necessary taking into account the purpose for which it was collected in the first instance and our obligations under Data Protection Legislation. This may include retaining Your Data as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services.
Where we retain information for Service improvement and development, we take steps to eliminate information that directly identifies you, and we only use the information to uncover collective insights about the use of our Service, not to specifically analyze personal characteristics about you.
How to contact us
If you need to contact us with regard to any of your rights as set out in this Policy, all such requests should be made in writing by email to
Data privacy and security is important to OnCore Human Capital Management
Business Associate Agreement:
A Business Associate (BA) Agreement is the formal written contract between Business Associate and Covered Entity that requires Business Associate to comply with specified requirements related to PHI.
As per HIPAA rules, “Covered Entities are defined as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.”
As an OnCore user, if you disclose any specific individually identifiable information or PHI with OnCore, then receipt and use of such information by OnCore under its agreements will make OnCore a “Business Associate” to you, as defined by HIPAA. Thus, in accordance with HIPAA, Covered Entity and OnCore must agree in writing in the form of a BA Agreement to comply with certain provisions relating to PHI’s uses, disclosures and safeguards.
The BA agreement applies to you only when you already are or become a Covered Entity as per HIPAA rules and OnCore is or becomes your Business Associate as defined by HIPAA. The agreement execution does not automatically entitle you to become a Covered Entity or OnCore to become a Business Associate.
The BA agreement will replace all other agreements between you and OnCore with respect to the subject matter therein, unless there is an otherwise written agreement between the two parties.
To get answers to any questions related to the Business Associate Agreement, please contact your OnCore representative.
Use and Disclosure of PHI
We may use PHI for our management, administration, data aggregation and legal obligations to the extent such use of PHI is permitted or required by the BA Agreement and not prohibited by law. We may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of fulfilling our service obligations to Covered Entities, if such use or disclosure of PHI is permitted or required by the BA Agreement and would not violate the Privacy Rule.
In the event that PHI must be disclosed to a subcontractor or agent, we will ensure that the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under the BA Agreement with respect to PHI, including the implementation of reasonable and appropriate safeguards.
We may also use PHI to report violations of law to appropriate federal and state authorities.
We use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in the BA Agreement. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we create, receive, maintain, or transmit on behalf of a Covered Entity.
Such safeguards include:
- Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
- Providing appropriate training for our staff to assure that our staff complies with our security policies;
- Making use of appropriate encryption when transmitting PHI over the Internet;
- Utilizing appropriate storage, backup, disposal and reuse procedures to protect PHI;
- Utilizing appropriate authentication and access controls to safeguard PHI;
- Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
- Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed.
Mitigation of Harm
In the event of a use or disclosure of PHI that is in violation of the requirements of the BA agreement, we will mitigate, to the extent practicable, any harmful effect resulting from the violation.
Such mitigation will include:
- Reporting any use or disclosure of PHI not provided for by the BA Agreement and any security incident of which we become aware to the Covered Entity; and
- Documenting such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.
Access to PHI
As provided in the BA Agreement, we will make available to Covered Entities the information necessary for Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.
Upon request, we will make our internal practices, books, and records including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of a Covered Entity available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BA Agreement and HIPAA regulations.