Data Protection Policy

Introduction

GIVE is subject to the General Data Protection Regulation (GDPR) EU2016 and sets out hereunder its policy on Data Protection in compliance with the requirements of GDPR. 
During the course of GIVE’s activities GIVE may collect, store and process personal information about volunteers, directors and donors and with past volunteers who may wish to continue their association with GIVE. GIVE also maintains ongoing liaison with the Catholic Education Secretariat (CES) and other stakeholders / business contacts in The Gambia and in Ireland and holds phone numbers and email addresses on an ongoing basis in respect of these contacts.   
Everyone has rights with regard to how their personal information is handled. The information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Data Protection Acts 1988 -2003 and in the General Data Protection Regulation (GDPR) which came into force on the 25th May 2018. GIVE is committed to complying with its legal obligations in respect of all personal data it handles.
The Data Protection Acts 1988 and 2003 provide exemption from registration with the Office of the Data Commissioner for certain categories of organisations such as (1) those “not established or conducted for profit and that are processing data related to their members and supporters and their activities” (2) “companies that only process personal data relating to shareholders, directors or other offices of the company with a view to compliance with the Companies Acts. SI 657 of 2007. GIVE is an organisation covered by the exemption clauses referenced above and is not registered with the Data Commissioner.
This policy sets out GIVE’s rules on data protection and the conditions it applies in relation to the collecting, obtaining, handling, processing, storage, access to and destruction of personal information. It outlines the eight enforceable principles of good practice under GDPR.
 

Definition of Data Protection terms

For clarification purposes GIVE sets out a definition of data protection terms.
Data is information which is stored electronically, on a computer or in a paper-based filing system.
Data subjects for the purpose of this policy include all living individuals about whom GIVE holds personal data.
GDPR: General Data Protection Regulation
Personal Data means data relating to a living individual who can be identified from that data and other information that is in, or likely to come, into the possession of the data controller. 
Data Protection Officer is the person in GIVE responsible for data protection compliance. 
Data users are those in GIVE whose work involves using personal data. Data users have a duty to protect the information they handle by following GIVE’s data protection and security policy at all times.
Processing of data means performing any operation or set of operations on data, including:

• Obtaining, recording or keeping data,
• Collecting, organising, storing, altering or adapting the data,
• Retrieving, consulting or using the data
• Disclosing the information or data by transmitting, disseminating or otherwise making it available,
• Aligning, combining, blocking, erasing or destroying the data.

Sensitive personal data includes information about a person’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health condition, criminal convictions or alleged commission of an offence. Sensitive personal data may only be processed under strict conditions and will usually require the express consent of the person concerned.

Eight principles of Data Protection.
GIVE will adhere to the eight principles of Data Protection as follows:

• GIVE will obtain and process information fairly
• GIVE will keep information for one or more specified, explicit and lawful purposes
• GIVE will use and disclose data only in ways compatible with these purposes
• GIVE will keep data safe and secure
• GIVE will ensure that the data is adequate, relevant and not excessive
• GIVE will keep data accurate, complete and up-to-date
• GIVE will retain data for no longer than is necessary for the purpose(es) for which it was collected
• GIVE will provide a copy of his/her personal data to that individual on request.

The implementation of Data Protection Policy
In recruiting volunteers to take part in its programmes in The Gambia GIVE invites written expressions of interest from the widest possible field, mainly but not exclusively, from retired teachers or from teachers on career break. Following receipt of such expressions of interest GIVE Management team issues a “Volunteer Application Form” to the interested person to be completed and returned to the GIVE office by a specified date. 

Volunteer Application Form

The information provided in the Volunteer Application Form is for the purposes of processing the application. The personal details which the applicant provides are (1) Name (as on Passport), (2) Address, (3) Mr/ Mrs / Ms, (4) Date of Birth, (5) Telephone numbers, (6) Nationality as per passport, (7) Passport Number, date of issue of passport and date of expiry, (8) email address, (9) Name of next of kin, relationship to next of kin and contact telephone no. for next of kin, (10) Third Level and other qualifications, (11) Work experience including voluntary work, (12) Health Information including medical conditions or special requirements, (13) authorisation to GIVE Foundation to make a data protection request under Section 4 of the Data Protection Acts to An Garda Síochána specifically an application to the Garda Vetting Unit, Thurles, Co. Tipperary for any data that it may hold relating to the named individual (14) the names and contact telephone numbers of two referees, one of whom must be a former employer and (15) Photograph.
Purposes: The information in the Volunteer Application Form is (a) to confirm identity, (b) to enable GIVE to assess the individual’s suitability to become a volunteer, (c) to enable GIVE management to contact volunteers regarding all aspects of the volunteering project, before, during and after the programmes in The Gambia (d) to process flight tickets (e) to procure appropriate accommodation in The Gambia (f) to secure travel insurance for volunteers on the GIVE programmes and (g) to enable GIVE Team leaders and co-ordinators to handle medical needs and other critical incidents involving volunteers while involved in the GIVE programme in The Gambia.
To whom may this information be disclosed: Selected relevant parts of the information which has been provided by applicants on the Volunteer Application Form may be disclosed to (1) those who have been appointed by GIVE to interview prospective volunteers to work on its programmes in The Gambia, (2) Travel Agents who process the travel arrangements of volunteers to and from The Gambia and Insurance companies who cover the travel insurance of volunteers (3) the National Vetting Bureau of An Garda Síochána and Volunteer Ireland (Daniel Collison) who coordinates the volunteer applications for Garda Vetting (4) Programme team leaders. 
The interview panels normally comprise three members drawn from GIVE Management Team and Board of Directors and Programme Co-ordinator/ team leaders. The Data Protection Officer shall ensure that the requirement to maintain confidentiality in respect of the information to which members of interview panels have access is explicitly stated to all such members upon their appointment to the interview panel. Upon completion of the interview process and consideration of applicants’ suitability for placement on the GIVE programme all information forms and records and notes of interview shall be handed to the chair of the interview panel to be securely saved in the GIVE filing system.
Information from the Volunteer Application Forms may be transposed by GIVE management team on to encrypted computer / Lap top system for processing and retention purposes.

Donations to GIVE

“Donors and volunteers are the lifeblood of all charities and the Office of the Data Protection Commissioner acknowledges their importance and the care that is taken by charities to manage and sustain these personal relationships, on a lifelong basis in some cases” [Data Protection in the Charity & Voluntary Sector Guidelines. April 2011 Office of the Data Protection Commissioner]
Section 848A of the Taxes Consolidation Act 1997 (TCA1997) provides for a scheme of tax relief for certain “eligible charities” and other “approved bodies” in respect of donations received on or after 6April 2001. This scheme is administered by the Charity Claims Unit in the Office of the Revenue Commissioners. Donations are made to GIVE to pursue its programmes by volunteers and others. In order to receive this tax relief from Revenue, GIVE requires its donors who are PAYE  taxpayers and who have donated over €250 in one year to complete the appropriate certificate supplied to them by GIVE. The completion of this certificate includes the provision of their Personal Public Service Number (PPSN) to GIVE and clarification as to whether they pay PAYE at the standard or higher tax rate. GIVE makes an application for tax relief by providing an annual set of returns containing the names, addresses, total amount of donation and the PPSNs of all eligible donors who exceeded the donation threshold within the given tax year. 
The completed certificates are held in a locked filing system in Club na Múinteoirí, 36 Parnell Square, to which only the Management team has authorised access. The PPSNs of donors are recorded and are held securely, encrypted and password protected. Restricted access to the records of donations and PPSNs is confined to members of the Management team and Finance Director on a strictly “need to know” basis.
Once the returns are made to Revenue and GIVE receives the relief due, the restricted access PPSNs and certificates are retained  for so long as required for auditing purposes.

Retention of data

Information provided on Volunteer Information Forms is deemed by GIVE to be relevant only to the particular year in which the form was submitted. During the year immediately following the programme in which volunteers participated they may receive updates / reports / newsletters from GIVE. Volunteers may be invited to continue their association with GIVE and to receive such newsletters and promotion materials. For the purposes of maintaining this association with GIVE on an annual basis, volunteers expressly permit GIVE to retain contact details, such as name, address, telephone number. 
All volunteers who apply to participate as a volunteer on the GIVE programmes either first time or for a second or subsequent year shall complete a Volunteer Application Form in respect of that year. This information shall be retained by GIVE for a period of up to seven years from the expiration of the volunteer’s participation as a volunteer on the GIVE programme.
Other information, which is not necessary to maintain this association with GIVE, shall be deleted from the volunteer’s file within twelve months of the end of their participation on the GIVE programme. Paper documents containing such information shall be shredded or otherwise destroyed.

Rights for individuals under the GDPR

Any data subject (individual) may apply in writing to the Data Protection Officer, Michael Griffin, requesting access to the information which GIVE may hold about them. The Data subject shall be provided with their data in accordance with such request within 21 days of receiving the request. Sensitive personal information held by GIVE will be disclosed to the subject only in writing. In exceptional circumstances and only when the Data Protection Officer is satisfied that he/she has verified the identity of a subject caller on the telephone may contact details (Name, Address, Telephone and email address) be disclosed to the subject over the telephone.
A data subject may request the Data Protection Officer, Mr. Michael Griffin, to have inaccuracies corrected in their data. Where the request is for the deletion of a record rather than the correction of an inaccuracy the Data Protection Officer shall consult with the members of GIVE management team. In cases where the Data Protection Officer is satisfied that the purpose for which such record was first obtained no longer exists the record shall be deleted.
A data subject may object to having their data processed for direct-marketing purposes and the subject’s wishes in this respect shall be upheld by GIVE. 

Breach of Data

As soon as a data subject or a member of GIVE Management team or Board of Directors becomes aware that there may have been a breach of an individual’s personal data they shall immediately report it to the Data Protection Officer Mr. Michael Griffin.  The Data Protection Officer shall report the breach to the Data Protection Commissioner (DPC) within 72 hours. Such a breach may be accidental or it may be deliberate and corrective action shall be taken immediately by the Data Protection Officer to restore the security of the data. Where such breach can bring harm to an individual – such as identity theft or breach of confidentiality – the Data Protection Officer shall also report it to the individual (s) concerned. 
Review of Data Protection Policy.
GIVE will continue to review the effectiveness of this policy to ensure that it is achieving its stated objectives. It will do so on an annual basis and more frequently, if required, taking into account changes in the law and in GIVE organisation and its security systems.


Michael Griffin, Chairperson 2nd May, 2018.

Check Data Protection Policy Here