Last updated 19/09/2024

This statement relates to our privacy practices in connection with this Website. The Clanwilliam Institute is not responsible for the content or privacy practices of other websites. Any external links to other websites are clearly identifiable as such. 

By Using this Website You agree to the below. 

HyperText Transfer Protocol Secure (HTTPS) 

HyperText Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). Clanwilliam website is secured with the HTTPS certificate. The principal motivations for HTTPS are authentication of the accessed website, protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks. The bidirectional encryption of communications between a client and server protects against eavesdropping and tampering of the communication,.In practice, this provides a reasonable assurance that one is communicating without interference by attackers with the website that one intended to communicate with, as opposed to an impostor. 

The authentication aspect of HTTPS requires a trusted third party to sign server side digital certificates. HTTPS is now used more often by web users than the original non-secure HTTP, primarily to protect page authenticity on all types of websites; secure accounts; and to keep private user communications, identity, and web browsing.This will become especially important in year 2 when the forum (including user accounts and user generated content) will be integrated in the website. 

Clanwilliam also uses SSL certificate. 

How your personal information may be collected 

We obtain the categories of personal information listed above from the following categories of sources: 

  • Directly from You. For example, from the forms you complete on our Service, preferences you express or provide through our Service, or from your purchases on our Service. 
  • Automatically from You. For example, through cookies We or our Service Providers set on Your Device as You navigate through our Service. 

We collect information about visitors who comment on Sites that use our Akismet anti-spam service. The information we collect depends on how the User sets up Akismet for the Site, but typically includes the commenter’s IP address, user agent, referrer, and Site URL (along with other information directly provided by the commenter such as their name, username, email address, and the comment itself). 

General statement 

The Clanwilliam Institute website does not store or collect any personal information about site users. Any personal information which you choose to send to us via the website will be treated with the highest standards of security and confidentiality, strictly in accordance with the Data Protection Acts, 1988 & 2003 and the General Data Protection Regulation 2018 (GDPR). 

Collection and use of personal information 

The Clanwilliam Institute does not collect any personal data about you on this website, apart from information which you send us by email. Any information which you provide in this way is not made available to any third parties. We do not pass on any of your personal information when dealing with your enquiry, unless you have given us permission to do so. 

Collection and use of technical information 

To make this site work properly, we sometimes place small data files called cookies on your device. Most big websites do this too. 

What are cookies? 

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another. 

Further information on cookies can be found at: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm 

Privacy and Cookies Policy 

Pursuant to article no. 13 of the Regulation EU n. 2016/679 (GDPR), and in general in observance of the principle of transparency set forth in the above Regulation, personal data will be processed with automated tools for the management of web services connected with the Clanwilliam website. 

Data, Cookies 
Clanwilliam collects User information. We use technologies like cookies (small files stored by your browser), unique device identifiers to anonymously identify your computer or device so we can deliver a better experience. Our systems also log information like your browser, operating system, and IP address. 

Cookies are small pieces of text sent by your web browser by a website you visit. A cookie file is stored in your web browser and allows the Site or a third-party to recognize you and make your next visit easier and the Site more useful to you. Essentially, cookies are a user’s identification card for the Clanwilliam servers. Web beacons are small graphic files linked to our servers that allow us to track your use of our Site and related functionalities. Cookies and web beacons allow Clanwilliam to serve you better and more efficiently,and to personalize your experience on our Site. Cookies can be “persistent” or “session” cookies. 

How do we use cookies? 

This site uses 2 different types of cookie, 

  • Session Cookies 
  • Persistent Cookies 

Session Cookies are temporary cookies that are not stored on your computer or mobile device. They are used as part of the registration process for financial security purposes. A session cookie is also used to remember your language preference when viewing the site. These session cookies are erased when you close your browser, or after 20 minutes of inactivity. 

Persistent cookies are those placed on your computer or mobile device for a pre-determined length of time when you visit this site. This site only places cookies that are specific to this site. 

We use analytics services provided by Google Analytics. Website analytics refers to a set of tools used to collect and analyse anonymous usage information, enabling us to better understand how our site is used. This, in turn, enables us to improve our site and the products and services offered through it. You do not have to allow us to use these cookies, however whilst our use of them does not pose any risk to your privacy or your safe use of our site, it does enable us to continually improve our site, making it a better and more useful experience for you. 

How to control cookies: 

Within your browser you can choose whether you wish to accept cookies or not. 

Links to Other Sites: Our website has links to other agencies, and, in a few cases, to private organisations, foreign agencies and international organisations. You should be aware that: 

  • If you access another site through a link we provide, you are subject to the privacy policy of that site. 
  • Links to other websites do not constitute an endorsement of that website by the Clanwilliam Institute 
  • The Clanwilliam Institute is not responsible for the contents of any pages referred from its website. As a general rule, where links are requested on www.clanwilliam.ie pages, we will link to services related to the Clanwilliam Institute. We do not provide links to or promote commercial services that are unconnected to family therapy services. 

These cookies are not used for purposes other than those described above and therefore their installation does not require your consent. 

Third-party profiling cookies: These cookies are installed by parties other than Clanwilliam and need your consent to be installed. If you refuse consent, they will be not installed. We may allow third-parties from other providers that need your consent; if not given they will not be installed. Please follow the links below to view the privacy policies of the above third parties where you will be allowed to consent to the installation of such cookies. Please note that if you do not express your preference and continue your navigation in the website, you will consent to the use of such cookies. 

To disable, remove or block cookies you can use your browser’s settings or the DNT option (Do Not Track), if applicable. Clanwilliam does not guarantee the full operation of the website when cookies have been disabled. How to disable cookies from browsers: 

Security: We use physical, technical, and administrative measures to safeguard information in our possession against loss, theft and unauthorized use, disclosure, or modification. Please note, however, that no data transmission or storage can be guaranteed to be secure. As a result, while we strive to protect the information we maintain, we cannot ensure or warrant the security of any information that you transmit to us. 

Changes to this privacy policy 

If this privacy policy changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties 

Further information on the implementation of the Data Protections Acts at Clanwilliam Institute is available from: 

Clinical Manager / Data Protection Officer 
Clanwilliam Institute 
18 Clanwilliam Terrace 
Dublin 2 

01-6761363 
clinical@clanwilliam.ie 

 

Data Protection Policy Clanwilliam Institute

Definitions

Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Subject means an individual who is the subject of Personal Data. Personal Data means any information relating to an identified or identifiable  natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data Subject Access Request means a written or verbal request made to a Data Controller by any individual about whom a Data Controller keeps personal data on computer or in a relevant filing system. Response must be provided to the data subject under the terms outlined under Article 15 of the GDPR and Section 91 of the Data Protection Act 2018. GDPR EU General Data Protection Regulation (EU) 2016/679

  1. Purpose/Overview

CLANWILLIAM INSTITUTE, a registered charity (CHY6591), is dedicated to providing accessible psychotherapy services to all. Our organization is committed to delivering quality mental health care, raising mental health awareness, and safeguarding the rights and dignity of individuals experiencing mental illness.

The purpose of this Data Protection Policy is to outline the obligations of CLANWILLIAM INSTITUTE regarding the protection of personal data in our role as a Data Controller and/or Data Processor. It details the measures we take to protect the rights and fundamental freedoms of data subjects in compliance with EU and Irish legislation.

As part of our operations, we are required to collect and use certain types of information, including ‘personal data’ as defined by the GDPR. This document outlines our policies and practices concerning the collection and use of personal data. We recognize that data protection is an ongoing responsibility, and we will update this policy as needed to reflect changes in our personal data practices or the adoption of new data protection policies.

  1. Scope

This policy applies to all individuals who provide information to CLANWILLIAM INSTITUTE, including service users, employees, volunteers, interns, work experience candidates, students, contractors, subcontractors, agency staff, and clients. It encompasses all information and data generated by CLANWILLIAM INSTITUTE in the course of providing treatment and care to a person.

Data protection rights extend to all information held in any format, whether electronic, manual or paper-based, and to recordings in audio or visual form.

  1. Policy

It is the policy of CLANWILLIAM INSTITUTE that all data is processed and protected in line with the principles of the GDPR, the Data Protection Act 2018, including the Health Research Regulations, , and other relevant EU and Irish Legislation.

4.1 GDPR Principles

CLANWILLIAM INSTITUTE will adhere to the following GDPR principles, which apply to all instances where personal data is stored, transmitted, processed, or otherwise handled, regardless of geographic location:

  • Personal data shall be processed lawfully, fairly, and in a transparent manner with respect to the data subject (Principles of Lawfulness, Fairness, and Transparency). More detailed information on our processing, safeguarding, and confidentiality of personal and sensitive data is available in the CLANWILLIAM INSTITUTE privacy notice, which can be found at https://www.clanwilliam.ie/privacy-statement/
  • Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in ways that are incompatible with those purposes (Principle of Purpose Limitation).
  • Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (Principle of Data Minimization).
  • Personal data shall be accurate and, where necessary, kept up to date. All reasonable steps must be taken to ensure that inaccurate personal data, considering the purposes for which they are processed, are erased or rectified without delay (Principle of Accuracy).
  • Personal data shall be retained in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the data are processed (Principle of Storage Limitation).
  • Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using suitable technical or organizational measures (Principle of Integrity and Confidentiality).

As a data controller, CLANWILLIAM INSTITUTE is responsible for and must demonstrate compliance with these key GDPR principles (Principle of Accountability). The Institute will demonstrate its compliance to the Office of the Data Protection Commission, the statutory body responsible for data protection, through measures such as documenting internal data protection policies, maintaining records of processing activities, providing data protection training, conducting Data Privacy Impact Assessments (DPIAs), recording consent where applicable, documenting data incidents, and maintaining full transparency in its data processing activities.

4.2 Data Subject Rights

CLANWILLIAM INSTITUTE is committed to ensuring that the rights of data subjects, as outlined in the GDPR and the Data Protection Act 2018, are fully protected:

  • Right of Access: Data subjects have the right to request a copy of their personal information held by CLANWILLIAM INSTITUTE.
  • Right to Rectification: Data subjects have the right to ask CLANWILLIAM INSTITUTE to correct any personal information they believe is inaccurate or to complete any information they believe is incomplete.
  • Right to Erasure: Data subjects may request the erasure of their personal information in certain circumstances. However, this is not an absolute right. CLANWILLIAM INSTITUTE, with its duty of care to service users, will review each request on a case-by-case basis.
  • Right to Data Portability: Data subjects have the right to request that their personal information, if in an electronic format, be transferred to another organization outside of CLANWILLIAM INSTITUTE.
  • Right to Restriction: Data subjects have the right to ask CLANWILLIAM INSTITUTE to restrict the processing of their personal information in specific circumstances.
  • Right to Object: Data subjects have the right to object, at any time and on grounds relating to their particular situation, to the processing of their personal data based on Article 6(1)(e) or (f) of the GDPR, including profiling. CLANWILLIAM INSTITUTE will cease processing the data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or are necessary for the establishment, exercise, or defence of legal claims.
  • Right to Object to Automated Decision Making, including Profiling: Data subjects have the right to object to decisions made solely by automated processing, except in cases where there are legitimate grounds for processing or for the defence of legal claims. They can request a human review of such decisions. CLANWILLIAM INSTITUTE does not engage in fully automated decision-making.

CLANWILLIAM INSTITUTE is dedicated to upholding these rights and ensuring compliance with relevant data protection laws and regulations.

4.3 CLANWILLIAM INSTITUTE Processing of Personal Data

CLANWILLIAM INSTITUTE will process personal data in full compliance with all data subject rights as outlined above. We will communicate with data subjects in a concise, transparent, intelligible, and easily accessible manner, using clear and plain language. All personal data processing will be conducted based on a lawful basis as required by the GDPR, which may include one of the following grounds under Article 6(1) of the GDPR:

  • Consent: The data subject has given clear consent for the processing of their personal data.
  • Performance of a Contract: Processing is necessary for the performance of a contract involving the data subject.
  • Legal Obligation: Processing is necessary for compliance with a legal obligation.
  • Protection of Vital Interests: Processing is necessary to protect the vital interests of the data subject or another individual (e.g., in life-saving situations where the patient is unable to provide consent).
  • Public Interest or Official Authority: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
  • Legitimate Interest: Processing is necessary for the legitimate interests of the data controller or a third party, provided these interests are not overridden by the rights and freedoms of the data subject. For all processing conducted on this basis, a Legitimate Interest Assessment will be carried out and documented to ensure that the interests of the data controller or third party do not override the fundamental rights and freedoms of the data subject, particularly when the data subject is a child.

CLANWILLIAM INSTITUTE is committed to ensuring that all personal data processing is conducted lawfully, fairly, and transparently in accordance with these principles.

4.4 CLANWILLIAM INSTITUTE Processing of Special Categories of Personal Data

The processing of special categories of personal data is generally prohibited by the GDPR. This includes data related to racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, health information, sex life details, and sexual orientation.

However, CLANWILLIAM INSTITUTE may lawfully process special categories of personal data under the following circumstances:

(a) When necessary for preventive or occupational medicine. (b) For assessing an employee’s working capacity. (c) For medical diagnosis. (d) For providing health care, treatment, or social care. (e) For the management of health or social care systems and services. (f) Pursuant to a contract with a health professional. (g) For the establishment, exercise, or defense of legal claims. (h) When necessary for reasons of public interest in the field of public health, such as protecting against serious cross-border health threats or ensuring high standards of health care quality and safety.

CLANWILLIAM INSTITUTE ensures that any processing of such sensitive data is conducted in strict compliance with these legal grounds.

4.5 Data Protection Impact Assessment

CLANWILLIAM INSTITUTE is committed to delivering mental health services in strict adherence to the GDPR and the Data Protection Act 2018. Beyond general data protection obligations, we incorporate the following principles in projects that involve designing a new service or modifying an existing one:

  • Privacy by Design and by Default
  • Data Protection by Design and by Default

If any staff member believes a processing activity may affect a data subject’s rights and freedoms, they should:

  • Consult with the Data Protection Office regarding the processing activity.
  • Conduct a Data Protection Impact Assessment (DPIA), which is mandatory when a high risk to data subjects’ privacy or data protection is identified due to the processing.

All DPIAs must be submitted to the CLANWILLIAM INSTITUTE Data Protection Office. A DPIA is a process designed to identify and minimize risks associated with the processing of personal data as early as possible. DPIAs are essential tools for mitigating risk and demonstrating compliance with the GDPR.

Under the GDPR, a DPIA is mandatory for any new “high-risk” processing projects. The DPIA process enables CLANWILLIAM INSTITUTE to make informed decisions about the acceptability of data protection risks and effectively communicate with affected individuals. While not all risks can be eliminated, a DPIA helps identify and mitigate data protection risks, plan solutions, and assess project viability early on. If a DPIA does not identify adequate safeguards against residual high risks, the Data Protection Commissioner must be consulted.

Maintaining thorough records during the DPIA process helps CLANWILLIAM INSTITUTE demonstrate compliance with the GDPR and minimize the risk of legal challenges associated with new projects.

4.6 Controller and Processor – Data Contracts

Under the GDPR, both CLANWILLIAM INSTITUTE, as a data controller, and any individual or organization that processes personal data on its direct instruction (Data Processor), have specific obligations. One such obligation is to establish a legally binding contract that governs the processing of personal data (“Data Processing Contract”).

CLANWILLIAM INSTITUTE will ensure that all data processing activities, whether in the role of a data controller or data processor, are covered by a legally binding Data Processing Contract. Additionally, CLANWILLIAM INSTITUTE will make certain that any Data Processing Contracts it enters into are updated as necessary to include at least the mandatory provisions outlined in Article 28 of the GDPR.

When engaging with a data processor (e.g., a vendor) to enter into a Data Processing Contract, the CLANWILLIAM INSTITUTE Data Protection Officer (DPO via clinical@clanwilliam.ie) should be consulted.

4.7 Data Protection Awareness & Training

All CLANWILLIAM INSTITUTE staff have individual responsibilities to protect the personal data they process. Therefore, it is essential for staff to have a solid understanding of the GDPR. Staff members should familiarize themselves with the CLANWILLIAM INSTITUTE Data Protection Online Training Module available on the intranet and consult the Data Protection Officer (DPO) for any questions or concerns related to data protection.

In addition to the online module, departments may receive further training as needed or upon request from the DPO.

4.8 CLANWILLIAM INSTITUTE Data Breach Management

Under the GDPR and the Data Protection Act 2018, CLANWILLIAM INSTITUTE is legally required to ensure the security and confidentiality of the personal data it processes on behalf of its patients, employees, and clients. Data is one of our most valuable assets, and everyone at CLANWILLIAM INSTITUTE shares the responsibility to safeguard this information. Accurate, timely, relevant, and properly protected data is essential for the effective operation of CLANWILLIAM INSTITUTE as a mental health service provider to our clients, as an employer to our staff, and as a contracting agency to our suppliers.

Data breaches can occur in various ways, such as accidental disclosure to unauthorized persons, loss due to a fire or flood, or theft as a result of a targeted attack or the loss of a mobile device. The CLANWILLIAM INSTITUTE Data Breach Management Policy ensures that a standardized approach is in place throughout the organization to manage any data breaches effectively.

4.9 Data Transfers to Third Country

A third country is any country outside the European Economic Area (EEA) that the European Commission deems as not providing an adequate level of data protection. Transfers of personal data from the EU to controllers and processors in third countries must not compromise the level of protection for the individuals involved.

CLANWILLIAM INSTITUTE will either obtain explicit consent from the data subject for one-off transfers to a third country or, depending on the context, implement appropriate safeguards such as standard contractual clauses and a Transfer Impact Assessment. We will ensure that any transfers to third countries or international organizations are conducted in full compliance with Chapter 5 of the GDPR.

4.10 Disclosure

Personal data can be used or disclosed for a secondary purpose different from the original purpose for which it was collected only under the following conditions:

  • Explicit Consent: The individual concerned has given explicit consent for the proposed use or disclosure. Consent will always be sought from a data subject before disclosing personal data to a third party.
  • Medical Teaching and Statutory Reporting: Personal data may be disclosed for medical teaching or required reporting to statutory agencies (e.g., reporting an incident to the Mental Health Commission, a death to the Coroner, or an adverse drug reaction to the Health Products Regulatory Authority). (See Policy on Access to Clinical Information.)
  • Serious Threats: If a healthcare professional reasonably believes that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to an individual’s life, health, or safety, or a serious threat to public health or safety.
  • Notifiable Diseases: Certain communicable diseases are statutorily notifiable. Notifications should ideally be made with the service user’s informed consent. If consent is not provided, reporting should be done to the relevant authority while maintaining the service user’s confidentiality in other respects.
  • Legal Requirement: The use or disclosure is required or authorized by law.
  • Service User Without Capacity: If the information concerns a service user who lacks capacity and is normally a Ward of Court, disclosure can be made to a responsible person to facilitate appropriate care or treatment, provided that adequate legal documentation is accepted by the DPO.
  • Limited Disclosure: Any disclosure to a third party should be limited to what is necessary to achieve the statutory or organizational objective.
  • Anonymized Data: Anonymized information, which cannot be traced back to the service user, may be used in clinical audits within St. Patrick’s Mental Health Services and shared with other healthcare agencies such as the Mental Health Commission, the Health Research Board (HRB), the Economic and Social Research Institute (ESRI), the Health Products Regulatory Authority, and the Coroner’s Office. This information is provided for regulatory, clinical audit, and data analysis purposes and is regulated by statute.
  • Health Research: CLANWILLIAM INSTITUTE adheres to data protection obligations for processing service user information for health research. We comply with the Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021. The CLANWILLIAM INSTITUTE Research Ethics Committee will follow the CLANWILLIAM INSTITUTE Research Ethics Committee Governance Policy and Standard Operating Procedures, which are aligned with these regulations.