Data Protection

Privacy Policy Statement for Independent Speech-Language Therapists of Ireland


When you register with Independent Speech-Language Therapists of Ireland (ISTI) you trust us with your information. This privacy policy is meant to help you understand what data we collect, why we collect it, and what we do with it. We have tried to make it as simple as possible but if you have any questions please contact us.


The Directors of ISTI perform the function of data controller and supervise compliance with the General Data Protection Regulation (GDPR) within the group.


  1. Information we collect
  2. Where we get our information
  3. How we use the information we collect
  4. Information we share
  5. How and when consent is obtained
  6. How we protect your data
  7. Protecting your rights to data
  8. Security of your personal data


1        Information we collect


ISTI holds personal data as part of providing a marketing and support service to Independent SLTs. The data falls under the following headings: administrative records and financial records. Other information may voluntarily be given by members to ISTI via their pages on the website as part of marketing their own practices.


1.1      Administrative records


ISTI holds information regarding a member’s IASLT/CORU status, email, phone number, name, and practice name.


1.2      Financial records


A financial record pertains to all financial information concerning membership dues paid.  This can be membership history, receipts and invoices. Information will include name of bill payer, member name, address and record of invoices and payments made.


2        Where we get our information


Personal data will be provided by the member. This information will be collected as part of the membership form. IASLT or CORU registration may be validated or checked by ISTI as part of the membership process. All members must consent to this validation to be allowed to join ISTI.


3        How we use the information that we collect


We use the information we collect to provide you access to your practice page on, and to ensure prospective clients of yours that you have met the standards of CORU registration and are a legitimate professional in the field of Speech and Language therapy.

The information may also be used to inform and advise you of relevant issues, opportunities or changes in the field of Speech and Language therapy in Ireland that can affect your practice.

Information may also be used to help run ISTI member benefits, e.g. Journal clubs and CPD events.


3.1      Data retention periods


The retention periods are the suggested time periods for which the records should be held based on the organisation’s needs, legal and/or fiscal precedence or historical purposes. Following the retention deadline, all data will be destroyed by confidential means.


3.1.1        Financial Records

ISTI keeps electronic records of financial data from our members.

Section 886 of the Direct Tax Acts states that the Revenue Commissioners require records to be retained for a minimum period of six years after the completion of the transactions, acts or operations to which they relate. These requirements apply to manual and electronic records equally.


  • Financial Data is kept for 6 years to adhere to Revenue guidelines.
  • Financial Data (including non-payment of bills) can be given to Revenue at Revenue’s request.


3.1.2        Contact Data

Contact Data is kept for 6 years to allow processing of Financial Data if required once a member no longer wishes to join ISTI.


3.2      Exceptions


If under investigation or if litigation is likely, files must be held in original form indefinitely; otherwise files are held for the minimum periods set out above.


4        Information we share


We do not share personal information with companies, organisations and individuals outside of ISTI unless one of the following circumstances applies:


4.1      With your consent:


We will only share your Personal Identifying Information (PII) with third parties (including client opportunities) when we have express written permission by letter or email to do so.


Third parties may include: hospitals, GPs, other allied health professionals, educational facilities.


4.2      For legal reasons:


We will share personal information with companies or organisations outside of ISTI if disclosure of the information is reasonably necessary to:

  • Meet any applicable law, regulation, legal process or enforceable governmental request.
  • Meet the requirements of the Children First Act 2015.
  • Protect against harm to the rights, property or safety of (name of business), our service users or the public as required or permitted by law.


4.3      To meet financial requirements:


ISTI is required to share financial data with its accountant, Chris Walshe Ltd, to comply with local tax laws. ISTI is obtaining a copy of Chris Walshe Ltd’s own data protection policy.


4.4      For processing by third parties/external processing


The following third parties are engaged for processing data:


Who | Type of data | Purpose
Charlotte Kitto, Webmaster | Contact Data, Membership information. | Updating website back and front. Processing and maintaining website data.
Chris Walshe Ltd., Accountant | Financial | Processing financial accounts for ISTI.
Dropbox Inc. | Contact, Files, backups. | Storage of ISTI committee minutes, working documents, etc.
Gmail | Email system | All correspondence between ISTI committee and 3rd parties.
 | Website hosting | All data held on, or processed via emails.



4.4.1        Transfer of personal data outside the European Economic Area (EEA):

Where transfer of data outside the EEA is needed, ISTI will ensure that it uses providers who adhere to GDPR requirements.


5        How and when we obtain consent


Consent is obtained when a member requests to join, or to renew membership of, ISTI.


6        How we protect your data


In accordance with the General Data Protection Regulation (GDPR), we will endeavour to protect your personal data in a number of ways:


6.1      By limiting the data that we collect in the first instance


All data collected by us will be collected solely for the purposes set out at 1 above and will be collected for specified, explicit and legitimate purposes.  The data will not be processed any further in a manner that is incompatible with those purposes save in the special circumstances referred to in section 5.1. Furthermore, all data collected by us will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected which include, inter alia, the assessment, diagnosis and treatment of speech, language and communication disorders.


6.2      By transmitting the data in certain specified circumstances only


Data will only be shared and transmitted, be it on paper or electronically, as is required and as set out in section 3.


6.3      By keeping only the data that is required


When it is required and by limiting its accessibility to any other third parties.


6.4      By disposing of/destroying the data once the individual has ceased being a member of ISTI


Within 6 years of the last membership year, a member’s data will be destroyed. It will cease to be publicly available in the same year membership ceases. Where data is required to be held by us for longer than the period of 6 years, we will put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These may include measures such as the encryption of electronic devices, pseudonymisation of personal data, and/or safe and secure storage facilities for paper/electronic records.


6.5      By retaining the data for only as long as is required


Which in this case is 6 years, where retention of data is required in the circumstances set out at part 1.1 above or in certain specific circumstances as set out at Article 23(1) of the GDPR.


6.6      By destroying the data securely and confidentially after the period of retention has elapsed.


This could include the use of confidential shredding facilities or, if requested by the individual, the return of personal records to the individual.

6.7      By ensuring that any personal data collected and retained is both accurate and up-to-date.


All ISTI members can amend their profiles directly to ensure data retained is accurate.


7        Protecting your Rights to Data


Members have the right to request data held on them as per Article 15 of GDPR. All members’ personal data is contained on under each member’s listing, which they have access to amend, update, or remove from public view as applicable.


8        Security


All committee members of ISTI or those 3rd parties recruited in a professional capacity are briefed on the proper management, storage and safekeeping of data.


All data used by ISTI may be retained in any of the following formats:

  1. Electronic Data
  2. Physical Files


8.1      Data Security


ISTI understands that the personal data used in order to provide a service to members belongs to the individuals involved. The following outlines the steps which ISTI uses to ensure that the data is kept safe.


8.1.1        Electronic Data


All electronic data is contained in the following systems: is physically located in Blacknight, Carlow, Ireland.
Gmail is physically hosted on Google’s Irish servers (but data transfer happens for backup purposes outside the EEA).
– This system is physically located in Carlow, Ireland.

  • This system provider is aware of their requirements for GDPR compliance.

  • The system has an administrator external to ISTI. The external administrator has access to member information in order to perform their role.

  • This system has a Live Update for security enabled.

  • All ISTI committee members have read access to member records.

  • All persons require a Log on and Password in order to write to the records.

  • A copy of the files is not made on the users’ computer when in use.

  • The data controller cannot remove or delete users.

  • The data controller cannot change users’ passwords.


– This system is physically located in Ireland.

  • This system provider is aware of their requirements for GDPR compliance.

  • The system has an internal administrator.

  • This system has a Live Update for security enabled.

  • All committee members have write/read/delete access to records.

  • All persons require a Log on and Password in order to access the records.

  • A copy of the files is not made on the users’ computer when in use.


– This system is physically located in USA.

  • This system provider is aware of their requirements for GDPR compliance.

  • The system has an internal database owner.

  • This system has a Live Update for security enabled.

  • All ISTI committee members have READ/WRITE/DELETE access to records.

  • All persons require a Log on and Password in order to access the records.

  • A copy of the files is made on the users’ computer when in use.


8.1.2        Physical Files


Membership forms are kept for the year prior and the year of membership and are then securely destroyed.


8.2      Security Policy


8.2.1        ISTI understands that requirements for electronic and physical storage may change with time and the state of the art. As such, the data controller in ISTI reviews the electronic and physical storage options available to ISTI every 24 months.


8.2.2        All committee members are aware of, are briefed on, and refresh the requirements for good data hygiene every 2 years. This briefing compliance is monitored by the ISTI data controller and includes, but is not limited to:

  • Awareness of membership data confidentiality.

  • Awareness of ISTI’s procedure should a possible data breach occur, either through malicious (theft) or accidental (loss) means.



Date of document: 24/05/2018

Review Date: ___ 2020