DATA PROTECTION POLICY

THE INSTITUTE OF THE BLESSED VIRGIN MARY, IRISH PROVINCE

Contents

  1. Introduction
  2. Purpose
  3. Data Protection Principles
  4. Responsibilities
  5. Procedures and Guidelines
  6. Review

Introduction

Privacy and data protection rights are very important to the Institute of the Blessed Virgin Mary, Irish Province (hereafter referred to as IBVM, Irish Province).

The IBVM, Irish Province collects and processes personal information relating to its members[1], employees, contractors, volunteers (hereafter referred to as ‘staff’), and donors, in order to carry out its administrative and statutory functions. Data Protection legislation safeguards the privacy rights of individuals in relation to the processing of personal data.

The IBVM, Irish Province is both a data controller and a data processor, and undertakes that all processing and use of personal data will be in accordance with the obligations of relevant data protection legislation, i.e. EU General Data Protection Regulation (EU) 2016/279 (known as ‘GDPR’), (which will supersede Data Protection Act 1988, Data Protection (Amendment) Act 2003).

Any inquiries about this Data Protection Policy should be made to: Irish Province Office Administrator, Loreto House, Beaufort, Rathfarnham, Dublin 14 HEV2, Ireland, or to provadmin@loreto.ie.

[1] Please note that the terms “Member” and “Loreto Sisters” are interchangeable.

Purpose

This policy is a statement of the IBVM, Irish Province commitment to protect the rights and privacy of the personal data of individuals in accordance with GDPR

Review

This Data Protection Policy will be reviewed regularly in light of any legislative or other relevant development.

This policy was approved on 21 May 2018.

This policy will be reviewed within 12 months of approval.

 

Data Protection Principles & Compliance

The IBVM, Irish Province will comply with the following principles outlined in GDPR for the collection and processing of personal data:

  1. Lawful, Fair and Transparent Processing

The IBVM, Irish Province will obtain and process personal data with the consent of the data subject or on a clear legal basis and must clearly state the purpose and by whom personal data is processed. The processing of personal data may be necessary for the performance of the contract of employment, and care of members. Any information which falls under the definition of personal data and is not otherwise exempt will remain confidential and will only be disclosed to third parties with appropriate consent. (See IBVM, Irish Province Personal Data Consent Form, Irish Province Data Privacy Summary and Website Privacy Statement)

 2.Sensitive Personal Data

The IBVM, Irish Province in the care of its members and governance of the Institute is required to process sensitive personal data. GDPR defines sensitive personal data as data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings

Specified and Lawful Purpose

Personal data will only be kept for purposes that are specific, lawful and clearly stated.

The IBVM, Irish Province collects and uses personal data within the Institute for the following purposes:

  • For the care of our members, to support their spiritual and temporal welfare
  • To provide personnel, payroll and pension administration services
  • To perform accounting and other record-keeping functions
  • To support all our ministries
  • To communicate the work of the Institute (e.g. newsletters)
  • To manage information resources (e.g. access to our archival collections)

Where the IBVM, Irish Province engages a third party to provide services on its behalf, and where this service requires the service provider to process personal data, the IBVM, Irish Province is required by law to have a written contract (a data processing contract) in place with the service provider. At a minimum this contract must provide sufficient guarantees with regard to data protection compliance, including guarantees concerning the safety and security of data, auditing rights, cooperation concerning the rights and freedoms of Data Subjects, etc. The permission of the IBVM, Irish Province Leader and legal advice must be sought from the IBVM, Irish Province solicitor, before any such contract is agreed or approved.

Rights of Access to Information

Data subjects have the right of access to information held by the IBVM, Irish Province, subject to the provisions of GDPR. Any data subject wishing to access their personal data should put their request in writing to the Irish Provincial Offices.  The IBVM, Irish Province will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within one month. For further information please consult the IBVM, Irish Province Data Subject Access Request Forms & Procedures in this booklet.

 

  1. Minimisation of Processing

Personal data collected will be adequate, relevant and processed only as is necessary to comply with the purposes for which it was first collected.

  1. Accuracy

Personal data must be kept accurate and where necessary up to date. Any incorrect data will be rectified or deleted if it is known to be erroneous or obsolete.  The IBVM, Irish Province will endeavour to ensure that all personal data is accurate. Data subjects must notify the data processor of any changes to information held about them. (See IBVM, Irish Province Subject Access Policy & Procedures.)

  1. Storage Limitation

Personal data will be kept for no longer than is necessary for the original purpose for which it was obtained or processed. IBVM, Irish Province Records Retention Policy outlines the length of time for which material should be kept.  Some personal data may be kept permanently as archives, for statistical, scientific and historical research purposes or if it is in the public interest.

  1. Security and Confidentiality

Personal data will be kept safe and secure. The IBVM, Irish Province is responsible for ensuring adequate security structures to prevent unlawful or inadvertent processing, alteration or loss of the data. This will include ensuring the security of the premises, filing cabinets, clean desk policy as well as the safeguarding of electronic data through encryption and password protection.  In the event of a breach of personal data the IBVM, Irish Province will manage it in accordance with the IBVM, Irish Province Personal Data Breach Policy & Procedures.

  1. Liability and Accountability

The IBVM, Irish Province as both Data Controller and Data Processor will be required to demonstrate their compliance with the GDPR. This can be achieved through implementation of policies, guidelines and organisational training.

Further, detailed information on how the IBVM, Irish Province will ensure compliance with these principles can be found in the:

  • IBVM, Irish Province Data Protection Policy
  • IBVM, Irish Province Data Protection Guidelines
  • IBVM, Irish Province Personal Data Consent Form
  • IBVM, Irish Province Personal Data Breach Policy & Procedures
  • IBVM, Irish Province Data Subject Access Request Forms & Procedures
  • IBVM, Irish Province Privacy Notices
  • IBVM, Irish Province Records Management Policy
  • IBVM, Irish Province Records Retention Schedule

Responsibility

The IBVM, Irish Province Leadership Team has overall responsibility for ensuring compliance with GDPR and all other relevant data protection legislation. However, all staff and members who separately collect, control or process the content and use of personal data are individually responsible for ensuring compliance with GDPR and all other relevant data protection legislation.

The IBVM, Irish Province Leadership Team will ensure that all appropriate support, assistance, advice and training is provided to all offices, members and staff to ensure compliance with the legislation.

Best practice guidelines, policies and procedures have been prepared to assist staff and members in dealing with data protection issues in all aspects of their work.

The IBVM, Irish Province Leadership Team undertakes to review the Data Protection Policy and other relevant policies at regular intervals in order to ensure compliance with GDPR.

Procedures and Guidelines

The IBVM, Irish Province is firmly committed to ensuring personal privacy and compliance with all data protection legislation. In order to ensure the implementation of this policy and compliance, the following policies, procedures and guidelines have been prepared, and must be adhered to by all staff.

The following policies and procedures are available to all members and staff:

  • IBVM, Irish Province Data Protection Policy
  • IBVM, Irish Province Data Protection Guidelines
  • IBVM, Irish Province Personal Data Consent Form
  • IBVM, Irish Province Personal Data Breach Policy & Procedures
  • IBVM, Irish Province Data Subject Access Request Forms & Procedures
  • IBVM, Irish Province Privacy Notices
  • IBVM, Irish Province Records Management Policy
  • IBVM, Irish Province Records Retention Schedule

For Further Information

Any inquiries about this Data Protection Policy should be made to: Irish Province Office Administrator, Loreto House, Beaufort, Rathfarnham, Dublin 14 HEV2, Ireland, or to provadmin@loreto.ie.

This policy document will be reviewed and updated as required in line with any legislative or other relevant development.