NERI Privacy Statement

The Nevin Economic Research Institute (NERI) is a Data Controller and a Data Processor under the General Data Protection Regulations (GDPR) and respects the rights to privacy of the individual.  Personal data for the purpose of this document is any information which can identify an individual such as a name, address, date of birth etc. 

NERI Website

The NERI fully respects the right to privacy of all of the users of our website, and will not collect any personal data about you on this website without your clear consent.  Any personal information volunteered will be treated with the highest standard of security and confidentiality, strictly in accordance with the Data Protection Acts 1988 and 2003, and the General Data Protection Regulations.

The NERI does not collect any personal data on its website apart from information which you volunteer using, for example, email or the online feedback form.  Any information provided in this way is not made available to third parties, and is used only in line with the purposes for which you provided it.  Such personal data may also be anonymised and used for statistical purposes.

Technical details in connection with visits to our website are logged for statistical purposes.  The technical details logged include the following:

  • IP address of your internet connection
  • Browser type you are using
  • Date and time you accessed our site
  • The pages you have accessed and the documents downloaded
  • Websites you may have come from to access our website, including any search terms used.

The NERI will not attempt to identify individual visitors, or to associate technical details listed above with any individual.  This information is used to allow us to improve the information we are supplying to our users, find out how many people are vising our sites and for statistical purposes.  Some of this information is used to create summary statistics which allow us to assess the number of visitors to the different sections of our site, discover what information is most and least used, inform us on future design and layout specifications, and help us make our site more user friendly.

We are not responsible for the content or privacy practises of other websites.  Any external links to other websites are clearly identifiable as such.  Some technical terms in this statement are explained below.

Glossary of terms used:

  • Web Browser – the piece of software you use to read web pages.  Examples are Google Chrome, Microsoft Internet Explorer and Mozilla Firefox.
  • IP Address – the identifying details for your computer (or your internet company’s computer), expressed in ‘internet protocol’ code (for example 192.168.72.34).  Every computer connected to the web has a unique IP address, although the address may not be the same every time a connection is made.
  • Cookies – small pieces of information, stored in simple text files, placed on your computer by a website.  Cookies can be read by the website on your subsequent visits.  The information stored in a cookie may relate to your browsing habits on the web page, or a unique identification number so that the website can ‘remember’ you on your return visit.  In general, cookies do not contain personal information from which you can be identified, unless you have furnished such information to the website. See the cookies we use and our cookie policy.

Photographs

The NERI will from time to time take photographs of people at the NERI conferences, seminars, events, launches etc. and store these photographs in the cloud and on our servers.  We may use these images in publications and to promote the work that the NERI is involved in.  If an individual has any objection to having their photograph taken, stored or used in this manner they should contact [email protected] This email will be dealt with as quickly as possible and the photograph will be permanently deleted.  A record will be kept by Louisa O’Brien, Administrator, NERI of all such requests and deletions.

Communications

Any media contact lists held by the NERI will be regularly updated by Louisa O’Brien, Administrator, NERI and will be deleted once obsolete.  In the event of the NERI directly issuing press releases  or contacting journalists directly via our own email system, we undertake to do so using the bcc protocols for emails.

The NERI uses Mailchimp to communicate with its contact list.  All lists on Mailchimp will be kept in full compliance with the principles of GDPR.  Mail contacts on this list will be updated regularly and deleted when obsolete by Louisa O’Brien, Administrator, NERI.

Any incorrect or inaccurate information can be corrected by contacting Louisa O’Brien, Administrator, NERI. To opt out of the receipt of any press releases or media contact from the NERI please contact [email protected]   

Email

In line with best practice, the NERI staff members will endeavour to send all emails using the bcc facility.  All staff members have been instructed that this is done by sending the email to yourself and adding the recipients into the bcc line to ensure that email contacts cannot be harvested or end up in possession of unintended recipients.  It is not permitted to use the cc facility when sending emails.

Emails in your inbox which contain personal data should be saved to the relevant home directory and deleted from your inbox.  This information should be encrypted by using a unique password.

NERI data controllers

All members of the NERI staff are data controllers and processers in their own right and have personal data on their own computers, phones and devices, and should adhere to the main principles of GDPR in the maintenance of this information:

  1. Shall be obtained and processed fairly
  2. Shall be kept only for one or more specified and lawful purposes
  3. Shall not be used or disclosed in any manner incompatible with that purpose or those purposes
  4. Shall be kept safe and secure
  5. Shall be accurate and kept up-to-date
  6. Shall be adequate, relevant and not excessive
  7. Shall not be retained for longer than is necessary for the purpose or purposes

Data Breaches

There is a requirement to report personal data breaches to the Office of the Data Protection Commissioner (ROI) and/or the Information Commissioner’s Office (NI) where the breach presents a risk to the affected individual(s).  This must be done within 72 hours of becoming aware of the breach.  If you think that you have committed a data breach, you must immediately notify [email protected] who will help you assess the risk level involved and decide on the appropriate course of action.

There are strict guidelines for the notification of data breaches to the Data Protection Commissioner’s Office.  Even if it is decided that there is no risk to the affected individual(s) following a personal data breach, it is essential that we keep a record of the details of the breach, the means of determining the risk involved, who decided that there was no risk, and the risk rating recorded.

The self-declaring risk rating is as follows:

Low Risk:  The breach is unlikely to have an impact on individual(s), or the impact is likely to be minimal.

Medium Risk:  The breach may have an impact on individuals, but the impact is unlikely to be substantial.

High Risk:  The breach may have a considerable impact on affected individuals.

Severe Risk:  The breach may have a critical, extensive or dangerous impact on affected individuals.

An example of a data breach could include:

  • Sending an email containing personal data to the wrong individual
  • Using the cc facility on an email to a committee thereby making the email addresses visible to everybody and susceptible to harvesting
  • Posting correspondence with personal information to the wrong address
  • If your phone/laptop is stolen and it contains sensitive information which is not encrypted, password protected

Obviously this is just a small sample of examples, and is not exhaustive.

Access Requests

Access requests regarding the personal information held by the Nevin Economic Research Institute (NERI) should be made in writing to Louisa O’Brien, NERI, 31-32 Parnell Square, Dublin 1, D01 YR92.  We will reply to such requests within 30 days of receipt of same and each staff member must cooperate with the supply of information held by them to fulfil this obligation in a timely manner.

If an individual is aware or believes that the information held by the NERI on them is inaccurate or incorrect they have the right to have this information corrected or deleted, which can be done by contacting [email protected]

All staff have responsibility to ensure that any personal data they hold in relation to individuals is up-to-date, relevant, necessary for the smooth operation of our legitimate business, and deleted when no longer required or it is obsolete.