IPRT PRIVACY STATEMENT
When you share your personal data with IPRT we are committed to protecting and respecting your privacy. This Privacy Statement tells you about your privacy rights and sets out how we, as a Data Controller, collect, use, process and disclose your personal data, particularly in respect of your interactions with our website www.iprt.ie (the Site).
This statement contains the following sections. Please read each carefully to understand our use of your personal data. We hope it will answer any questions you might have. If you have any other questions please contact us at email@example.com
- How we collect information about you
- Special categories of personal data
- How we use the personal data we collect
- How we keep your information safe
- Who do we share your information with?
- Links to other sites
- Your rights
- Exercising your rights
- What happens if there is a data breach?
- How to contact us
- Changes to this Privacy Statement
1. How we collect information about you
We collect personal data about you when you decide to provide us with such information – for example when you email us, use our online forms, request advice or information, sign up to our events or request our newsletters. In addition to the personal information you provide to us, we also collect certain information when you visit our website, engage with our social media and discussion fora and when we take photos at our events.
We may collect and process the following types of personal data about you:
Identity Data: including name or similar identifier
Contact Data: including address, email address and telephone numbers
Financial Data: including bank account and payment card details. (This is only where you are making a donation or paying for membership).
Transaction Data: including details about donations or membership payments.
Usage Data: including information about how you use our site.
Communications Data: including your preferences in when and how you are happy to receive communications from us
Technical data and cookies
Technical details in connection with visits to our site are logged by our site hosting company (Linode), an international organisation, with the IPRT server based in the EU. IPRT will make no attempt to identify individual visitors, nor to associate the technical details with any individual. IPRT will never disclose such technical information in respect of individual website visitors to any third party (apart from our site hosting company, which records such data on our behalf and which is bound by confidentiality provisions in this regard), unless obliged to disclose such information by a rule of law.
IPRT also uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics does use “cookies”. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.
2. Special Categories of Personal Data
As a general rule we do not collect details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. Nor do we generally collect any information about criminal convictions and offences.
However, there are some exceptions to this general rule:
- The first exception to this is where you are registering for free membership as a person with experience of imprisonment or as the family member of such a person. If you provide this information about a conviction to us, in order to (1) avoid charging you for membership at the time of registering and annually after that and (2) quantify in the aggregate the number of our members with lived experience of imprisonment, we will ask for your consent to record this piece of information. If you provide consent we will record the fact of consent on our CRM system and the relevant information. If you do not consent we will not record this. We will ensure there are appropriate safeguards in place to protect this information.
- The second exception to this is where you contact us and in doing so disclose that you are a person with current or former experience of imprisonment and/or you disclose information about your health. This may be in the context of seeking advice or information or in response to a consultation process. In these circumstances, it will sometimes be necessary to initially record this information in order to (1) manage our relationship with you, including sending the requested advice or information to your current place of residence, which may be a prison, (2) provide appropriate advice or information or (3) engage in consultation. In these circumstances we will ask for your consent to record this piece of information in the letter in which we provide the initial advice or information. If you provide consent we will record the fact of consent and the relevant information. The information will be recorded only for the purpose of providing advice and only where this is relevant to your query. If you do not consent we will not record this. We will ensure there are appropriate safeguards in place to protect this information.
- The third exception is when we take photographs at our events. These photographs are used in our publications, on our website, in our reports to our funders and for archive purposes. In some circumstances, photographs may be considered to be biometric data. We will request your express consent to be photographed when we run event registrations. Further, if you do not consent to having your photograph taken and processed in this way we will have a ‘sticker system’ in place to ensure that your photograph is not taken at the event. We will also have written notices in place at the venue advising attendees that photos are being taken, the purpose of taking the photo and the use to which the image will be put.
Usually we will ask for your express consent to use your personal information. For example, when you sign up to become a member, we will ask for your consent to make you aware of other related things which may be of interest to you, for example making a donation to IPRT or attending one of our events. Before you give your consent, we tell you what information we collect and what we use it for. You can withdraw your consent at any time by contacting us.
4. How we use the personal data we collect
We will never release your personal details to any organisation outside IPRT for mailing or marketing purposes. We only use your personal data for the following purposes:
- Providing and personalising our services
- Dealing with your enquiries or requests
- Administering orders, donations and membership
- Providing you with information about our activities
Click here to see a summary of the purpose and basis for processing your data, and for the retention period of your data.
5. How we keep your information safe
We are committed to protecting the security of your personal data. We use a variety of technical and physical security technologies and procedures to help protect your personal data from unauthorised access.
To ensure the security of your credit card information when you use it to log a donation or membership on our Site, we use Secure Sockets Layer (SSL) technology. You will see the padlock in your browser’s security display indicating that the transfer of all data between your browser and our Site has been encrypted. When you supply us with your card information in the context of an online transaction, this information is not retained on this Site. Rather, it is securely transferred to Stripe, a secure online payments provider.
As effective as modern security practices are, no physical or electronic security system is entirely secure. We cannot guarantee the complete security of our database, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the Internet. We have implemented strict internal guidelines to ensure that your privacy is safeguarded at every level of our organisation. We will continue to revise policies and implement additional security features as new technologies become available.
Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to our Site. Any transmission of personal data is at your own risk. Once we receive your personal data, we use appropriate security measures to seek to prevent unauthorised access or disclosure.
6. Who do we share your information with?
In some very limited circumstances we will share your information with third parties in order to improve our service to you, for example:
- with our website hosting company Linode which processes data entered on our web forms on our behalf;
- with Stripe which processes data relating to any financial transaction on our website (i.e. a membership or donation) on our behalf;
- with Salesforce, a consumer relationship management system which processes data relating to your interactions with IPRT;
- with Mailchimp which processes bulk emails on our behalf;
- if we are under a duty to disclose in order to comply with any applicable law, legal obligation, regulation or lawful request (e.g. our accounting and auditing services)
- Non-personal “technical” data may occasionally be used to compile statistics that may be shared with our funders to demonstrate our effectiveness or reach – e.g. the aggregate number of visitors to the site, etc.
We have taken steps to ensure that these third parties have the same levels of data protection that we have. See for example:
7. Links to other sites
Our Site may, from time to time, contain links to and from other websites. Also, some parts of the Site are powered by widgets designed by third parties e.g. YouTube. If you follow a link to any of those websites or widgets, please note that they will have their own privacy policies and we do not accept any responsibility or liability for those policies. Please check those policies before you submit any personal data to those websites or widgets.
8. Your rights
You have the right to request access to, rectification of, or erasure of your personal data, to request restriction of processing of your personal data, or to object to its processing, as well as the right to data portability. We will not charge for this service.
A summary of your rights and what they mean is available here.
9. Exercising Your Rights
Our Executive Director oversees how we collect, use, share and protect personal data to ensure your rights are fulfilled. If you wish to exercise any of the rights listed in the table above, please contact her. You may contact her in person, by telephone, in writing or by email at firstname.lastname@example.org. Any complaint will be fully investigated.
- We will respond to your request within one month.
- That period may be extended by two further months where necessary, taking into account the complexity and number of requests.
- We will inform you of any such extension within one month of receipt of your request.
- We may request proof of identification to verify your request. This is to help protect your information.
- We have the right to refuse your request for the reasons set out above, or if it is manifestly unfounded or excessive, or to the extent necessary for important objectives of public interest.
10. What happens if there is a Data Breach?
All staff of the organisation receive training on data protection. In the unlikely event that a data breach occurs (which we define as any loss of control over the personal data which has been entrusted to us, including any inappropriate access to personal data on our systems or sending personal data to the wrong receiver), IPRT will apply the Personal Data Security Breach Code of Practice issued by the Data Protection Commissioner, which can be viewed in full at www.dataprotection.ie
- Staff must immediately report any data breach to the Executive Director
- The Executive Director is responsible for dealing with the incident
- S/he will inform those affected by the breach as soon as reasonably possible.
- S/he will inform those that may be in a position to assist in protecting the personal data, including An Garda Síochána, as soon as reasonably possible
- S/he will report the incident to the Data Protection Commissioner as soon as reasonably possible and in any event within 2 working days
- S/he will consider and if possible take any steps necessary to limit damage or distress to those affected
- S/he must keep a summary record of the incident
- S/he will ensure that measures are taken to prevent repetition of the incident
11. Changes to this Privacy Statement
We reserve the right to change this Privacy Statement from time to time at our sole discretion. If we make any changes, we will post those changes here and update the “Last Updated” date at the bottom of this Privacy Statement. However, if we make material changes to this Privacy Statement, we will notify you by means of a prominent notice on the Site prior to the change becoming effective. Please review this Privacy Statement periodically for updates.
12. Contact Us
Questions, comments, requests and complaints regarding this Privacy Statement and the personal data we hold are welcome and should be addressed to the Executive Director at email@example.com or sent in writing to:
1 Green Street
To download or print the privacy statement in full, click here.
[Last Updated: May 2018, changes to providers May 2019]
Data Subject Access Request
You are entitled to request access to your personal data under the General Data Protection Regulation (GDPR) 2018. To access the information we currently hold against you, please return the IPRT Data Subject Access Request, with a copy of photographic ID.
 "Personal data" means any information about an individual from which that person can be identified.
 A “cookie” is a text file placed on your computer, to help the website analyze how users use the site