Service Data Privacy Policy

What personal data do we obtain and process?

• Names of young persons and their parents/guardians where the young person is under 18 years of age
• Contact details
• Sensitive mental health information and information which a young person might choose to share with their clinician.

There may be occasions when Jigsaw undertakes research to help inform and develop its work.

When this does occur, we will rely on Article 6(1)(f) – Legitimate Interest and Article 9(2)(j) – Scientific Research of the GDPR if and when we use your information for research.

All applications for undertaking health research study must be approved by our Research Ethics Committee.

All health research in Ireland is governed by the Health Research Regulations 2018 (HRR) and the amended regulations 2021. The HRR make explicit consent the default position for processing personal data for health research. Authorised personnel meeting criteria set out in the amended HRR 2021 may access service user health records for pre-screening purposes to determine whether an individual (prospective research participant) is suitable or eligible for inclusion in the study and/or for retrospective chart reviews.

What legal basis do we have for obtaining and processing personal data?

Jigsaw obtains and processes personal data under several legal bases as permitted by the articles of the General Data Protection Regulation (GDPR):

• Consent (Article 6(1)(a) and Article 9(2)(a)) when you or your parent/guardian explicitly agree to sharing your personal data with us. You have the right to withdraw your consent at any time.
• Legal obligation (Article 6(1)(c)), where for example we may be obliged to disclose your personal data to Tusla under child protection laws.
• Public interest in the area of public health (Article 6(1)(e), Article 9(2)(h)).
• Vital interests (Article 6(1)(d), Article 9(2)(c)) where it is necessary to share your personal data to protect your life or health.
• In some cases, we obtain personal data via referrals from third parties such as GPs or schools. In these cases, we may process your data under legal basis Provision of health or social care (Article 9(2)(h)) These legal bases ensure that we can process your data appropriately even when your consent is not the primary basis.

With whom do we share personal data?

Jigsaw clinicians may obtain or share important information under Article 6(1)(e), and Article 9(2)(h)) (obtaining from or sharing with GPs, mental health services, Tusla for example, as necessary).

If a Jigsaw clinician thinks there is a need for a more appropriate type of support, they may make a referral and share personal data with another service. Clinicians will always talk to young persons about this first.

If a Clinician is concerned that a young person have been or may be at risk of harm, or that another person has been or may be at risk of harm it is their duty to speak with a parent/guardian/next-of-kin or professional for the safety of the young person.

Jigsaw may use a provider called DocuSign to obtain consent from service users. Docusign do not store or share personal data.

If service users engage in video-based sessions, Jigsaw uses an application called Microsoft Teams: Microsoft do not store or share personal data.

From time to time, Jigsaw avails of data management services to aid its work. These service providers may be based outside of the European Union. Jigsaw will ensure that appropriate contractual arrangements are in place with such providers to ensure the safety, security and integrity of the personal data.

How do we store personal data?

Jigsaw uses an electronic health record known as iaptus to store personal data of people who engage with Jigsaw clinical services. This system is managed by data processors, Mayden House, based in Bath, UK. Jigsaw has a Data Processor Agreement in place with Mayden House. Mayden House uses sub-processors who are held accountable to the personal data by the same terms which govern the Data Processor Agreement. Mayden House do not share any personal data gathered by Jigsaw other than what is governed by this agreement. The agreement with Mayden House is governed by Irish and EU law. Mayden House will not transfer personal data outside of the EEA or the UK.

Jigsaw will ensure that information is stored and used in strict compliance with the Irish Data Protection Act (2018) and the General Data Protection Regulation (GDPR 279/2016).

Data that does not identify services users, i.e. not personal data, may be archived and used by Jigsaw for audit, evaluation and scientific research purposes to ensure that Jigsaw is working well for young people.

How long do we store personal data?

Personal data will be stored for no longer than 7 years after the end of availing of services from Jigsaw (if service users are under 18, personal data will be stored for 7 years from when they turn 18).

Data Protection Rights

Jigsaw assists its data subjects in upholding their data protection rights, such as:

• Right to be informed of Jigsaw’s use of their personal data
• Right to access their personal data
• Right to request erasure of their personal data
• Right to object to processing of their personal data
• Right to rectification of their personal data
• Right to request restriction of processing of their personal data
• Right not to have their data used for automated decision-making or profiling
• Right to Data Portability

Requests should be sent to Data.Protection@jigsaw.ie

Right to complain to the Office of the Data Protection Commission through their website: https://forms.dataprotection.ie/contact

If you are under 18, your parent(s) or guardian(s) may request access to your data under GDPR. Jigsaw is legally required to respond to such requests in accordance with data protection law. While this policy outlines your rights, how we handle such requests is governed by statutory obligations, and in Jigsaw we follow our own Data Subject Request policy to ensure we handle the requests in line with those statutory obligations.