Data Protection Regulations
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation on data protection and privacy for all individuals within the European Union. It came into force across the European Union on 25 May 2018.
This page includes information about the GDPR and how it may affect you where there are circumstances that the Irish Patients' Association (hereinafter referred to as the IPA) collects, holds and processes your personal data.
For more information about GDPR please visit www.dataprotection.ie or click the following link:
What does 'personal data' mean?
The term 'personal data' means any information concerning or relating to an living person who is either identified or identifiable (such a person is referred to as a 'data subject'). This could include your name, your address, your phone number, your email address, birth date or any form of identification, or online identifiers (such as IP address on the Internet).
The IPA provides independent advocacy supports to people who require information from us, or who may require our help in a variety of circumstances. Ordinarily, people who contact us are using (or have used) health services in Ireland, or they may be care-givers (carers) or parents/guardians of people who are using, or have used, health services in Ireland.
We collect, hold and process information, including some personal data about you. This allows us to provide our services to you more effectively. We understand that your personal data is important to you, and we have a responsibility to you regarding the information we hold about you, to ensure that the information we collect and use is done so proportionately, correctly and safely. We are committed to safeguarding your privacy and here we explain how we will handle your personal information.
Reasons why the IPA processes your data
We collect, hold and use personal data received about you to enable us to provide services to you.
The information about you, or the person you care for, normally comes from you directly. Some examples of how we receive such information include when you complete our online contact form for independent advocacy support, or if you email or text or phone us directly. The amount and type of information we hold on you depends on the services we are providing to you.
What data does the IPA collect?
The personal information the IPA collects might include names, e-mail addresses, postal addresses, telephone numbers and the nature of your enquiry. We may also collect sensitive personal information such as date of birth, ethnicity and other information required, and information about your advocacy needs, which may include details of a personal nature, if this is required for the purpose you have contacted the IPA.
Phone Calls To The IPA:
The IPA does not audio record or retain audio recordings of phone conversations.
Where an individual contacts the IPA by phone, caller numbers are stored in the IPA for a limited period of time in a list of contacts and inbound and outbound calls, but no further processing of this data (caller numbers) is carried out by the IPA.
During the course of dealing with a query, complaint or other matter, the IPA may record personal data received by it during the course of phone calls in the form of notes made on the relevant case file.
Phone Messages to the IPA (e.g. texts, WhatsApp etc.)
All phone messages sent to the IPA are recorded, forwarded to the relevant section of the IPA and are stored for the purposes of the matter/case file to which the message relates. The sender’s phone number and identification will remain visible to all staff or volunteers tasked with dealing with the query. Please be aware that it is the sender’s responsibility to ensure that the content of their messages does not infringe the law. Unsolicited unlawful material, together with the details of the sender, may be reported to An Garda Síochána and/or other relevant authorities and further emails from such recipients may be blocked.
Emails to the IPA:
All emails sent to the IPA are recorded, forwarded to the relevant section of the IPA and are stored for the purposes of the matter/case file to which the email relates. The sender’s email address will remain visible to all staff or volunteers tasked with dealing with the query. Please be aware that it is the sender’s responsibility to ensure that the content of their emails does not infringe the law. Unsolicited unlawful material, together with the details of the sender, may be reported to An Garda Síochána and/or other relevant authorities and further emails from such recipients may be blocked.
Postage to the IPA:
All post received by the IPA is scanned, forwarded to the relevant section of the IPA and stored for the purpose of the matter to which the post item relates. Original hard copy versions of post items are retained for a period of six weeks and are then confidentially destroyed thereafter.
In addition to the scanned version of post items retained by the relevant section of the IPA, a master scanned copy of all post received is retained for a period of 12 months.
The IPA also receives personal data through its social media interactions on Twitter, LinkedIn, Facebook and Instagram, for example. The IPA operates social media accounts on these platforms in support of its functions (under Article 57, GDPR) to promote awareness of, and compliance, with patient advocacy and related matters. Messages or posts received by the IPA on these social media platforms are viewed by the IPA team. The personal data contained in the messages/posts may be logged or stored on a cloud based secure database, with consent, for up to 12 months.
Unsolicited unlawful material sent to us, or of which we are tagged in, together with the details of the sender, may be reported to An Garda Síochána and/or other relevant authorities and further emails from such recipients may be blocked.
What do the IPA use this data for?
If you have contacted us for advocacy support directly we will only use the information provided to help us work with you. We may also use the information to assist us to monitor the quality of our service.
Data Protection Principles
When we process your personal data we will do so in accordance with the data protection principles.
These principles are designed to protect you, and are as follows:
Lawful, Fair and Transparent Processing
Specified and Lawful Purpose
Minimisation of Processing
Security and Confidentiality
Liability and Accountability
We ensure that we will:
process your information lawfully, fairly and in a transparent manner
use your information for a specified, explicit and legitimate purpose and not further processed in a manner that is incompatible with that purpose
only obtain adequate, relevant and limited information to allow us to carry-out the purpose for which it was obtained
ensure the information we hold about you is accurate and, where necessary, kept up to date
keep any information for no longer than necessary for the purposes for which it was collected
process your information in a manner that ensures appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
be responsible and accountable for handling, processing and collecting your data
What is the legal basis for processing the information?
The processing of ‘personal data’ needs to be done ‘lawfully’. There needs to be a ‘legal basis’ for processing the data. There are a number of conditions that, if they apply, means that the data is being processed ‘lawfully’. However, there are some exemptions to this.
For a more detailed explanation of the ‘legal basis’ for processing data and the principles of data protection click here
You have given consent to the processing of your personal data for one or more specific purposes.
Processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. Processing is necessary for compliance with a legal obligation to which we are subject. Processing is necessary to protect your vital interests or the vital interests of another natural person. Processing is necessary for the performance of a task carried out in the public interest and processing is necessary for the purposes of legitimate interests.
Obtaining your consent
There are some circumstances where it is necessary for us to obtain your consent to collect, hold and process your personal data. This will be when we need the personal data to help us to deliver a service to you. This will normally be where we are providing independent advocacy support to you. You will normally be asked for your consent at the time that you contact us online.
In these circumstances your consent to process your personal data must be ‘specific, informed, active and affirmative’. This means that your consent must be clear and freely given by you after we explain what further processing we would like to do with your data. This means that you can make an informed decision about whether you consent to the processing or not.
You are in control and you can withdraw your consent at any stage by contacting the Data Protection Officer in the 'Details' section below. Please note that any processing that has taken place up to the time that you withdraw consent will be considered lawful.
Recording and managing your consent
Once your consent is obtained we will keep a record of when you gave your consent, the information that was provided to you and how you consented. Your consent will be reviewed periodically to ensure it remains appropriate, and, as previously stated, you have the right to withdraw your consent at any stage.
You have certain rights in relation to the personal information the IPA hold about you. These may include:
Right to be informed – you have a right to be told how we use your personal data. We communicate the right to be informed via this privacy notice.
Right of access – you have the right to request a copy of the information that we hold about you.
Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
Right to erasure (right to be forgotten) – in certain circumstances you can ask for the data we hold about you to be erased from our records.
Right to restrict processing – where certain conditions apply to have a right to restrict the processing.
Right of data portability – you have the right to have the data we hold about you transferred to another organisation.
Right to object – you have the right to object to certain types of processing such as direct marketing, the performance of a legal task and scientific or historical research.
Right to object to automated processing, including profiling.
The right to withdraw consent – If the legal basis for our processing of your personal information is consent then you have the right to withdraw that consent at any time.
There are circumstances where your rights will not apply, for example the right to erasure will not apply if your personal data is required for legal proceedings.
To fully understand your rights please use the following link:
Not all of these rights will necessarily apply to the personal data that the IPA holds. We do not use your personal data for direct marketing or research. We do not use your personal data for profiling purposes.
How to exercise your rights
You may exercise any of your rights in relation to your personal data by emailing us at email@example.com and including details of your Subject Access Request. We will respond to your request within 30 days.
We will only retain your personal data for as long as necessary and in accordance with our retention schedule. When your personal data is no longer needed it will be securely deleted, except where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another person.
Any information that we collect and process about you is stored and transmitted within the European Economic Area only. Your personal information is stored online on a Cloud based secure server systems architecture.
We take the security of your personal data very seriously and have systems in place to make sure that the personal information is kept secure, accurate, and current. We will only hold your personal information for as long as is necessary for the purposes for which it was collected and it will be deleted in accordance with our data retention schedule.
We will not share your information with other parties other than for the purposes of providing the service you have contacted us about. If we do share your information, we will ensure you have provided written consent to enable us to do this, for example when a service transfers to another provider, or if you have agreed specific information can be used for a particular purpose.
What is a cookie?
A cookie is a small text file that may be stored on your computer or mobile device that contains data related to a website you visit. It may allow a website “remember” your actions or preferences over a period of time, or it may contain data related to the function or delivery of the site. Cookies can be set by the owner of the website or in some cases by third party services the website owner allows to present other information, run content or provide other functionality such as analytics.
You can adjust your cookie settings at any time using the 'Cookies Settings' box on the bottom of the screen on this website.
How are Cookies used on this site?
By clicking on buttons or links to third party sites or services, you will be redirected to an external site, which has its own cookie and privacy policies over which we have no control.
Within your browser you can choose whether you wish to accept cookies or not. Different browsers make different controls available to you and so we provide links below to popular manufacturers' instructions on how you can do this. Generally, your browser will offer you the choice to accept, refuse or delete cookies at all times, or those from providers that website owners use ("third party cookies"), or those from specific websites.
We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law. When such changes occur, we will revise the “last updated” date at the top of this notice.
The IPA's Data Protection Officer can be contacted as follows:
Attn of: Data Protection Officer
Subject: Query about Personal Data
If you wish to make a complaint about how we process your personal data, then in the first instance please contact the Data Protection Officer in the ‘Our details’ section above.
If you are still dissatisfied with how we have handled your complaint then you have the right to complain to the Data Protection Commissioner (DPC).
The DPC can be contacted as follows:
The Data Protection Commissioner
21 Fitzwilliam Square South
Telephone: 01 7650100 / 1800 437 737