The Open Community: The National Support Organisation for Ireland’s Community Sponsorship Programme for Refugees
Privacy Policy
1. What is the purpose of this Privacy Policy?
This Privacy Policy explains how The Open Community, as the National Support Organisation (NSO), for the Community Sponsorship Ireland (“CSI”) Programme (the “Programme”) uses personal data of resettled persons in the Programme, members of Community Sponsorship Groups (CSGs), and members of the public who engage with The Open Community though events, online training, and subscription to mailing lists. This policy is intended to explain the type of data that is collected and why it is used. This policy shall also satisfy The Open Community’s obligation to maintain a record of processing activities under Article 30 of the General Data Protection Regulation (GDPR)
2. Who We Are
The Open Community is a national support organisation, established by Amnesty International Ireland (Amnesty). Amnesty International Ireland is part of the worldwide Amnesty movement and is used as a collective name for:
- Amnesty International Irish Section CLG
- Amnesty International (Ireland) Foundation.
It is the intention that the Open Community will be established as a separate legal entity to Amnesty by 2024. Until separation, The Open Community adheres to all obligations, policies and procedures of Amnesty and its Data Protection Policy.
The Open Community represents a collaborative partnership of Doras, the Irish Red Cross, the Irish Refugee Council, Nasc, UNHCR and Amnesty International Ireland, who work collectively to support people all over Ireland to welcome refugees into their local communities.
The functions of The Open Community include, but are not limited to, the following functions:
- promoting community sponsorship at a national level and coordinating, subject to oversight from the Irish government, public facing messaging regarding community sponsorship in Ireland;
- maintaining web presence for CSI;
- connecting emerging CSG’s and community leaders to the relevant RSO;
- supporting the capacity building of RSOs;
- establishing and providing a secretariat function for a Community Sponsorship Stakeholder Group;
- establishing and providing a secretariat function for a National Peer Support Network for CSGs;
- developing and delivering of training programmes for CSGs in collaboration with RSOs, and maintaining the online training platform for CSI;
- facilitating and encouraging innovation and collaboration among RSOs avoiding duplication of work, identifying and minimising gaps;
- providing support and assistance to RSOs when breakdown issues arise with sponsorship placements;
- developing complementary resources and programme tools in partnership with RSOs and other stakeholders;
- developing a partner network to promote a whole of society approach, benefit from industry expertise; and
- developing and managing a Community Sponsorship Support Fund (CSSF).
3. Community Sponsorship Ireland Programme
The following “Actors” are involved in the implementation of the Programme:
- Irish Refugee Protection Programme or IRPP – under the authority of the Minister for Children, Equality, Disability, Integration and Youth.
- National Support Organisation or NSO – formally named: The Open Community. Represents a collaborative partnership body comprised of all key programme partners, including RSOs, private sector companies, trade union and representatives of third level institutions.
- Regional support organisations or RSOs – include Nasc, the Migrant and Refugee Rights Centre, the Irish Red Cross, the Irish Refugee Council, and Doras.
- Community sponsorship groups or CSGs – small, community-led volunteer groups.
Each Actor is an independent and separate data controller with respect to any personal data it processes in connection with the Programme. Each data controller is independently responsible for ensuring compliance with their own policies. Each Actor may have separate policies which govern the processing activities of the relevant Actor with respect to other activities the Actor conducts, which are outside the scope of this Programme
4. What type of data is collected and what is the purpose and lawful basis for processing?
Personal data is any information that can identify an individual either directly or indirectly.
Sensitive personal data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data and biometric data processed for the purpose of uniquely identifying a person; data concerning health; data concerning an individual’s sex life or sexual orientation; and data concerning criminal offences or convictions.
Type of data we may collect
We may collect personal data such as name, email address, phone number and address, in the following ways:
- Sign up to receive updates on our work, events, campaigns or fundraising
- Enquiry emails received to info@theopencommunity.ie
- Online Zoom registrations
- Online training platform registrations
- Inclusion under Insurance Policy for CSGs
- National Peer Support Network sign up function on The Open Community website
- Contact Form on The Open Community website
- Submission of surveys.
- Referral form for The Open Community Pro Bono Legal Panel.
- Case Management System used to track progress of CSG development.
- Referral form for The Open Community Pro Bono Legal Panel.
- Cairde Network sign up
Purpose and lawful basis
Where information is processed on the basis of the legitimate interest to operate the Programme.
Where consent has been provided to allow us to provide updates on our work, campaigns, fundraising, marketing and communications, newsletters, bulletins or events by email, phone or SMS.
Generally, we do not collect or keep a record of sensitive information. If we do need to gather this information (for example, accessibility information to support participation at an event, training course or consultation session) we only do so with explicit consent. We have measures in place to protect sensitive information and its confidentiality.
5. Who might we share your data with?
In connection with the purposes described above, personal data may be shared with Regional Support Organisations as necessary to provide the services offered under the Programme. These are: Doras, Nasc, the Irish Red Cross, and the Irish Refugee Council.
It may also be necessary to share personal data with third parties including:
- providers of case management systems used to manage information about the Programme and about resettled persons and members of CSGs;
- other external service providers such as accountants, auditors, experts, lawyers and other professional advisors; IT systems, support and hosting service providers;
- government and other public authorities for example courts, regulatory bodies, law enforcement agencies, tax authorities and criminal investigations agencies.
To the extent possible, data is hosted in the European Economic Area. Where personal data is transferred to an entity outside the European Economic Area which is not deemed to have an adequate level of protection under EU data protection law (such as the US) we will ensure that appropriate measures are in place to protect the data. This generally will involve the use of EU-approved standard contractual clauses.
6. What security measures should be in place to protect data and, in particular, sensitive data?
The Open Community will adhere to all obligations, policies and procedures of the Amnesty Data Protection Policy. This includes having in place technical and organisational measures to protect personal data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. This includes the provision of appropriate training for persons handling personal data.
In regard to handling of sensitive personal data, The Open Community will ensure that data will:
- only be processed where necessary for the purpose that the data is collected or provided and not for any other purpose;
- only be accessed by or disclosed to limited people who need access to that data;
- be protected or pseudonymised where possible (use password protected files, mark as private and use abbreviations like JD instead of John Doe); and
- should be deleted as soon as the data is no longer needed for the purpose for which it was collected or provided (for example, if particular sensitive information is contained in an email then the email should be deleted when the assistance has been provided – it is also recommended the sensitive information is shared by phone instead of sent or forwarded as this creates multiple copies).
7. What is a data breach and what is the appropriate response in the event of a data breach?
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Examples of data breaches include leaving hard copy documents on a bus or train, lost or stolen laptop, unauthorised access by bad actors through the use of phishing emails and sending an email to the wrong person.
The GDPR obliges data controllers to notify the Data Protection Commission within 72 hours of any data breach unless there is no risk to individuals (for example a stolen laptop is encrypted and so can’t be accessed by the thief). A notification to the Data Protection Commission can be made online here. Affected individuals will also need to be notified for high-risk data breaches where for example sensitive data is involved.
If a data breach occurs, The Open Community is responsible for reporting it to Amnesty who in turn will be responsible for notifying the Data Protection Commission and the individuals as necessary.
8. How long is data kept?
Data protection best practice requires that organisations should not store personal data for any longer than is required. Each Actor is responsible for the personal data that it collects and for ensuring this data is deleted or anonymised when it is no longer required.
In general data from members of the CSGs will be retained only for as long as they are involved with the Programme and/or engaged with The Open Community or a number of years after.
9. What rights do individuals have in relation to their data?
The Open Community is responsible for the personal data they hold in connection with the Programme and for responding to data subject rights requests made to it in relation to such Personal Data.
Individuals have the rights set out below under the GDPR in relation to their data. These rights won’t apply in all circumstances and are subject to exceptions in the GDPR and the Data Protection Act 2018.
- Right of access: The right to receive a copy of that individual’s personal data held by each Actor and information on how that data is used.
- Right to amend/rectify data: The right to correct data where it is incorrect or incomplete.
- Right to deletion (‘right to be forgotten’): The right to request that personal data be deleted – however, this right only applies in certain circumstances – it wouldn’t apply for example if there is a continuing lawful basis to retain such data.
- Right to restrict processing: The right to request the suspension of the use of personal data for example pending a determination of its accuracy or if the data is no longer needed for any other reason other than a legal claim.
- Right to data portability: The right to obtain personal data in a format that can be transferred to another organisation.
- Right to object to processing: The right to object to use of personal data in certain circumstances unless there are compelling legitimate grounds of the Actor to overcome the objection or the data is needed in connection with any legal claims or must be kept to comply with a legal obligation.
- Right to withdraw consent: A resettled person may withdraw their consent to the processing of any sensitive information that they voluntarily provide to a CSG. If they notify the CSG that they withdraw their consent (this may also be stated as a request to delete their data) then this data should be deleted immediately and the CSG should request that any RSOs to which it has communicated this information also delete this data.
- Right to complain to the relevant data protection authority: All individuals are entitled to make a complaint to the Data Protection Commission if they believe that an Actor has processed their personal data in a manner that is not in accordance with data protection law.
10. What information needs to be provided to individuals about how their data is processed?
The Open Community is obligated to provide information (through an appropriate privacy notice) to resettled persons, members of CSGs, and members of the public on how their data is processed.
11. Who is responsible for complying with the obligations in this policy?
As an organisation holding information about individuals on computer or in structured manual files, The Open Community is deemed a ‘data controller’ under the Data Protection Legislation. The Open Community is responsible for processing personal data, compliance with this Privacy Policy, the Amnesty Group Data Protection Policy and for compliance with applicable data protection law.
Each staff member of The Open Community must comply with the most up-to-date version of this Privacy Policy and the Amnesty Group Data Protection Policy, as published from time to time. If a staff member of The Open Community is found to have violated this Privacy Policy, they may be subject to a disciplinary process.
The Open Community has designated a primary point of contact in relation to its obligations under this Privacy Policy and to allow for communications for any data breaches. Any questions about this Privacy Policy or about how The Open Community manages data can be made to Conor Platt via email: info@theopencommunity.ie, telephone: 01 863 8300, or in writing: The Open Community, Sean MacBride House, 48 Fleet Street, Dublin, D02 T883.
12. Who is responsible for maintaining this policy?
This Privacy Policy will be maintained by The Open Community.
This Privacy Policy was last updated September 2022.