Data Protection – Fair Processing Notice – Operations (Services)

Who are we? The Alzheimer Society of Ireland (ASI) is a company limited by guarantee and a registered charity in the Republic of Ireland (CHY 7868).

What do we do? ASI works within communities across the country providing dementia related services such as day care, home care, respite, dementia advisors, support groups, social clubs and a national helpline. We process personal data (identifying information) and special category personal data (more sensitive data such as health information) to carry out this work. 

Who do we process data about? ASI processes data about service users and their carers/family members/representatives in order to provide health and social care services. 

What kind of data is processed by us? ASI processes personal data and special category personal data for the purpose of providing health and social care services. We will process all or some of the following data to create a service user file: Contact name, address, telephone number, email, health data, details for carer/family member/representative, photographs, life stories, attendance records, update reports for carers and details of payments (if relevant). For safety reasons, we will document any incident or accident. We may capture your image if a CCTV security system is in place at an ASI managed location. 

Where did we get your data from? We get your data when you or your carer, family member or representative, contact ASI to request that you become a service user. A health or social care professional may share your data with ASI by way of a referral. 

How do we process your data legally? In order to provide health and social care services: 

• ASI processes personal data on the legal basis of legitimate interests. (Article 6.1.f GDPR) It is within the legitimate interests pursued by ASI to efficiently and effectively manage our provision of health and social care for service users and their carers while ensuring compliance with duties of care and other obligations. 
• ASI processes personal data on the legal basis of a statutory obligation to which the data controller is subject. (Article 6.1.c GDPR) This occurs when a law dictates the processing of personal data. 
• ASI processes personal data or special category personal data on the legal basis of protecting the vital interests of the data subject or another natural person when that person is physically or legally incapable of giving consent.  (Articles 6.1.d & 9.2.c GDPR) This occurs when personal data and/or special category personal data relates to a service user or another relevant individual whose life is in danger.
• ASI processes special category personal data on the legal basis of the provision of health and social care. (Article 9.2.h GDPR) This occurs when the special category personal data solely relates to a service user who is availing of ASI services.
• ASI processes special category personal data on the legal basis of association / not-for-profit organisation. (Article 9.2.d GDPR) This occurs when the special category personal data solely relates to someone other than the service user, e.g. a carer, family member or representative who has regular contact with ASI. This data cannot be shared outside ASI without that individual’s consent.

How long do we retain your data? ASI keeps personal data and special category personal data for a range of periods. Our retention schedule, which is reviewed annually, details our current policies which are based on: 

• Statutory obligations; 
• Contractual obligations; 
• Quality assurance / best practice obligations set by state entities or regulatory bodies;
• Our view that retention is necessary for the original purpose or a compatible purpose; 
• Reasonable periods after the conclusion of engagements, for quality assurance or risk management. 
• On a case by case basis records may be retained for longer where they are required for actual or potential legal actions or the management or mitigation of operational or strategic risks to the organisation. Where records are subject to this kind of review, retention will be assessed annually. 

Where do we keep your data? Service providers contracted by ASI hold personal data in digital form in secure data centres inside the EU/EEA. The ASI IT Security and Usage policy details the internal security provisions in place. Hard copy data is stored in locked cabinets and secure rooms.

Do we share your data? In the context of service provision, we will share your data between ASI staff if you utilise more than one service. We may share your data with external health or social care professionals (e.g. doctors, public health nurses, social workers or physiotherapists) or relevant health or social care facilities in order for you to receive the best standard of care. ASI Dementia advisors are an exception to this as they do not share data with other ASI staff, nor with external health/social care professionals, unless you specifically request it. Legal obligations may dictate that ASI must share your data with state entities e.g. law enforcement or regulatory bodies. ASI receives HSE funding under Section 39 of the Health Act 2004 and as a result may be contractually obliged to share certain personal data. We will always prioritise your privacy by offering pseudonymised or anonymised data if we believe this should be sufficient. We also interface with third party service providers that can access your personal data. These situations are managed by data processor agreements which contain clear contractual safeguards. Finally, it should be noted that our staff are trained to respond in an emergency, or if they believe you could be in danger, and they will share your personal data in order to ensure your safety.

What are your rights? Individuals have rights over their personal data under EU and Irish Data Protection law. These rights are not absolute and qualifications or restrictions can apply. In summary your rights are: Right to be informed; Right of access; Right to rectification; Right to be forgotten/erasure; Right to restrict processing; Right to object; Right not to be subject to automated decision making and/or profiling; Right to portability. You also have the right to make a complaint to the Data Protection Commission [email protected] or to seek compensation through the courts. 

How can you contact the ASI Data Protection Officer? Address: DPO, The Alzheimer Society of Ireland, National Office, Temple Road, Blackrock, Co. Dublin. Email: [email protected]

Ends.