Privacy

• Website Privacy Policy

  Turn2Me

  Website Privacy Policy

   

  Revision History

   

  Version	Revision Date	Revised by	Section Revised
  V1.0	27/11/2023	PrivacyEngine	Entire Document

   

   

  Document Control

   

  Document Owner:	Document No:	Status: Approved/Draft	Date Approved:
  Security Classification: High/Medium/Low	Next Review Date:	Version: V1.0	Department:

   

   

   

   

   

   

   

   

   

  1)  Introduction to our Members Privacy Policy

   

  At Turn2Me, privacy is a priority. The purpose of this document is to set out how Turn2Me collect, use, store, or otherwise process personal information about you on the Turn2Me website; https://Turn2me.ie. By using our Services, you understand that we will collect and use your personal information as described in this Privacy Policy

  This Privacy Policy explains why and how we will use the personal information that we have obtained from you or others, with whom we share it and the rights you have in connection with the information we use. Please read the following carefully.

  When you register with Turn2Me you will be asked to enter your username and some demographic information about you. All registered members agree to be bound by the terms of this Privacy Statement.

  Turn2Me will process your data in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

  2)  Personal information you provide

  We receive personal information about you that you give to us, which we collect from your visits to our website. We only collect personal information which we need and that is relevant for the purposes for which we intend to use it.

  You may choose to not supply any personal information to us; however, doing so will mean you cannot register to and access the members’ area on this website, such as discussions, online support groups, online counselling, and the like. Members may not share, copy, or transmit any information posted on Turn2Me (including their own information). All information posted and / or published on Turn2Me shall remain within this website at all times.

   

      2.1 Account Creation and support

   

  Purpose	Categories of Data Subjects	Typical Data Categories	Legal Basis	Special Category Legal basis
  Registering or Logging into Your Account	Member	Name, E-mail Address, Postal Address, Phone Number, Gender, Sexuality, Emergency Contact Information	Performance of a Contract   Compliance with a Legal Obligation	Substantial Public Interest   Provision of Health and Social Care Treatment
  Create/Edit User Profile	Member	Name, E-mail Address, Postal Address, Phone Number, Gender, Sexuality, Emergency Contact Information, Company Number, Refugee number	Performance of a Contract	Substantial Public Interest   Provision of Health and Social Care Treatment
  Contacting Support	Member	Name, Email Address	Performance of a Contract	Provision of Health and Social Care Treatment
  Service Notifications including Bookings and Reminders	Member	Name, Email Address, Telephone Number	Performance of a Contract	Provision of Health and Social Care Treatment
  Statistical Analysis	Members	Log files	Consent	N/A
  Event of a Serious risk to Life or Health	Members, Parents/Guardians	Name, Next of Kin Details, Health Information	Vital Interest	Vital Interests
  Content Monitoring posted on Thought Catcher, Support Group or Counselling	Members	Name, Email Address, Telephone Number, Sensitive information pertaining to data subject	Performance of a Contract	Provision of Health and Social Care Treatment
  Marketing Emails	Members	Name, Email Address	Consent	N/A
  Counselling Service	Members	Name, Email Address, Next of Kin, GP details and Medical Details	Performance of a Contract	Substantial Public Interest   Provision of Health and Social Care Treatment

   

   

      2.2 Database Administration and Security

  Purpose	Categories of Data Subjects	Typical Data Categories	Legal Basis	Special Category Legal basis
  Ensure security of our online infrastructure and systems	Member	Name, E-mail Address	Legitimate Interest	N/A
  Safeguarding systems and to improve our services	Member	Name, Email Address,	Legitimate Interest	N/A
  Detect, prevent and address technical issues	Member	Name, Email Address	Legitimate Interest	N/A

   

   

   

      2.3 Finance

  Purpose	Categories of Data Subjects	Typical Data Categories	Legal Basis	Special Category Legal basis
  Processing payments and donations from members and keeping a record for accounting purposes	Member	Name, Email Address, Contact Details, Billing Information	Performance of a Contract   Compliance with a Legal Obligation	N/A

   

   

   

   

      2.4 Clinical data

  Purpose	Categories of Data Subjects	Typical Data Categories	Legal Basis	Special Category Legal basis
  To keep a record of all Clinical Information on a Member	Member	Chat transcripts, Emails that are Clinical in nature. Files that are Clinical in nature, clinical notes including a record of supports offered to you, Risk flags	Performance of a Contract   Compliance with a Legal Obligation	Substantial Public Interest   Provision of Health and Social Care Treatment
  Assessments and Surveys	Member	Name, Email Address, Clinical Files, Medical and Mental Health related issues and concerns	Performance of a Contract   Compliance with a Legal Obligation	Substantial Public Interest   Provision of Health and Social Care Treatment

   

  3. Who We Share Your Personal Data With

  We only disclose your personal information outside the organisation in limited circumstances. If we do, and where relevant, such as significant imminent risk to you or others where non-intervention could result in serious risk, harm or death or criminal activity. We will put in place an agreement that requires recipients to protect your personal information, unless we are legally required to share that information. Any contractors or recipients that work for or with us will be obliged to follow our instructions. We do not sell your personal information to third parties.

  When we use third-party service providers, we only disclose to them any personal information that is necessary for them to provide their services and only where we have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions as a Data Controller.

  The organisation will not share personal data with any other entity or organisation without prior consent from the data subject or another appropriate legal basis. At some point in time we may request your permission to share personal data with another related organisation.

  4. Transfers of Your Personal Information Outside of European Economic Area (EEA)

  Typically, we do not transfer your personal information outside of Europe. However, we may rely on adequacy decisions by the European Commission for data transfers to countries outside the EEA such as to the UK.

  If at any time we transfer your personal information to, or store it in, countries located outside of the EEA (for example, if our hosting services provider changes) that are not subject to an adequacy decision, we will amend this statement and notify you of the changes. We will also ensure that appropriate safeguards are in place for that transfer and storage, as required by applicable law. This is because some countries outside of the EEA do not have adequate data protection laws equivalent to those in the EEA.

  We ensure that appropriate safeguards are in place when transferring and storing your data outside of the region as required by applicable law. This includes adopting EU 2021 Standard Contractual Clauses (SCCs) where applicable.

  By submitting or agreeing to the submission of personal data on your behalf, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

  Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

   

  5. Security and Links to Other Websites

  We take the security of your personal information seriously and use a variety of measures based on good industry practice to keep it secure. Nonetheless, transmissions over the internet and to our website, and our social media pages may not be completely secure, so please exercise caution. When accessing links to other websites, their privacy policies, not ours, will apply to your personal information.

  We employ security measures to protect the personal information you provide to us, to prevent access by unauthorised persons and unlawful processing, accidental loss, destruction and damage.

  Although we will do everything possible to protect your personal information, we cannot guarantee the security of any personal information during its transmission to us online. You accept the inherent security implications of using the internet and will not hold us responsible for any breach of security unless we are at fault.

  Our website and social media pages may contain links to other websites run by other organisations which we do not control. This statement does not apply to those other websites, so we encourage you to read their privacy statements. We specifically disclaim responsibility for their content, privacy practices and terms of use, and we make no endorsements, representations or promises about their accuracy, content or thoroughness. Your disclosure of personal information to third party websites is at your own risk.

  6. The Periods for Which We Retain Your Personal Information

   

  We will retain personal information we collect from you where we have a justifiable business need to do so or for as long as we determine it is needed to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law (such as tax, legal, accounting or other purposes). We may delete or de-identify your information sooner if we receive a verifiable erasure request, subject to exemptions under applicable law.

   

  Clinical data is required by law to be kept for a period set out below:

  • Healthcare records of an adult: eight years after last treatment or death
  • Children and young people: until the patient’s 25th birthday, or 26th if the young person was 17 at the conclusion of treatment, or eight years after the patient’s death.

  We will not hold your personal information in an identifiable format for any longer than is necessary for the purposes for which we collected it. For certain purposes we retain your personal information indefinitely (e.g., to supress marketing messages).

  6.1        Account Deletion

  We will delete user accounts on request. This will result in all non-Clinical related data being deleted. Closing and deleting your account means we will remove all of your non-Clinical Personal data. These terms of use, including our proprietary rights, disclaimer of warranties, indemnities, limitations of liability, choice of law and choice of forum, and miscellaneous provisions shall survive any termination of your user privileges and / or closure of your account.

    7. Consent

  By using this Website, you provide your explicit consent to us and to the organisations directly involved in delivering our service, to collect, use, store, disclose and otherwise process your personal data (including special category data such as mental health related information and data) in accordance with the terms set out in this Privacy Statement.

  The Comment and Thought Catcher sections are restricted to members only and you consent to your comments and Content posted being monitored as set out in our Terms of Use sections Content Posted and Content Monitoring.

  Where we use consent as our legal basis for processing your data, or process special categories of your data on the basis of your explicit consent, you have the right to withdraw your consent at any time. For further information on when we rely upon consent please see Section 2 “Personal Information We Collect About You”.

  There are two ways that you can easily withdraw your consent, you can:

  • Press the ‘Unsubscribe’ option contained within our email communications to you,
  • Contact our Data Protection Officer directly by post, email and/or telephone by using the contact details on section 12 of this statement.

  If you would like to opt-out please visit here. We will maintain a record of your withdrawal of consent to comply with our legal obligations.

  8. Cookie Policy

  We use cookies to provide you with a tailored experience on our website and to gather statistics on how our online services are used so that we can improve our services. Some of our cookies may also collect personal data.

  Please visit our cookie page for more information about how we use cookies on our websites and services. We always seek your consent to use cookies

    9. Third Party Services

  We require a number of third parties to deliver our service. Without these, we cannot provide you with a service.

  These include all the companies and services listed:

  Name	Service	Data Controller/Data Processor	Description	Privacy URL
  Circulator	Email marketing	Data Processor	Email marketing, site news, and offers	Circulator Privacy
  Google	Google Analytics	Data Processor	User analytics tracking	Google Privacy
  Twilio	SMS	Data Processor	SMS services	Twilio Privacy
  Google	email	Data Processor	Productivity and collaborations tools	Google Privacy
  Tokbox	Hosting infrastructure	Data Processor	Cloud-based service provider for video	Tokbox Privacy
  Stripe	Payment service	Data Controller and Processor	Online payment processing	Stripe Privacy
  Mandrill	Transactional SMTP	Data Processor	Relays emails through SMTP service	Mandrill Privacy

   

  We take reasonable measures to protect the information you share with us from unauthorised access or disclosure.

  All the information gathered is stored on Turn2Me servers and is subject to reasonable ongoing security measures. Turn2Me will endeavour to take all reasonable steps to keep all information about you secure. Your information is held on a secure server that is in controlled facilities. In addition, all the staff on Turn2Me team as well as all employees, contractors and agents that provide services related to our information systems, are obliged by law to respect the confidentiality of any personal information and/or research information held by Turn2Me. You can also play an important role in keeping your personal information secure using a pseudo username and by keeping your password secure.

  10. Content Monitoring

  Content posted to the website is within the live chat, Thought Catcher, and Support Groups. Content posted in these services including Private thoughts and public comments may be monitored by the Turn2Me Clinical and Support Teams to:

  • Provide the most supportive experience to you
  • Ensure the wellbeing and welfare of all Website Users and
  • Uphold the Terms of Use

  What actions can we take when monitoring content posted? Through monitoring content posted, the Turn2Me Clinical and Support Teams may:

  • Directly contact you by onsite direct message, email, SMS if provided or through push site notifications if any Content Posted by you is deemed to be a concern for your wellbeing
  • Add support and service usage notes in our system about you in order to provide you with the most supportive and safest experience and so that our Clinical and Support Team can help and support you when needed.
  • Make suggestions or invite you to our Services through your Thought Catcher Feed, direct message, or email.

  Please note that Monitoring of your Content Posted does not amount to a mental health diagnosis. We cannot guarantee that all Content posted will be monitored.

   

   

   11. Rights of a Data Subject

  Your Data Rights	Explanation
  Right of Access	If you want to know if we are processing personal data relating to you and to have access to any such personal data, you can contact us using the details below. In order to furnish you with a copy of your personal data that we hold we will need to verify you identify. Requests will be processed within 1 month from the date of the receipt of the subject access request. This is known as a Data Subject Access Request. To request a copy of your data, please contact the Data Protection Officer at info@turn2me.org
  Right to be Informed	You have the right to be informed about the collection and use of your personal data. The Party provides this in a form of privacy information and/or privacy policies at the point of collection.
  Right To Rectification	If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the data and we will strive to do so as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified. If you believe that we hold inaccurate personal data about you, please contact us using the details below. Depending on the type of personal data you believe is inaccurate, we may ask you for further proof to ensure that the personal data is being corrected properly. If we are satisfied that the personal data is inaccurate, we will make the necessary changes.
  Right To Erasure	You also have the right to request erasure of your personal data or to restrict processing (where applicable). However, this right does not apply where we have to comply with a legal obligation or where we need personal data for the establishment, exercise, or defence of legal claims. In addition, if you opt out of marketing communications or have previously opted out of marketing communications, we have to keep a record of such opt out to ensure that we do not contact you again in the future. This right can be exercised by writing to Turn2Me at info@turn2me.org
  Right To Restriction	You have a right to request that processing of personal data is restricted in certain circumstances. However, we shall still continue to process the personal data for storage purposes, for the establishment, exercise, or defence of legal claims.
  Right To Object	Where we are relying on legitimate interests as a legal basis to process your data, you have a right to object to such processing on grounds relating to your particular situation.
  Right To Portability	You have the right to have the data we hold about you transferred to a third-party organisation, and you can ask that we provide it in a machine-readable format.
  Right To Complain to The Supervisory Authority	You have the right to lodge a complaint with the Irish Data Protection Commission and more details can be found on their website www.dataprotection.ie.

   

   

   

   

   

   

  12. How to contact Turn2Me with questions about your Personal Data

   

  Our Clinical and Support Team, who are all bound by strict confidentiality agreements. They only access the information that they need to do their jobs, and no more.

  The data controller responsible for your information is Turn2Me Ltd., which you can contact by email info@turn2me.org (subject “FAO DPO”) or by post at:

  Data Protection Officer,

  Turn2Me Ltd.,

  WeWork Charlemont Exchange,

  Charlemont Street,

  Dublin 2

  D02VN88,

  Ireland

   

  You also have the right to lodge a complaint with the Data Protection Commissioner about the processing of your personal data.

   13. Changes to this Statement

  We may occasionally update this Privacy Statement. We encourage you to periodically review this Statement to stay informed about how we are helping to protect the personal information we collect. Your continued use of this service constitutes your agreement to this Privacy Statement and any updates.

• Consent

  By using this Website, you provide your explicit consent to us and to the organisations directly involved in delivering our service, to collect, use, store, disclose and otherwise process your personal data (including special category data such as mental health related information and data) in accordance with the terms set out in this Privacy Statement.

  The Comment and Thought Catcher sections are restricted to members only and you consent to your comments and Content posted being monitored as set out in our Terms of Use sections Content Posted and Content Monitoring.

• Data Subjects rights Policy

  Turn2Me’s Network

  Data Subject Rights Policy and Procedures

   

  Revision History

   

  Version	Revision Date	Revised by	Section Revised
  V1.0	23/11/2023	PrivacyEngine	Entire Document
  V2.0	24/09/2024	Turn2Me	Entire Document

   

  1       Introduction

  This document supplements the Subject Access Request (SAR) provisions set out in the Turn2Me (hereinafter referred to as “Us”, “We” or “Our”) Data Protection Policy & Procedures and provides the process for individuals to use when making an access request, along with the protocols followed by Turn2Me when such a request is received.

  Turn2Me needs to collect personal information to carry out our everyday business functions and services effectively and compliantly, and in some circumstances, to comply with the requirements of the law and/or regulations.

  As Turn2Me processes personal information regarding individuals (data subjects), we are obligated under the General Data Protection Regulation (GDPR) and relevant data protection legislation to protect such information, and to obtain, use, process, store and destroy it, only in compliance with the GDPR and its principles.

  2       The General Data Protection Regulation

  The General Data Protection Regulation (GDPR) gives individuals the right to know what information is held about them, to access this information and to exercise other rights, including the rectification of inaccurate data. The GDPR is a standardised regulatory framework which ensures that personal information is obtained, handled, and disposed of properly.

  As Turn2Me are obligated under the GDPR and Irish data protection laws, we abide by the Regulations’ principles, which ensure that personal information shall be: –

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
  3. adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
  4. accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

  The Regulation also requires that ‘the controller shall be responsible for, and be able to demonstrate, compliance with the GDPR principles’ (‘accountability’). Turn2Me have adequate and effective measures, controls and procedures in place, that protect and secure your personal information and guarantee that it is only ever obtained, processed and disclosed in accordance with the relevant data protection laws and regulations.

  3       What is Personal Information?

  Information protected under the GDPR is known as “personal data” and is defined as: –

  “Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

   

  Further information on what constitutes personal information and your rights under the data protection regulation and laws can be found at www.dataprotection.ie.

  4       The Right of Access

  Under Article 15 of the GDPR, an individual has the right to obtain from the controller, confirmation as to whether personal data concerning them is being processed. We are committed to upholding the rights of individuals and have dedicated processes in place for providing access to personal information. Where requested, we will provide the following information: –

  • the purposes of the processing.
  • the categories of personal data concerned.
  • the recipient(s) or categories of recipient(s) to whom the personal data have been or will be disclosed.
  • If the data has been transferred to a third country or international organisation(s) (and if applicable, the appropriate safeguards used).
  • the envisaged period for which the personal data will be stored (or the criteria used to determine that period).
  • where the personal data was not collected directly from the individual, any available information as to its source.

  4.1                    How To Make a Subject Access Request (SAR)?

  A subject access request (SAR) is a request for access to the personal information that the Turn2Me holds about you, which we are required to provide under the GDPR (unless an exemption applies). The information that we provide is covered in Section 4 of this document.

   

  You can make this request in writing using the details provided in Section 8, or you can submit your access request electronically. Where a request is received by electronic means, we will provide the requested information in a commonly used electronic form (unless otherwise requested by the data subject).

  4.2                    What We Do When We Receive An Access Request

  Identity Verification

  Subject Access Requests (SAR) are passed to the Data Protection Lead as soon as received and a record of the request is made. The person in charge will use all reasonable measures to verify the identity of the individual making the access request, especially where the request is made using online services.

   

  We will utilise the request information to ensure that we can verify your identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to actioning any request. This is to protect your information and rights.

   

  If a third party, relative or representative is requesting the information on your behalf, we will verify their authority to act for you and again, may contact you to confirm their identity and gain your authorisation prior to actioning the request.

   

  Information Gathering

  If you have provided enough information in your SAR to collate the personal information held about you, we will gather all documents relating to you and ensure that the information required is provided in an acceptable format. If we do not have enough information to locate your records, we may contact you for further details. This will be done as soon as possible and within the timeframes set out below.

   

   

  Information Provision

  Once we have collated all the personal information held about you, we will send this to you in writing. The information will be in a concise, transparent, intelligible, and easily accessible format, using clear and plain language.

   

  5       Fees and Timeframes

  We aim to complete all access requests within 30 days and provide the information free of charge. Where the request is made by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested.

   

  Whilst we provide the information requested without a fee, further copies requested by the individual may incur a charge to cover our administrative costs.

  Turn2Me always aim to provide the requested information at the earliest convenience, but at a maximum, 30 days from the date the request is received. However, where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months. If this is the case, we will write to you within 30 days and keep you informed of the delay and provide the reasons for the extension.

  6       Your Other Rights

  Under the GDPR, you have the right to request rectification of any inaccurate data held by us. Where we are notified of inaccurate data, and agree that the data is incorrect, we will amend the details immediately as directed by you and make a note on the system (or record) of the change and reason(s).

  We will rectify any errors within 30 days and inform you in writing of the correction and where applicable, provide the details of any third-party to whom the data has been disclosed.

  If for any reason, we are unable to act in response to a request for rectification and/or data completion, we will always provide a written explanation to you.

   

  In certain circumstances, you may also have the right to request from Turn2Me, the erasure of personal data or to restrict the processing of personal data where it concerns your personal information, as well as the right to object to such processing. You can use the contact details in Section 8 to make such requests.

  7       Exemptions and Refusals

  The GDPR contains certain exemptions from the provision of personal information. If one or more of these exemptions applies to your Subject Access Request or where Turn2Me does not act upon the request, we shall inform you at the earliest convenience, or at the latest, within one month of receipt of the request.

   

  Where possible, we will provide you with the reasons for not acting. Details of how to contact the Supervisory Authority are laid out in Section 8 of this document.

  8       Submission & Lodging a Complaint

  To submit your SAR, you can contact us at dpo@turn2me.org. You can also submit your request in writing using the form in Appendix 1, sending the request to:

   

  Data Protection Officer,

  Turn2Me Ltd.,

  WeWork Charlemont Exchange,

  Charlemont Street,

  Dublin 2

  D02VN88,

  Ireland

  8.1                    Supervisory Authority

  If you remain dissatisfied with our actions, you have the right to lodge a complaint with the Irish Data Protection Supervisory Authority. You can find details on how to contact the Data Protection Commission on www.dataprotection.ie. The Data Protection Commission can also be contacted using their online form.

   

  Subject Access Request Form

  Under the General Data Protection Regulation, you are entitled as a data subject to obtain from Turn2Me, confirmation as to whether we are processing personal data concerning you, as well as to request details about the purposes, categories and disclosure of such data. You can use this form to request information about, and access to any personal data we hold about you. Details on where to return the completed form can be found at the end of the document.
  1. Personal Details:
  Data Subject’s Name:						DOB:	___ / ___ / _______
  Home Telephone No:						Email:
  Data Subject’s Address:
  Any other information that may help us to locate your personal data:
  2. Specific Details of the Information Requested:
  3. Representatives (only complete if you are acting as the representative for a data subject) [Please Note: We may still need to contact the data subject where proof of authorisation or identity are required]
  Representative’s Name:			Relationship to Data Subject:
  Telephone No:					Email:
  Representative’s Address:
  I confirm that I am the authorised representative of the named data subject:
  Representative’s Name: ____________________			Signature: __________________
  4. Confirmation
  Data Subject’s Name: ________________________ [print name]
  Signature:	________________________			Date:		____ /____ /________
  5. Completed Forms
  For postal requests, please return this form to:   Data Protection Officer, Turn2me Ltd., WeWork Charlemont Exchange, Charlemont Street, Dublin 2 D02VN88, Ireland   For email requests, please return this form to: dpo@turn2me.org

   

   

• Personal information you provide

  We collect personal information from you when you register to this Website and when you apply for one of the services which we offer, this may be via an online form, an online assessment, a chat or video Counselling session, a direct message on site, an email or other means. It is necessary for us to collect sensitive and special category data (such as clinical and medical information) relating to you so that our Clinical and Support team can make a clinical decision if the service is safe and suitable for you and to make appropriate referrals to other services or Professional Counselling Bodies.

  We collect your email and mobile number so that our team can contact you if required and so that SMS notifications and reminders can be sent. We collect your next of kin details and GP and some medical details when you apply for our Counselling Service per our Counselling Policy.

  You may choose to not supply any personal information to us; however, doing so will mean you cannot register to and access the members’ area on this website, such as discussions, online support groups, online counselling and the like. Members may not share, copy or transmit any information posted on turn2me (including their own information). All information posted and / or published on turn2me shall remain within this website at all times.

• Your usage of this Website

  Information is collected in statistical form about the most frequently visited pages on this website. This is intended to help us understand how visitors use the website.  turn2me analyses the log files of this website to better understand the volume of traffic to particular areas of this website.

  This information helps us to better understand and serve your information needs.  Although we do track the Internet address of the domains from which people visit us, our log files do not correlate individual visitors with the pages visited. Therefore, the individual user remains anonymous in this website’s log files.

  We collect information about how you use this website, such as the types of content you view or engage with; the Services you use; the Services bookings you make; the people or accounts you interact with; and the time, frequency and duration of your activities. This information is collected and recorded so that our Clinical and Support Team can provide the most supportive and safest online environment to you and so that every member of our Clinical and Support Team can support you if needed at any time.

• Donations on this Website

  If you use turn2me to make a donation or a payment (such as when you make a donation directly or towards a 1 to 1 Counselling session), we collect information about the donation or transaction. This includes payment information, such as your credit or debit card number and other card information; other account and authentication information; and billing and contact details.

  You can opt-in to receive further updates about turn2me and donor emails. Where you make a donation to turn2me, we will retain your donor information where you provide it, for as long as we are required to do for tax and accounting purposes. Once this is fulfilled, we will delete your information from our system.

  Any credit or debit card information you provide is collected and processed directly by our payment processor, which is currently Stripe. We will never receive or store your credit card information on our servers. Stripe commits to complying with the Payment Card Industry Data Security Standard (PCI-DSS). You can view the Stripe Privacy Policy here.

• Assessments and Surveys that you may complete

  When you register for and enter the turn2me website you may be asked to complete a number of assessments and surveys and enter some information, which may be sensitive data, about yourself.

  The website asks for this information in order to provide you with tailored, and specifically relevant information about mental health related issues and concerns. The information is stored in the turn2me database along with information about the date and time you complete each exercise or survey.

  It is necessary for us to collect sensitive and special category data (such as medical and mental health related information) relating to you so that our Clinical and Support team can make a clinical decision if the services we offer  are safe and suitable for you.

• Content Posted and Usage

  We collect the content, communications and other information you provide when you use this website  including when you sign up for an account, create or share content on Thought Catcher or through  your use of our services including Thought Catcher, Support Groups and Counselling (where applicable)

• Use of Personal Information and your Data

  We use the information you provide for the following purposes:  To provide a mental health support service and provide support to you Our mission is to provide professional mental health services online, this means that the data you share or post on this website can be reviewed by our Clinical and Support Team so that services and support can be offered to you.

• Data Retention Schedule

  Turn2Me

  Data Retention Schedule

   

  Revision History

   

  Version	Revision Date	Revised by	Section Revised
  V1.0	24/11/2023	PrivacyEngine	Entire Document
  V2.0	24/09/2024	Turn2Me	Entire Document

   

   

   

  1.   POLICY STATEMENT

  • The corporate information, records, and data of Turn2Me is important to how we conduct our organisation and manage employees.
  • There are legal and regulatory requirements for us to retain certain data, usually for a specified amount of time. We also retain data to help our organisation operate and to have information available when we need it. However, we do not need to retain all data indefinitely.
  • This Data Retention Schedule explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
  • This policy does not form part of any employee’s contract of employment, and we may amend it at any time.

  2.   SCOPE

  • This policy covers all data that we hold or have control over. This includes physical data such as hard copy documents, contracts, notebooks, letters, and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to both personal data and non-personal data. In this policy we refer to this information and these records collectively as “data”.
  • This policy covers data that is held by third parties on our behalf, for example cloud storage providers or offsite records storage. It also covers data that belongs to us but is held by employees on personal devices.
  • This policy explains the differences between our formal or official records, disposable information, confidential information belonging to others, personal data, and non-personal data. It also gives guidance on how we classify our data.

  3.   GUIDING PRINCIPLES

  • Through this policy, and our data retention practices, we aim to meet the following commitments:
  • We comply with legal and regulatory requirements to retain data.

  • We comply with our data protection obligations, in particular to keep personal data no longer than is necessary for the purposes for which it is processed (storage limitation principle).
  • We handle, store, and dispose of data responsibly and securely.
  • We create and retain data where we need this to operate our organisation effectively, but we do not create or retain data without good organisational reason.
  • We allocate appropriate resources, roles, and responsibilities to data retention.
  • We regularly remind employees and clinical placements of their data retention responsibilities; and
  • We regularly monitor and audit compliance with this policy and update this policy when required.

  4.   ROLES AND RESPONSIBILITIES

  • Responsibility of all employees and clinical placements. We aim to comply with the laws, rules, and regulations that govern our organisation and with recognised compliance good practices. All employees must comply with this policy, the Record Retention Schedule, any communications suspending data disposal and any specific instructions regarding data retention. Failure to do so may subject us, our employees, clinical placements and contractors to serious civil and/or criminal liability. An employee’s, contractor’s or clinical placement’s failure to comply with this policy may result in disciplinary sanctions, including suspension or termination. It is therefore the responsibility of everyone to understand and comply with this policy.

  5.   TYPES OF DATA AND DATA CLASSIFICATIONS

  • Formal or official records. Certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our organisation. Please see paragraph 1 below for more information on retention periods for this type of data.
  • Disposable information. Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule. Examples may include:
  • Duplicates of originals that have not been annotated.

  • Preliminary drafts of letters, memoranda, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of an official record.
  • Books, periodicals, manuals, training binders, and other printed materials obtained from sources outside of Turn2Me and retained primarily for reference purposes.
  • Spam and junk mail.

  Please see paragraph 6.2 below for more information on how to determine retention periods for this type of data.

  • Personal data. Both formal or official records and disposable information may contain personal data; that is, data that identifies living individuals. Data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). See paragraph 3 below for more information on this.
  • Confidential information belonging to others. Any confidential information that an employee may have obtained from a source outside of Turn2Me, such as a previous employer, must not, so long as such information remains confidential, be disclosed to, or used by us. Unsolicited confidential information submitted to us should be refused, returned to the sender where possible, and deleted, if received via the internet.

  6.   RETENTION PERIODS

  • Formal or official records. Any data that is part of any of the categories listed in the Record Retention Schedule contained in the Annex to this policy, must be retained for the amount of time indicated in the Record Retention Schedule. A record must not be retained beyond the period indicated in the Record Retention Schedule unless a valid organisational reason (or notice to preserve documents for contemplated litigation or other special situation) calls for its continued retention. If you are unsure whether to retain a certain record, contact the Data Protection Officer.
  • Disposable information. The Record Retention Schedule will not set out retention periods for disposable information. This type of data should only be retained as long as it is needed for organisational purposes. Once it no longer has any organisational purpose or value it should be securely disposed of.
  • Personal data. As explained above, data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). Where data is listed in the Record Retention Schedule, we have taken into account the principle of storage limitation and balanced this against our requirements to retain the data. Where data is disposable information, you must take into account the principle of storage limitation when deciding whether to retain this data.
  • Different types of data will be retained for different periods of time. For more details, please refer to Annex B of this Data Retention Schedule
  • What to do if data is not listed in the Record Retention Schedule. If data is not listed in the Record Retention Schedule, it is likely that it should be classed as disposable information. However, if you consider that there is an omission in the Record Retention Schedule, or if you are unsure, please contact the Data Protection Officer.

  7.   STORAGE, BACK-UP, AND DISPOSAL OF DATA

  • Our data must be stored in a safe, secure, and accessible manner. Any documents and financial files that are essential to our organisation operations during an emergency must be duplicated and/or backed up at least once per week and maintained off site.
  • Our Data Protection Officer is responsible for the continuing process of identifying the data that has met its required retention period and supervising its destruction. The destruction of confidential, financial, and employee-related hard copy data must be conducted by shredding if possible. Non-confidential data may be destroyed by recycling. The destruction of electronic data must be co-ordinated with our IT provider.

  8.   SPECIAL CIRCUMSTANCES

  • Preservation of documents for contemplated litigation and other special situations. We require all employees to comply fully with our Record Retention Schedule and procedures as provided in this policy. All employees should note the following general exception to any stated destruction schedule: If you believe, or the Data Protection Officer informs you, that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, reporting, audit, or other event, you must preserve and not delete, dispose, destroy, or change those records, including emails and other electronic documents, until the Data Protection Officer determines those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.
  • If you believe this exception may apply, or have any questions regarding whether it may apply, please contact the Data Protection Officer.
  • In addition, you may be asked to suspend any routine data disposal procedures in connection with certain other types of events, such as our merger with another organisation or the replacement of our information technology systems.

  9.   BREACH REPORTING AND AUDIT

  • Reporting policy breaches. We are committed to enforcing this policy as it applies to all forms of data. The effectiveness of our efforts, however, depend largely on employees. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your line manager. If you are not comfortable bringing the matter up with your immediate line manager, or do not believe the supervisor has dealt with the matter properly, you should raise the matter with the Data Protection Officer or the manager at the next level above your direct line manager. If employees do not report inappropriate conduct, we may not become aware of a possible breach of this policy and may not be able to take appropriate corrective action.
  • No one will be subject to, and we do not allow any form of discipline, reprisal, intimidation, or retaliation for reporting incidents of inappropriate conduct of any kind, pursuing any record destruction claim, or co-operating in related investigations.

  ANNEX A              DEFINITIONS

  Data: all data that we hold or have control over and therefore to which this policy applies. This includes physical data such as hard copy documents, contracts, notebooks, letters, and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to both personal data and non-personal data. In this policy we refer to this information and these records collectively as “data”.

  Data Protection Officer: our Data Protection Officer who is responsible for advising on and monitoring compliance with data protection laws.

  Data Retention Schedule: this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.

  Disposable information: disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule.

  Formal or official record: certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our organisation. We refer to this as formal or official records or data.

  Non-personal data: data which does not identify living individuals, either because it is not about living individuals (for example financial records) or because it has been fully anonymised.

  Personal data: any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special categories of personal data such as health data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location, or date of birth) or an opinion about that person’s actions or behaviour.

  Record Retention Schedule: the schedule attached to this policy which sets out retention periods for our formal or official records.

  Storage limitation principle: data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed. This is referred to in the GDPR as the principle of storage limitation.

  ANNEX B               RECORD RETENTION SCHEDULE

  Turn2Me establishes retention or destruction schedules or procedures for specific categories of data. This is done to ensure legal compliance (for example with our data protection obligations) and accomplish other objectives, such as protecting intellectual property and controlling costs.

  Employees should comply with the retention periods listed in the record retention schedule below, in accordance with Turn2Me Data Retention Schedule.

  If you hold data not listed below, please refer to Turn2Me Data Retention Schedule. If you still consider your data should be listed, if you become aware of any changes that may affect the periods listed below or if you have any other questions about this record retention schedule, please contact the Data Protection Officer.

   

   

   

   

  Statutory Retention
  Type of data	Retention Period	Rationale
  Terms and conditions of employment be retained for the duration of their employment.	End of employment plus 7 years	The Terms of Employment (Information) Act, 1994 and the legitimate interest of the Data Controller
  Payslips showing the employees were paid at least minimum wage.	7 Years	The National Minimum Wage Act, 2000 Taxes Consolidation Act, 1997 (Revenue)
  Weekly working hours, the name and address of employee, the employee’s PPS numbers and a statement of their duties.	7 Years	The Organisation of Working Time Act, 1997
  Records relating to persons under 18 years of age.	3 Years	The Protection of Young Persons (Employment) Act, 1996
  Collective Redundancies	7 Years	The Protection of Employment Acts, 1977-2007
  Parental, carers, or force majeure leave.	8 Years	The Parental Leave Acts 1998-2006
  Tax & Accounting Records	7 Years	Taxes Consolidation Act, 1997
  Health & Safety Records – Accident	10 Years	The Safety, Health, and Welfare at Work (General Applications) Regulations 1993
  Records dealing with annual leave, public holiday leave and other employee leave entitlements	7 Years	Holidays (Employees) Act, 1973 (Public Holiday) Regulations, 1993
  Type of Data	Retention Period	Rationale
  General
  Formal organisation documents: a) Statutory books b) Board minutes c) Resolutions	Indefinitely	Taxes Consolidation Act, 1997
  Consultant’s Reports	7 years	Legitimate interest of the Data Controller
  Policy and Procedures Manuals – Original	Current version with revision history
  Policy and Procedures Manuals – Copies	Retain current version only
  Annual Reports	Permanent
  Type of Data	Retention Period	Rationale
  Operational
  Notebooks & Diary	3 Years	Legitimate Interest of the Controller
  Repair & Maintenance Contracts (Commercial)	2 years from conclusion	Legitimate Interest of the Controller Contract Obligation of the Controller
  Email Communications	2 years	Legitimate Interest of the Controller
  Digital Analytics (Website analytics, media analytics and social media analytics) and Website Cookies	Various (See Cookie Policy)	Consent
  Records of Consent	Until consent has been removed + 7 years	Consent and legitimate interest of the Controller
  Type of Data	Retention Period	Rationale
  Recruitment
  Unsolicited CV received	Immediately	Legitimate Interest of the Controller
  Recruitment records for unsuccessful candidates	18 Months from last communication/interview	Legitimate Interest of the Controller
  Recruitment records for successful candidates	Duration of employment + 3 Years	Legitimate Interest of the Controller
  Type of Data	Retention Period	Rationale
  HR
  Insurance Policies (including expired policies)	Permanent	See above statutory requirements on retentions on page 8
  Garda Vetting	Application forms deleted after 6 months; record of disclosure results noted on record and kept on National Bureau (GNBCI) database	Compliance with a Legal Obligation
  Employee Handbooks	1 copy kept permanently	See above statutory requirements on retentions on page 8
  Employee Medical Records	Separation + 7 years	See above statutory requirements on retentions on page 8
  Employment Contracts – Individual	Separation + 7 years	See above statutory requirements on retentions on page 8
  Employee Personnel Records (including individual attendance records, application forms, job or status change records, performance evaluations, termination papers, withholding information, garnishments, test results, training, and qualification records)	Separation + 7 years	See above statutory requirements on retentions on page 8
  Job Descriptions	3 years after superseded	See above statutory requirements on retentions on page 8
  Grievance Raised	throughout the employment plus 7 years.	See above statutory requirements on retentions on page 8
  Disciplinary Investigations	throughout the employment plus 7 years	See above statutory requirements on retentions on page 8
  Disciplinary Warnings	throughout the employment plus 7 years	See above statutory requirements on retentions on page 8
  Type of Data	Retention Period	Rationale
  Legal & Regulatory Files
  Legal files and Opinions (including all subject matter files)	7 years after close of matter	Legal Obligation of the Controller
  Court Orders	Permanent	Legal Obligation of the Controller
  Data Breach Notifications	7 years from date of incident	Legitimate Interest of the Controller
  Data Subject Complaints and General Complaints	1 year	Legitimate Interest of the Controller
  Data Subject Requests	1 year	Legitimate Interest of the Controller
  Type of Data	Retention Period	Rationale
  Website
  Donation History	10 years	Revenue recommendations (https://www.revenue.ie/en/corporate/documents/records-retention-schedule.pdf)
  Client information (Name, phone number, email, postal address, sexuality, gender, emergency contact info)	Separation + 8 years	HSE Record Retention Periods 2013
  Client bank card information (name, email, card number, CVV, expiry date)	Separation	Consent
  Consultant notes on clients	Separation + 8 years	HSE Record Retention Periods 2013

   

• Data Retention & Erasure Policy

  Turn2Me Data Retention & Erasure Policy

   

  Revision History

   

  Version	Revision Date	Revised by	Section Revised
  V1.0	27/11/2023	PrivacyEngine	Entire Document
  V2.0	25/09/2024	Turn2Me	Entire Document

   

   

   

   

   

   

  1       Policy Statement

  Turn2Me (hereinafter referred to as the “Company”) recognises that the efficient management of its data and records is necessary to support its core business functions, to comply with its legal, statutory, and regulatory obligations, to ensure the protection of personal information and to enable the effective management of the organisation.

  This policy and related documents meet the standards and expectations set out by contractual and legal requirements and has been developed to meet the best practices of business records management, with the aim of ensuring a structured approach to document control.

  Effective and adequate records and data management is necessary to:

  • Ensure that the business conducts itself in a structured, efficient, and accountable manner
  • Ensure that the business realises best value through improvements in the quality and flow of information and greater coordination of records and storage systems
  • Support core business functions and provide evidence of conduct and the appropriate maintenance of systems, tools, resources, and processes
  • Meet legislative, statutory, and regulatory requirements
  • Deliver services to, and protect the interests of employees, contractors, users, clinical placements, clients, and stakeholders in a consistent and equitable manner
  • Assist in document policy formation and managerial decision making
  • Provide continuity in the event of a disaster or security breach
  • Protection personal information and data subject rights

  • Avoid inaccurate or misleading data and minimise risks to personal information
  • Erase data in accordance with the legislative and regulatory requirements

  Information held for longer than is necessary carries additional risk and cost and can breach data protection rules and principles. The Company only ever retains records and information for legitimate or legal business reasons and always comply fully with the data protection laws, guidance and best practice.

  2       Purpose

  The purpose of this document is to provide the Company’s statement of intent on how it provides a structured and compliant data and records management system. We define ‘records’ as all documents, regardless of the format, which facilitate business activities, and are thereafter retained to provide evidence of transactions and functions.

  Such records may be created, received, or maintained in hard copy or in an electronic format with the overall definition of records management being a field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, distribution, storage, and disposal of records.

  3       Scope

  This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns, and agents engaged with the Company in Ireland). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.

  4       Personal Information and Data Protection

  The Company needs to collect personal information about the people we employ, work with have a business relationship with, to carry out our everyday business functions and activities effectively and compliantly, and to provide the products and services defined by our business type. This information can include (but is not limited to), name, address, email address, data of birth, IP address, identification number, private and confidential information, sensitive information, and bank details.

  In addition, we may occasionally be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations, however we are committed to collecting, processing, storing and destroying all information in accordance with the General Data Protection Regulation 2018 data protection law and any other associated legal or regulatory body rules or codes of conduct that apply to our business and/or the information we process and store.

  Our Data Retention Policy and processes comply fully with the GDPR’s fifth Article 5 principle:

  Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).

  5       Objectives

  A record is information, regardless of media, created, received, and maintained which evidences the development of, and compliance with, regulatory requirements, business practices, legal policies, financial transactions, administrative activities, business decisions or agreed actions. It is the Company’s objective to implement the necessary records management procedures and systems which assess and manage the following processes: –

  • The creation and capture of records
  • Compliance with legal, regulatory, and contractual requirements
  • The storage of records
  • The protection of record integrity and authenticity
  • The use of records and the information contained therein
  • The security of records

  • Access to and disposal of records

  Records contain information that are a unique and invaluable resource to the Company and are an important operational asset. A systematic approach to the management of our records is essential to protect and preserve the information contained in them, as well as the individuals such information refers to. Records are also pivotal in the documentation and evidence of all business functions and activities.

  The Company’s objectives and principles in relation to Data Retention are to:

  • Ensure that the Company conducts itself in an orderly, efficient, and accountable manner
  • Support core business functions and providing evidence of compliant retention, erasure, and destruction
  • To develop and maintain an effective and adequate records management program to ensure effective archiving, review, and destruction of information

  • To only retain personal information for as long as is necessary
  • Comply with the relevant data protection regulation, legislation, and any contractual obligations
  • Ensure the safe and secure disposal of confidential data and information assets
  • Ensure that records and documents are retained for the legal, contractual, and regulatory period stated in accordance with each body’s rules or terms.
  • Ensure that no document is retained for longer than is legally or contractually allowed
  • Mitigate against risks or breaches in relation to confidential information

  6       Guidelines & Procedures

  The Company manage records efficiently and systematically, in a manner consistent with the GDPR requirements, and regulatory Codes of Practice on Records Management. Records management training is mandatory for all staff as part of the Company’s statutory and compliance training programme and this policy is widely disseminated to ensure a standardised approach to data retention and records management.

  Records will be created, maintained, and retained to provide information about, and evidence of the Company’s transactions, customers, clinical placements, employment, and activities. Retention schedules will govern the period that records will be retained and can be found in the Retention Schedule.

  It is our intention to ensure that all records and the information contained therein is:

  • Accurate – records are always reviewed to ensure that they are a full and accurate representation of the transactions, activities, or practices that they document
  • Accessible – records are always made available and accessible when required (with additional security permissions for select staff where applicable to the document content)
  • Complete – records have the content, context and structure required to allow the reconstruction of the activities, practices, and transactions that they document
  • Compliant – records always comply with any record keeping legal and regulatory requirements
  • Monitored – staff, company and system compliance with this Data Retention Policy is regularly monitored to ensure that the objectives and principles are being complied with at all times and that all legal and regulatory requirements are being adhered to.

  7       Retention Period Protocols

  All records retained during their specified periods are traceable and retrievable. Any file movement, use or access is tracked and logged, including inter-departmental changes. All company and employee information are retained, stored, and destroyed in line with legislative and regulatory guidelines.

  For all data and records obtained, used, and stored within the Company, we:

  • Carry out periodical reviews of the data retained, checking purpose, continued validity, accuracy, and requirement to retain.
  • Establish periodical reviews of data retained.
  • Establish and verify retention periods for the data, with special consideration given in the below areas: –
    • the requirements of the Company
    • the type of personal data
    • the purpose of processing
    • lawful basis for processing
    • the categories of data subjects
  • Where it is not possible to define a statutory or legal retention period, as per the GDPR requirement, the Company will identify the criteria by which the period can be determined and provide this to the data subject on request and as part of our standard information disclosures and privacy notices.
  • Have processes in place to ensure that records pending audits, litigation or investigation are not destroyed or altered.
  • Transfer paper-based records and data to an alternative media format in instances of long retention periods (with the lifespan of the media and the ability to migrate data where necessary always being considered)

  8       Designated Owners

  All systems and records have designated owners (IAO) throughout their lifecycle to ensure accountability and a tiered approach to data retention and destruction. Owners are assigned based on role, business area and level of access to the data required. The designated owner is recorded on the Retention Register and is fully accessible to all employees. Data and records are never reviewed, removed, accessed, or destroyed with the prior authorisation and knowledge of the designated owner.

  9       Document Classification

  The Company have detailed Asset Management protocols for identifying, classifying, managing, recording, and coordinating the Company’s assets (including information) to ensure their security and the continued protection of any confidential data they store or give access to. We utilise an Information Asset Register (IAR) to document and categorise the assets under our remit and carry out regular Information Audits to identify, review and document all flows of data within the Company.

  We also carry out regular Information Audits which enable us to identify, categorise and record all personal information obtained, processed, and shared by our company in our capacity as a controller and processor and has been compiled on a central register which includes:

  • What personal data we hold
  • Where it came from
  • Who we share it with
  • Legal basis for processing it
  • What format(s) is it in
  • Who is responsible for it?
  • Retention periods
  • Access level (e. full, partial, restricted etc)

  Our information audits and registers enable us to assign classifications to all records and data, thus ensuring that we are aware of the purpose, risks, regulations, and requirements for all data types.

  We utilise 5 main classification types:

  1. Unclassified – information not of value and/or retained for a limited period where classification is not required or necessary
  2. Public – information that is freely obtained from the public and as such, is not classified as being personal or confidential
  3. Internal – information that is solely for internal use and does not process external information or permit external access
  4. Personal – information or a system that processes information that belongs to an individual and is classed as personal under the data protection laws

  5. Confidential – private information or systems that must be secured at the highest level and are afforded access restrictions and high user authentication

  The classification is used to decide what access restriction needs to be applied and the level of protection afforded to the record or data. The classification along with the asset type, content and description are then used to assess the risk level associated with the information and mitigating action can then be applied.

  10   Suspension of Record Disposal for Litigation or Claims

  If the Company is served with any legal request for records or information, any employee becomes the subject of an audit or investigation or we are notified of the commencement of any litigation against our firm, we will suspend the disposal of any scheduled records until we are able to determine the requirement for any such records as part of a legal requirement.

  11   Storage & Access of Records and Data

  Documents are grouped together by category and then in clear date order when stored and/or archived. Documents are always retained in a secure location, with authorised personnel being the only ones to have access. Once the retention period has elapsed, the documents are either reviewed, archived, or confidentially destroyed dependant on their purpose, classification, and action type.

  12   Expiration of Retention Period

  Once a record or data has reached its designated retention period date, the designated owner should refer to the retention register for the action to be taken. Not all data or records are expected to be deleted upon expiration; sometimes it is sufficient to anonymise the data in accordance with the GDPR requirements or to archive records for a further period.

  13   Destruction and Disposal Of Records & Data

  All information of a confidential or sensitive nature on paper, card, microfiche, or electronic media must be securely destroyed when it is no longer required. This ensures compliance with the Data Protection laws and the duty of confidentiality we owe to our employees, clients, and customers.

  The Company is committed to the secure and safe disposal of any confidential waste and information assets in accordance with our contractual and legal obligations and that we do so in an ethical and compliant manner. We confirm that our approach and procedures comply with the laws and provisions of the General Data Protection Regulation (GDPR) and that staff are trained and advised accordingly on the procedures and controls in place.

  14   Electronic & IT Records and Systems

  The Company uses numerous systems, computers, and technology equipment in the running of our business. From time to time, such assets must be disposed of and due to the information held on these whilst they are active, this disposal is handled in an ethical and secure manner.

  The deletion of electronic records must be organised in conjunction with the IT Department who will ensure the removal of all data from the medium so that it cannot be reconstructed. When records or data files are identified for disposal, their details must be provided to the designated owner to maintain an effective and up to date a register of destroyed records.

  Where possible, information is wiped from the equipment through use of software and formatting, however this can still leave imprints or personal information that is accessible and so we also comply with the secure disposal of all assets.

  It is the explicit responsibility of the asset owner and IT Department to ensure that all relevant data has been sufficiently removed from the IT device and backed up before requesting disposal and/or prior to the scheduled pickup.

  15   Internal Correspondence and General Memoranda

  Unless otherwise stated in this policy or the retention periods register, correspondence and internal memoranda should be retained for the same period as the document to which they pertain or support (i.e., where a memo pertains to a contract or personal file, the relevant retention period and filing should be observed).

  Where correspondence or memoranda that do not pertain to any documents having already be assigned a retention period, they should be deleted or shredded once the purpose and usefulness of the content ceases or at a maximum, 3 years.

  Examples of correspondence and routine memoranda include (but are not limited to):

  • Internal emails
  • Meeting notes and agendas
  • General inquiries and replies
  • Letter, notes, or emails of inconsequential subject matter

  16   Erasure

  In specific circumstances, data subjects’ have the right to request that their personal data is erased, however the Company recognise that this is not an absolute ‘right to be forgotten’. Data subjects only have a right to have personal data erased and to prevent processing if one of the below conditions applies: –

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • When the individual withdraws consent
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed.
  • The personal data must be erased in order to comply with a legal obligation.
  • The personal data is processed in relation to the offer of information society services to a child.

   

  Where one of the above conditions applies and the Company received a request to erase data, we first ensure that no other legal obligation or legitimate interest applies. If we are confident that the data subject has the right to have their data erased, this is carried out by the Data Protection Officer in conjunction with any department manager and the IT team to ensure that all data relating to that individual has been erased.

  These measures enable us to comply with a data subject right to erasure, whereby an individual can request the deletion or removal of personal data where there is no compelling reason for its continued processing. Whilst our standard procedures already remove data that is no longer necessary, we still follow a dedicated process for erasure requests to ensure that all rights are complied with, and that no data has been retained for longer than is needed.

  Where we receive a request to erase and/or remove personal information from a data subject, the below process is followed:

  1. The request is allocated to the Data Protection Officer and recorded on the Erasure Request Register
  2. The DPO locates all personal information relating to the data subject and reviews it to see if it is still being processed and is still necessary for the legal basis and purpose it was originally intended.
  3. The request is reviewed to ensure it complies with one or more of the grounds for erasure: –
     1. Personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
     2. The data subject has withdrawn consent on which the processing is based and where there is no other legal ground for the processing.
     3. The data subject objects to the processing and there are no overriding legitimate grounds for the processing.
     4. the personal data has been unlawfully processed.
     5. the personal data must be erased for compliance with a legal obligation.
     6. personal data has been collected in relation to the offer of information society services to a child.
  4. If the erasure request complies with one of the above grounds, it is erased within 30 days of the request being received.
  5. The DPO writes to the data subject and notifies them in writing that the right to erasure has been granted and provides details of the information erased and the date of erasure.
  6. Where the Company has made any of the personal data public and erasure is granted, we will take every reasonable step and measure to remove public references, links, and copies of data and to contact related controllers and/or processors and inform them of the data subjects request to erase such personal data.

   

  If for any reason we are unable to act in response to a request for erasure, we always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority and to a judicial remedy. Such refusals to erase data include:

  • Exercising the right of freedom of expression and information
  • Compliance with a legal obligation for the performance of a task carried out in the public interest.
  • For reasons of public interest in the area of public health
  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, as far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing.
  • For the establishment, exercise or defense, of legal claims

  17   Special Category Data

  In accordance with GDPR requirements, organisations are required to have and maintain appropriate policy documents and safeguarding measures for the retention and erasure of special categories of personal data and criminal convictions etc.

  Our methods and measures for destroying and erasing data are noted in this policy and apply to all forms of records and personal data, as noted on our retention register schedule.

  18   Compliance and Monitoring

  The Company are committed to ensuring the continued compliance with this policy and any associated legislation and undertake regular audits and monitoring of our records, their management, archiving and retention. Information asset owners are tasked with ensuring the continued compliance and review of records and data within their remit.

  19   Responsibilities

  Heads of departments and information asset owners have overall responsibility for the management of records and data generated by their departments’ activities, namely, to ensure that the records created, received, and controlled within the purview of their department, and the systems (electronic or otherwise) and procedures they adopt, are managed in a way which meets the aims of this policy.

  Where a DPO has been designated, they must be involved in any data retention processes and records, or all archiving and destructions must be retained. Individual employees and clinical placements must ensure that the records for which they are responsible are complete and accurate records of their activities, and that they are maintained and disposed of in accordance with the Company’s protocol.

   

• Breach Policy

   

  Turn2Me

  Data Breach Policy & Procedures

   

  Revision History

   

  Version	Revision Date	Revised by	Section Revised
  V1.0	28/11/2023	PrivacyEngine	Entire Document
  V2/0	24/09/2024	Turn2Me	Entire Document

   

   

  1     Introduction

  Turn2Me (hereinafter referred to as the “Company”) are committed to our obligations under the regulatory system and in accordance with the GDPR and maintain a robust and structured program for compliance and monitoring. We carry out frequent risk assessments and GAP analysis reports to ensure that our compliance processes, functions, and procedures are fit for purpose and that mitigating actions are in place where necessary. However, we recognise that breaches can occur, hence this policy states our intent and objectives for dealing with such incidents.

  Although we understand that not all risks can be mitigated, we operate a robust and structured system of controls, measures, and processes to help protect data subjects and their personal information from any risks associated with processing data. The protection and security of the personal data that we process is of paramount importance to us and we have developed data specific protocols for any breaches relating to the GDPR and the Data Protection Act 2018.

  2     Purpose

  The purpose of this policy is to provide the Company’s intent, objectives and procedures regarding data breaches involving personal information. As we have obligations under the GDPR, we also have a requirement to ensure that adequate procedures, controls, and measures are in place and are disseminated to all employees; ensuring that they are aware of the protocols and reporting lines for data breaches. This policy details our processes for reporting, communicating, and investigating such breaches and incidents.

  3     Scope

  This policy applies to all staff within the Company, volunteers, contractors and clinical placements. Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.

  4     Data Security & Breach Requirements

  The Company’s definition of a personal data breach is any incident of security, lack of controls, system or human failure, error or issue that leads to, or results in, the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

  Alongside our ‘Privacy by Design’ approach to protecting data, we also have a legal, regulatory, and business obligation to ensure that personal information is protected whilst being processed by the Company. Our technical and organisational measures are detailed in our Data Protection Policy & Procedures and Information Security Policies.

  We carry out information audits to ensure that all personal data processed by us is adequately and accurately identified, assessed, classified and recorded. We carry out risk assessments that assess the scope and impact of any potential data breach; both on the processing activity and the data subject. We have implemented adequate, effective, and appropriate technical and organisational measures to ensure a level of security appropriate to the risks, including (but not limited to):

  • Pseudonymisation and encryption of personal data
  • Restricted access and biometric measures
  • Reviewing, auditing and improvement plans for the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Disaster Recovery and Business Continuity Plan to ensure up-to-date and secure backups and the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Audit procedures and stress testing on a regularly basis to test, assess, review, and evaluate the effectiveness of all measures in compliance with the data protection regulations
  • Frequent and ongoing data protection training programs for all employees
  • Staff assessments and regular knowledge testing to ensure a high level of competency, knowledge and understanding of the data protection regulations and the measures we have in place to protect personal information
  • Reviewing internal processes to ensure that where personal information is transferred, disclosed, shared or is due for disposal; it is rechecked and authorised by the Data Protection Officer

  4.1                    Objectives

  • To adhere to the GDPR and the relevant Data Protection laws (Data Protection Act 2018) and to have robust and adequate procedures and controls in place for identifying, investigating, reporting, and recording any data breaches
  • To develop and implement adequate, effective, and appropriate technical and organisational measures to ensure a high level of security with regards to personal information
  • To utilise information audits and risk assessments for mapping data and to reduce the risk of breaches
  • To have adequate and effective risk management procedures for assessing any risks presented by processing personal information
  • To ensure that any data breaches are reported to the correct regulatory bodies within the timeframes set out in any regulations, codes of practice or handbooks
  • To use breach investigations and logs to assess the root cause of any breaches and to implement a full review to prevent further incidents from occurring
  • To use the Data Breach Incident Form for all data breaches, regardless of severity so that any patterns in causes can be identified and corrected

  • To protect consumers, clients, and employees, including their information and identity
  • To ensure that where applicable, the Data Protection Officer is involved in and notified about all data breaches and risk issues
  • To ensure that the Supervisory Authority is notified of any data breach (where applicable) with immediate effect and at the latest, within 72 hours of the Company having become aware of the breach

  4.1.2                                   Data Breach Procedures & Guidelines

  The Company has robust objectives and controls in place for preventing data breaches and for managing them in the rare event that they do occur. Our procedures and guidelines for identifying, investigating and notification of breaches are detailed below. Our documented breach incident policy aims to mitigate the impact of any data breaches and to ensure that the correct notifications are made.

  4.2                    Breach Monitoring & Reporting

  The Company has appointed a Data Protection Officer who is responsible for the review and investigation of any data breach involving personal information, regardless of the severity, impact, or containment. All data breaches are reported to this person with immediate effect, whereby the procedures detailed in this policy are followed.

  All data breaches will be investigated, even in instances where notifications and reporting are not required, and we retain a full record of all data breaches to ensure that gap and pattern analysis are available and used. Where a system or process failure has given rise to a data breach, revision to any such process is recorded in the Change Management and Document Control records.

  4.3                    Breach Incident Procedures

  4.3.1                                   Identification of an Incident

  As soon as a data breach has been identified, it is reported to the direct line manager and the reporting officer Data Protection Officer immediately so that breach procedures can be initiated and followed without delay.

  Reporting incidents in full and with immediate effect is essential to the compliant functioning of the Company and is not about apportioning blame. These procedures are for the protection of the Company, its staff, customers, clients and third parties and are of the utmost importance for legal regulatory compliance.

  As soon as an incident has been reported, measures must be taken to contain the breach. Such measures are not in the scope of this document due to the vast nature of breaches and the variety of measures to be taken; however, the aim of any such measures should be to stop any further risk/breach to the organisation, customer, client, third-party, system or data prior to investigation and reporting. The measures taken are noted on the incident form in all cases.

  4.3.2           Breach Recording

  The Company utilises a Breach Incident Form for all incidents, which is completed for any data breach, regardless of severity or outcome. Completed forms are logged in the Breach Incident Folder (electronic or hard copy) and reviewed against existing records to ascertain patterns or reoccurrences.

  In cases of data breaches, the Data Protection Officer is responsible for carrying out a full investigation, appointing the relevant staff to contain the breach, recording the incident on the breach form and making any relevant and legal notifications. The completing of the Breach Incident Form is only to be actioned after containment has been achieved.

  A full investigation is conducted and recorded on the incident form, with the outcome being communicated to all staff involved in the breach, in addition to senior management. A copy of the completed incident form is filed for audit and documentation purposes.

  If applicable, the Supervisory Authority and the data subject(s) are notified in accordance with the GDPR requirements (refer to section 5 of this policy). The Supervisory Authority protocols are to be followed and their ‘Security Breach Notification Form’ should be completed and submitted. In addition, any individual whose data or personal information has been compromised is notified if required, and kept informed throughout the investigation, with a full report being provided of all outcomes and actions.

  4.4                    Breach Risk Assessment

  4.4.1           Human Error

  Where the data breach is the result of human error, an investigation into the root cause is to be conducted and a formal interview with the employee(s) held.

  A review of the procedure(s) associated with the breach is conducted and a full risk assessment completed in accordance with the Company’s Risk Assessment Procedures. Any identified gaps that are found to have caused/contributed to the breach are revised and risk assessed to mitigate any future occurrence of the same root cause.

  Resultant employee outcomes of such an investigation can include, but are not limited to:

  • Re-training in specific/all compliance areas
  • Re-assessment of compliance knowledge and understanding
  • Suspension from compliance related tasks
  • Formal warning (in-line with the Company’s disciplinary procedures)

  4.4.2           System Error

  Where the data breach is the result of a system error/failure, the IT team are to work in conjunction with the Data Protection Officer to assess the risk and investigate the root cause of the breach. A gap analysis is to be completed on the system/s involved and a full review and report to be added to the Breach Incident Form.

  Any identified gaps that are found to have caused/contributed to the breach are to be revised and risk assessed to mitigate and prevent any future occurrence of the same root cause. Full details of the incident should be determined and mitigating action such as the following should be taken to limit the impact of the incident:

  • Attempting to recover any lost equipment or personal information
  • Shutting down an IT system
  • Removing an employee from their tasks
  • The use of back-ups to restore lost, damaged, or stolen information
  • Making the building secure
  • If the incident involves any entry codes or passwords, then these codes must be changed immediately, and members of staff informed

  4.4.3           Assessment of Risk and Investigation

  The Data Protection Officer should ascertain what information was involved in the data breach and what subsequent steps are required to remedy the situation and mitigate any further breaches.

  The lead investigator should look at:

  • The type of information involved
  • It is sensitivity or personal content
  • What protections are in place (e.g. encryption)?
  • What happened to the information/Where is it now?
  • Whether there are any wider consequences/implications to the incident

  The appointed lead should keep an ongoing log and clear report detailing the nature of the incident, steps taken to preserve any evidence, notes of any interviews or statements, the assessment of risk/investigation and any recommendations for future work/actions.

  5        Breach Notifications

  The Company recognises our obligation and duty to report data breaches in certain instances. All staff have been made aware of the Company’s responsibilities and we have developed strict internal reporting lines to ensure that data breaches falling within the notification criteria are identified and reported without delay.

  5.1.1                                   Supervisory Authority Notification

  The Supervisory Authority is to be notified of any breach where it is likely to result in a risk to the rights and freedoms of individuals. These are situations which if the breach were ignored, would lead to significant detrimental effects on the individual.

  Where applicable, the Supervisory Authority is notified of the breach no later than 72 hours after the Company becoming aware of it and are kept notified throughout any breach investigation, being provided with a full report, including outcomes and mitigating actions as soon as possible, and always within any specified timeframes.

  If for any reason it is not possible to notify the Supervisory Authority of the breach within 72 hours, the notification will be made as soon as is feasible, accompanied by reasons for any delay. Where a breach is assessed by the DPO and deemed to be unlikely to result in a risk to the rights and freedoms of natural persons, we reserve the right not to inform the Supervisory Authority in accordance with Article 33 of the GDPR.

  The notification to the Supervisory Authority will contain:

  • A description of the nature of the personal data breach
  • The categories and approximate number of data subjects affected
  • The categories and approximate number of personal data records concerned
  • The name and contact details of our Data Protection Officer and/or any other relevant point of contact (for obtaining further information)
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken or proposed to be taken to address the personal data breach (including measures to mitigate its possible adverse effects)

   

  Breach incident procedures are always followed, and an investigation carried out, regardless of our notification obligations and outcomes, with reports being retained and made available to the Supervisory Authority if requested.

  Where the Company acts in the capacity of a processor, we will ensure that controller is notified of the breach without undue delay. In instances where we act in the capacity of a controller using an external processor, we have a written agreement in place to state that the processor is obligated to notify us without delay after becoming aware of a personal data breach.

  5.2                    Data Subject Notification

  When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will always communicate the personal data breach to the data subject without undue delay, in a written, clear, and legible format.

  The notification to the Data Subject shall include:

  • The nature of the personal data breach
  • The name and contact details of our Data Protection Officer and/or any other relevant point of contact (for obtaining further information)
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken or proposed to be taken to address the personal data breach (including measures to mitigate its possible adverse effects)

  We reserve the right not to inform the data subject of any personal data breach where we have implemented the appropriate technical and organisational measures which render the data unintelligible to any person who is not authorised to access it (i.e. encryption, data masking etc) or where we have taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise.

  If informing the data subject of the breach involves disproportionate effort, we reserve the right to instead make a public communication whereby the data subject(s) are informed in an equally effective manner.

  6        Record Keeping

  All records and notes taking during the identification, assessment and investigation of the data breach are recorded and authorised by the Data Protection Officer and are retained for a period of 6 years from the date of the incident. Incident forms are to be reviewed monthly to assess for patterns or breach reoccurrences and actions taken to prevent further incidents from occurring.

  7        Responsibilities

  The Company will ensure that all staff are provided with the time, resources, and support to learn, understand, and implement all procedures within this document, as well as understanding their responsibilities and the breach incident reporting lines.

  The Data Protection Officer is responsible for regular compliance audits and gap analysis monitoring and the subsequent reviews and action follow ups. There is a continuous audit trail of all compliance reviews and procedural amendments and feedback to ensure continuity through each process and task.

• Turn2Me Cookie Policy

  What are Cookies?

  A cookie is a small text file, which often includes a unique identifier that is sent to your computer browser from a website’s computer and is stored on your computer’s hard drive. Some cookies are only placed on your device for the time you are browsing the website. Others may be stored on your device and sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device.Your browser only allows a website to access the cookies it has already sent to you, not the cookies sent to you by other websites. You can find more information about cookies, at www.allaboutcookies.org This website uses transient or session cookies. Cookies by themselves do not identify you or any user but they do identify your browser.  Because turn2me uses ‘transient’ cookies, your computer does not retain the information delivered in the cookie once you leave this Website.  When you close your browser the transient cookie set up by turn2me is destroyed, and no personal information is retained which could identify you or your browser next time you log on to turn2me.

  Accepting or rejecting Cookies You will be presented with Cookie options on visiting turn2me, you can chose to consent to our use of cookies by choosing “I consent” or if you would prefer we did not collect data by this method, you can choose “Manage my cookies” where you will be presented with further options to

  • Accept All
  • Reject All
  • Customise your acceptance options

  If you want to delete any cookies that are already on your computer, please refer to the instructions for your file management software to locate the file or directory that stores cookies. You can find out more about turning off cookies at the independent website www.allaboutcookies.org.

  Why we use the following cookies on this website:   The following are activities that we may use cookies for are to:

  • Store details that help you to manage accounts and service activity online, such as user login details.  Capture your geolocation so that certain services can be offered or restricted as the case may be.
  • Find out how people use our sites, such as how often they visit, which pages they go to, and which links they click on, so that we can improve our sites.
  • Help us to provide relevant information, such as details of services and other information that you may be interested in.

  Cookies used by turn2me:

  • Essential Services(Required) – To monitor site usage to allow us to provide a better user experience and to improve our services and geo locate our services. This is a required cookie by turn2me and you cannot opt out of it.
  • Facebook Pixel – To enable us to recognise and count the number of visitors coming from Facebook advertising and measure conversions from these ads.
  • Google Analytics – To enable us to recognise and count the number of visitors and to see how visitors move around the Website when they are using it. This helps us to improve the way our website works. These cookies collect information in an anonymous form

  How do I change my cookie settings?

  Once you have submitted your cookie preferences, the ‘Privacy Settings’ options will disappear from your screen.

  The current mechanism is browser-based, so that you can choose different privacy settings for different devices/browsers. We retain your privacy preferences until either one of the following happens:
  – Your browser cache is cleared- You use a different device or browser- You log out
  You can change your settings at any time by choosing “Privacy Settings” in the website footer.   You can completely remove cookies from your browser by following the instructions in this section of this policy. You can use your browser settings to choose whether you want to accept cookies or not, as well as to remove cookies that have been set on your device.You can find out how to manage cookies on popular browsers by using the links below:

  • Google Chrome
  • Microsoft Edge
  • Mozilla Firefox
  • Microsoft Internet Explorer
  • Opera
  • Apple Safari
  • Apple Safari Mobile

  To find information relating to other browsers, visit the browser developer’s website.To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout. It may also be possible to install extensions into your web browser that block cookies and online advertising.  Please consult your browser developer’s website for more information on this technology.While you can still visit and browse our website if you block or remove cookies, the functionality and performance of the website may be impaired as a result, and you may be prevented from using certain services provided through the website.If you would like to change your preferences in relation to certain cookies used for online targeted advertising, you can also visit the self-regulatory program opt-out webpages listed below:

  • www.youronlinechoices.eu
  • www.aboutads.info/choices/
  • www.networkadvertising.org/managing/opt_out.asp

  Please note that these sites are operated by third parties and not by turn2me. Please also note that any opt-out preference selected will only apply to the web browser on the particular device from which you access the opt-out options.

• Changes to this statement

  We may occasionally update this Privacy Statement. We encourage you to periodically review this Statement to stay informed about how we are helping to protect the personal information we collect. Your continued use of this service constitutes your agreement to this Privacy Statement and any updates.