1 ABOUT THIS POLICY.
- The information, records, and data of the Divine Word Missionaries is important to how we conduct our activities and manage Divine Word Missionaries Officials/employees/volunteers (“Staff”).
1.2 There are legal and regulatory requirements for us to retain certain data, usually for a specified amount of time. We also retain data to help us operate and to have information available when we need it. However, we do not need to retain all data indefinitely, and retaining data can expose us to risk as well as be a cost to us.
1.3 This Data Retention Policy explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
1.4 Failure to comply with this policy can expose us to fines and penalties, adverse publicity, difficulties in providing evidence when we need it, and difficulties in carrying out our activities.
1.5 This policy does not form part of any employee’s contract of employment and we may amend it at any time.
2 SCOPE OF POLICY
2.1 This policy covers all data that we hold or have control over. This includes physical data such as hard copy documents, contracts, notebooks, letters, and invoices. It also includes electronic data such as emails, electronic documents, audio, and video recordings, and CCTV recordings. It applies to both personal data and non-personal data. In this policy, we refer to this information and these records collectively as “data”.
2.2 This policy covers data that is held by third parties on our behalf, for example, cloud storage providers or offsite records storage. It also covers data that belongs to us but is held by Staff on personal devices.
2.3 This policy explains the differences between our formal or official records, disposable information, confidential information belonging to others, personal data, and non-personal data. It also gives guidance on how we classify our data.
3 GUIDING PRINCIPLES
3.1 Through this policy, and our data retention practices, we aim to meet the following commitments:
3.1.1 We comply with legal and regulatory requirements to retain data.
3.1.2 We comply with our data protection obligations, in particular, to keep personal data no longer than is necessary for the purposes for which it is processed (storage limitation principle).
3.1.3 We handle, store and dispose of data responsibly and securely.
3.1.4 We create and retain data where we need this to operate effectively, but we do not create or retain data without good reason.
3.1.5 We allocate appropriate resources, roles, and responsibilities to data retention.
3.1.6 We regularly remind Staff of their data retention responsibilities.
3.1.7 We regularly monitor and audit compliance with this policy and update this policy when required.
4 ROLES AND RESPONSIBILITIES
4.1 Responsibility of all Staff. We aim to comply with the laws, rules, and regulations which govern us and with recognized compliance good practices. All Staff must comply with this policy, the Record Retention Schedule, any communications suspending data disposal, and any specific instructions from the Prior Provincial. Failure to do so may subject us, our staff, and contractors to serious civil and/or criminal liability. An employee’s failure to comply with this policy may result in disciplinary sanctions, including suspension or termination. It is therefore the responsibility of everyone to understand and comply with this policy.
4.2 The Records Management Officer (RMO) is responsible for identifying the data that we must or should retain, and determining, in collaboration with the BURSAR, the proper period of retention. He or she also arranges for the proper storage and retrieval of data, coordinating with outside vendors where appropriate.
4.3 We have designated our Data Protection Manager as the Records Management Officer. The Records Management Officer is responsible for:
4.3.1 Administering the data management program;
4.3.2 Helping Bursar’s office heads implement the data management program and related best practices;
4.3.3 Planning, developing, and prescribing data disposal policies, systems, standards, and procedures;
4.3.4 Providing guidance, training, monitoring, and updating in relation to this policy.
4.4 Data Protection Manager (DPM). Our Data Protection Manager is responsible for advising on and monitoring our compliance with data protection laws that regulate personal data. Our DPM will work on the retention requirements for personal data and on monitoring compliance with this policy in relation to personal data.
5 TYPES OF DATA AND DATA CLASSIFICATIONS
5.1 Formal or official records. Certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the activities of the Divine Word Missionaries. Please see Section 6.1 of this Policy below for more information on retention periods for this type of data.
5.2 Disposable information. Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule. Examples may include:
5.2.1 Duplicates of originals that have not been annotated.
5.2.2 Preliminary drafts of letters, memoranda, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of an official record.
5.2.3 books, periodicals, manuals, training binders, and other printed materials obtained from sources outside of the Divine Word Missionaries and retained primarily for reference purposes.
5.2.4 Spam and junk mail.
Please see Section 6.2 of this Policy below for more information on how to determine retention periods for this type of data.
5.3 Personal data. Both formal or official records and disposable information may contain personal data; that is, data that identifies living individuals. Data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). See Section 6.3 of this Policy below for more information on this.
5.4 Confidential information belonging to others. Any confidential information that an employee may have obtained from a source outside of the Divine Word Missionaries, such as a previous employer, must not, so long as such information remains confidential, be disclosed to, or used by us. Unsolicited confidential information submitted to us should be refused, returned to the sender where possible, and deleted if received via the internet.
5.5 Data classifications. Some of our data is more confidential than other data. If you are unsure how data should be classified, contact the Records Management Officer.
5.6 If you make a charitable donation by card, we use that financial information to process your donation. If you give us your card details (e.g. over the telephone), they will be held in encrypted form pending completion of the payment and then securely deleted once the payment has been processed. If you make the donation online via our website, the payment will be processed by the payments platform BOIPA. For further information on how [BOIPA] handles payment data, please see their policy at: www.dwmcards.com. Your payment details are not stored on our website, they are solely processed directly by BOIPA. We only receive a payment ID to verify your payment has been received. We will process this personal data based on your consent. If you make a donation via our website or send us a donation by post, we will contact you to thank you for your donation and add your details to our postal list.
5.7 Acknowledgement of donation:
5.7.1 Letter of thanks: We will use your personal data to send you (by post) a receipt and thanks for any donation. We send you these by post on the basis of our legitimate interests as a charity to thank our benefactors for their support, to build our relationship with our benefactors. Having taken into consideration the reasonable expectations of the benefactor based on the fact that they have made a donation to us, we believe our writing to thank them for the donation does not override their fundamental rights and freedoms. We have undertaken a legitimate interests assessment to ensure the correct balance has been reached. We notify benefactors of their right to object to the receipt of any correspondence from us (see further below). These opt-out options will be displayed at the bottom of any letters we send you.
5.7.2 Email of thanks: If you make an online donation, we will not collect your postal details/postal address. As a Charity, we are trying to keep our overheads small so that we can prioritize our resources towards our charitable projects. Therefore, we ask that benefactors provide their email address so that acknowledgments of online donations can be sent via email (rather than incurring postal costs).
5.8 CHY3 or CHY4: If you wish to enable the Charity to claim back the tax on your donation from the Revenue Commissioners, we will send you a Form CHY3 or CHY4 with our details on it for you to complete. That form will ask for your personal data (including your PPS number), so that the Revenue Commissioners can refund the tax to the Charity at the applicable rate. You complete and submit the form, and we will forward them directly to the Charities Section of the Revenue Commissioners. The Revenue Commissioners is the data controller in respect of your personal data on that form, and the Revenue Commissioners process same in accordance with its own privacy notice (available on revenue. ie). When we receive the tax rebate from Revenue, we do not see what benefactor(s) it relates to; the Revenue Commissioners do not provide us with your personal data.
5.9 To send you letters and appeals materials by post: If you have been in contact with us and provided us with your postal address (e.g. been in contact in person or via the telephone), we will take it that there is a relevant and appropriate relationship between us that you are interested in hearing further about our work as a Charity. Therefore, we rely on our legitimate interests as a charity to send you materials by ordinary post. Having taken into consideration the reasonable expectations of a person based on the fact that they have been in contact with us, we believe our sending them a letter to let them know about forthcoming events (e.g. Novena, Easter / Christmas Mass), or to invite them to make a donation to help us achieve our charitable objectives does not override their fundamental rights and freedoms. We have undertaken a legitimate interests assessment to ensure the correct balance has been reached. We notify people of their right to object (see further below). These opt-out options will be displayed at the bottom of any letters we send you.
5.10 To send you emails and newsletters (eZines): You can sign-up via our website to receive emailed newsletters. The newsletter includes information about our charitable projects, fundraising activities, forthcoming events, few greeting cards, products and designs, ways you can get involved, etc. We send eZines via a data processor, a cloud-based platform called [Mailchimp?]. We use the [Mailchimp] double-opt-in facility to verify your email address and ensure you are still happy to receive emails and eZines from us. The double-opt-in process is as follows:
5.10.1 Step 1: If you wish, you can enter your name and email address via the website form Stay Connected/subscribe/contact us. By providing us with your details and clicking the “sign-up” button you are acknowledging that you are happy for us to send you an initial verification email for you to complete the first step of the subscription process. The verification email will contain a link for you to click to indicate your consent to be added to our mailing list. If you do not click the link within a month, you will not be signed up to receive emails and newsletters. Unconfirmed names and email addresses will be deleted on a monthly basis.
5.10.2 Step 2: If you do click the link, you will be added to our mailing list. We process this personal data based on your consent.
5.11 It is our policy to turn off all [Mailchimp] tracking features on all email newsletter campaigns. However, should you wish to take extra measures to prevent tracking, there are tools such as uglyemail.com or Pixelblock which can be employed for your personal use. If at any stage you no longer wish to receive these eZines from us, you can withdraw your consent by clicking the “unsubscribe” option that is displayed at the bottom of each email. Alternatively, you can contact us by email at email@example.com, by telephone at +353 90 666 2222, or by post at Divine Word Missionaries, 3 Pembroke Road, Dublin, D04 N5W6, and we will update your contact preferences. [Mailchimp is based in the United States and this processing involves ex-EEA transfers. Mailchimp has certified its compliance with the EU-US Privacy Shield framework for the purposes of Article 45 GDPR. For further information about Mailchimp’s privacy framework, see www.mailchimp.com/legal/privacy/]
5.12 To send you text messages: If you have given us your consent for us to send you text messages, we will send you texts about forthcoming events, news, etc. Your consent remains in place until or unless you withdraw your consent. If at any time you no longer wish to receive these SMS texts from us, you can withdraw your consent by texting back “STOP” (details set out at the end of every SMS text sent). Alternatively, you can contact us by email at firstname.lastname@example.org, by telephone at +353 (0) 90 666 2222, or by post at Divine Word Missionaries, 3 Pembroke Road, Dublin, D04 N5W6, and we will update your contact preferences. Where you text “STOP” to cease receiving text messages, we will not delete your number, but rather we will put you on the “no marketing” list to ensure we honor your preferences. We sent SMS texts via a processor, a cloud-based platform called Twilio. Twilio is based in Ireland, but processes and stores clients’ data in the United States on the basis of an adequacy decision (within the meaning of Article 45 of GDPR, namely Privacy Shield) or on the basis of appropriate safeguards (within the meaning of Article 46 of GDPR namely Twilio’s Binding Corporate Rules approved May 2018). For further information, see twilio.com/legal/privacy#how-twilio-processes-your-end-users-personal-information].
5.13 Website: We collect personal data via our website www.dwmcards.com.
5.13.2 Other website forms: You can “Light a Candle” through our website, submit a “Prayer Request”, and sign up for our newsletter(s). You can also donate via the website “Donate Now” form.
5.13.3 E-Commerce: You can order cards and gifts via our website. Further details are set out below.
5.14. Cookies: Our website utilizes cookies. A cookie is a small text file stored on your computer/device when you visit a website. For example, a cookie may allow a website to “remember” your actions or preferences, or it may contain data related to the function or delivery of the site. We use the tool [“cookie bot”] to manage your cookie consent choices, and to automatically block all first-party and third-party cookies unless you give your consent:
5.14.1 Strictly necessary cookies: Some of the cookies on our website are “strictly necessary”, i.e. for website security or to keep items in your shopping cart. These are set to “on” by default to ensure our website works properly. You can set your browser to reject all cookies (although that may affect the functionality of the website). Further details are set out in our Cookies Policy. We rely on our legitimate interests and on regulation 5(5) S.I.336/2011 for the placement of these strictly necessary cookies.
5.14.2 Non-essential cookies and social media buttons: Some of the cookies are not strictly necessary (e.g. Google Analytics), but these are helpful to us as they help us to see what website pages people are interested in, how many visitors viewed the pages, etc. These cookies are set by default to “off”. If you wish to give consent to and/or manage your preferences in relation to these non-essential cookies, you can do so through the cookiebot tool. In addition, our website has social media buttons so that website visitors can access our Facebook and Twitter pages. These social media plug-ins are set to “off” by default, and you can manage your consent preferences through the cookiebot tool. In respect of non-essential cookies and all social media plug-ins, these are automatically set to “off” by default, and our cookiebot tool will ask for your consent as to whether you want to place these cookies on your device and/or transfer your data to the relevant social media sites. You can do not have to give your consent if you do not want to: you can still visit our website even if you decline these non-essential cookies and reject the plug-ins. You can change your preferences (and withdraw your consent) at any time via the cookiebot tool.
For further information, please see the Divine Word Missionaries Cookies Policy.
5.15 Social media: Divine Word Missionaries have a Facebook and a Twitter account.
5.15.1 Messaging us: If you use those social media platforms to contact us (i.e. posting or commenting or sending us a direct message), we will process your personal data via that social media platform to respond to you based on our legitimate interests. For the avoidance of doubt, we do not engage in unsolicited messaging via social media – we only reply to you if you comment/direct message us.
5.15.2 Advertising: We do not engage in any form of targeted/custom audiences or advertisements via social media.
5.16 E-Commerce: When you place an order on the website, we collect the following data: first name, last name, company name (if applicable), email address (to send you service messages including an email confirming your order, to notify you if we are out of stock, to notify you of dispatch, etc.), phone number (to call you if there is a problem or delay with the order), your postal address, and the delivery address (if different). If you wish to provide any “Order Notes” you can insert them in the order notes section (this is optional). You are asked to insert your credit card details, and the payment processing is via a third-party processor, BOIPA (for further information, see above). You can:
5.16.1 Check-out as a guest: You do not have to create an account in order to make a purchase. You can check out as a guest.
5.16.2 Check out via account: If you already have an account with us, we will ask you to enter your username or email address and password. The same data as referred to above is stored in your account, together with the details of your previous orders.
5.16.3 If you order a personalized item (e.g. a Mass Card, Mass Enrolment Book), you will be asked to insert the name of the person to be enrolled for the saying of Masses and prayers of the Divine Word Missionaries, to choose your message, and to insert your own details. These details are used for the printing of the personalized item. During check-out, you will be given the option of having the personalized item delivered to a different address (which could be the recipient of the personalized item), in which case we will ask you to insert their name and postal address for posting purposes. As the person placing the order, we process your personal data on the basis of the contract (necessary to fulfill the order). You provide us with the details of the recipient of the personalized item and we use their personal data for the printing of the personalized item and the saying of Masses and remembrance of that person in our prayers. See further below. We process the third party’s personal data on the basis of legitimate interests, to fulfill the order/request made by the benefactor. We have undertaken a legitimate interests assessment to ensure that this strikes the correct balance between our legitimate interests as a charity and the recipient’s fundamental rights and freedoms. We will retain the personal data about the person who placed and paid for the order to prepare the item, process payment, arrange for its postage, resolve customer queries, facilitate returns (or replacement of items that were damaged in transit), to resolve complaints/disputes, for stock-take and replenishment purposes, and for preparation of audited financial statements.
5.16.4 Light a Candle: Lighting a candle in our online gallery is a special way to pray for an intention, for thanksgiving, or to remember a loved one.
188.8.131.52 About “Light a Candle”: You can complete a form on our website that allows you to “light a candle”. The lit candle is then displayed on the online candle gallery page of our website. Once you complete the online form, the candle will be displayed on the website for three (3) days. The candle name and special intention will be given to a Divine Word Missionaries priest so that they can be remembered in the prayers of our Divine Word Missionaries priests for one week. The data will then be deleted after one week. For further information see below. When you complete the online form, you can submit your name, your email address, your candle name (limited to 15 characters including spaces), and your prayer intention. The candle form is checked by a member of our staff and we reserve the right to shorten or amend the “candle name” information to ensure the online candle gallery does not inadvertently disclose identifying information about the third party. This is to respect that third party’s privacy and to ensure there is no embarrassment or distress caused to any person. We process your personal data gathered in this form on the basis of your consent. If you ask us to pray for someone else (i.e. a third party), we will process the third party’s data based on our legitimate interests to ensure that your special intention is remembered in our prayers. For further information see below.
184.108.40.206 Prayer request (online): Divine Word Missionaries priests are asked to pray for people’s special intentions in times of worry, grief, or celebration. You can make a prayer request online via our website. By submitting this form, your special intentions will be remembered in the prayers of our Divine Word Missionaries priests. You can submit your name, your email address, and the details of your prayer petition.
5.18 Retreats and Workshops: Divine Word Missionaries priests conduct retreats and workshops [ADDRESS].
5.18.1 If you sign up for a retreat day, workshop, prayer group, or educational program, you will be asked to provide certain personal data for the purposes of booking your place, processing your payment (if applicable), sending you details about the event details (e.g. venue, start time), and contacting you where necessary (e.g. cancellations due to adverse weather, etc.). If you provide us with your email address or mobile phone number, we will use your email address/mobile number to email/text you details relating to the retreat/workshop you have booked. We do so based on your consent. You will be asked to sign your consent to this on the booking form. For the avoidance of any doubt, we will not use your email/mobile for further direct marketing purposes (unless you separately give us consent for that).
5.18.2 If you have attended a retreat/workshop event, we will take it that you are interested in hearing about other Divine Kapoor Missionaries events and we will rely on our legitimate interests to send you Divine Word Missionaries materials by post.
5.18.3 If you have any particular special needs, access requirements (e.g. disability access, ramps, etc.), or dietary requirements (e.g. coeliac, nut allergies) that you wish to notify us of, you can let us know in advance of the retreat/workshop event so that we can make all reasonable accommodations for you to ensure you can participate in the event. We will process that data on your explicit consent to accommodate your needs.
5.19 Wills: Where a benefactor leaves us an inheritance, we will retain the Will (which may include details of the personal representative/executor and other beneficiaries) for the purpose of administering any bequest, to ensure the terms of any trust are honored if the Will is a trust instrument, for the saying of Masses (if requested), to remember the benefactor (and their family) in prayers, and for issuing a letter of thanks to the estate/family. Divine Word Missionaries considers the Will to be a document of enduring historical value to acknowledge the meaningful contribution benefactors have made to the work of Divine Word Missionaries. We will keep the Will (and any correspondence with the estate) in our active accounting system for accounting and audit purposes in line with our legal obligations as a registered charity. If Will is a trust instrument we will hold as a constitutional document of the Charity in line with our legal obligations as a registered charity. We process the same on the lawful basis of a legal obligation to comply with the charity’s corporate governance obligations under Charities Act 2009 and Taxes Consolidation Act 1997. Once the inheritance has been administered, we will retain the Will in archives on the lawful basis of our legitimate interests and as part of our Archives (Article 89) as an enduring historical record commemorating the significant contribution, benefactors make to the work of the Divine Word Missionaries.
5.20 General charity records: We process benefactors’ personal data based on our legitimate interests for proper record keeping, for good corporate governance, to manage risk, for verification purposes, to obtain professional advice (including legal advice), for insurance purposes, to prevent fraud. We also keep records where we are required to do so for compliance with any legal obligation applicable to us as a registered charity. The legitimate interests are to achieve our charitable objectives and to run an efficient charity. We use your personal data on the lawful basis of establishment, exercise, or defense of legal claims to obtain legal advice to resolve disputes and take or defend litigation, etc.
5.21 Parishioners, local parish community, volunteers, etc.: We collect and process personal data of members of local communities i.e. parishioners, the local parish community, and volunteers in the areas in which we operate. Parishioners do not have to provide any personal data to us if they do not wish to do so. Volunteers do have to provide certain personal data to us, particularly to comply with vetting requirements, child safeguarding training, etc. We collect the following data for the following purposes:
5.21.1 Prayers: Our Divine Word Missionaries all over the world are often asked to pray for people’s special intentions in times of worry, grief, and celebration. You are welcome to submit a prayer request to the Divine Word Missionaries (either in person or online. Your special intentions will be remembered in the prayers of our Divine Word Missionaries priests. Any prayer petitions submitted online containing a specific request (e.g. Novena petition, or request for a particular Mass) will be processed by the Office to ensure the benefactor’s wishes are honored. Your prayer petition (but not your name or email address) is given to a Divine Word Missionaries priest for remembrance in his prayers. Divine Word Missionaries priests will pray for your special intentions for the relevant period (generally 1 month unless an alternative period is agreed with the benefactor).
5.21.2 Praying for you: Where our benefactor specifies their special intentions and they relate only to the requester (e.g. their own ill-health, their new job, etc.), we will record the benefactor’s special intentions to ensure they are remembered in our prayers. We will process your personal data for the prayer request based on your consent/explicit consent.
5.21.3 Praying for a third party: Where a benefactor asks us to pray for another living person with whom we have no regular contact (a “third-party”), we will record the benefactor’s special intentions based on legitimate interests to ensure that special intention is remembered in our prayers. In order to respect that third party’s privacy, where possible we will endeavor not to record any special categories of personal data relating to that third party.
5.22 General parish work, pastoral care, sacraments: Divine Word Missionaries processes records relating to parishioners.
5.22.1 General information about parishioners: Divine Word Missionaries process the usual records about parishioners, e.g. baptismal register, marriage register, Mass stipends, information required to coordinate sacraments, etc. Divine Word Missionaries process this data on the lawful basis of legitimate activities of a not-for-profit body with a religious aim (Article 9(2)(d)GDPR). Certain records (e.g. baptismal register, marriage register, etc.) are retained in archives to preserve a contemporaneous record for their enduring historical value (Article 9(2)(j) and Article 89).
5.22.2 Parish newsletter: Divine Word Missionaries operates a newsletter with information about Mass times, forthcoming events, community news, etc. The newsletter is not posted out – it is only available for collection in the local parish. If a person requests for their special intentions, or personal news, or photographs to be published, we will ask them to sign a consent form and will process their personal data based on their consent.
5.22.3 Live streaming: Masses, Novenas, and special services are live-streamed via our website www.dwmcards.com, facilitated by our data processor called [Church Services TV (for further information, please see www.churchservices.tv]. Divine Word Missionaries also records some important celebrations, such as the Novena to Our Lady of the Sacred Heart, Mass celebrations in November, and events during the run-up to Christmas. These recordings are then available to view on our website [and on www.churchservices.tv] for a certain period determined by Divine Word Missionaries. These services are to facilitate the sick and homebound to join in our daily worship. Signs are prominently displayed in our churches to alert local parishioners and visitors that the service is being live-streamed and/or recorded to be shown on our website, and letting them know the location of the camera. The camera is positioned to capture the altar and the people on the altar. Those participating in activities at the altar (the priest, altar servers, Eucharistic Ministers, readers, cantors, etc.) have signed consent forms, and we process their data on consent/explicit consent. For all sacraments wholly or mainly involving children (e.g. Baptism, preparation for First Holy Communion, Ceremony of Light, Confirmation), the live-streaming and recording functions are turned off by default for child safeguarding reasons. By prior agreement with the Divine Word Missionaries priest, parents of the child in a Baptismal ceremony can request for the live-streaming or recording to be turned on (e.g. to facilitate the ceremony being viewed by a sick or infirm relative), but participants will be asked to sign a consent form for same in advance.
5.22.4 Ministries: Divine Word Missionaries process data relating to Eucharistic ministers, altar servers, choir members, etc. to coordinate services and celebrations. Divine Word Missionaries process this data on the lawful basis of legitimate activities of a not-for-profit body with a religious aim.
5.22.5 Pastoral care: Where a local parishioner is sick or housebound, Divine Word Missionaries can be contacted to request a visit by a Divine Word Missionaries priest. [Pastoral care and care of the sick is an important part of our ministry, and the priest can upon request visit sick parishioners for confession, Holy Communion, or, where necessary, the Sacrament of the Sick. Divine keyboard Missionaries process this data on the lawful basis of legitimate activities of a not-for-profit body with a religious aim].
5.22.6 Sacraments: Divine Word Missionaries will, where requested, liaise with schools and/or individual parents to co-ordinate the preparation of children for the sacraments of Baptism, First Confession, First Holy Communion, Confirmation, etc. Divine Word Missionaries process the child’s personal data on the explicit consent of the parents/guardians of the child concerned. A consent form will be prepared and issued to parents/guardians for that purpose.
5.22.7 Vetting: Divine Word Missionaries are required to undertake the vetting for certain persons per the National Vetting Bureau (Children and Vulnerable Persons) Acts 2012 to 2016 (the “Vetting Acts”). Divine Word Missionaries have an obligation to obtain a vetting disclosure from the National Vetting Bureau prior to employing, contracting, or placing a person to undertake relevant work or activities with children or vulnerable persons or prior to permitting a person to undertake such relevant work or activities on behalf of the organization. We process this on the lawful basis of legal obligation (i.e. the Vetting Acts) and explicit consent (the signed NVB1/NVB3 Forms).
Vetting applications are processed via AMRI (the Association of Leaders of Missionaries and Religious of Ireland) which is registered with the National Vetting Bureau for the purposes of sections 9 and 13(4) Vetting Act and is a Divine Word Missionaries “data processor” for the vetting process. Divine Word Missionaries members and staff who are legally required to undertake to vet are required to complete the relevant form (NVB1) accurately and provide the supporting identification documents. Divine Word Missionaries submits the documentation to the vetting data processor. The vetting data processor then submits the vetting information to NVB and liaises with NVB to ensure the vetting outcome is returned to Divine Word Missionaries. Further information is made available at the time vetting is being undertaken.
5.22.8 Safeguarding: We share safeguarding data with TUSLA (pursuant to Children First and the HSE Policy on Safeguarding of Vulnerable Adults), An Garda Síochána, and any other statutory child protection and law enforcement bodies from other relevant jurisdictions. Inappropriate cases we will notify you that this data-sharing/reporting is taking place. We will not seek your consent, as we are legally required to make such reports due to mandatory reporting laws. We reserve the right not to notify you this is being done, particularly if that would put another person at risk.
5.22.9 CCTV: Divine Word Missionaries have CCTV in operation at the entrance gates to its premises in Ireland, in car parks, and at certain internal points within the premises. In areas where CCTV is in operation, appropriate notices are prominently displayed to alert visitors that CCTV is in operation. The lawful basis is legitimate interests and the taking/defense of litigation. We use CCTV for security purposes: to protect premises and assets; to deter crime and anti-social behavior; to assist in the investigation, detection, and prosecution of offenses; to monitor areas in which cash and/or goods are handled; to provide a safe environment for all parishioners, staff and Divine Word Missionaries members; for verification purposes and for dispute-resolution, particularly in circumstances where there is a dispute as to facts and the recordings may be capable of resolving that dispute; for the taking and defense of litigation. The CCTV recordings will be retained for dispute resolution and/or verification purposes and will be transferred to Divine Word Missionaries’ insurers and legal advisors for the taking and defense of legal claims. CCTV images are generally retained for [NUMBER] days unless an issue is identified in which case the recordings will be retained with copies being transferred to An Garda Síochána, our insurance company, and lawyers.
5.23 Third-country transfers: Where personal data are being transferred outside the EEA, that will only be done on the basis of an adequacy decision, or on the basis of appropriate safeguards (binding corporate rules, or standard contractual clauses) or with the person’s explicit consent (Article 49 derogation) or any other Article 49 derogation. Divine Word Missionaries transfers personal data outside the EEA for the following purposes and on the following safeguards:
5.23.1 Email/ezines [Mailchimp]: Transferred to the US on the basis of Privacy Shield.
5.23.2 SMS texts [Twilio]: Transferred to the US on the basis of Privacy Shield.
5.23.3 Cookies on our website (Google Analytics): Transferred to the US on the basis of Privacy Shield. For further information, please see our Divine Word Missionaries Missions Cookies Policy.
5.23.4 Divine keyboard Missionaries priests abroad: In more limited situations, for example, if a benefactor wishes us to apply their donation to a particular Divine Word Missionaries missionary priest working outside the EEA, we will ask the benefactor if they would be happy for us to send their contact details to that Divine Word Missionaries priest so that he can correspond with the benefactor to thank them for the donation and let them know how their donation will be applied in that country. In such situations, we will only transfer their personal data outside the EEA with the benefactor’s explicit consent, and this will be discussed with you at the time.
5.24 Automated Decision Making/Profiling: We do not undertake any automated decision-making and/or profiling.
5.25 Security: We take appropriate security measures (including technical and organizational measures) to protect your personal data. This includes protecting the same from unauthorized access, unlawful processing, accidental loss, destruction, and damage. Where you submit your payment details via our website (e.g. to make a donation, or to make a purchase), you are transferred to BOIPA, the payments platform, which processes your card data as our processor. BOIPA takes appropriate security measures to protect your financial information, including encryption, secure payment gateways, and other security and fraud management tools. Although our website is protected by HTTPS (any information you transfer to us via our website is encrypted), please note that communications across an electronic network cannot be guaranteed as a secure form of communication. Due to the risk of online fraud and the potential for unauthorized interception, we respectfully request that you never send us any sensitive data or financially sensitive information (e.g. bank account details) using the “Contact Us” page of our website or by email. We accept no responsibility or liability in the event that any person or party suffers loss as a result of cyber-crime, unlawful interception of communications, or otherwise.
5.26 Your rights: You have the following statutory rights that can be exercised at any time by contacting us, and providing us with proof of identity and the detail of your request:
5.26.1 Right to complain to the supervisory authority – the Data Protection Commission. Their contact details are set out below:
Telephone: +353 57 8684800 +353 (0)761 104 800/Lo Call Number 1890 252 231
Postal Address: Data Protection Commission, Canal House, Station Road, Portarlington, R32 AP23 Co. Laois.
5.26.2 Right of access, provided that such access shall not adversely affect the rights and freedoms of others.
5.26.3 Right to rectification.
5.26.4 Right to erasure (Right to be forgotten).
5.26.5 Right to restrict processing.
5.26.6 Right to data portability.
5.26.7 Right to object (e.g. to processing based on legitimate interests, such as receipt of fundraising and appeals materials). You can opt out of receiving postal communications at any time by contacting us. You can contact us by email at [EMAIL ADDRESS], by telephone on +353 (0) [NUMBER], or by post at Divine Word Missionaries, 3 Pembroke Road, Dublin, D04 N5W6, Ireland, and we will update your contact preferences.
Please note that if you ask us to delete or restrict the processing of your personal data (e.g. if you withdraw your consent something or opt-out of receipt of postal marketing) we reserve the right to retain your contact details on our suppression list to ensure we do not inadvertently contact you as part of any future direct marketing/fundraising campaigns. These rights can be exercised at any time subject always to the exemptions and exceptions set down by GDPR and the Data Protection Act 2018.
6 RETENTION PERIODS
6.1 Formal or official records. Any data that is part of any of the categories listed in the Record Retention Schedule contained in the Annex to this policy, must be retained for the amount of time indicated in the Record Retention Schedule. A record must not be retained beyond the period indicated in the Record Retention Schedule unless a valid reason (or notice to preserve documents for contemplated litigation or other special situation) calls for its continued retention. If you are unsure whether to retain a certain record, contact the Records Management Officer.
6.2 Disposable information. The Record Retention Schedule will not set out retention periods for disposable information. This type of data should only be retained as long as it is needed for business purposes. Once it no longer has any business purpose or value it should be securely disposed of.
6.4 What to do if data is not listed in the Record Retention Schedule. If data is not listed in the Record Retention Schedule, it is likely that it should be classed as disposable information. However, if you consider that there is an omission in the Record Retention Schedule, or if you are unsure, please contact the Records Management Officer.
7 STORAGE, BACK-UP, AND DISPOSAL OF DATA
7.1 Storage. Our data must be stored in a safe, secure, and accessible manner.
7.2 Destruction. Our Records Management Officer is responsible for the continuing process of identifying the data that has met its required retention period and supervising its destruction. The destruction of confidential, financial, and employee-related hard copy data must be conducted by shredding if possible. Non-confidential data may be destroyed by recycling.
7.3 The destruction of data must stop immediately upon notification from the BURSAR or Records Management Officer that preservation of documents for contemplated litigation is required. This is because we may be involved in a legal claim or an official investigation (see next paragraph). Destruction may begin again once the BURSAR] lifts the requirement for preservation.
8 SPECIAL CIRCUMSTANCES
8.1 Preservation of documents for contemplated litigation and other special situations. We require all Staff to comply fully with our Record Retention Schedule and procedures as provided in this policy. All Staff should note the following general exception to any stated destruction schedule: If you believe, or the Records Management Officer informs you, that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or another event, you must preserve and not delete, dispose of, destroy, or change those records, including emails and other electronic documents, until the Records Management Officer determines those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or another format in which the records are kept.
8.2 If you believe this exception may apply, or have any questions regarding whether it may apply, please contact the Records Management Officer.
8.3 In addition, you may be asked to suspend any routine data disposal procedures in connection with certain other types of events, such as the replacement of our information technology systems.
9 WHERE TO GO FOR ADVICE AND QUESTIONS
9.1 Questions about the policy. Any questions about this policy should be referred to the Data Protection Manager, Divine Word Missionaries, 3 Pembroke Road, Dublin 4, Ireland, D04 N5W6, email@example.com who is in charge of administering, enforcing, and updating this policy.
10 BREACH REPORTING AND AUDIT
10.1 Reporting policy breaches. We are committed to enforcing this policy as it applies to all forms of data. The effectiveness of our efforts, however, depends largely on Staff. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your supervisor. If you are not comfortable bringing the matter up with your immediate supervisor or do not believe the supervisor has dealt with the matter properly, you should raise the matter with the Records Management Officer. If Staff does not report inappropriate conduct, we may not become aware of a possible breach of this policy and may not be able to take appropriate corrective action.
10.2 No one will be subject to and we do not allow, any form of discipline, reprisal, intimidation, or retaliation for reporting incidents of inappropriate conduct of any kind, pursuing any record destruction claim, or cooperating in related investigations.
10.3 Audits. The Records Management Officer will periodically review this policy and its procedures (including where appropriate by taking outside legal or auditor advice) to ensure we are in compliance with relevant new or amended laws, regulations, or guidance. Additionally, we will regularly monitor compliance with this policy, including by carrying out audits.
11 OTHER RELEVANT POLICIES
11.1 This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time.
(This Policy is part of the overall data Protection Policy of the Divine Word Missionaries.)
Approved by DWM Press Bord] on 12/08/2021
To be reviewed: [DATE]
12 ANNEX A – DEFINITIONS
Data: all data that we hold or have control over and therefore to which this policy applies. This includes physical data such as hard copy documents, contracts, notebooks, letters, and invoices. It also includes electronic data such as emails, electronic documents, audio, and video recordings, and CCTV recordings. It applies to both personal data and non-personal data. In this policy, we refer to this information and these records collectively as “data”.
Data Retention Policy: this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
Disposable information: disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule.
Formal or official record: certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the activities of the Divine Word Missionaries. We refer to this as formal or official records or data.
Non-personal data: data that does not identify living individuals, either because it is not about living individuals (for example financial records) or because it has been fully anonymized.
Personal data: any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special categories of personal data such as health data and pseudonymized personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location, or date of birth) or an opinion about that person’s actions or behavior.
Records Management Officer: the Records Management Officer is responsible for administering the data management program, helping Community/office heads implement it and related best practices, planning, developing, and prescribing data disposal policies, systems, standards, and procedures, and providing guidance, training, monitoring, and updating in relation to this policy.
Record Retention Schedule (or Guide): the schedule attached to this policy sets out retention periods for our formal or official records.
Storage limitation principle: Data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed. This is referred to in the GDPR as the principle of storage limitation.
13 ANNEX B – RECORD RETENTION SCHEDULE
The Divine Word Missionaries establish retention or destruction schedules or procedures for specific categories of data. This is done to ensure legal compliance (for example with our data protection obligations) and accomplish other objectives, such as protecting intellectual property and controlling costs.
Staff should comply with the retention periods listed in the record retention schedule (guide), in accordance with the Divine Word Missionaries’ Data Retention Policy.
If you hold data not listed below, please refer to the Divine Word Missionaries’ Data Retention Policy section on disposable records. If you still consider your data should be listed, if you become aware of any changes that may affect the periods listed below, or if you have any other questions about this record retention schedule, please contact the Data Protection Manager