Polasaí um Chosaint Sonraí Údarás na Gaeltachta

Data Protection

 

Based on the General Data Protection Regulation and the Data Protection Acts, this Data Protection Policy lays the base for each staff member in the organisation to develop their understanding of data protection concepts and their awareness of their individual responsibilities in this regard. That will enable the organisation to fulfil its legal obligations in relation to the data protection legislation in each area of its operations.

 

Údarás operates in accordance with the Údarás na Gaeltachta Act, 1979-2010 and the Gaeltacht Act 2012. Under the Gaeltacht Act 2012 “(3A) An tÚdarás may carry on, control and manage in the Gaeltacht in respect of the linguistic, cultural, social, physical and economic development of the Gaeltacht, such schemes, projects, programmes and facilities as it thinks fit.” To fulfil its functions, Údarás na Gaeltachta is obliged to collect and process certain personal data relating to the Board, Staff, Clients, Third Parties and other members of the organisation’s community, present, past and future. Údarás na Gaeltachta is a personal data controller and processor.

1. Introduction

Údarás na Gaeltachta’s mission is:

“To develop a vibrant, successful and sustainable Gaeltacht community and economy, and thus strengthen and maintain the use of Irish as the main language of the Gaeltacht community so that the Gaeltacht is a region of excellence on a global level.”

 

Údarás na Gaeltachta wishes to protect people’s rights and privacy in accordance with the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation, and understand the rights given to people by the Acts and the General Data Protection Regulation and the responsibilities the Acts and the Regulation places on Údarás na Gaeltachta staff members who process personal data in their work.

The data protection legislation gives individuals rights and places responsibilities on people who process personal data. This policy lays out the manner in which Údarás na Gaeltachta processes personal data, ensuring that staff understand the rules applicable to the usage of personal data available to them in the course of their work.

The General Data Protection Regulation (GDPR EU 2016/679) came into force on May 25th 2018 and replaced the Data Protection Directive 95/46/EC, and has been devised to coordinate data protection laws across Europe, to protect and empower all EU citizens’ data privacy and to restructure the approach used by organisations throughout the region in regard to data protection.

2. Purpose

 This Data Protection Policy applies to all Údarás na Gaeltachta staff, including permanent and temporary, Board Members, staff members working on a contract basis for the organisation and to other people that have been authorised to access personal data being held by Údarás na Gaeltachta. This policy should be read along with the organisation’s other relevant policies and procedures.  Údarás na Gaeltachta may add to this policy or amend it with other policies and guidelines from time to time.

3. Scope

This policy applies to all the organisation’s personal data processing functions regarding identified or identifiable natural persons, including processing functions regarding clients, employees, suppliers and any other personal data processed by Údarás na Gaeltachta from any source.

Personal data is defined as any information pertaining to an identified or identifiable natural person (‘data subject’); an identifiable natural person is a person that can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier or one or more of the factors that relate specifically to the physical, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data are defined as personal data that disclose racial or ethnic origin, political opinions, religious or philosophical belief, trade union membership, genetic data, biometric data to uniquely identify a natural person, data relating to health or data relating to a natural person’s sex life and sexual orientation.

4. Principles of Data Protection

To fulfil its functions, Údarás na Gaeltachta is required to comply with the principals of data protection as set out in the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation 2016, that can be summarised as follows:

 

4.1     Lawfulness, fairness and transparency

The personal data will be processed in a lawful, fair and transparent manner regarding the data subject. Information is collected from the Board, staff, clients and from other members of the public.  Information regarding other people being held by the organisation (Board Members, post applicants within the organisation, grant applications), the information will usually have been provided by the individuals themselves with full and informed consent, and compiled while they were employed or on contract with the organisation. The data is dealt with in accordance with the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation 2016, and with the terms of this Data Protection Policy. Such information will be collected and processed fairly. 

 

4.2       Purpose limitation

Personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving in the public interest, for scientific or historical research or for statistical purposes, shall, in accordance with Article 89(1) of the GDPR, not be considered to be incompatible with the initial purposes.

 

4.3       Data minimisation

Personal data will be adequate, relevant and limited to the extent required

for the purposes of processing.

 

4.4       Accuracy

Personal data will be accurate and, when required, kept up to date. All reasonable efforts will be made to ensure that inaccurate personal data is erased or amended without delay, for the purposes for which they are processed.

 

4.5       Storage limitation

Personal data should not be held longer than necessary for the specific purposes.  Personal data may be stored for a longer period but the data should not be processed other than for archiving in the public interest, for scientific or historical research or to collect statistics in accordance with Article 89(1) of the GDPR, subject to the implementation of appropriate technical and organisational measures included in this Regulation to safeguard the rights and freedoms of the data subject.

 

4.6       Integrity and confidentiality

Processing of personal data will be done in a manner that will ensure the appropriate security of the personal data, including the prevention of unauthorised or illegal processing and of accidental loss, destruction or damage, using appropriate technical or organisational measures.

5. Rights of Data Subjects

Údarás na Gaeltachta will design policies and procedures and will provide training to implement the following rights of data subjects:

 

 

 

5.1       Right of access by the data subject

Údarás na Gaeltachta will implement procedures to ensure that requests for access to their own personal data from data subjects will be identified and fulfilled in accordance with legislation.

 

5.2       Right to rectification

Údarás na Gaeltachta is committed to keeping data subjects’ data accurate, and processes and procedures will be implemented to ensure that data subjects can rectify their data in cases where inaccurate information is identified.

 

5.3       Right to erasure (right to be forgotten)

Údarás na Gaeltachta will only process personal data when there is a lawful basis to do so. In the event that Údarás na Gaeltachta receives a request from a data subject to exercise their right of erasure, Údarás na Gaeltachta will consider whether the data may be erased without affecting the organisation’s ability to provide future benefits and services to the data subject.

 

5.4       Right to restriction of processing

Údarás na Gaeltachta will consider whether or not it should act on a request from a data subject to restrict the processing of their data.

 

5.5        Right to data portability

Údarás na Gaeltachta will only process personal data when there is a lawful basis to do so. In the event that Údarás na Gaeltachta has collected personal data about a data subject by consent or by contract, the data subject has the right to get the data in a structured format that is commonly used and machine-readable, and that person also has the right to transfer that data to another controller.

 

5.6       Right to object

Data subjects have the right to complain about the processing of their own data in specific circumstances, as laid out in Article 21 of the GDPR. When such a complaint is received, Údarás na Gaeltachta will consider the case on its merits.  Under the Gaeltacht Act 2012 “(3A) An tÚdarás may carry on, control and manage in the Gaeltacht in respect of the linguistic, cultural, social, physical and economic development of the Gaeltacht, such schemes, projects, programmes and facilities as it thinks fit.”

 

5.7       Right not to be subject to automated decision-making

The data subject has the right not to be subject to a decision that is solely based on automated processing, where such a decision has a legal or similar consequence for him/her. Where a system or processes have been implemented, including benefits or services, Údarás na Gaeltachta shall ensure that an appropriate right to appeal will be available to the data subject.

 

 

 

5.8       Right to complain

Údarás na Gaeltachta shall have a complaints process in place which a data subject can use to contact the Data Protection Officer (DPO). The DPO will work with the data subject to deal with the complaint to the satisfaction of both parties. The data subject will be informed about his/her right to complain to the Data Protection Commission.

6. Responsibility for this Policy

Údarás na Gaeltachta is committed to conforming with all relevant EU and Irish laws in regard to personal data, and to the protection of people’s data and freedoms.

Every staff member in Údarás, and third parties working on behalf of the organisation, who collect and/or control content and the use of personal data on their own, has a responsibility to ensure that personal data is collected, held and handled appropriately. Every staff member who handles personal data has a responsibility to ensure that it is handled and processed in accordance with this policy, best practice and with legislation.

7. The organisation’s responsibilities

Údarás na Gaeltachta is responsible for the following:

 

7.1       Maintaining a record of data processing

Údarás na Gaeltachta will maintain a record of the data processing activities as set out in Article 30 of the GDPR. To ensure data accuracy, each department will review the records they possess on an annual basis.

 

7.2       Ensuring appropriate technical and organisational measures

Údarás na Gaeltachta will implement appropriate technical and organisational measures to ensure that personal data is being protected and to demonstrate same.

 

7.3       Implementing appropriate agreements with third parties

Údarás na Gaeltachta will implement appropriate agreements and contracts with all third parties it shares personal data with. The term ‘third party’ encompasses the departments and other agencies of the Irish Government. Every agreement of that kind shall be implemented in writing before the transfer of data begins. That agreement will lay out specifically the purpose of the transfer, the need for sufficient security, the right to terminate a process and to limit further transfers to another party, and it will include that requests for information will be replied to and that there will be a right to audit.

 

7.4       Data protection by design and default

Before deciding on the method of process and during that process, Údarás na Gaeltachta will ensure that appropriate technical and organisational measures and protections are integrated into the process and that the principles regarding data protection are adhered to.

 

7.5       Data Protection Impact Assessments (DPIAs)

Where there is a significant risk to the rights and freedoms of the data subject as a result of a new form of processing, especially if new technology is being used, Údarás na Gaeltachta will do a Data Protection Impact Assessment (DPIA). As part of this process, copies of the impact assessment will be shared with the organisation’s Data Protection Officer. In the event that Údarás na Gaeltachta cannot find a measure that would mitigate the significant risks identified, the organisation will confer with the Data Protection Commission before commencing with the process.

 

7.6       Personal data breaches

‘Personal data breaches’ are defined as security breaches resulting in the erasure, loss, alteration, or unauthorised disclosure of personal data that has been transmitted, stored or otherwise processed, or unauthorised access to the data, either by accident or illegally.

Údarás na Gaeltachta has developed a protocol to manage data protection breaches, and that encompasses a methodology to deal with a personal data breach and to inform the DPC about it and also the data subjects where necessary.

7.7       Freedom of Information

Under the Freedom of Information Act, 2014, Údarás na Gaeltachta is obliged to publish information about its activities, and to provide citizens and clients with the information it possesses, personal information included.

Údarás na Gaeltachta will implement procedures to ensure that requests for personal data are dealt with appropriately, whether they are under data protection legislation or under freedom of information legislation.

7.8       Governance

Údarás na Gaeltachta will monitor compliance with the relevant legislation through the organisation’s policies and procedures.

8. Responsibilities of the Data Protection Officer

The Data Protection Officer

Under Article 37 of the GDPR, each public body must appoint a Data Protection Officer (DPO).  The DPO is accountable to the Secretary of the Board and his/her responsibilities include the following:

 

  1. Provide all staff with the latest information regarding responsibilities, risks and data protection issues;
  2. Provide support for data protection within the organisation;
  3. Monitor compliance with the relevant data protection legislation;
  4. Review and update, as appropriate, on an annual basis on all the organisation’s data protection policies;
  5. Convey the organisation’s policies regarding data protection to each staff member and everyone mentioned in this policy, and organise appropriate training and advice for them regarding data protection;
  6. Provide advice where requested as regards the Data Protection Impact Assessments and monitor that such assessments are completed to an appropriate standard;
  7. Provide advice on data protection matters to staff members, Board members and other stakeholders;
  8. Reply to individuals, such as clients and employees, who wish to exercise their data protection rights;
  9. Liaise with staff members to ensure the implementation of appropriate agreements regarding data processing with third parties that handle the organisation’s data, and ensure that third parties are reviewed regularly;
  10. Ensure the updating of data processing records as necessary;
  11. Act as a contact point and provide cooperation with the Data Protection Commission.

9. Staff Responsibilities

Any person who processes data on behalf of the organisation must comply with this Data Protection Policy

9.1       Training and Awareness

All staff will receive appropriate training regarding the GDPR, data protection and the management of records. New staff members will receive training as part of the induction process.  All staff members will be informed of data protection responsibilities by the Data Protection Officer and through regular communication with the organisation’s GDPR coordinators.

  • Failure to comply with the data protection policy

Each staff member has a duty to ensure that the principles of data protection are complied with and that the provisions of this policy are adhered to. Each staff member is responsible for ensuring that all data as part of their daily duties be done in accordance with the data protection legislation and with this policy. Any breach of this policy may result in disciplinary action.

10. Third Party Policies

As part of Údarás na Gaeltachta’s function as personal data controller, a data processor may be used occasionally to process personal data on behalf of Údarás na Gaeltachta.

In each case, the processing is done on an agreed contract, ensuring that the processor is processing personal data in accordance with the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation, 2016.
Each agreement that is proposed between Údarás na Gaeltachta and a third party must be prepared in conjunction with the Corporate Secretariat Department.

11. Questions regarding the Data Protection Policy

Further information in relation to data protection is available on our website here.

Questions or concerns regarding the organisation’s data protection policies should be forwarded to the Data Protection Officer at:

 

The Data Protection Officer

Údarás na Gaeltachta,

Na Forbacha,

Co. na Gaillimhe,

H91 TY22.

 

Email: acs@udaras.ie

Appendix 1

Definition of the terms used in relation to personal data protection and that have been referred to in this policy

 

The Data Protection Acts – the Data Protection Acts 1988 to 2018, confer rights on individuals as well as responsibilities on those who handle, process, manage and control personal data. All staff members of the organisation must comply with the provisions of the Data Protection Acts when collecting and storing personal data. This applies to personal data regarding the organisation’s staff and also individuals who are in contact with Údarás na Gaeltachta.

 

Data – Information in a form that can be processed. That includes automated or electronic data (any information on computer or information recorded to be put on computer) and manual data (information that has been recorded as part of a relevant coding system or to be placed on a relevant coding system).

 

Personal data – Data relating to a living individual that is identified or is identifiable from the data, or from the data plus some other information, or that may be in the data controller’s possession.

 

Special categories of personal data – Personal data that reveals racial or ethnic origin, political opinions, religious or philosophical belief, trade union membership, genetic data, biometric data to uniquely identify a natural person, data regarding health or data regarding a natural person’s sex life or sexual orientation.

 

Relevant filing system – Any set of information that has been arranged by name, PPS Number, payroll number, staff number, date of birth, or any other identifier, is deemed relevant.

 

Data processing – Any operation or set of operations performed on data, including:

 

  • Obtaining, recording or keeping the data;
  • Collecting, organising, storing, altering or adapting the data;
  • Retrieving, observing or using the data;
  • Disclosing the data by transmission, transmitting, disseminating or otherwise making it available;
  • Aligning, collating, blocking, erasing or destroying the data.

 

Data subject – An individual who is the subject of the data.

 

Access Request – Where an individual submits a request to the organisation to disclose his/her personal data in accordance with data protection legislation.

 

Data controller – An individual (alone or with others) who controls the contents and use of personal data.

 

Data processor – A person who processes information on behalf of the data controller, e.g. an employee in an organisation to whom the data controller outsources data. The Acts place responsibilities on people who process data.  Note: A data processor does not refer to an employee of the data controller.

 

Personal data breach – A security breach resulting in the erasure, loss, alteration, or unauthorised disclosure, personal data that has been transferred, stored or otherwise processed, or unauthorised access of such data, be that by accident or done illegally.

Appendix 2

Purpose:

Údarás na Gaeltachta’s mission is:

“To develop a vibrant, successful and sustainable Gaeltacht community and economy, and thus strengthen and maintain the use of Irish as the main language of the Gaeltacht community so that the Gaeltacht is a region of excellence on a global level.”

Description:

To achieve all the objectives of the organisation’s functions, including:

  • General Administration (telephone directories, contact lists, distribution lists, email addresses, CCTV footage that is kept for 28 days):
  • IT Services and Applications (email addresses, staff numbers);
  • Financial and Personnel Management (data relating to employees, salaries, deductions, work history, CVs, and personal data when required);
  • Programmes, grants, processes and procedures relating to the organisation (applicants’ data and records requested in the application process);
  • Data relating to Údarás Board Members (contact details, CVs, bank details to pay fees/expenses);
  • Freedom of Information (applicants’ contact details);
  • Licensing, certification and authorisations as appropriate for the organisation;
  • Data relating to public consultation processes.

People/Entities to whom data is or may be disclosed:

  • The Minister for Culture, Heritage and the Gaeltacht and any other Minister to whom responsibility may be assigned for organisation functions, or when necessary or appropriate.
  • The Department of Culture, Heritage and the Gaeltacht;
  • Members of the Oireachtas in the discharge of their representative and parliamentary duties;
  • Government Departments/Offices;
  • State Agencies;
  • Office of the Revenue Commissioners;
  • The Pensions Authority;
  • Comptroller and Auditor General;
  • National Shared Services Office;
  • Department of Employment Affairs and Social Protection;
  • Data Protection Commission;
  • An Garda Síochána;
  • The Information Commissioner’s Office;
  • The Attorney-General’s Office and the Chief State Solicitor’s Office;
  • Freedom of Information – disclosure of data under the FOI Acts;
  • The organisation’s website – data about certain aspects of the organisation’s work is available on the website, as appropriate;
  • Authorised staff members – personal data is available to authorised staff members only, and that is protected by restricted access to files.

Appendix 3

Implementing the Data Protection Legislation

 

The Data Protection Commission

The Data Protection Commission (DPC) was established as a result of the Data Protection Acts 1988 to 2018. The Commission is the oversight authority and is responsible for monitoring the legality of the processing of personal data in accordance with the data protection legislation.   All the functions of the Data Protection Commissioner have now been transferred to the Commission.

The Commission will not have more than 3 members, as decided by Government. Each member of the Commission will be called a Data Protection Commissioner.

Included in the Commission’s duties is the promotion of public awareness and understanding in regard to risks, rules, protection measures and rights in regard to processing, complaints about the handling of data material, and working with (including the sharing of information with) other data protection authorities in other member states of the EU.

The Commission has a register, available for public inspection, which gives general data about the data handling practices used by a range of data controllers, such as Government Departments, State agencies and financial institutions.

The Commission has a wide range of enforcement powers to ensure that data protection principles are being adhered to.  These include the serving of legal notices to compel a controller to provide information to assist its investigation, compelling a controller to implement a provision in the Act, etc.

The Commission inspects complaints from the general public regarding the manner in which an organisation is processing their personal data. For example, the Commission can authorise officials to enter a premises and inspect personal information being held on a computer or in a relevant paper filing system. Further information about raising potential concerns or infringements of your data protection rights can be found at https://dataprotection.ie/en.

 

In a case where the Commission decides to impose an administrative fine on a data controller or a processor that is a public authority or a public body, the fine shall not exceed €1,000,000.

 

 

Personal Data Access Requests

Under data protection legislation, individuals have the right to get a copy from Údarás na Gaeltachta of any personal information about them being held on computer or in a structured filing system.

 

To obtain copies of personal data being held at Údarás na Gaeltachta requests in writing should be sent to the address below:

 

The Data Protection Officer

Údarás na Gaeltachta,

Na Forbacha,

Co.  na Gaillimhe,

H91 TY22.

Email: acs@udaras.ie

 

Further information about access rights, including an Application Form for Personal Data is available here.

 

 

Responding to an access request

When a valid request is received, the organisation must reply to it within one month, even in a case where no personal data is being held. In cases involving complicated requests or a large amount of requests, a two month extension may be applied to that time limit.

There is no fee for an access request to your own personal data, unless the request is considered manifestly unfounded or excessive.

There are certain exceptions to data disclosure, including third party data, data that is legally privileged, or data that is required to prevent, investigate or charge criminal offences.

Section 61(1) of the Data Protection Act 2018 allows for restrictions in the case of certain data material where data is processed for archiving in the public interest.

Who will the policy apply to?

The policy applies to the entire staff in the organisation and to the Board.

 

Personal Data regarding Deceased People

Best practice is that personal data regarding deceased persons is held and processed in the same manner as is done with a living individual’s personal data.

 

Provide the person with a copy of his/her Personal Data, when asked

To make an access request, a person must make the request in writing to the organisation’s  Data Protection Officer by filling out a Personal Data Request Form (see Appendix 4) and returning it to acs@udaras.ie.

 

Protecting Údarás na Gaeltachta Data 

To assist the employees with the implementation of this policy, the data protection procedures are available on the organisation’s intranet.  These regulations set out the main areas of work within the organisation where data protection problems may arise and sets out best practice for addressing such.

 

Keeping personal data accurate, complete and up to date

Rectifying personal data

We do our utmost to ensure that personal data is accurate and up to date.

 

If you feel that your personal data is not accurate or relevant, you may contact us in writing or by email at acs@udaras.ie

You should provide a detailed explanation about the personal data in question and the reasons you believe them to be inaccurate or irrelevant.

 

We will amend the data within 30 days, or else we will provide an explanation as to why we are unable to do so.