DATA PROTECTION POLICY
The aim of the Data Protection Policy is to promote best practice in data gathering and storage and to ensure that SII respects an individual's fundamental right to privacy. This applies to all personal data of all our clients, employees, donors and volunteers. Throughout this policy clients, employees, donors and volunteers will be referred to as the Data Subject. The Data Subject is an individual who is the subject of personal data. The policy covers the protection of all SII's databases, including manual and computerised personal information, and is governed by the Data Protection Act 1988, as amended in 2003, and the General Data Protection Regulation (GDPR).
In compliance with our obligations under this legislation, it is the policy of SII to ensure that appropriate measures are in place for the collection, storage and access monitoring of personal information. SII, its employees and its volunteers have a responsibility to protect the personal information of all individuals they engage with, and any personal information they encounter in the course of their duties.
It is SII’s policy to ensure that information collected on our Data Subjects will be in accordance with data protection principles and we will:
- Obtain and process information fairly
- Keep it only for one or more specified, explicit and lawful purposes
- Use and disclose it only in ways compatible with these purposes
- Keep it safe and secure
- Keep it accurate, complete and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it for no longer than is necessary for the purpose or purposes
- Give a copy of his/her personal data to an individual, on request
All information is collected and processed lawfully, fairly and in a transparent manner. It is collected for the specified and legitimate purpose of providing support services to SII members who have sustained a spinal cord injury and to their families. Information is also collected on volunteers who support the SII Activities programme and fundraising campaigns by volunteering at various events, and on individuals who have made donations, purchased tickets for events or otherwise supported SII.
Information collected and recorded must comply with the procedures on data protection established under this policy. SII's Data Subjects are informed of the gathering and recording of their personal data, and their consent for SII to hold personal information is sought as a matter of priority. For SII clients, written consent is required at the point of access to our supports and services. For children (under the age of 18), written consent is required from a parent or an authorised holder of parental responsibility for the child. Volunteers' information is collected as part of the volunteer vetting and induction process. Donors will be advised that their donation will be recorded for audit purposes and retained on SII's donor database.
SII's Community Outreach Team may collect sensitive personal data about an individual's health when he/she speaks to, emails or sends enquiries to them. This information will be used to answer questions and to give advice or support.
SII does not collect sensitive personal data relating to convictions, offences or related security measures for service users. SII does have a legal basis to require employees and volunteers to complete the Garda Vetting process prior to employment, engagement or volunteering in activities that involve service users, including children. This is in line with HSE and NRH requirements and the National Vetting Bureau (Children and Vulnerable Persons) Acts 2012 to 2016. Garda Vetting is carried out through an online process using a third-party agency, Walk, which is authorised to administer Garda Vetting on behalf of SII. Walk forwards the completed Garda Vetting Certificate to the nominated person in SII (the Operations Manager). All Garda Vetting Certificates are kept in a locked cabinet to which only the Operations Manager and the CEO have access.
SII strives to ensure that all data is accurate and kept up to date, and makes all reasonable efforts to ensure that any inaccurate data is erased or rectified without delay. Data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
SII does not obtain personal data from any source other than the Data Subject. Should personal data nonetheless be obtained from another source, SII will provide the Data Subject with the identity of the Controller or Data Protection Officer (where appropriate), the purpose of the processing for which the personal data is intended and the legal basis for the processing.
SII collects data and information for the following purposes:
- Clients: to monitor service use and to profile common issues arising among our clients, as well as to use data for service evaluation and development, statistical and policy analysis, research and funding. Information retained includes contact details, service use records and non-clinical injury details for statistical analysis.
- Employees: attendance and attendance-related records, appraisal and performance details, contact and next of kin details, payroll and data required for statutory purposes.
- Donors: contact details and records of payments, contributions and donations for audit, statutory and fundraising purposes.
- Volunteers: contact details, activity participation and related records, and data required for statutory purposes, including Garda Vetting certificates.
SII takes precautions, including organisational, technical and physical measures, to help safeguard against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the personal data we process or use. All SII databases are password protected and only authorised employees and Garda Vetted volunteers are allowed access to their content. Employees are responsible for the use of the facilities granted in their name and will be held responsible for any abuse carried out using their name and password.
Database access controls are in place and each employee is allocated access based on their job role.
To maintain maximum protection, employees should change their password on a regular basis and make it difficult to guess. Above all, it is the responsibility of each employee to protect the privacy of their password: do not share it with anyone, write it down or give it out over the phone.
Sharing of passwords is a serious breach of data security and will result in disciplinary action against the employee involved. Any employee who suspects that their password has been compromised should immediately change it and notify their manager and the IT department. Do not leave your computer unattended without securing the session by logging off.
SII will ensure that information is not put to any use other than the original purpose for which it was gathered and for which consent was given. This policy will ensure that SII's clients' rights under the law are upheld by:
- Ensuring that individuals are made aware of their right to be informed that information is being collected, who is collecting it and the purpose for which it is
- Ensuring that an individual's written consent is obtained prior to their personal data being recorded and held. In the case of children and young persons, a parent or guardian can give consent on behalf of the child or young person.
- Not selling, trading or otherwise transferring personally identifiable information to outside parties. Information will only be shared with selected third-party service providers contracted by SII to assist in issuing print media and fundraising campaigns. Information will not be shared with any other organisation, other than with the Data Subject's permission or where required by law.
Data entry and retrieval of computerised information is controlled and allocated on a needs basis. Changes to an employee's access level require departmental management approval.
- Community Outreach Officers have access to all client data.
- Resource Centre Co-ordinators and Garda vetted volunteers have restricted access to client information.
- Administration Management has access to all records for statistical data gathering, performance analysis and system
SII employees should access records only as required in the performance of their duties. Access to records for non-work related reasons is strictly prohibited. Employees should not share data with other employees unless it is in the performance of their employment duties, and should not share data with any third party unless the Data Subject has given consent and the disclosure has been approved in advance by the employee's manager.
Client information cannot be passed to any external agency unless the request is received in writing, the client has given written consent in advance and the disclosure has been approved in advance by the employee's manager. The written agency request, the client's written consent and a record of the data disclosed must be retained. Confidential material should not be sent by email unless it is encrypted.
A small amount of limited personal use of phone, e-mail and internet facilities is permitted if such use does not otherwise infringe on the daily business of SII or infringe on SII’s Data Protection Policy. Refer to Section 19.0 IT & Communication, Email & Internet Policy for further details.
To support SII's business management and reputation and to facilitate data protection compliance, user activity is monitored on the Client, Donor and Volunteer Databases, Computer Network, E-Mail, Internet, Internal Phone System and Business Mobiles. Monitoring will be proportionate and balanced between protecting SII against risk and the legitimate privacy of employees.
To ensure fair processing and access to client, donor and volunteer data, user activity will be recorded to facilitate compliance, process review and for audit purposes.
The IT department does not normally read an employee’s emails or open email boxes or data folders except:
- Where the screening software or a complaint from an individual indicates that a particular mailbox or folder contains material which is dangerous or
- Where a legitimate business reason exists to open the email or folder
Opening an employee’s email or folder requires authorisation by the employee’s manager on a case by case basis. The email, hard disk, network drive and relevant backups may be accessed. Refer to Section 19.0 IT & Communication, Email & Internet Policy for further details.
Network resources such as storage space and capacity to carry traffic are not unlimited and are therefore monitored to ensure SII gets the maximum benefit from the resources available. Refer to Section 19.0 IT & Communication, Email & Internet Policy for further details.
To maximise resources and ensure cost effectiveness, SII's internal incoming and outgoing calls and business mobile phone calls are regularly checked. Refer to Section 19.0 IT & Communication, Email & Internet Policy for further details.
Data will be retained for no longer than is necessary for the purpose for which it was collected, as outlined below. The removal of database records is the responsibility of the IT department.
Client data will be retained until the client requests its removal or is deceased, at which point the client is marked as deceased and removed from the active database.
Employee records will be retained in accordance with SII's statutory requirements. Recruitment records for unsuccessful candidates will be retained for a period of 12 months.
Donor contact details will be retained for a period of three years or for as long as the donor continues to donate to SII. Payment, contribution and donation records will be retained in accordance with audit and statutory requirements.
Volunteer records will be retained in accordance with SII's statutory requirements. When the volunteer period ends, records will be retained for a period of 12 months.
Every individual has the right to have any inaccurate information rectified or erased, and to have their personal data taken off a direct Mail, Email or SMS Text list. All direct Mail, Email or SMS Text messages sent will contain an option for the recipient to 'Unsubscribe'.
Right To Be Forgotten
Individuals also have the right to be forgotten and to restrict the use of personal data in certain circumstances.
An individual is entitled to request the removal of all their personal data retained by SII. An individual making a request to have their personal information removed must:
- Apply to the CEO of SII in writing
- Give any details which might be needed to help SII identify him or her and locate all the information SII may hold
An individual is entitled to request a copy of all their personal data retained by SII. Access by an individual to information about a third party will not be allowed under this policy without the express consent of that third party.
The individual is entitled to:
- A copy of the data
- A description of the purposes for which it is held
- A description of those to whom the data may be disclosed (if applicable)
- The source of the data
- Where the data is stored