1. About Us – Data Protection

Welcome to the Avista Data Protection (DP) section of the Website.

2. Introduction

a) Avista supports the rights of an individual and family members to see what information is held about them within the organisation as defined in the Data Protection Act 2018. Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing, storage, and security of their personal data.
b) Avistaundertakestoprotectanyinformationprovidedtoitonaconfidentialbasissubject to our obligations under law, including the Data Protection Act 2018 and the EC (Electronic Communication Regulation) Act 2011.
c) For the purpose of Data Protection, Avista is known as a Data Controller and this Data Privacy Statement sets out our obligations to manage your data in a fair, transparent and lawful manner whilst also upholding your rights under Data Protection.

3. Principles of Data Protection

Avista as Data Controller must adhere to the 7 Principles of the Data Protection Act 2018 where the information is held on computer or in a manual form. The 7 Principles of Data Protection include the following:

  1. Obtained and processed in a fair, transparent and lawful manner, meaning that the person(s) providing the information must be informed of the purpose for which the information is required and how will it be used.
  2. The information collected is used for the purpose for which it was provided.
  3. The information is adequate, relevant and limited to what is necessary in relation the purposes for which it has been provided.
  4. The information is accurate, complete, up to date and well organised at all times.
  5. The information is retained for no longer than is necessary and in compliance with Avista’s Records Management Policy DOCS 050
  6. The information is safe and secure at all times with access limited on a need to know basis
  7. Avista as the Data Controller will demonstrate accountability for the personal and
    sensitive information that it processes and retains.

4. What information do we collect?

The following is the type of personal/sensitive data that Avista collects about you, depending on whether you are a person we support or your family/guardian, an employee/ volunteer, board member or persons contracted for business/services:
a) b)
Personal information that identifies you, including name, contact information, location details, email address, date of birth and any other identifiable personal data that is provided to the Service that is required.
Special categories of personal data, such as that relating to your physical/mental health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data.

4.1 How is your personal/sensitive information collected?

We obtain your information from a variety of sources, including information you give us. We may also receive information from Third Parties, for example, a former service provider or former employer.

4.2 What are the legal basis for processing (using) your personal/sensitive data?

Any use of your personal data must have a legal basis. The basis under GDPR which we, depending on the circumstances, may rely on include:

  • When it is necessary for the provision of a health or personal social service under Section 38(1) of the Health Act 2004.
  • Where you have consented to the processing of your personal data by us.
  • To perform a contract or to take steps at your request (clearly with your knowledge and consent) before entering into a contract, such as a contract to provide you with a service, or an employment contract.
  • When it is necessary for Avista to comply with a legal obligation, such as reporting to a statutory or regulatory body. e.g. HIQA, Túsla, or law enforcement.
  • When it is necessary to protect your vital interests in exceptional circumstances, such as in a case of a medical emergency.
  • When it is necessary for the legitimate interests of Avista, except where those interests are overridden by your interests or your fundamental rights and freedoms.

4.3 How we use your personal/sensitive data.

We will only use your personal data when the law permits us. We may use your personal data for the following purposes:
Providing you with services – we may process information about you when you avail of our services.
Legal and Contractual obligations – we may process your data to comply with our legal and/or contractual obligations.
Running our Service – we will process your data to monitor and improve the quality of our services and to meet certain legal and regulatory obligations that apply to our organisation, including administration, operations and security.

4.4 Who may access your personal/sensitive data?

Access to your personal data is strictly on a need-to-know basis. Those authorised to access your personal data will vary, depending on whether you are a person supported by Avista or your family/guardian, a staff member or volunteer, or a person contracted for services.

Third parties who may be provided access to your personal data include the following:

  • Avista Executive Leads/Service Managers/Heads of Departments/Administration staff.
  • Avista healthcare professionals, including social workers, therapists, nurses, psychologists;
  • External healthcare professionals, including physicians and psychiatrists;
  • Staff/ Volunteers providing support to clients;
  • Statutory and regulatory bodies;
  • Banks, financial institutions, insurers, pension fund administrators;
  • Avista’s legal advisors, as and when appropriate.

We require third parties to respect the security of your data and to treat it in accordance with the law.
All our third-party service providers are required to take appropriate security measures to protect your personal data. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

4.5 For how long will Avista hold your personal/sensitive data?

We will retain your personal data for as long as necessary to fulfil the purposes we collected it for,including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal data are available in our records management policy. In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

5. Your rights under Data Protection – General Data Protection Regulation (GDPR May 2018)

1. Right to have your personal data processed in accordance with the Data Protection Acts.
2. Right to be informed.
3. Right of access.
4. Right to establish existence of personal data.
5. Right of rectification or erasure if the information is inaccurate.
6. Right to block certain issues.
7. Right to have your name removed from a direct marketing list.
8. Right to object.
9. Freedom from automated decision making.
10. Right under Data Protection and Privacy in Telecommunications Regulations.

Please contact the Data Protection Officer by email or mobile phone details below, should you wish to exercise your Data Protection rights.

6. How to make a request under Data Protection?

You can make a request by writing to the Data Protection Officer at the address below or by email to [email protected]. Please state the specific record(s) you are requesting.
It is important that you describe the records that you are seeking in the greatest detail possible to enable us to identify the relevant records. Please note that the Data Protection Acts apply only to personal information but not to records of the deceased.

Please submit your request to:
Marie Grimes McGrath, Data Protection Officer, Avista
St Anne’s Centre, Sean Ross Abbey, Corville Road, Roscrea, Co Tipperary.
Telephone: (0505) 22046. Mob: (086) 8189201 Email: [email protected]

Entitlements under the Data Protection Acts
A decision will, in normal circumstances be issued within 30 working days including weekends and public holidays of receipt of your request. There are exemptions provided for in the Acts, this means that there are specific circumstances when the requested information will not be released. Should this situation arise, the reason/s will be clearly explained to you. Details of your entitlement to complain to the Data Protection Commissioner will be included in the decision letter.
More details on ‘Your Rights’ can be obtained from:

The Office of the Data Protection Commissioner’s Office, Canal House, Station Road, Portarlington, Co. Laois.
LoCall: 1890 25 22 31 Telephone: 00353 57 868 4757
Email: [email protected]

To view The Data Protection Act 2018, please visit www.dataprotection.ie

6.1 How and to whom can you voice a concern or make a complaint in relation to your information?

You may voice a concern or make a complaint regarding the processing of your personal data to any Manager, Head of Department, or if you prefer, directly to Avista’s Data Protection Officer.

You have the right to make a complaint at any time to the Data Protection Commission, the Irish supervisory authority for data protection issues. The Data Protection Commission can be contacted at:

The Office of the Data Protection Commissioner’s Office Canal House, Station Road,
Co. Laois.
LoCall: 1890 25 22 31 Telephone: 00353 57 868 4757 Email: [email protected]

7. Cookies

A cookie is a small piece of data that may be stored on your computer or mobile device. It allows a website “remember” your actions or preferences over a length of time.

Our Cookie Statement explains what cookies are, how we use cookies, how third parties we may partner with may use cookies on our website, your choices regarding cookies and further information about cookies. Please visit http://www.docservice.ie/about-us-policies.aspx to view our Cookie Policy.

8. Changes to this Privacy Statement

We reserve the right to update this Privacy Statement at any time. We may also notify you in other ways from time to time about the processing of your personal data.

Completed by: Marie Grimes McGrath Date: 9 August 2021 Data Protection Officer