version 1.2: 25 Aug 2019
This privacy notice tells you about the personal data that we use in our work. In processing personal data, we are acting as a data controller and, by law, we are required to provide you with information about us, about why and how we use your data, and about the rights you have over your data.
Who we are?
We are the Institute of Public Health in Ireland. Our address is 700 South Circular Road, Dublin.
You can contact our Data Protection Officer by post at the above address, by email at email@example.com or by telephone on +44 (0)2890 648494 or +353 (0)1 478 6300.
What we do?
The Institute of Public Health in Ireland (IPH) provides evidence, advice and leadership to promote health and wellbeing, and reduce health inequalities on the island of Ireland, North and South.
Established in 1998 and with offices in Belfast and Dublin, IPH is the recognised voice for public health evidence on the island of Ireland.
Committed to improving the health of communities across the island of Ireland, IPH works with partners at national and international level to provide evidence-based public health intelligence to help shape effective public health policies and interventions.
Our team works across professions, disciplines, sectors, organisations and jurisdiction to address these health inequalities and its avoidable impact on society. IPH connects networks of policymakers, researchers, public health practitioners and the voluntary and community sector who collectively work to reduce these inequalities.
What is personal data?
There are a total of 26 definitions listed within the GDPR and it is not appropriate to reproduce them all here. However, the most fundamental definitions with respect to this policy are as follows:
Personal data is defined as:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
What personal data do we collect and process?
IPH collects and process personal data for a range of different purposes including:
- for the purposes of specific public health related projects that we undertake we collect and process personal data such as name, date of birth, medical conditions, life experiences and your opinions
- to meet obligations provided for in financial, employment and human resources legislation
- to communicate with interested individuals on topics relevant to public health via our newsletters and events we will collate and process your name, details relating to your work and contact details
- to facilitate and understand how people use of our websites and associated information systems we will collate only information that you proactively submit to us through the use of online forms
The type of personal data collated depends on the project or purpose for which it is required. However we ensure that we only collect data which is absolutely necessary and that we tell you the legal basis for processing that we are using for the processing of that data. In the case of employment, financial and Human Resources data the legal basis used is that it is necessary for the performance of a contract. For most other cases, we will seek your explicit individual consent to collate and use your personal data. Where that personal data pertains to health research and/or contains special category data such as information relating to your health, sexuality, political views etc, we will tell you the additional legal basis for processing we are using under the terms of the Health Research Regulations and Data Protection Act.
Usually, we collate personal data ourselves directly from you, however in some cases we may have your personal data provided to us by partner organisations working on public health related projects with us. If your personal data is provided to us by a partner organisation we will ensure that transfer has a legal basis under GDPR.
Principles of data protection
There are a number of fundamental principles upon which the GDPR is based. These are as follows:
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
IPH will ensure that it complies with all of these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems.
Storage of your personal data, sharing your data and international transfers
All personal data held by IPH is stored on secure information systems and servers based inside the European Economic Area (EEA). We generally do not transfer personal data outside of the EEA however, if we do, those transfers of personal data outside the EEA (European Economic Area) will be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the GDPR. IPH will always inform data subjects when any international transfer (outside EEA) of their data will be taking place, and will outline the legal basis for this process.
Personal data held by IPH is only held for as long as necessary, either under law in the case of employee data, or until a project has been completed in the case of personal data collated for research purposes.
We may share personal data with partner organisations and individuals who we work with on specific projects. We will always tell you the organisations and individuals which we intend to share your data before you provide your personal data. Any data collated for the purposes of a project will only be used for that project.
Your rights as a data subject
You have rights under the GDPR. These consist of:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Each of these rights are supported by appropriate procedures within IPH that allow the required action to be taken within the timescales stated in the GDPR.
You can exercise any of these rights by contacting our Data Protection Officer.
Data Protection Officer
Institute of Public Health in Ireland
700 South Circular Road
00353 1 478 6300
Your right to complain
If you have a complaint about our use of your information, we would prefer you to contact us directly in the first instance so that we can address your complaint. However, you can also contact the Data Protection Commissioner:
The website of the Data Protection Commission: www.dataprotection.ie
Phone No: + 353 (0) 761 104 800
Lo Call: 1 890 252231
Data Protection Commission
21 Fitzwilliam Square South
We will update the version number and date of this document each time it is changed.