Mid-West Spina Bifida & Hydrocephalus Association
Data Protection/Privacy Policy
Last Updated: 14/09/2018
Introduction
In this Privacy Policy, we explain how we collect personal information about you, how we use it and how you can engage with us about it.
Please be assured that the personal information you provide to us will be held legally, securely and in a compliant manner and that your information can only be accessed by those who require it for the delivery of our services.
Enquiries about this Data Protection Policy should be made to: Mid-West Spina Bifida Association, Delta Retail Park, Ballysimon Road, Limerick. Tel: 061 439990 or Mobile: 087 737 8875 or email: info@spinabifida.ie
We collect and use personal data information to provide the following services:
- The provision of Members Services which includes Physiotherapy, School visits and communications with Medical Professionals to meet our members' needs according to the ethos of MWSB.
- To get and retain Clear and Opt-In Consent for the Clinical treatment of our members
The Provision of services to our Employees & Suppliers
- Customer Service, Enquiry Responses, Quotations and other follow up Information on your request
- To manage vendor accounts and for accounting (payment) purposes
- To comply with Regulations and Statutory Obligations
- To comply with requirements imposed by HSE, Charity Regulator and other mandatory government regulations
- To provide personnel, payroll and pension administration services in connection with our employees
- For provision of the enforcement of legal rights for the protection of both our interests
- For provision of Billing, Payment, Remittance or receipt/payment of money on your behalf
The Specific Details We Collect
- First Name, Last Name
- Contact information including email address and telephone number
- Company Role if Applicable
- Company or Home Address and Billing address
- Sign up time and date
- Banking Details (but we do not store sensitive payment data)
Sharing of Personal Data
The policy of Mid-West Spina Bifida Association is not to Share your Personal Data with 3rd Parties.
However – from time to time – we may be required to pass your data to 3rd parties as outlined below.
Please note – this will be clarified to you at the time that the data is collected, and will either be done so as to provide you with a better service – or because it is legally required to do so.
- Specific Office based Staff will have access to your information to provide our members with physiotherapy and family support services including the various activities associated with MWSB Association
- They will also need to access your data to process the required paperwork and undertake the necessary administration such as Clinic appointments and cancellations/Attendance Logs etc.
- Specific Government Departments or 3rd Party Organisations may receive your data with your consent in relation to issues around the application, funding or payment of courses on your behalf.
- Revenue Commissioners may receive details for tax compliance reasons
- Our Accountants may receive details for Accounting, Audit and Regulatory purposes
Contractor & Third-Party Data Protection Compliance
We expect and actively require any Third Parties with whom we work to be compliant with their legal obligations under Data Protection.
It is our policy to require all contractors (or those who may come into contact with any Personal Data we hold), to show GDPR compliance via self-assessment and audit through our Supplier Data Protection Checklist.
We will store this checklist for the duration of our working relationship with that 3rd party (+ 12 months)
How we keep your Information Safe
IT
- Emails & other Electronic Data are stored in a secure cloud system
- Database is a Cloud Based secure application
- Antivirus Software is used on all IT Systems
- Encryption is enabled on all systems holding Personal Data
- WIFI is secure
Document Storage
- Documents are stored in a locked Office in Individual Covered Files
- Data is managed Safely and not left in areas where non-relevant employees can access
- Any data which might be viewed as in any way sensitive is stored in securely locked cabinets within locked rooms.
Printing
- Printing is completed with Individual Employee Pin Codes to ensure only those who should have access to the printed material do so and only data which Employee A prints is accessible to Employee A
CCTV
- CCTV is in operation facing outwards at the main entrance for security reasons.
- Internally the CCTV is in operation to monitor activity in the various rooms solely for security purposes. Should any intruders enter they would be readily identified.
- Sensitive areas such as rooms for changing and examination are not covered by the CCTV Cameras.
Data Disposal
- It is our policy to engage with a GDPR Compliant Professional Shredding Company and safely/securely dispose of the Personal Data we hold to ensure compliance – see section on Data disposal
Calls relating to Personal Data
- If you contact us about your information, we may need to ask you to identify yourself and furnish proof of identity – this is to help protect your information.
How long do we keep your personal data?
- General Data Retention Policy (Members)
- General Data Retention Policy (Contractors/Trainers/Vendors): We retain personal data of the above for the duration of working relationship (+12 months)
- Legal Obligations: NERA & Revenue – 6 Years
What is the legal basis on which we gather and hold your information?
- Performance of a contract
- Legal obligation
- Protecting the vital interests of you or others
- Public interest
- Our legitimate interests
- Your consent
Disposal of Personal Data
Once the period of stated storage is complete or based on a Request to delete personal data (presuming we have no legal or statutory obligation to retain it) – it is our policy to have your personal data securely disposed of – through 3 monthly scheduled contracts with our professional shredding company.
Data will be securely deleted from the following media:
- Paper Based Files
- CRM & Database Systems
- Electronic Storage – including Hard Disks, External Hard Drives, Memory Sticks & Email
- Back-up Data will be deleted also in relation to these files.
Consent
Regarding our members only, sometimes we need your consent to use your personal information. This would already have been agreed by you (our Member) by signing various consent forms which you have previously filled in. We plan to contact you soon to update these consent forms. In the meantime, should you ever wish to change your mind, please feel free to let us know and we will update our records accordingly.
It is our policy to keep, in as far as is possible, a documented record of this consent.
What happens if things go wrong?
The DPO will conduct regular inspections and maintain a systematic audit schedule to monitor compliance and
The Mid-West Spina Bifida Association will actively record and report any Breaches in relation to Data Protection.
Any employee, client or 3rd party can alert the DPO to the breach, who will update the Breach Log before identifying the breach type and evaluating any risk associated with the breach.
Where there is a possibility of risk, and where the personal data breached is neither Encrypted nor Anonymised, the DPO will report the breach to the DPC. Depending on the severity/urgency of the risk – the DPO may also notify the data subject. This will be done as soon as possible – and within the required 72-hour limit.
Your Data Rights
You can exercise your rights by contacting us on 061 439990, emailing us at info@spinabifida.ie or calling into our Office – Mid-West Spina Bifida & Hydrocephalus Association, Delta Retail Park, Ballysimon Road, Limerick.
Whenever you contact us to ask about your information, we may ask you to identify yourself. This is to help protect your information.
Your right to obtain information cannot adversely affect the rights and freedoms of others. Therefore, we cannot provide information on other people without consent. (See Sharing of Data for further details)
We generally do not charge you when you contact us to ask about your information. However, if requests are deemed excessive or manifestly unfounded, we may charge a reasonable fee to cover the additional administrative costs or choose to refuse the requests.
Your information rights and how we can help ensure that you are aware of these rights, how you can exercise these rights and how we intend to deliver on your requests.
- You can ask us for a copy of the personal information we hold and further details about how we collect, share and use your personal information
- If you want to update or correct any of your personal details, please contact us on 061 439990, emailing us at info@spinabifida.ie or calling into our Office – Mid-West Spina Bifida & Hydrocephalus Association, Delta Retail Park, Ballysimon Road, Limerick.
- Please be aware that you can change your mind wherever you have given us your consent, such as for direct marketing or processing your information.
- You may have the right to restrict or object to us processing your personal information. We will require your consent to further process this information once restricted. You can request restriction of processing where:
- The personal data is inaccurate, and you request restriction while we verify the accuracy
- The processing of your personal data is unlawful
- You oppose the erasure of the data, requesting restriction of processing instead
- You require the data for the establishment, exercise or defence of legal claims but we no longer require the data for processing
- You disagree with the legitimate interest legal basis and processing is restricted until the legitimate basis is verified.
You may ask us to delete your personal information or we may delete your personal information under the following conditions:
- The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
- You withdraw your consent where there is no other legal ground for the processing
- You withdraw your consent for direct marketing purposes
- You withdraw your consent for processing a child’s data
- You object to automated decision making
- The personal data have been unlawfully processed
- The personal data must be erased for compliance with a legal obligation
- You declare to us that you are no longer a client of ours
Data Protection Feedback, Further Information & Complaints
If you have a complaint about the use of your personal information, please let a member of staff in our Office know, giving them the opportunity to put things right as quickly as possible. If you wish to make a complaint you may do so in person, by phone, in writing and by email. We will fully investigate all the complaints we receive. We ask that you supply as much information as possible to help us resolve your complaint quickly.
You can also contact the Office of the Data Protection Commissioner in Ireland on the below details:
Visit their website www.dataprotection.ie.
Email info@dataprotection.ie
Phone on +353 (0)57 8684800 or +353 (0)761 104 800
Write to Data Protection Office, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23. Or 21 Fitzwilliam Square, Dublin 2, D02 RD28, Ireland.
This Data Protection Policy will be reviewed regularly considering any legislative or other relevant developments.
We will inform you of any changes to our Privacy Policy in the future.