Data protection is the safeguarding of the privacy rights of individuals in relation to the processing, storage and security of their personal data. It is the policy of CCI to comply with the obligations of the Data Protection Acts 1988 and 2003, and now GDPR, and to ensure that all employees and volunteers are aware of their data protection responsibilities.
Employees, volunteers and service users supply CCI with personal information, and Data Protections legislation applies to this information. Data Protections law places obligations on the organisation and all employees who keep personal information. Every individual has the right to know what personal information is held about him / her. This Act applies to living persons.
Data Protection rights apply whether the information in held in paper based form, in electronic format, in manuals, or in photographs, video or digital images.
Manual files created before July 2003 are not subject to the full application of the Acts until October 24, 2017. However, those files are subject to access on request and security rulings apply to them.
Data Protection Rules
The key responsibilities for the organisation with respect to personal information are as follows:
- Data should be obtained and processed fairly.
- Data should be kept only for one or more specified and lawful purposes.
- Data should be processed only in ways compatible with the purposes for which it was given to the organisation originally.
- Data should be kept safe and secure.
- Data should be kept accurate and up-to-date.
- Data should be adequate, relevant and not excessive for the purpose(s) for which it is collected and processed.
- Data should not be retained for any longer than is necessary for the specified purpose(s).
- An individual will be given a copy of his/her personal data on request.
2. Policy Statement
With regards to its data protection responsibilities CCI will endeavour to:
- Comply with both the Data Protection Acts and good practice;
- Protect the privacy rights of services users, volunteers and employees in accordance with Data Protection Acts;
- Ensure that personal information in CCI’s possession is kept safe and secure;
- Support employees and volunteers to meet their legal responsibilities as set out under data protection rules;
- Respect individuals’ rights;
- Provide awareness training and support for employees and volunteers that process personal information.
3. Policy Purposes
The purpose of this Data Protection Policy is:
• To outline how this company endeavours to comply with the Data Protection Acts;
• To provide guidelines for employees and volunteers;
• To protect this from the consequences of a breach of its responsibilities.
4. Policy Scope
This Data Protection Policy applies to all employees and volunteers who handle personal data of service users, the people we support and / or employees.
5. Data Protection Principles
This company will endeavour to meet its obligations under the Data Protection Acts and apply the eight Data Protection Principles in how it stores and processes personal data and information.
5.1 Obtain and Process Data Fairly
At the time the personal data is being collected, an individual must be made aware of the following:
- What information is being collected and why it is being collected
- Who within this company will have access to the information
- How the information will be used and what third party disclosures are contemplated
- The consequences of not providing information (if any)
- Any statutory obligation that may arise to collect the information
- The person’s right to access the information, once collected, and the identity of the organisation collecting the information.
The individual must have given consent to the processing of the data. Processing means performing any operations or set of operations on data, including:
- Obtaining, recording or keeping data, collecting, organising, storing, altering or adapting the data; retrieving, consulting or using the data; disclosing the data by transmitting, disseminating or otherwise making it available; aligning, combining, blocking, erasing or destroying the data.
- However, there may be some situations where processing of data may be necessary without the explicit consent of the individual having been obtained:
- Compliance with a legal obligation;
- Protecting the vital interests of the person where the seeking of the consent of the person is likely to result in those interest being damaged;
- Preventing injury to, or damage to the health, of another person;
- For obtaining legal advice, or in connection with legal proceedings, or is necessary for purposes of establishing, exercising or defending legal rights.
5.2 Purpose(s) for which information is stored
This principle requires employees processing personal data to be aware:
- That an individual should know the specific reason/s why information is being collected and retained
- That the purpose for which the information is being collected is a lawful one
- Of the different categories of data which are held and the specific purposes for each.
5.3 Processing of Data
Data should be processed only in ways compatible with the purposes for which it was given to the organisation originally.
- Personal Data should only be used and disclosed in ways that are necessary or compatible with the original purpose for which it was obtained
- Employees are not to disclose any personal information to any third party without the consent of the individual to whom it refers
- Personal information should not be disclosed to staff or volunteers unless they have a legitimate interest in the data in order to fulfil official ISCC duties.
5.4 Data should be kept safe and secure
Appropriate security measures must be taken against unauthorised access to, or alteration, disclosure or destruction of the data and against their accidental loss or destruction.
- Access to information restricted to authorised employees on a ‘’need-to-know’’ basis.
- Computer systems must be password protected.
- Information held on computers must always be protected by a password to prevent unauthorised access.
- There must be back-up procedures in operation for computer-held data.
- Personal information on computer screens should only be visible to the computer user who must have the authority to access the information.
- Employees and volunteers must be aware of the organisation’s confidentiality and security policies and procedures and comply with them.
- Data must be securely disposed of when no longer required, or when the purpose for which the information was obtained is no longer current, relevant or valid.
- Premises must be secure when unoccupied and personal information should be securely locked away when not in use.
5.5 Data should be kept accurate and up-to-date
Personal information must be accurate. It is the responsibility for all employees who obtain or hold information to ensure that it is accurate and complete.
Where an individual data subject informs or advises this company of any errors or changes to their data, employees must amend the information accordingly, and as soon as is reasonably possible.
Manual and computer procedures must be adequate to ensure high levels of data accuracy and maintenance.
5.6 Data should be adequate, relevant and not excessive for the purpose(s) for which it is collected and processed
Only the information necessary to provide support or services should be collected and maintained. Periodic reviews should take place of any personal information already held, to ensure that it is adequate, relevant and not excessive for the purpose for which it was collected.
5.7 Data should not be retained for longer than is necessary for the specified purpose(s)
Data should be held for the length of time the purpose for which it was collected is valid. Once this data is no longer current or valid, it must be disposed of in a secure manner. Particular care is to be taken when shredding or incinerating paper-based or manual data and when disposing of laptops and computers.
Exceptions may apply from specific legislation which requires information to be retained for particular periods.
5.8 An individual will be given a copy of his / her personal data on request.
An individual about whom personal data is held is entitled to:
- A copy of the data held about him / her
- Know the purpose for processing his / her data
- Know the identity of those to who the data may be disclosed
- Know the source of the data, unless it is contrary to public interest
- Know the logic involved in automated decisions
- Have a copy of any data held in the form of opinions, except where such opinions were given in confidence
- Know the reasons for an access refusal
To make an access request the Data Subject must:
- Apply in writing which may be via email
- Give any details which might be needed to help identify the individual and locate the information kept about him/ her
- In response to a request for access to information this company must:
- Supply the information to the requester promptly and within one month of receiving the request, and
- Provide the information in a form which will be clear to the person.
- Rights of access can be refused if:
- Providing access will pose a serious threat to the life or health of any individual, including the requester,
- Providing access would have an unacceptable impact on the privacy of other individuals, or
- It is required or authorised by law.
Additional rights under the Data Protection Acts:
- Data subjects have the right to have any inaccurate information rectified or erased;
- Data subjects have the right to have personal data taken off a mailing list;
- Data subjects have the right to complain to the Data Protection Commissioner.
6. Procedure for dealing with a request under the Data Protection Acts
Upon receiving a data protection request, the following steps will be taken:
- Data protection request is forwarded to the CCI.
- CCI will check that the access request can be granted under the Data Protection Acts of 1998 and 2003.
- If access may not be granted under the Data Protection Acts, the person requesting access will be notified of this fact and informed of their right to seek access under the Freedom of Information Act.
- If access may be permitted under the Data Protection Acts the following actions will be taken:
- Date the access request
- Record and place on file any discussions concerning the requesting
- Record the date on the file that a decision will be forthcoming (30 dates)
- Check that the request comes within the scope of the Acts. It must be received in writing, reference made to the Data Protection Act, contain sufficient information to identify the records required, clearly identifies who is requesting the information. If a third party requests information their authority to do so must be clearly stated.
- CCI will send a letter or email acknowledging the access request and access fee to the person / third party making the request within 7 days. The letter will state the date when a decision on the access request will be made.
- If upon investigation it transpires that there is insufficient information to identify the records request, the person / third party making the request will be contact by CCI to inform them that the request will be suspended until clarifications are received. If despite receiving assistance to clarify the request, it is still not possible to identify the records requested, CCI can refuse to process the request. All steps taken to process the request will be clearly documented. The person / third party making the request will be informed of the circumstances leading to this decision.
- The decision-maker should agree the method of access to the records (writing letter via post or e-mail) and blank out any details / data which is considered to be non-disclosable under the Data Protection Acts.
- CCI reserves the right to restrict access to information under section 5 of the Data Protection (Access Modification) (Health) Regulations, 1989 (S.I. no. of 1989),
7. Right of complaint to the Data Protection Commissioner
Any person may complain to the Data Protection Commissioner about the way in which their data protection request was handled.
8. Management of a Data Breach
Should a data breach occur, the following actions will be taken:
- Details of the data breach incident will be recorded by CCI. Details should include time and date the breach was reported, the circumstances, I.T. systems used, the data involved, the person to whom the breach was reported, time the breach was detected, if the data was encrypted and any corroborating material.
- The Chairperson of CCI will be informed. If required an emergency board meeting will be held to discuss the data breach incident. This meeting is to discuss the incident and risks arising from the incident.
- The Data Protection Commissioner will be informed.
- In consultation with the Office of the Data Protection Commissioner, a decision will be taken whether the circumstances require the person whose data has been breached to be notified.
- Other third parties such as An Garda Siochana may need to be notified to help minimise the consequences for the persons whose data has been breached.
- Subsequent to the breach a thorough evaluation of the incident will take place. This review will ascertain if the actions taken during the incident were appropriate and determine what steps should be taken to avoid a repeat of such data breach.
9. Policy Review
This Data Protection Policy will be subject to review every three years or in response to changes made to amendments to the Data Protection Acts.
10. GDPR Policy Update
GDPR was approved by the EU Parliament on 14th April 2016. Enforcement date was 25th May 2018.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy. This Data Protection Policy will be subject to review every three years or in response to changes made to amendments to the Data Protection Acts.
Personal data allows people to access entertainment, products & services, but means people have to trust the organisations that their data is shared with. From May 25th 2018, the new EU General Data Protection Regulation, GDPR:
- Puts more responsibility on organisations using personal data
- Gives people more control over how their data is used
This applies to all to businesses, online service providers or public sector bodies that ask for personal data, including CCI. CCI must tell people clearly:
- How we will use the data
- How we will protect that data
- Only collect personal data that is needed to provide our service
- Ensure the collected data is not used or shared for other purposes
- Ensure data is protected from hacking or theft
- Ensure data is kept accurate and up to date
- Be able to demonstrate accountability for our data processing activities
How CCI achieve this:
- Become aware – All personnel in CCI are aware that the law is changing to the GDPR, and will factor this into our future planning. We will identify areas that could cause compliance problems under the GDPR. We will review and enhance our risk management processes, and build in GDPR compliance to all developments.
- Become accountable – We will make and maintain an inventory of all personal data we hold and examine it under the following headings:
- Why are we holding it?
- How did we obtain it?
- Why was it originally gathered?
- How long will we retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do we ever share it with third parties and on what basis might you do so?
- Communicate with staff and service users - Review all (including this document) current data privacy notices alerting individuals to the collection of their data. Check:
- Any gaps that exist between the level of data collection and processing CCI engages in.
- How aware we make your customers, staff and services users of this fact.
- If gaps exist, we will set about redressing them using the criteria laid out in “Becoming Accountable”, above.
- Before gathering data, (current legislation requires) that we notify our customers of our identity, our reasons for gathering the data, the use it will be put to, who it will be disclosed to, and if it’s going to be transferred outside the EU.
- Understand Personal Privacy Rights - Review this procedure to ensure it covers all the rights individuals have, including how we delete personal data or provide data electronically and in a commonly used format. Rights for individuals under the GDPR include:
- subject access
- to have inaccuracies corrected
- to have information erased
- to know data retention period
- to object to direct marketing
- to restrict the processing of their information, including automated decision-making
- have data portability
- the same rights individuals enjoyed under the current Acts, but with these enhancements
- Understand Access Changes - Review and update procedures and plan how to handle access requests within the new timescales (one month, from current 40 day period). Organisations will have some grounds for refusing to grant an access request. Where a request is deemed manifestly unfounded or excessive, it can be refused. However, CCI will have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria. CCI will mitigate this by ensuring people can access their information easily online.
- Use customer consent – We will use customer consent when recording personal data, and will review how we seek, obtain and record that consent. Advance consent must be ‘freely given, specific, informed and unambiguous’. A customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They will know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent cannot be inferred from silence, pre-ticked boxes or inactivity. Controllers must be able to demonstrate that consent was given. CCI will review the systems for recording consent to ensure an effective audit trail.
- Processing children’s data - If work involves the processing of data from underage persons, CCI will ensure that we have adequate systems in place to verify individual ages and gather consent from guardians. It should be noted that consent needs to be verifiable, and therefore communicated in language they can understand.
- Understand DPIA (Data Protection Impact Assessments) - DPIA is the process of considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and come up with a way to mitigate them. A DPIA can involve discussions with relevant parties/stakeholders. GDPR introduces mandatory DPIAs for those oganisations involved in high-risk processing; for example where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large scale monitoring of a publicly accessible area. Where the DPIA indicates that the risks identified in relation to the processing of personal data cannot be fully mitigated, data controllers will be required to consult the Data Protection Commissioner (DPC) before engaging in the process. Organisations should start to assess whether future projects will require a DPIA and, if the project calls for a DPIA, consider:
- Who will do it?
- Who else needs to be involved?
- Will the process be run centrally or locally?
- Report breaches – CCI will ensure the right procedures are in place to detect, report and investigate a personal data breach. Some organisations are already required to notify the DPC when they incur a personal data breach. However, GDPR will bring in mandatory breach notifications. All breaches must be reported to the DPC, within 72 hours, unless the data was anonymised or encrypted. Breaches that are likely to bring harm to an individual must also be reported to the individual. CCI will develop policies and procedures for managing data breaches.
- Employ a Data Protection Officer - The GDPR requires that some organisations must designate a Data Protection Officer (DPO). Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations who process what is currently known as sensitive personal data on a large scale. This does not apply to CCI, but data protection governance will be the responsibility of the board of CCI.
- Cross border - GDPR includes a “One Stop Shop” (OSS) mechanism, which will be in place for data controllers and data processors that are engaged in cross-border processing of personal data. The OSS will allow an organisation to deal with a single “Lead Supervisory Authority” (LSA) for most processing activities. Your LSA will be the supervisory authority of the country in which an organisation has its main establishment. The OSS will only apply to CCI if and when we engage in cross-border processing and be established in the European Union.
GDPR implementation and Data Protection at CCI is the responsibility of the board of CCI. Board members are:
- Bruno Lucas, Chairperson
- Ciarán Davis, Honorary Secretary
- Fergal Troy, Chartered Surveyor
This website might contain external links to other websites and the Society is not held responsible for the privacy policies of these other websites.
What type of information do we collect?
We will only collect personal data that is needed to provide our services to you. We will ensure the collected data is not used or shared for other purposes.
We will ensure where possible, data will be anonymised.
You may browse our site anonymously but certain functions and pages may be unavailable to you.
We collect information from you when you visit our website, register for our online community, place an order or make a donation, subscribe to our email newsletter, or fill out a form.
When making a donation, registering for a campaign or event on our website, as appropriate, you may be asked to provide personal details such as name, email address, postal address, phone number or payment information as needed.
What do we use your information for?
Any of the information we collect from you may be used in one of the following ways:
To provide IBD information and helpline service
We collect and store personal data in order to provide information and service for people affected by Colitis or Crohn’s.
Our helpline may collect sensitive personal data about your health when you speak, email or send enquiries. We will use this information to answer your questions and give advice or support.
We may also use this information for training, quality monitoring or evaluating the services we provide.
We may also collect and retain your data if you send feedback about any of our services or make a complaint.
To process payments, fulfil online orders and confirm transactions
Example: Donating or purchasing online, or paying for membership fee. We will use your information to complete your order and to follow up, where relevant or requested, by email, phone or post on any transactions and issue payment receipts.
To improve our website and provide a personalised experience for you
We continually try to improve our website based on the anonymous information and feedback we receive from you.
We want your visit to our website to be a useful one, making sure you are able to find the information that you’re looking for and that is relevant to you.
To keep you informed about what we’re doing in the fight against IBD
If you have signed up for Crohn's & Colitis email newsletter, you will receive this email when issued. At any time you can unsubscribe from receiving future emails by emailing firstname.lastname@example.org.
To let you know other ways you can get involved in our fundraising and campaigns:
From time to time we will use your postal address to send you updates on the impact of your donation, and let you know how you can get involved in our fundraising and campaigns.
We may also contact you by phone and email if you have given us consent to do so.
We will always respect your privacy and will always give you the option to stop hearing from us.
How do we protect your information?
We use a variety of security measures to securely process and keep your personal information safe when you interact with our website.
We use a secure server so that all supplied sensitive/payment information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our payment gateway provider's database (Stripe Payments). Stripe is a PCI Service Provider Level 1 which is the highest grade of payment processing security. All credit card numbers are encrypted and safely stored in Stripe's state of the art data-centre. This ensures both the security and integrity of your information.
The Society takes, and will continue to take, all reasonable steps (which includes relevant technical and organisational measures) to guarantee the safety of the data you provide to us and we will only use the data for the intended purpose.
However, the nature of the internet is such that we cannot guarantee or warrant the security of any information you transmit to us via the Internet will be 100% secure.
Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your web browser (if you allow) that lets the sites or service providers systems to recognise your browser and capture and remember certain information.
This website uses Google Analytics to gather anonymous statistics about visitors to the site and which pages are visited.
If you prefer, you can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies via your browser settings. Like most websites, if you turn your cookies off, some of our services may not function properly.
However, you can still make a donation, place orders, and register for membership over the telephone on (01) 531 2983 (within Republic of Ireland).
Do we disclose any information to outside parties?
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information.
The information you provide when interacting with our website will be kept securely and used by the Crohn's & Colitis Ireland in order to make your interaction with the Society possible. Your information will not be shared with any organisation, other than with your permission, or where required by law.
Your personal information will not be held outside the EU.
We also reserve the right to enforce our site policies in order to protect our rights and the rights of other individuals in a manner that is safe and compliant with the law.
Non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses. For example, we may disclose the total number of visits to our website.
You control your information
Crohn's & Colitis Ireland is committed to upholding the rights of individuals and have processes in place for providing individuals' access to their personal information. A subject access request (SAR) is a request for access to the personal information that the Irish Society for Colitis & Crohn’s disease holds about you, which we are required to provide under the General Data Protection Regulation (GDPR) unless an exemption applies.
Under GDPR your other rights include :
- to have inaccuracies corrected
- to have information erased
- to know data retention period
- to object to direct marketing
- to restrict the processing of your information, including automated decision-making
- data portability
You can make any request in writing to the:
Crohn's & Colitis Ireland,
Carmichael Centre for Voluntary Groups
North Brunswick Street
Where requested, we will provide the following information:
- The purposes of the processing of your personal data;
- What kind of personal data is stored;
- Where this data is stored;
- How long your data is stored.
Your request will be completed in 30 days