Privacy Notice

1.    Introduction

SAINT JOHN OF GOD HOSPITALLER SERVICES GROUP (SJOG) is committed to protecting the rights and privacy of all individuals, being service users, visitors, donors or any others.

This document sets out how we intend to capture, use and protect all personal data which SJOG collects and stores during the course of the relationship we established with you. We also want you to be clear as to what rights you can invoke in respect to the information we hold about you.

In this regard, it is important that you read this Privacy Notice and understand our use of your personal data.

This policy may be updated from time-to-time to reflect a changing environment, as required. The most recent version of this document can be found on our website: www.sjog.ie/data-protection

1.1      Company Information

References to “SJOG”, “us”, “our” and “we” refer to Saint John of God Hospitaller Services Group, and any of the associated companies within the Group Structure. The companies, as referred to under the term Group, are:

  • Saint John of God Hospitaller Services Group Clg
  • Saint John of God Research Foundation Clg
  • Saint John of God Housing Association Clg
  • Saint John of God Foundation Clg (Fundraising activities)

More information about SJOG can be found at https://www.sjog.ie/

1.2      Legislation

All personal data we gather will be “processed” in accordance with all applicable data protection laws and principles, including the EU General Data Protection Regulation 2018 and the Data Protection Acts 1988 and 2003.

1.3      Queries and Complaints

If you require further information about the way your personal data will be used, or if you are unhappy with the way we have handled your personal data and wish to contact us please submit your concerns to: dpo@sjog.ie.

The dpo@sjog.ie mailbox is managed by the SJOG DPO function and all correspondence received will be addressed accordingly, including oversight from the designated SJOG Data Protection Officer.

You have the right to lodge a complaint with the Office of the Data Protection Commission (DPC). To contact the DPC, please use the following details:

By letter:

  • Data Protection Commission
  • 21 Fitzwilliam Square South Dublin 2 D02 RD28 Ireland

Telephone:

  • +353 578 684 800
  • +353 761 104 800

Email: info@dataprotection.ie

Please note that we will take all appropriate steps to keep your personal data safe. In the unlikely event that we have a security breach, we will notify you without undue delay regarding the circumstances of the incident in accordance with our legal obligations.

2.    How do we collect information?

We collect personal data to provide our services to you. Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You have made a complaint or enquiry to us.
  • You have made an information request to us.
  • You wish to attend, or have attended, an event.
  • You subscribe to our e-newsletter.
  • You have applied for a job or secondment with us.
  • You have fundraised for the Foundation
  • You are representing your organisation.

3.    What do we use information for?

We use your personal information in order to provide the different services our organisation delivers through its many entities.

The following table is a non-exhaustive list which describes how we may use the personal data we gather for any or all the following purposes:

 

Process Description Lawful Basis for Processing
Handling Enquiries General enquiries are received from service users, their relatives, and other members of the public.

Service user’s data will only be disclosed on completion of identity verification.

The use of the data is in our legitimate interests as an organisation with oversight of healthcare services provided by our network.

The use of the data is necessary for the management of our services.

Contractor Visitor Sign-In Visitor data is recorded at our reception to keep a log of external parties who are operating within the premises. The use of the data is in our legitimate interests as an organisation.
Investigate Complaints Where complaints are received from service users or other members of the public, we will process the necessary data in order to investigate the complaint. The use of the data is necessary for the management of our services.

The use of the data is necessary to ensure high standards of quality and safety of health care.

System Maintenance  Sometimes user/staff data may be accessed during system repairs and updates, as required.

Service users’ data will also be used in order for the organisation to maintain system back-ups in the event of an IT system failure.

The use of the data is necessary for the management of services.

The use of the data is necessary to ensure high standards of quality and safety of health care.

CCTV Footage We operate a CCTV system on our premises to protect the safety and security of our staff, service users, visitors and property. The processing is in our legitimate interests as an organisation regarding safety and security.
Fundraising We process your contact and banking details when you make the decision of supporting our work with your donation. The use of the data is necessary in the context of a contractual relationship and to comply with regulatory requirements.
Allocation and maintenance of accommodation facilities  We collect data regarding the offering, selection and ongoing maintenance of housing facilities to suitable applicants/tenants.

The data is collected from the individuals themselves but also from the different representatives that could act on their behalf (relatives, local authorities, etc.).

This data will be used throughout the tenant’s relationship with the Association.

The use of the data is necessary for the performance of a contract to which the applicant/tenant is party.

4.    Who do we share information with?

There are various circumstances where we may share personal data with third parties. Generally, this includes your representatives and our representatives, and some pre-advised third parties.

We may from time to time disclose your information to the following categories of recipients:

  • Any party which you have given us permission to speak with (family, friends or otherwise)
  • Statutory bodies and regulators as required by EU and Irish law (such as revenue or enforcement agencies) as required by EU and Irish law (i.e. Local authorities, HSE, HIQA, and others)
  • Legal representatives, if necessary
  • Our Payment Service Providers, to the extent required for the purpose of processing your payment for a donation, or to address any queries/complaints that may arise from this process.

We take steps to ensure that any third-party partners who handle your information comply with data protection legislation and protect your information just as we do. We only disclose personal information that is necessary for them to provide the service that they are undertaking on our behalf. We will aim to anonymise your information or use aggregated non-specific data sets where possible.

On occasion we may transmit your data outside of the European Economic Area e.g. when using a cloud-based service provider. In such circumstances, we will ensure that the data is transferred in a secure manner, in accordance with data protection legislation.

If you would like more information about the relevant safeguards in place for the transfer of personal data to countries or companies outside the European Economic Area, please contact us using the details outlined in Section 1 above.

5.    What type of information is collected?

While the type of personal data may change occasionally, we believe it is important you are aware of the types of personal data we gather and use.

In providing some services or overseeing the services provided by our entities, we may collect many categories of personal data about service users, which may include sensitive data. The following table is a non-exhaustive list and provides an indication of the categories and types of personal data we use to perform our duties.

Please note that information listed under one category may be used for the performance of a task or in relation to activities under another heading or as outlined under Section 3.

 

Reason Type of Data Collected
Housing Applications and maintenance Identification and contact details, financial details, health details.
Service Quality Improvement Service user feedback, enquiries received, log of calls received, log of complaints received, adverse occurrence forms submitted.
Recruitment Information Provided on CV, Garda Vetting, Occupational Health Data, Verifications of References, Experience and Qualifications Provided, Visa/Immigration Documentation, Interview Notes.
Employment maintenance Contact Details, Date of Birth, Bank Details, Hours Worked, Sickness Details when Absent, Training Records and requirements, Performance Reviews
Occupational Health Occupational health related medical data
Quality Improvement Employee Feedback, Formal Enquiries Made
Fundraising Contact details, banking/payment details.
Security on premises CCTV footage, Area Access Log

6.    How long do we retain information?

We have a comprehensive record retention schedule and policy. When we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws, or the period required to defend ourselves against legal action.

The only exceptions to this are where:

  • the law requires us to hold your personal information for a longer period, or delete it sooner;
  • you exercise your right to have the information erased (where applicable as per section 8) and we do not need to hold it in connection with any of the reasons permitted or required under the law.

7.    Our website – Use of cookies

We use cookies to enhance the performance of our website and personalise your online experience.

What are Cookies?

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to work more efficiently, by remembering your actions and preferences (such as login, language, font size and other display preferences) if you’ve been to the website before, so you don’t have to keep re-entering them whenever you come back to the site.

They are also useful to provide information to the owners of websites. Cookies are used to measure which parts of the website people visit and to customise your experience, as well as to provide information that helps us monitor and improve the website’s performance.

Description of Cookies

Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

First Party Cookies

The function of this type of cookie is to retain your preferences for our website. They are stored and sent between our servers and your computer’s hard drive. We collect this information anonymously, so it doesn’t identify anyone as an individual and no personal information is stored in our cookies. We always use cookie data in a responsible way. These cookies may be either Session or Persistent cookies.

Third Party Cookies

Some of the services and products within the pages of our website are provided by third parties who, in time, may set their own cookies to enable such services. These cookies are stored and sent between the third-party’s server and your computer’s hard drive. These cookies are usually persistent cookies. Because we don’t control the settings of these third-party cookies, we recommend that you visit the third-party website that has generated them for more information about how to manage them.

Third Party Cookies

We use cookies for the following purposes:

(a) authentication – we use cookies to identify you when you visit our website and as you navigate our website.

(b) status – we use cookies to help us to determine if you are logged into our website.

(c) personalisation – we use cookies to store information about your preferences and to personalise the website for you.

(d) security – we use cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally.

(e) advertising – we use cookies to help us to display advertisements that will be relevant to you.

(f) analysis – we use cookies to help us to analyse the use and performance of our website and services.

(g) cookie consent – we use cookies to store your preferences in relation to the use of cookies more generally.

Please refer to the tables below for more detail on cookies used within our website.

Necessary cookies

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

 

Cookie Name Used by Description Expiration
_cfduid Cloudflare Used by the content network, Cloudflare, to identify trusted web traffic. It does not contain any personal information. 1 year
ASP.NET_SessionId Website Used for authenticating a user’s session after logging in. Closes when the user exits the browser. It does not contain any personal information. End of session
ARRAffinity Website Tells our infrastructure which server to handle the request. It does not contain any personal information and is used only for analytical purposes. End of session
MemberLoggedIn Website A binary flag which stores whether a user is logged in or not. It does not contain any personal information. End of session
_stripe_sid Stripe Used by our payment provider, Stripe, in order to process payments on checkout. End of session
_stripe_mid Stripe Used by our payment provider, Stripe, in order to process payments on checkout. 1 year
nsr Stripe Used by our payment provider, Stripe, in order to process payments on checkout. End of session

Statistic cookies

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

Cookie Name Used by Description Expiration
@@History/@@scroll|# Website Used by AppInsights to allow for monitoring of the platform database. It does not contain any personal information and is used only for analytical purposes. End of session
_ga and _gid Google Analytics Used to distinguish between website users in Google Analytics. 2 years
_gat Google Analytics Used to moderate calls to the Google Analytics service. It does not contain any personal information and is used only for analytical purposes. End of session
ai_session and ai_user Website Tracks users as they navigate the website predominately for infrastructure performance insights. It does not contain any personal information. End of session
p.gif Typekit Used by the font provider, Typekit, if you are using one of their fonts. Used for compliance and billing purposes only. It does not contain any personal information. End of session
__utma Google Analytics Stores the number of visits of a user, the time of their first visit, the previous visit, and the current visit. It does not contain any personal information and is used only for analytical purposes. 2 years
__utmz Google Analytics This performance cookie stores where a user came from (eg. search engine, search keyword, link). It does not contain any personal information and is used only for analytical purposes. 6 months
__unam ShareThis Set as part of the ShareThis service and monitors “click-stream” activity, e.g. web pages viewed, navigation from page to page, time spent on each page etc. The ShareThis service only identifies a user if they have separately signed up with ShareThis for a ShareThis account and given them consent. Checks how long a user stays on a site: when a visit starts and ends. It does not contain any personal information and is used only for analytical purposes. 14 months
cc_cookie_accept Website Stores whether the user has accepted the cookie message or not. It does not contain any personal information and is used only for analytical purposes. 365 days

 

Marketing cookies

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.

 

Cookie Name Used by Description Expiration
 NID Google Registers a unique ID that identifies a returning user’s device. Can be used for targeted ads. It does not contain any personal information. 6 months
 collect Google Analytics Used to send data to Google Analytics a user’s device and behaviour. It does not contain any personal information.  End of session
 r/collect Doubeclick.net These cookies are managed by DoubleClick, an advertising platform we use to display adverts.  End of session
 IDE,  DSID,

_ct_rmm

Doubleclick.net These cookies are managed by DoubleClick, an advertising platform we use to display adverts.  2 years
 DisplayName Website  Keeps track of a donor’s preference to show their name during a Direct Debit.  End of session
VISITOR_INFO1_LIVE Youtube Used by Youtube if you’ve embedded a Youtube video in your posts. Tries to estimate a user’s bandwidth on pages with integrated Youtube videos. It does not contain any personal information. 179 days
 YSC Youtube Used by Youtube if you’ve embedded a Youtube video in your posts. Registers a unique ID to keep statistics of what videos from Youtube a user has seen. It does not contain any personal information  End of session

 

How to control cookies

You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.

You can control and/or delete cookies as you wish – for details, see www.aboutcookies.org and www.allaboutcookies.org.

8.    What are your rights?

You have rights when it comes to your personal data. On receipt of a valid request to invoke your rights, we will do our best to adhere to your request as promptly as reasonably possible, however, please be aware that restrictions may apply in certain situations.

Right of Access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Right to Rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Right to be Erasure

You have the right to ask us to erase your personal information in certain circumstances.

Right to Restriction

You have the right to ask us to restrict the processing of your information in certain circumstances.

Right to Data Portability

You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.

Right to Object

You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests.

Right not to be subject to Automated Decision Making, including Profiling

You have a right not to be subject to a decision based solely on automated processing or profiling, where such decisions would have a legal effect or significant impact on you.

As a responsible organisation, we do not use automatic decision-making or profiling.

You can find more information on each of your rights and its applicability in our Privacy Statement

Where do I send requests?

When submitting your request, please provide us with information to help us verify your identity and as much detail as possible to help us identify the information you wish to access (i.e. date range, subject of the request).

Please send all your requests to dpo@sjog.ie

How long will a request take to complete?

Upon receipt of a request, we will have 30 days to provide a response, with an extension of two further months if required. If we require more time to deal with your request, we will notify you of the delay, and the factors responsible for the delay, within 30 days of the receipt of your request. If we refuse your request, we will notify you within 30 days of the receipt of your request accompanied by the reason for refusal.

You are entitled to contact the Data Protection Commission if we refuse your request.

How much does it cost to submit a request?

We will not charge a fee for any requests, provided we do not consider them to be unjustified or excessive. If we do consider requests to be unjustified or excessive, we may charge a reasonable fee (also applicable for multiple copies) or refuse the request.