Privacy Statement
You will find some materials relating to GDPR at the bottom of this page under the heading ‘Data Protection Resources’.
The Alzheimer Society of Ireland (The ASI) is a company limited by guarantee and a registered charity in the Republic of Ireland (Registered charity number 20018238).
The ASI works within communities across the country providing dementia-related services such as day care, day care at home, home care, social clubs, Alzheimer cafés, dementia advisors, community engagement and a national helpline. The ASI also advocates for the rights and needs of all people living with dementia and their carers or families. The ASI processes personal data (identifying information) and special category personal data (more sensitive data such as health information) to carry out this work. The ASI also operate additional departments such as training, research, fundraising, direct marketing, office administration, finance, risk & compliance, HR and administration including payroll and recruitment. The ASI manages relationships with corporate partners, contractors, volunteers, partner organisations, and liaises closely with the HSE, its main funding body.
The ASI processes personal data about employees, service users and their carers/family members/representatives, volunteers, donors, advocates, supporters, contractors, suppliers and employees in other health & social care providers, sponsor companies or partner organisations. ASI does not engage in automated decision-making.
The ASI processes different types of data depending on how and why you are interacting with us.
Purpose
|
Categories of data processed
|
---|---|
Health & Social care provision | Health data, contact names, addresses, telephone numbers, email, photograph, attendance records, and regular update reports for carers. |
Helpline | Contact names, addresses, telephone numbers, emails, and health data. |
Advocacy & Communications | Contact names, addresses, telephone numbers, email, social media identifiers, photographs, videos, and health data. |
Training | Contact names, addresses, email, assignments, training records, health data. |
Research | Contact names, addresses, telephone numbers, email, health data. |
Finance | Contact names, contact details, tax identifiers (e.g. PPSNs for employees / VAT number for service providers), bank details, timesheets, data associated with accounts receivable or accounts payable |
Corporate, Risk & Administration | Contact names, contact details, PPSNs for Board members, health data, locations, job titles |
Direct Marketing & Fundraising | Contact names, contact details, PPSNs for donors, bank details, health data (for event participants on occasion) |
Human Resources | Contact names, contact details, PPSNs for employees, CE scheme data, attendance/leave records, staff ID numbers, bank details, training records, references, CVs, Garda vetting information, passports, medical certificates and occupational health data |
Safety & Security | Occupational health data, accident & incident reports, safeguarding information, location data and CCTV footage |
Website management | Google Analytics data including IP addresses (see cookie policy), contact names, contact details and bank details if donation or ASI shop purchase made online. Social media Handles/profiles and postings to ASI platforms |
We receive data about you when: you apply for a position or come to work for ASI; you or your carer contact us to request you become a service user; a health or social care professional shares data with us by way of a referral; when you contact us to become a volunteer, donor, training course participant or advocate; when we complete a business transaction with you as a supplier of products/services; or as a customer of our online shop. We may have your personal data because your company or organisation has entered a partnership with ASI. In some circumstances data is publicly available and it is reasonable that an organisation such as ASI would process it, for example, if you are a journalist, medical expert, academic, politician, business leader, high net worth individual or celebrity
In each instance that ASI processes your personal data and/or special category personal data it is reliant on one of the following legal grounds depending upon how or why you are interacting with us. Under GDPR there are six distinct legal basis for the processing of personal data (Art. 6) and a further ten distinct legal basis for the processing of special category personal data e.g. more sensitive information such as health (Art. 9). ASI decides which legal basis is most suitable to align with each act of processing as set out below.
Purpose
|
Legal basis
|
---|---|
Health & Social care provision | Legitimate interests
Legal Obligation |
Helpline | Legitimate interests (Art.6)
● It is in the interests of ASI to provide a national helpline to provide support and information to persons with dementia and their families and carers. Compliance with a legal obligation (Art.6) Vital Interests (Art. 9) Provision of health and social care (Art. 9) Association/Not-for-profit organisation (Art. 9) |
Advocacy & Communications | Legitimate interests (Art.6)
● It is in the interests of ASI to promote the human rights and philosophical message of the charity across various media, through lobbying to secure change or developing partnership relationships. Consent (can be withdrawn at any time) Compliance with a legal obligation (Art.6) Explicit consent (can be withdrawn at any time) (Art.9) Association / Not-for-profit organisation (Art. 9) Data made public by the individual (Art.9) Archiving in the public interest / historical research (Art.9) |
Training | Legitimate interests (Art.6)
● It is in the interests of ASI to efficiently and effectively provide suitable training courses for our staff and for carers and family members of people with dementia. Necessary for execution of a contract (Art.6) Consent (can be withdrawn at any time) (Art.6) Data made public by the individual (Art.9) Explicit consent (can be withdrawn at any time) (Art.9) Association / Not-for-profit organisation (Art.9) Vital Interests (Art. 9) |
Research | Consent (can be withdrawn at any time) (Art.6)
Necessary for execution of a contract (Art.6) Legitimate interests (Art.6) ● It is in the interests of ASI to conduct research with ASI service-related data to formulate evidence-based policies. It is in the interests of ASI to collaborate with select external academic researchers, although research participant data is not shared with ASI. Compliance with a legal obligation (Art.6) Data made public by the individual (Art.6) Explicit consent (can be withdrawn at any time) (Art. 9) Vital Interests (Art. 9) |
Finance | Legitimate interests (Art.6)
● It is in the interests of the ASI to process information for general administration and audit compliance with accounting or revenue requirements. Compliance with a legal obligation (Art.6) Necessary for execution of a contract (Art.6) Employment law and social security (Art. 9) Defence of legal claims (Art.9) Provision of health and social care (Art.9) Explicit consent (can be withdrawn at any time) (Art 9) |
Direct Marketing & Fundraising | Compliance with a legal obligation (Art.6)
Consent (can be withdrawn at any time) (Art. 6) Legitimate interests (Art.6) ● It is in the interests of ASI to produce annual reports, strategic plans and other corporate policies, handle post, manage branch membership, compile and retain audit reports and other such documentation. Necessary for execution of a contract (Art.6) Explicit consent (can be withdrawn at any time) (Art.9) Provision of health and social care (Art.9) Exercise or defence of legal claims (Art.9) |
Fundraising | Consent (can be withdrawn at any time) (Art.6)
Compliance with a legal obligation (Art.6) Necessary for execution of a contract (Art.6) Legitimate interests (Art.6) ● It is in the interests of ASI to engage in postal direct marketing or develop sponsorship/partnership relationships. Association / Not-for-profit organisation (Art. 9) |
Human Resources | Necessary for execution of a contract (Art.6)
Compliance with a legal obligation (Art.6) Legitimate Interests (Art.6) ● It is in the interests of ASI to efficiently and effectively manage staff and ensure compliance with duties of care and other obligations. Field of employment law & social security legislation (Art. 9) Assessment of the working capacity of the employee (Art. 9) Association / Not-for-profit (Art.9) Vital Interests (Art. 9) Defence of legal claims (Art.9) Made public by the data subject (Art.9) |
Safety & Security | Legitimate Interests (Art.6)
● It is in the interests of the organisation to install CCTV systems when deemed necessary and proportionate and to process data about health and safety issues for the purposes of seeking legal advice or insurance risk assessments Compliance with a legal obligation (Art. 9) Defence of legal claims (Art. 9) Vital Interests (Art. 9) |
Online Management | Consent (can be withdrawn at any time) (Art.6)
Compliance with a legal obligation (Art 6) Necessary for execution of a contract (Art.6) Explicit consent (can be withdrawn at any time (Art.9) Data made public by the individual (Art.9) |
Individuals who engage with ASI fundraising, and potentially other departments, are automatically included in the charity’s direct marketing postal programme. To receive digital marketing materials or phone calls individuals must opt-in when invited. For operational purposes ASI may phone a donor if an issue arises around their donation. ASI provides opt-out/unsubscribe contact details on every electronic and postal communication in order to manage consent preferences. From time-to-time ASI fundraising engages in profiling using basic geo-demographic and/or other information which may indicate an individuals’ capacity to give. In addition, “wealth screening” may be conducted using publicly available information.
ASI keeps personal data and special category personal data for a range of periods. The ASI retention schedule, which is reviewed annually, details current policies which are based on:
● Statutory obligations such as requirements issued by Revenue.ie for financial records to be retained (6 years)
● Contractual obligations such as requirements from the HSE under service level agreements for client records to be retained (8 year from last contact);
● Quality assurance / best practice obligations set by state entities or regulatory bodies such as requirements under Health & Safety legislation to retain incident records (10 years);
● ASI’s view that retention is necessary for the original purpose or a compatible purpose such as retaining training records for an external individual (5 years from completion of last training module);
● For reasonable periods after the conclusion of engagements for quality assurance and risk management purposes such as ASI QSPD audits of ASI service locations (10 years).
On a case-by-case basis, records may be retained for longer where they are required for actual or potential legal actions or the management or mitigation of operational or strategic risks to the organisation. Where records are subject to this kind of review the ongoing retention will be assessed annually.
Sector leader service providers have been contracted and ASI data, in digital form, is stored in data centres in Ireland. All back up servers are located inside the EU. ASI IT oversee key security and usage procedures and policies relating to information security and devise clear instructions for staff. Cross border data transfers are limited in number but ASI does utilise several platforms, for example Meta / Facebook, which engage in data transfers from the EU to the US. ASI may also on occasion link with third party services such as fundraising platforms which also carry out international transfers. Individuals are encouraged to read and be satisfied with the privacy policies of each specific entity before providing their data. Hard copy records are also maintained by ASI. All sensitive files are stored in locked cabinets and secure rooms with restricted access.
In the context of service provision, ASI may share your data with external health or social care professionals or a relevant medical facility, including with HSE staff, in order for you to receive the best standard of care. We may be legally obliged to share your data with state entities, e.g. for employment or financial compliance. Relevant categories of recipients may include the tax authorities, government departments, law enforcement and regulatory bodies. ASI receives HSE funding under Section 39 of the Health Act 2004 and as a result may be contractually obliged to share certain data. ASI will always prioritise your privacy by considering whether the sharing of pseudonymised or anonymised data would be sufficient in the circumstances. ASI also contracts third party service providers to manage and store personal data. These situations are managed by data processor agreements which contain clear contractual safeguards. Finally, it should be noted that ASI staff are trained to respond in an emergency. If they believe you could be in danger they will share your personal data to ensure your safety.
Individuals have rights over their personal data under EU and Irish Data Protection law. These rights are not absolute, and qualifications or restrictions can apply. The most exercised right by individuals is the right of access. This is the making of a request by a data subject, which gives them the right to obtain – subject to certain restrictions provided for under the GDPR and the DPA 2018 – access to, and copies of, their own personal data, and other relevant information, free of charge and in an accessible form. A data controller must ensure that individuals whose data they are processing are facilitated in lodging access requests. A data controller must provide a response to an access request in a certain manner and within a certain time.
In summary, the rights that can be exercised by data subjects under data protection law also include: the right to be informed; right to rectification; right to be forgotten / erasure; right to restrict processing; right to object; right not to be subject to automated decision making and/or profiling; right to portability and the right to withdraw consent at any time. ASI is committed to helping individuals exercise their rights over their own data. Please contact the ASI DPO as set out below to exercise any of these rights or for further information. If you believe your data privacy rights have been infringed by ASI, you have the right to make a complaint to the Data Protection Commission using the contact details below. It may also be possible to seek compensation through the courts.
You can contact the ASI DPO by email: [email protected] or by post: DPO, Alzheimer Society of Ireland, National Office, Temple Road, Blackrock, Co. Dublin, A94 N8Y0. Telephone: (01) 2073800
You can contact the Irish data protection regulator, the Data Protection Commission by webform on its website www.dataprotection.ie by email: [email protected] or by post: 21 Fitzwilliam Square South, Dublin 2, D02 RD28 and Canal House, Station Road, Portarlington, Co. Laois, R32 AP23. Telephone (01) 765 01 00/1800 437 737
The ASI updates this main Privacy Statement periodically. Updates will be made available and, where appropriate, notified to you. Privacy Notice dated: October 2024