Irish Family History Society

Connecting People With Their Irish Roots

Data Protection and Privacy Policy

Purpose and Scope:

The purpose of this procedure is to provide information and processes to help the Society to ensure and demonstrate compliance with the EU General Data Protection Regulation (GDPR) introduced on 25 May 2018

The Irish Family History Society holds personal data of Members’ contact details and preferences including names, postal addresses and email addresses so that we can:

● maintain an accurate list of members
● have accurate financial accounting of membership fees and
● to distribute journals and news sheets
● send membership renewal forms and advise of upcoming events.

The Irish Family History Society commit to the following eight principles of data protection:

1. Obtain and process information fairly.
2. Keep it only for one or more specified, explicit and lawful purposes.
3. Use and disclose it only in ways compatible with these purposes.
4. Keep it safe and secure.
5. Keep it accurate, complete and up-to-date.
6. Ensure that it is adequate, relevant and not excessive.
7. Retain it for no longer than is necessary for the purpose or purposes.
8. Give a copy of his/her personal data to that individual, on request.

Arrangements and Procedures:

Our arrangements and procedures follow the 12 step guidance issued by the Data Protection Commission at the introduction of the GDPR.

1: Awareness

● All committee members will be made aware of the importance of data protection via this procedure.
● All committee members are required to ‘factor in’ data protection to any tasks or projects they undertake and they should identify areas that could cause compliance problems under the GDPR.

2: Accountability

● An inventory of all personal data we hold will be maintained in a ‘Master Database’
● Furthermore within the database, for each ‘data’ grouping (e.g. name, address etc.) the following information will be linked with each grouping: Why we hold this data, How we obtained it, when we obtained it, how long we will retain it, whether it is shared with third parties and if so on what basis it is shared.
● The ‘Master Database’ will be password protected and the Hon. Chairperson and the Membership Secretary and the Treasurer are the only IFHS committee members who will have access to the database.
● If other persons need limited access (e.g. modifying the website) either of the above three officers of the committee can allow  limited access for specific purposes.
● The Master Database’s inventory will enable the society to maintain an accurate list of members and to maintain accurate financial accounting of membership fees.
● The Master Database’s inventory will also enable the society to amend incorrect data, manage access requests and preferences and track third-party disclosures (if in place in the future).
● Data from our ‘Master Database’ is transposed to our website to allow Members access to the Website.
● The data on the website is managed and updated by the Membership Secretary.

3: Communicating with Service User

The following Privacy Statement is available on our Website. The Privacy Statement is also referenced on our Membership/Renewal Form.

Irish Family History Society – Privacy Statement

The Irish Family History Society will only collect personal data directly (i.e. where you provide the information to us). We do not collect personal data indirectly (i.e. via an external source).

● Our contact information is:

▪ The Irish Family History Society, C/O Membership Secretary, 17 Aubrey Park, Shankill, Dublin, D18 CX64, Ireland
▪ Our email is: info@ifhs.ie

● The purpose of our data processing is:

▪ holding personal data on Members’ contact details and preferences, including names, postal addresses, and email addresses so that we can maintain an accurate list of members
▪ have accurate financial accounting of membership fees to enable us to distribute journals and news sheets
▪ distribute membership renewal forms advise of upcoming events.

● We do not share your personal data with any other entity and do not forward your personal data to a third country (outside the EU).
● We retain the data for all paid up Members for the period of their subscription.
● We retain the data for all lapsed Members for two years after their subscription has lapsed
● You have entitlements regarding your personal data held by us which include:

 subject access, (your personal data held by us)
 to have inaccuracies corrected,
 to have information erased,
 to object to direct marketing,
 to restrict the processing of your information, including automated decision-making, data portability

4: Personal Privacy Rights

● The Irish Family History Society understands the importance of  personal Privacy Rights and the requirements of the General Data Protection Regulation and will respond to requests and enquiries in a timely manner (i.e. within 30 days as per the GDPR)
● To facilitate this we only hold one ‘Master Database’ which contains members personal data in which any requests will be completed and actions noted.
● The decision to make changes to the Master Database in response to requests will be made and carried out by the Membership Secretary ? and reported generally at committee meetings (i.e. individuals will not be identified)
● Changes in personal data on the Master Database will also be used to maintain accurate accounting of membership fees. This will be carried out by the Treasurer.
● Changes in personal data on the Master Database will in turn result in changes to the personal data held on our Website. This will be carried out by the Membership Secretary.

5: Access Requests

● On receipt of an Access Request the Membership Secretary will consider the following:

The rights of the individual under GDPR

▪ subject access, (individual personal data held by us)
▪ to have inaccuracies corrected,
▪ to have information erased,
▪ to object to direct marketing,
▪ to restrict the processing of your information, including automated decision-making, data portability

● Will consult the Master Database and the accuracy of individual personal data held.
● Will provide additional information to people making requests, such as our data retention periods and the right to have inaccurate data corrected.
● Will amend the Master Database according to the request so that the rights of the individual under GDPR are respected and/or amended as per the request and that this is communicated to the individual

6: ‘Legal Basis’

● Our legal basis for processing personal data is ‘Consent’: the individual has given consent for the IFHS to process their personal data for the purpose of ‘Membership management’ and ‘Contact’.
● The following wording is included on our Membership/Renewal Form and on our Website: –

Irish Family History Society – Personal Data ‘Consent’

Personal Data processed by us is by ‘Consent’ (i.e. you provide your personal data to us). Under the
EU General Data Protection Regulation, we are required to record your ‘consent’ to process your
personal data. In the IFHS there are two aspects to this Consent:

1. Personal Data for ‘Membership Management’

● I give my consent for my personal data to be used by the IFHS for the purpose of Membership Management (i.e. to maintain an accurate list of Members and have accurate financial accounting of membership fees)

Please place a tick in this box to give your consent:

2. Personal Data for ‘Contact’ (i.e. to provide journals, newsletters, membership renewal forms and to advise of upcoming events)

● Members can opt in/out on whether to be contacted for this purpose.
● Please tick one of the boxes below to opt in/ out of being contacted.
● Contact me Do not contact me
● Members can also opt in/out at any time by emailing us at info@ifhs.ie
● Please refer to our Privacy Statement on our Website www.ifhs.ie
● Please place a tick in this box to give your consent:

7: Using customer consent as a grounds to process data

● Consent must be ‘freely given, specific, informed and unambiguous’. Essentially, our members cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity.
● Note that consent has to be verifiable, that individuals must be informed in advance of their right to withdraw consent and that individuals generally have stronger rights where you rely
on consent to process their data.
● The IFHS will keep records of consent so that we are able to demonstrate that consent was given.

8: Processing Children’s Data

● The IFHS does not process children’s data.
● If the IFHS was to process data from underage subjects, we must ensure that we have adequate systems in place to verify individual ages and gather consent from guardians and will refer to the Data Protection Commission guidance.

9: Data Protection Impact Assessments (DPIA) and Data Protection by design and default

● The IFHS will refer to Data Protection Commission guidance if a DPIA situation arises in the future.
● A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and come up with a way to mitigate them. A DPIA can involve discussions with relevant parties/stakeholders.

10: Reporting data breaches

● The GDPR introduces a duty on all organisations to report certain types of personal data breach to the Data Protection Commission
● If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, individuals must also be informed without undue delay.
● The IFHS will keep a record of any personal data breaches, regardless of whether they are required to be notified to the Data Protection Commission
● The IFHS will apply the guidance on Data Breaches available from the Data Protection Commission in the event of a data breach
● Guidance:
https://www.dataprotection.ie/docs/Data-Security-Breach-Code-of-Practice/y/1082.htm 

11: Data Protection Officers

● The IFHS has not designated a Data Protection Officer (DPO).
● The person in the IFHS who is responsible for data protection compliance is W Noel Jenkins.

12: Cross-border processing and the one stop shop

● The IFHS in not engaged in cross-border processing of personal data.

Responsibilities:

The responsibilities of the IFHS committee members are as is indicated in the Arrangements and Procedures Section of this procedure