Privacy Policy

1. Introduction

Data protection is the safeguarding of the privacy rights of individuals in relation to the processing, storage and security of their personal data. It is the policy of CCI to comply with the obligations of the Data Protection Acts 1988 and 2003, and now GDPR, and to ensure that all employees and volunteers are aware of their data protection responsibilities.

Employees, volunteers and service users supply CCI with personal information, and Data Protections legislation applies to this information. Data Protections law places obligations on the organisation and all employees who keep personal information. Every individual has the right to know what personal information is held about him / her. This Act applies to living persons.
Data Protection rights apply whether the information in held in paper based form, in electronic format, in manuals, or in photographs, video or digital images.

Manual files created before July 2003 are not subject to the full application of the Acts until October 24, 2017. However, those files are subject to access on request and security rulings apply to them.

Data Protection Rules

The key responsibilities for the organisation with respect to personal information are as follows:

Data should be obtained and processed fairly.
Data should be kept only for one or more specified and lawful purposes.
Data should be processed only in ways compatible with the purposes for which it was given to the organisation originally.
Data should be kept safe and secure.
Data should be kept accurate and up-to-date.
Data should be adequate, relevant and not excessive for the purpose(s) for which it is collected and processed.
Data should not be retained for any longer than is necessary for the specified purpose(s).
An individual will be given a copy of his/her personal data on request.

2. Policy Statement

With regards to its data protection responsibilities CCI will endeavour to:

Comply with both the Data Protection Acts and good practice;
Protect the privacy rights of services users, volunteers and employees in accordance with Data Protection Acts;
Ensure that personal information in CCI’s possession is kept safe and secure;
Support employees and volunteers to meet their legal responsibilities as set out under data protection rules;
Respect individuals’ rights;
Provide awareness training and support for employees and volunteers that process personal information.

3. Policy Purposes

The purpose of this Data Protection Policy is:
•   To outline how this company endeavours to comply with the Data Protection Acts;
•   To provide guidelines for employees and volunteers;
•   To protect this from the consequences of a breach of its responsibilities.

4. Policy Scope

This Data Protection Policy applies to all employees and volunteers who handle personal data of service users, the people we support and / or employees.

5. Data Protection Principles

This company will endeavour to meet its obligations under the Data Protection Acts and apply the eight Data Protection Principles in how it stores and processes personal data and information.

5.1 Obtain and Process Data Fairly

At the time the personal data is being collected, an individual must be made aware of the following:

What information is being collected and why it is being collected
Who within this company will have access to the information
How the information will be used and what third party disclosures are contemplated
The consequences of not providing information (if any)
Any statutory obligation that may arise to collect the information
The person’s right to access the information, once collected, and the identity of the organisation collecting the information.

The individual must have given consent to the processing of the data. Processing means performing any operations or set of operations on data, including:

Obtaining, recording or keeping data, collecting, organising, storing, altering or adapting the data; retrieving, consulting or using the data; disclosing the data by transmitting, disseminating or otherwise making it available; aligning, combining, blocking, erasing or destroying the data.
However, there may be some situations where processing of data may be necessary without the explicit consent of the individual having been obtained:
Compliance with a legal obligation;
Protecting the vital interests of the person where the seeking of the consent of the person is likely to result in those interest being damaged;
Preventing injury to, or damage to the health, of another person;
For obtaining legal advice, or in connection with legal proceedings, or is necessary for purposes of establishing, exercising or defending legal rights.

5.2 Purpose(s) for which information is stored

This principle requires employees processing personal data to be aware:

That an individual should know the specific reason/s why information is being collected and retained
That the purpose for which the information is being collected is a lawful one
Of the different categories of data which are held and the specific purposes for each.

5.3 Processing of Data

Data should be processed only in ways compatible with the purposes for which it was given to the organisation originally.

Personal Data should only be used and disclosed in ways that are necessary or compatible with the original purpose for which it was obtained
Employees are not to disclose any personal information to any third party without the consent of the individual to whom it refers
Personal information should not be disclosed to staff or volunteers unless they have a legitimate interest in the data in order to fulfil official ISCC duties.

5.4 Data should be kept safe and secure

Appropriate security measures must be taken against unauthorised access to, or alteration, disclosure or destruction of the data and against their accidental loss or destruction.

Access to information restricted to authorised employees on a ‘’need-to-know’’ basis.
Computer systems must be password protected.
Information held on computers must always be protected by a password to prevent unauthorised access.
There must be back-up procedures in operation for computer-held data.
Personal information on computer screens should only be visible to the computer user who must have the authority to access the information.
Employees and volunteers must be aware of the organisation’s confidentiality and security policies and procedures and comply with them.
Data must be securely disposed of when no longer required, or when the purpose for which the information was obtained is no longer current, relevant or valid.
Premises must be secure when unoccupied and personal information should be securely locked away when not in use.

5.5 Data should be kept accurate and up-to-date

Personal information must be accurate. It is the responsibility for all employees who obtain or hold information to ensure that it is accurate and complete.

Where an individual data subject informs or advises this company of any errors or changes to their data, employees must amend the information accordingly, and as soon as is reasonably possible.

Manual and computer procedures must be adequate to ensure high levels of data accuracy and maintenance.

5.6 Data should be adequate, relevant and not excessive for the purpose(s) for which it is collected and processed

Only the information necessary to provide support or services should be collected and maintained. Periodic reviews should take place of any personal information already held, to ensure that it is adequate, relevant and not excessive for the purpose for which it was collected.

5.7 Data should not be retained for longer than is necessary for the specified purpose(s)

Data should be held for the length of time the purpose for which it was collected is valid. Once this data is no longer current or valid, it must be disposed of in a secure manner. Particular care is to be taken when shredding or incinerating paper-based or manual data and when disposing of laptops and computers.

Exceptions may apply from specific legislation which requires information to be retained for particular periods.

5.8 An individual will be given a copy of his / her personal data on request.

An individual about whom personal data is held is entitled to:

A copy of the data held about him / her
Know the purpose for processing his / her data
Know the identity of those to who the data may be disclosed
Know the source of the data, unless it is contrary to public interest
Know the logic involved in automated decisions
Have a copy of any data held in the form of opinions, except where such opinions were given in confidence
Know the reasons for an access refusal

To make an access request the Data Subject must:

Apply in writing which may be via email
Give any details which might be needed to help identify the individual and locate the information kept about him/ her
In response to a request for access to information this company must:
Supply the information to the requester promptly and within one month of receiving the request, and
Provide the information in a form which will be clear to the person.
Rights of access can be refused if:
Providing access will pose a serious threat to the life or health of any individual, including the requester,
Providing access would have an unacceptable impact on the privacy of other individuals, or
It is required or authorised by law.

Additional rights under the Data Protection Acts:

Data subjects have the right to have any inaccurate information rectified or erased;
Data subjects have the right to have personal data taken off a mailing list;
Data subjects have the right to complain to the Data Protection Commissioner.

6. Procedure for dealing with a request under the Data Protection Acts

Upon receiving a data protection request, the following steps will be taken:

Data protection request is forwarded to the CCI.
CCI will check that the access request can be granted under the Data Protection Acts of 1998 and 2003.
If access may not be granted under the Data Protection Acts, the person requesting access will be notified of this fact and informed of their right to seek access under the Freedom of Information Act.
If access may be permitted under the Data Protection Acts the following actions will be taken:
Date the access request
Record and place on file any discussions concerning the requesting
Record the date on the file that a decision will be forthcoming (30 dates)
Check that the request comes within the scope of the Acts. It must be received in writing, reference made to the Data Protection Act, contain sufficient information to identify the records required, clearly identifies who is requesting the information. If a third party requests information their authority to do so must be clearly stated.
CCI will send a letter or email acknowledging the access request and access fee to the person / third party making the request within 7 days. The letter will state the date when a decision on the access request will be made.
If upon investigation it transpires that there is insufficient information to identify the records request, the person / third party making the request will be contact by CCI to inform them that the request will be suspended until clarifications are received. If despite receiving assistance to clarify the request, it is still not possible to identify the records requested, CCI can refuse to process the request. All steps taken to process the request will be clearly documented. The person / third party making the request will be informed of the circumstances leading to this decision.
The decision-maker should agree the method of access to the records (writing letter via post or e-mail) and blank out any details / data which is considered to be non-disclosable under the Data Protection Acts.
CCI reserves the right to restrict access to information under section 5 of the Data Protection (Access Modification) (Health) Regulations, 1989 (S.I. no. of 1989),

7. Right of complaint to the Data Protection Commissioner

Any person may complain to the Data Protection Commissioner about the way in which their data protection request was handled.

8. Management of a Data Breach

Should a data breach occur, the following actions will be taken:

Details of the data breach incident will be recorded by CCI. Details should include time and date the breach was reported, the circumstances, I.T. systems used, the data involved, the person to whom the breach was reported, time the breach was detected, if the data was encrypted and any corroborating material.
The Chairperson of CCI will be informed. If required an emergency board meeting will be held to discuss the data breach incident. This meeting is to discuss the incident and risks arising from the incident.
The Data Protection Commissioner will be informed.
In consultation with the Office of the Data Protection Commissioner, a decision will be taken whether the circumstances require the person whose data has been breached to be notified.
Other third parties such as An Garda Siochana may need to be notified to help minimise the consequences for the persons whose data has been breached.
Subsequent to the breach a thorough evaluation of the incident will take place. This review will ascertain if the actions taken during the incident were appropriate and determine what steps should be taken to avoid a repeat of such data breach.

9. Policy Review

This Data Protection Policy will be subject to review every three years or in response to changes made to amendments to the Data Protection Acts.

10. GDPR Policy Update

GDPR was approved by the EU Parliament on 14th April 2016. Enforcement date was 25th May 2018.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy. This Data Protection Policy will be subject to review every three years or in response to changes made to amendments to the Data Protection Acts.

Personal data allows people to access entertainment, products & services, but means people have to trust the organisations that their data is shared with. From May 25th 2018, the new EU General Data Protection Regulation, GDPR:

Puts more responsibility on organisations using personal data
Gives people more control over how their data is used

This applies to all to businesses, online service providers or public sector bodies that ask for personal data, including CCI. CCI must tell people clearly:

How we will use the data
How we will protect that data

CCI must:

Only collect personal data that is needed to provide our service
Ensure the collected data is not used or shared for other purposes
Ensure data is protected from hacking or theft
Ensure data is kept accurate and up to date
Be able to demonstrate accountability for our data processing activities

How CCI achieve this:

Become aware – All personnel in CCI are aware that the law is changing to the GDPR, and will factor this into our future planning. We will identify areas that could cause compliance problems under the GDPR. We will review and enhance our risk management processes, and build in GDPR compliance to all developments.
Become accountable – We will make and maintain an inventory of all personal data we hold and examine it under the following headings:
Why are we holding it?
How did we obtain it?
Why was it originally gathered?
How long will we retain it?
How secure is it, both in terms of encryption and accessibility?
Do we ever share it with third parties and on what basis might you do so?
Communicate with staff and service users - Review all (including this document) current data privacy notices alerting individuals to the collection of their data. Check:
Any gaps that exist between the level of data collection and processing CCI engages in.
How aware we make your customers, staff and services users of this fact.
If gaps exist, we will set about redressing them using the criteria laid out in “Becoming Accountable”, above.
Before gathering data, (current legislation requires) that we notify our customers of our identity, our reasons for gathering the data, the use it will be put to, who it will be disclosed to, and if it’s going to be transferred outside the EU.
Understand Personal Privacy Rights - Review this procedure to ensure it covers all the rights individuals have, including how we delete personal data or provide data electronically and in a commonly used format. Rights for individuals under the GDPR include:
subject access
to have inaccuracies corrected
to have information erased
to know data retention period
to object to direct marketing
to restrict the processing of their information, including automated decision-making
have data portability
the same rights individuals enjoyed under the current Acts, but with these enhancements
Understand Access Changes - Review and update procedures and plan how to handle access requests within the new timescales (one month, from current 40 day period). Organisations will have some grounds for refusing to grant an access request. Where a request is deemed manifestly unfounded or excessive, it can be refused. However, CCI will have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria. CCI will mitigate this by ensuring people can access their information easily online.
Understand Legal Basis - Look at the types of data processing carried out, identify the legal basis for carrying it out and document it. Individuals will have a stronger right to have their data deleted where customer consent is the only justification for processing. CCI will explain their legal basis for processing personal data in their web privacy policy notice and when answering a subject access request. There has been a significant reduction in the number of legal bases any organisation may rely on when processing data. It will no longer be possible to cite legitimate interests. Instead, there will be a general necessity to have specific legislative provisions underpinning one or more of the methods organisations use to process data. If any categories can be eliminated it will be done. For the data that remains, CCI will consider whether it needs to be kept in its raw format, and how quickly we can begin the process of making it anonymous.
Use customer consent – We will use customer consent when recording personal data, and will review how we seek, obtain and record that consent. Advance consent must be ‘freely given, specific, informed and unambiguous’. A customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They will know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent cannot be inferred from silence, pre-ticked boxes or inactivity. Controllers must be able to demonstrate that consent was given. CCI will review the systems for recording consent to ensure an effective audit trail.
Processing children’s data - If work involves the processing of data from underage persons, CCI will ensure that we have adequate systems in place to verify individual ages and gather consent from guardians. It should be noted that consent needs to be verifiable, and therefore communicated in language they can understand.
Understand DPIA (Data Protection Impact Assessments) - DPIA is the process of considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and come up with a way to mitigate them. A DPIA can involve discussions with relevant parties/stakeholders. GDPR introduces mandatory DPIAs for those oganisations involved in high-risk processing; for example where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large scale monitoring of a publicly accessible area. Where the DPIA indicates that the risks identified in relation to the processing of personal data cannot be fully mitigated, data controllers will be required to consult the Data Protection Commissioner (DPC) before engaging in the process. Organisations should start to assess whether future projects will require a DPIA and, if the project calls for a DPIA, consider:
Who will do it?
Who else needs to be involved?
Will the process be run centrally or locally?
Report breaches – CCI will ensure the right procedures are in place to detect, report and investigate a personal data breach. Some organisations are already required to notify the DPC when they incur a personal data breach. However, GDPR will bring in mandatory breach notifications. All breaches must be reported to the DPC, within 72 hours, unless the data was anonymised or encrypted. Breaches that are likely to bring harm to an individual must also be reported to the individual. CCI will develop policies and procedures for managing data breaches.
Employ a Data Protection Officer - The GDPR requires that some organisations must designate a Data Protection Officer (DPO). Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations who process what is currently known as sensitive personal data on a large scale. This does not apply to CCI, but data protection governance will be the responsibility of the board of CCI.
Cross border - GDPR includes a “One Stop Shop” (OSS) mechanism, which will be in place for data controllers and data processors that are engaged in cross-border processing of personal data. The OSS will allow an organisation to deal with a single “Lead Supervisory Authority” (LSA) for most processing activities. Your LSA will be the supervisory authority of the country in which an organisation has its main establishment. The OSS will only apply to CCI if and when we engage in cross-border processing and be established in the European Union.

GDPR implementation and Data Protection at CCI is the responsibility of the board of CCI. Board members are:

Bruno Lucas, Chairperson
Ciarán Davis, Honorary Secretary
Fergal Troy, Chartered Surveyor

Website Privacy Policy

Crohn's & Colitis Ireland respects your right to privacy and complies with its obligations under the General Data Protection Regulation (GDPR). The goal of this website privacy policy is to help you understand how the Society deals with any personal data you provide when you visit its website.

By visiting the www.iscc.ie website, you are accepting the terms of this website privacy policy.

This website might contain external links to other websites and the Society is not held responsible for the privacy policies of these other websites.

What type of information do we collect?

We will only collect personal data that is needed to provide our services to you. We will ensure the collected data is not used or shared for other purposes.
We will ensure where possible, data will be anonymised.
You may browse our site anonymously but certain functions and pages may be unavailable to you.

We collect information from you when you visit our website, register for our online community, place an order or make a donation, subscribe to our email newsletter, or fill out a form.

When making a donation, registering for a campaign or event on our website, as appropriate, you may be asked to provide personal details such as name, email address, postal address, phone number or payment information as needed.

What do we use your information for?

Any of the information we collect from you may be used in one of the following ways:

To provide IBD information and helpline service
We collect and store personal data in order to provide information and service for people affected by Colitis or Crohn’s.

Our helpline may collect sensitive personal data about your health when you speak, email or send enquiries. We will use this information to answer your questions and give advice or support.

We may also use this information for training, quality monitoring or evaluating the services we provide.

We may also collect and retain your data if you send feedback about any of our services or make a complaint.

To process payments, fulfil online orders and confirm transactions
Example: Donating or purchasing online, or paying for membership fee. We will use your information to complete your order and to follow up, where relevant or requested, by email, phone or post on any transactions and issue payment receipts.

To improve our website and provide a personalised experience for you
We continually try to improve our website based on the anonymous information and feedback we receive from you.

We want your visit to our website to be a useful one, making sure you are able to find the information that you’re looking for and that is relevant to you.

To keep you informed about what we’re doing in the fight against IBD
If you have signed up for Crohn's & Colitis email newsletter, you will receive this email when issued. At any time you can unsubscribe from receiving future emails by emailing info@iscc.ie.

To let you know other ways you can get involved in our fundraising and campaigns:
From time to time we will use your postal address to send you updates on the impact of your donation, and let you know how you can get involved in our fundraising and campaigns.

We may also contact you by phone and email if you have given us consent to do so.

We will always respect your privacy and will always give you the option to stop hearing from us.

How do we protect your information?

We use a variety of security measures to securely process and keep your personal information safe when you interact with our website.

We use a secure server so that all supplied sensitive/payment information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our payment gateway provider's database (Stripe Payments). Stripe is a PCI Service Provider Level 1 which is the highest grade of payment processing security. All credit card numbers are encrypted and safely stored in Stripe's state of the art data-centre. This ensures both the security and integrity of your information.

The Society takes, and will continue to take, all reasonable steps (which includes relevant technical and organisational measures) to guarantee the safety of the data you provide to us and we will only use the data for the intended purpose.

However, the nature of the internet is such that we cannot guarantee or warrant the security of any information you transmit to us via the Internet will be 100% secure.

Do we use cookies?

Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your web browser (if you allow) that lets the sites or service providers systems to recognise your browser and capture and remember certain information.

We use cookies to help us remember and process items in your shopping cart and compile anonymous data about site traffic and site interaction so that we can offer better site experiences and tools in the future.

This website uses Google Analytics to gather anonymous statistics about visitors to the site and which pages are visited.

If you prefer, you can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies via your browser settings. Like most websites, if you turn your cookies off, some of our services may not function properly.

However, you can still make a donation, place orders, and register for membership over the telephone on (01) 531 2983 (within Republic of Ireland).

Do we disclose any information to outside parties?

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information.

The information you provide when interacting with our website will be kept securely and used by the Crohn's & Colitis Ireland in order to make your interaction with the Society possible. Your information will not be shared with any organisation, other than with your permission, or where required by law.

Your personal information will not be held outside the EU.

We also reserve the right to enforce our site policies in order to protect our rights and the rights of other individuals in a manner that is safe and compliant with the law.

Non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses. For example, we may disclose the total number of visits to our website.

You control your information

Crohn's & Colitis Ireland is committed to upholding the rights of individuals and have processes in place for providing individuals' access to their personal information. A subject access request (SAR) is a request for access to the personal information that the Irish Society for Colitis & Crohn’s disease holds about you, which we are required to provide under the General Data Protection Regulation (GDPR) unless an exemption applies.

Under GDPR your other rights include :

to have inaccuracies corrected
to have information erased
to know data retention period
to object to direct marketing
to restrict the processing of your information, including automated decision-making
data portability

You can make any request in writing to the:

Crohn's & Colitis Ireland,
Carmichael Centre for Voluntary Groups
North Brunswick Street
Dublin 7
D07 RHA8

Where requested, we will provide the following information:

The purposes of the processing of your personal data;
What kind of personal data is stored;
Where this data is stored;
How long your data is stored.

Your request will be completed in 30 days

Online privacy policy only

This online privacy policy applies only to information collected through our website and not to information collected offline.

Your consent

By using our website, you consent to our website's privacy policy (this page).

Changes to our privacy policy

We reserve the right to make changes to our web privacy policy at any time without prior consultation; these changes will be posted on this page together with the privacy policy revision date.