Data Privacy Statement
Cope Foundation takes your privacy seriously and, therefore, it is important that you know exactly what we do with your personal data.
This privacy statement is being provided to you in line with our obligations under the EU General Data Protection Regulation (GDPR), which came into force on 25th May 2018.
From that date, the GDPR, together with applicable Irish requirements, amends existing data protection law. It expects organisations like Cope Foundation to be accountable and transparent in how and why it uses your personal data.
The GDPR also gives you greater control over the use of your personal data, including a right to object to its use where that affects your rights and freedoms as an individual.
What information do we collect?
The following is a list of the type of personal data that Cope Foundation collects about you, depending on whether you are a person we support or your family/guardian, an employee/ volunteer, or people contracted for business/services:
- Information that identifies you, including contact information
- Information provided to us by others, such as health professionals, referee employment references;
- Special categories of personal data, such as that relating to your physical/mental health, social work information, psychological information, PPS number, financial/bank details, Garda vetting details;
- Personal data that you have consented for us to use.
How is your personal data collected?
We collect personal data about you when you avail of our services, through our interactions with you, when you complete our registration/administration forms, or where it is provided to us by others.
What are the legal bases for using (‘processing’) your personal data?
Any use of your personal data must have a legal basis. The bases under GDPR, which we, depending on the circumstances, may rely on include:
- Where you have consented to the processing of your personal data by us;
- When it is necessary to perform a contract or to take steps at your request (clearly with your knowledge and consent) before entering into a contract, such as a contract to provide you with services, or an employment contract;
- When it is necessary for Cope Foundation to comply with a legal obligation, such as reporting to a statutory or regulatory body. e.g. HIQA, Túsla, or law enforcement;
- When it is necessary to protect your vital interests in exceptional circumstances, such as in a case of a medical emergency;
- When it is necessary for the legitimate interests of Cope Foundation, except where those interests are overridden by your interests or your fundamental rights and freedoms. An example of Cope’s legitimate interest would be where we gather and process information in our endeavour to monitor and optimise our services to the people we support.
How we use you personal data
We will only use your personal data when the law permits us.
We may use your personal data for the following purposes:
- Providing you with services - we may process information about you when you avail of our services.
- Legal and Contractual obligations - we may process your data to comply with our legal and/or contractual obligations.
- Running our Foundation - we will process your data to monitor and improve the quality of our services and to meet certain legal and regulatory obligations that apply to our organisation, including administration, operations and security.
- Marketing - We will process your data when marketing the activities of our Foundation, running competitions, promotions, research and conducting surveys.
A cookie is a small piece of data that may be stored on your computer or mobile device. It allows a website “remember” your actions or preferences over a length of time.
Who may have access to your personal data?
Access to your personal data is strictly on a need-to-know basis. Unless there is another legal basis, your unambiguous consent will be sought before any third party is authorised to access it. Those authorised to access your personal data will vary, depending on whether you are a person supported by Cope Foundation or your family/guardian, a staff member or volunteer, or a person contracted for services.
Third parties who may be provided access to your personal data include the following:
- Cope Foundation administration staff;
- Cope Foundation healthcare professionals, including social workers, therapists, nurses, psychologists;
- External healthcare professionals, including physicians and psychiatrists;
- Staff/ Volunteers providing support to clients;
- Statutory and regulatory bodies;
- Banks, financial institutions, insurers, pension fund administrators;
- Cope Foundation’s legal advisors, as and when appropriate.
We require third parties to respect the security of your data and to treat it in accordance with the law.
All our third-party service providers are required to take appropriate security measures to protect your personal data. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
For how long will Cope Foundation hold your personal data?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal data are available in our records management policy.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
What rights do you have under the General Data Protection Regulation (GDPR)?
- Your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes.
- Your rights in connection with personal data
Under certain circumstances, by law you have the right to:
- Request access to your personal data.
- Request correction of the personal data that we hold about you.
- Request erasure of your personal data.
- Object to processing of your personal data.
- Request the restriction of processing of your personal data.
- Request the transfer of your personal data to another party.
If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact our Data Protection Officer in writing.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In the circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
How we use particularly sensitive personal information
Special categories of particularly sensitive personal data require higher levels of protection.
We may process special categories of personal data where we need to carry out our legal obligations or where it is needed in the public interest
Less commonly, we may process this type of data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
We will use information about your physical or mental health, or disability status, to ensure your health and safety, when you are availing of our services and to ensure that we comply with the Equal Status Acts.
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We may contact you by mail, email, telephone and social media about our products and services and, other events which might be of interest to you.
You may receive marketing communications from us if:
- you have requested to receive or consented to the receipt of information from us; or
- received services from us (and our marketing communications will only be in relation to similar services); or
- it is in our legitimate interest (which are not overridden by your interests),
and, in each case, you have not opted out of receiving the marketing communications
You will only receive electronic marketing communications under (b) above, where such services were received within the 12 months prior to the receipt of the communication.
You have the right to ask us to stop processing your personal data for direct marketing purposes. If you wish to exercise this right, please send an email to our Data Protection Officer.
Data Protection Officer
We have appointed a Data Protection Officer to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal data, please contact S. O' Flynn, Data Protection Officer at Cope Foundation, Bonnington, Montenotte, Cork T23 PT93 or telephone 021-4643360 or email firstname.lastname@example.org
How and to whom can you voice a concern or make a complaint?
You may voice a concern or make a complaint regarding the processing of your personal data to any Manager, Divisional Head, or if you prefer, directly to Cope Foundation’s Data Protection Officer.
You have the right to make a complaint at any time to the Data Protection Commission, the Irish supervisory authority for data protection issues. The Data Protection Commission can be contacted at the Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland or by e-mailing email@example.com
Changes to this Privacy Statement
We reserve the right to update this Privacy Statement at any time. We may also notify you in other ways from time to time about the processing of your personal data.