ACCORD Dublin
Privacy Policy
This policy provides details of how we collect and use client data.
| 1 | Introduction
|
||||
| This is the Privacy Policy of ACCORD Dublin Catholic Marriage Care Service, which operates within the territory of the Roman Catholic Archdiocese of Dublin (referred to as ACCORD Dublin, us or we throughout this Policy). We take our obligations and responsibilities under Data Protection Law seriously. Accordingly, this policy provides details of the way in which we collect, use and otherwise process Personal Data in accordance with our obligations under Data Protection Law.
|
|||||
| 2 | Background and Purpose
|
||||
| 2.1 | The purpose of this Policy is to explain what Personal Data we process, how and why we process it. In addition, this policy outlines our duties and responsibilities regarding the protection of such Personal Data. The manner in which we process data will evolve over time and we will update this policy from time to time to reflect changing practices.
|
||||
| 2.2 | In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Privacy Policy by reference into various other points of data capture used by us (including for example, the ACCORD Dublin Staff & Volunteer Data Processing Notice, ACCORD Dublin booking and application forms, etc.).
|
||||
| 3 | What is personal data
|
||||
| Personal Data is any information relating to a living individual which either directly or indirectly allows for the identification of that individual. Personal Data is a broad concept which can include a name, an identification number, details about an individual’s location or any other detail(s) that is specific to that individual and that would allow the individual to be identified or identifiable. The type of Personal Data that ACCORD Dublin collects and processes is described in more detail in the table at Appendix II of this notice.
|
|||||
| 4 | ACCORD Dublin as a Data Controller
|
||||
| 4.1 | ACCORD Dublin acts as a data controller in respect of Personal Data provided to us by various individuals in connection with the administration of our various activities, which involve the processing of Personal Data of the following categories of individuals: | ||||
| a. | Participants in ACCORD Dublin Marriage Preparation Courses; | ||||
| b. | Participants in ACCORD Dublin Marriage and Relationship Counselling Services; | ||||
| c. | Employees and Board members; | ||||
| d. | Volunteers; | ||||
| e. | School teacher contact details who book ACCORD Dublin courses; | ||||
| f. | Donors and other supporters; | ||||
| g. | Business contacts, suppliers and service providers; and | ||||
| h. | Members of the public with whom ACCORD Dublin comes into contact from time to time (including those who write to us or email us).
|
||||
| 4.2 | ACCORD Dublin will in most cases collect Personal Data directly from such individuals but may also obtain Personal Data from others including: | ||||
| a. | Through our online Marriage Preparation booking form and where bookings are made by phone and email: | ||||
| b. | From individuals in the context of Marriage and Relationship Counselling Services (including where such information relates to third parties); and | ||||
| c. | Associates or volunteers (for example who may from time to time recommend a friend or relative for a role with ACCORD).
|
||||
| 4.3 | The table at Appendix II also describes in detail the particular purposes and lawful basis for ACCORD Dublin’s Processing Personal Data as required by Data Protection Law.
|
||||
| 5 | Purposes of Processing and Lawful Bases
|
||||
| 5.1 | ACCORD Dublin Processes Personal Data, in particular for the following purposes: | ||||
| a. | Marriage Preparation Courses: For the purpose of administering bookings for and scheduling of Marriage Preparation courses provided by ACCORD Dublin. This involves the Processing of contact details and related Personal Data which is based on the (explicit) consent of the participating individuals for the purposes of Art. 6(1)(a) and Art. 9(2)(a) of the GDPR and as necessary for the performance of the contract between ACCORD and the individuals for the purposes of Art. 6(1)(b) of the GDPR. | ||||
| b. | Marriage and Relationship Counselling Services: For the purpose of providing marriage and relationship counselling services to clients, it is necessary for ACCORD Dublin to collect and process Personal Data relating to those individuals for appointment scheduling and administration purposes. In connection with the provision of such services by trained ACCORD Dublin counsellors, this may involve the disclosure of a wide range of Personal Data by an individual, including special categories of Personal Data. Such data may be recorded by counsellors in their session notes which are stored securely by ACCORD Dublin. Such processing is based on the (explicit) consent of the individual for the purposes of Art. 6(1)(a) and Art. 9(2)(a) of the GDPR. | ||||
| c. | Schools Programme (Primary and Secondary): In the course of providing its various Relationship and Sexuality education programmes, it is necessary for ACCORD Dublin to process contact Personal Data including contact details of teachers, in the schools where such programmes are provided. Such processing is based on the legitimate interests of ACCORD Dublin and the individuals to whom such programmes are provided for the purposes of Art. 6(1)(f) of the GPPR. Having regard to the limited amount of data and its nature, ACCORD Dublin does not consider that its legitimate interests are overridden by the rights and freedoms of such third parties whose data is processed. | ||||
| d. | Employment/Volunteering: For a detailed description of ACCORD Dublin’s Processing of Personal Data in respect of employees, volunteers and other staff, please refer to ACCORD Dublin’s Staff & Volunteer Data Processing Notice. | ||||
| e. | Compliance with legal obligations: ACCORD Dublin is subject to a range of legal and regulatory obligations, which necessitates the processing of Personal Data, including under employment law, tax law, and health and safety law. In addition, ACCORD Dublin takes its child safeguarding and protection responsibilities and obligations extremely seriously.
In this regard, it is from time to time necessary for ACCORD Dublin, in accordance with ACCORD’s Policy on Confidentiality acting through its Designated Liaison Person or otherwise, to report certain matters to TUSLA, An Garda Síochána and, in certain circumstances, the Archdiocese of Dublin, where there are reasonable grounds for concern that a child may have been abused. For further information please refer to ACCORD Dublin’s Policy and Procedures on the Safeguarding of Children. Such processing is based on Art. 6(1)(c) of the GDPR as necessary for compliance with legal obligations to which ACCORD Dublin is subject. |
||||
| f. | Payment purposes: ACCORD Dublin processes Personal Data, including credit card details, for the purposes of processing payments for services provided by ACCORD Dublin. Such processing is based on Art. 6(1)(b) of the GDPR as necessary for the performance of relevant contracts between ACCORD Dublin and the recipients of ACCORD Dublin’s various services. | ||||
| g. | Marketing purposes: ACCORD Dublin may use Personal Data provided to us for the purposes of communication with service users in respect of other services being provided by ACCORD Dublin from time to time. Such processing of Personal Data shall be based on either ACCORD Dublin’s legitimate interests (under Art. 6(1)(f) GDPR) or on the consent of the recipients to receive such communications (under Art. 6(1)(a) GDPR) and shall be undertaken in accordance with applicable direct marketing rules (including respecting the right to opt-out). | ||||
| h. | Statistical analysis and research purposes: To enhance its own services and to gauge the demand and interest for certain other service offerings, ACCORD Dublin collects certain Personal Data for the purpose of undertaking statistical analysis of its service users and for related research purposes which are in ACCORD Dublin’s legitimate interest. Where ACCORD Dublin uses data for these purposes, in particular where such data includes special categories of Personal Data (such as religious denomination or beliefs), in accordance with Art. 9(2)(j) and Art. 89 of the GDPR and sections 42 and 54 of the Data Protection Act 2018 (the “DPA 2018”), ACCORD Dublin will endeavour to ensure that such data is processed subject to appropriate safeguards and in accordance with the principles of data minimisation, and to the extent feasible, anonymization. | ||||
| i. | Other: From time to time ACCORD will process Personal Data of other individuals, which may include business contacts, service providers and professions and will do so in accordance with this policy and ACCORD Dublin’s obligations under Data Protection Law. The appropriate lawful basis for such processing will be determined by reference the nature of the processing.
|
||||
| 6 | ACCORD Dublin and Data Processors
|
||||
| ACCORD Dublin will engage certain service providers to perform certain services on its behalf, which may involve the Processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of ACCORD Dublin and gives rise to a Data Controller and Data Processor relationship, ACCORD Dublin will ensure that such relationship is governed by a contract, which includes the data protection provisions prescribed by Data Protection Law. Data Processors are required to use Personal Data only in accordance with ACCORD Dublin’s instructions.
|
|||||
| 7 | Record Keeping
|
||||
| As part of our record keeping obligations under Art. 30 GDPR, ACCORD Dublin retains a record of the Processing activities under its responsibility. This comprises the following:
|
|||||
| Art. 30 GDPR Requirement | ACCORD’s Record | ||||
| Name and contact details of the controller.
|
ACCORD Dublin
Catholic Marriage Care Service Holy Cross Diocesan Centre Clonliffe Road Dublin DO3 P2E7 |
||||
| The purposes of the processing.
|
See Section 5 above. | ||||
| Description of the categories of data subjects and of the categories of Personal Data.
|
See Section 4 and 5 above. | ||||
| The categories of recipients to whom the Personal Data have been or will be disclosed.
|
See Section 11 below. | ||||
| Where applicable, transfers of Personal Data to a third country outside of the EEA.
|
See Section 13 below. | ||||
| Where possible, the envisaged time limits for erasure of the different categories of data.
|
See Section 12 below. | ||||
| Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
|
See Section 10 below.
|
||||
|
8 |
Special Categories of Data
|
||||
| 8.1 | ACCORD Dublin Processes Special Categories of Data (SCD) in the course of its day to day activities in engaging with clients in counselling services which may reveal Personal Data of a sensitive nature concerning physical / mental health, racial or ethnic origin, political opinions, sex life and sexual orientation, the commission of criminal offences and convictions as well as religious and philosophical beliefs. In doing so, ACCORD Dublin obtains the explicit consent of the individuals concerned in accordance with Article 9(2)(a) of the GDPR. This consent is obtained directly from the individuals who participate in ACCORD Dublin’s programmes and a signed consent form is collected.
|
||||
| 8.2 | In the case of SCD relating to employees and volunteers, this is governed by Article 9(2)(b) of the GDPR together with section 46 of the Data Protection Act 2018 (the DPA 2018) which permits the Processing of SCD where it is necessary for the exercise of rights and obligations under employment and social security law. Such processing of SCD will be subject to enhanced measures in accordance with Data Protection Law.
|
||||
| 8.3 | Under Article 9(2)(f) GDPR, SCD may be Processed where it is “necessary for the establishment, exercise or defence of legal claims” and this ground is amplified under the DPA 2018 which permits the Processing of SCD where it is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights (and which may include Processing in the context of disciplinary proceedings).
|
||||
| 8.4 | In the context of reporting certain matters to TUSLA, the Archdiocese of Dublin and An Garda Síochána it is necessary in certain circumstances for ACCORD Dublin to Process Personal Data concerning allegations of criminal wrongdoing. Such Processing is undertaken in accordance with ACCORD’s Policy on Confidentiality and undertaken under the control of official authority for the purposes of Art. 10 of the GDPR and section 55 of the DPA 2018, in order to comply with ACCORD Dublin’s statutory obligations under various child protection legislation (as more fully described in ACCORD Dublin’s Policy and Procedures on the Safeguarding of Children). These obligations may in certain circumstances takes precedence over any duty of confidentially that we owe to you as a service user.
|
||||
| 9 | Individual Data Subject Rights
|
||||
| 9.1 | Data Protection Law provide certain rights in favour of data subjects. The rights in question are as follows (the Data Subject Rights): | ||||
| a. | The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller); | ||||
| b. | The right of access to Personal Data; | ||||
| c. | The right to rectify or erase Personal Data (right to be forgotten); | ||||
| d. | The right to restrict processing; | ||||
| e. | The right of data portability; | ||||
| f. | The right to object exists in relation to automated decision making, including profiling, and where ACCORD Dublin relies on its legitimate interests to process Personal Data (for example, for marketing purposes); and | ||||
| g. | The right to withdraw consent exists for Processing based on Article 6(1)(a) or Article 9(2). This may be exercised at any time, without affecting the lawfulness of the processing before the withdrawal of consent.
|
||||
| 9.2 | These Data Subject Rights will be exercisable by data subjects subject to limitations as provided for under Data Protection Law. Individuals may make a request to ACCORD Dublin to exercise any of their Data Subject Rights by contacting Data Protection Officer: at dataprotection@dublin.accord.ie or write to: The Data Protection Officer, ACCORD Dublin, Holy Cross Diocesan Office, Clonliffe Road, Dublin 3. Requests will be dealt with in accordance with Data Protection Law.
|
||||
| 10 | Data Security and Data Breach
|
||||
| 10.1 | We have a range of technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords. We also make use of data pseudonymisation in respect of SCD.
|
||||
| 10.2 | The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of “personal data breach” which means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by ACCORD Dublin. Any Personal Data breaches identified in respect of Personal Data controlled by ACCORD Dublin should be reported to the Data Protection Officer at by email to: dataprotection@dublin.accord.ie and by phone to 01 4780866 immediately so that an assessment can be made how to mitigate any associated risks and any reporting obligations can also be attended to. In some cases, breaches must be notified to the Data Protection Commission within 72 hours so time is of the essence in this regard.
|
||||
| 11 | Disclosing Personal Data
|
||||
| 11.1 | From time to time, we may disclose Personal Data to third parties (other than Data Processors), or allow third parties to access Personal Data which we Process (for example, where in accordance with ACCORD’s Policy on Confidentiality we are required to disclose certain information to law enforcement and other authorities). We may also share Personal Data with ACCORD Dublin affiliated organisations such as ACCORD CLG and ACCORD Northern Ireland (including on an anonymised basis for statistical analysis and related purposes), software and hardware providers, payment processors, and professional advisors and, in limited instances in accordance with ACCORD’s Policy on Confidentiality, with An Garda Síochána, the Archdiocese of Dublin and state agencies such as TUSLA.
|
||||
| 11.2 | We will not share Personal Data of participants in ACCORD Dublin services with commercial third parties and any sharing of anonymised data for research and/or statistical purposes will be subject to appropriate measures being in place.
|
||||
| 12 | Data Retention
|
||||
| We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed (as described in this Privacy Policy). For example, we will retain staff data for the length of the employment relationship plus a period thereafter (usually 7 years) to deal with any subsequent enquiries or claims. In relation to other types of Personal Data, the retention periods are assessed by reference to the particular processing purposes and are kept under periodic review.
|
|||||
| 13 | Data Transfers outside the EEA
|
||||
| ACCORD Dublin does not transfer Personal Data to countries outside the European Economic Area.
|
|||||
| 14 | Further Information/Complaints Procedure
|
||||
| For further information about this Privacy Policy and/or the Processing of Personal Data by or on behalf of ACCORD Dublin please contact Data Protection Officer: at dataprotection@dublin.accord.ie or write to: The Data Protection Officer, ACCORD Dublin, Holy Cross Diocesan Office, Clonliffe Road, Dublin 3. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact ACCORD in the first instance to give us the opportunity to address any concerns that you may have. | |||||
Most Revd Diarmuid Martin
Archbishop of Dublin
Chair, ACCORD Dublin
Date:
APPENDIX I – GLOSSARY
In this Policy, the terms below have the following meaning:
Data Breach means a breach, including any suspected breach, of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
Data Controller means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data Processor means the party that Processes Personal Data on behalf of the Data Controller (for example, a payroll service provider).
Data Protection Law means the General Data Protection Regulation (No 2016/679) (GDPR) and the Data Protection Act 2018 and any other laws which apply to ACCORD Dublin in relation to the Processing of Personal Data.
European Economic Area or EEA means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.
Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Process and Processing are interpreted accordingly.
Special Categories of Personal Data (or SCD) are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.
APPENDIX II – CATEGORIES OF PERSONAL DATA
| Category of Data | Personal Data
|
Processing Purpose | Lawful Basis |
| Name and contact details (of couples booking on the Pre Marriage Course) | · Name
· Phone number · Email address · Address · Special needs requirements (dietary requirements / accessibility / visual / hearing needs)
|
Booking and scheduling | Consent and contractual necessity |
| Payment details (of couples booking on the Pre Marriage Course) | · Name
· Credit card details
|
Payment processing
|
Contractual necessity |
| Marriage counselling data | Information disclosed in the course of counselling sessions (including name, address, and contact details)
|
Counselling purposes | Explicit consent |
| Statistical / Research data | · bride and groom date of birth, parish, occupation, education, nationality and religion
· relationship length, cohabitation status and whether they have children |
||
|
Staff and volunteers
|
Name, address, contact
details, bank accounts for payment purposes hours worked, CPD attended, supervision attended, leave of absence information, retirement details, Garda Vetting related information |
|
|