Carlow County Development Partnership Data Protection and Privacy Policy 2017

County Carlow Development Partnership CLG is committed to supporting rural and community development in County Carlow and in this mission is required to collect data from members of the community. These policy statements outline Company policy with regard to the data it uses.

Data Protection Policy

PURPOSE

Together, the Irish Data Protection Acts, 1988 and the Data Protection (Amendment) Act 2003 regulate the way in which companies may use the personal information of individuals and prohibits the unauthorised use or disclosure of that information.  It is Carlow County Development Partnership CLG’s (CCDP CLG) policy to comply with its legal obligations in this regard.

The purpose of this document is to advise employees of the conditions surrounding the use and recording of employee personal data by CCDP CLG.

SCOPE

This document sets out the conditions surrounding the collection, processing and storage of data relating to employees and applicants for CCDP CLG’s services (clients).

RESPONSIBILITY

Employees must inform Olive Nolan of any changes to their personal details (for example, change of address etc) using the Personal Details Update Form (see appendix 2).

Management must forward all personal information held about employees to Olive Nolan.

Applicants are notified, at registration, of the purposes, scope and extent of the processing of their application data by CCDP CLG and other parties involved in the application process.

Olive Nolan is responsible for the review and updating of this policy and bears overall responsibility for ensuring compliance with Irish Data Protection legislation.

APPLICABLE DOCUMENTS

  • Personal Details Update Form (appendix 2).
  • This policy has been drafted in accordance with the Data Protection Acts, 1988 and 2003.
  • Service Application Forms
  • Service Notification/Consent Form
  • Grievance Procedure.

DEFINITIONS

See Glossary of Terms (appendix 1).

PROCEDURE
Collection and Storage of Information

CCDP CLG processes personal data relating to its employees and clients in the course of business in a variety of circumstances e.g. recruitment, training, performance reviews, administration of benefits, processing of applications and to protect the legitimate interests of the company.

Processing of data includes collecting, recording, storing, altering, disclosing, and destroying data. This policy covers any individual about whom CCDP CLG processes data. This may include potential employees (during the recruitment and selection process), current and former employees and clients.

Information which is usually obtained includes CVs, interview notes, references and other pre-employment screening checks (for example, Garda clearance), medical checks, bank account details, personal details necessary for the administration of benefits such as pay, sick pay, pensions, medical or performance records, disciplinary records, grievance records, training records, service application and registration forms, etc. This list is not exhaustive.

Personal information kept by CCDP CLG will normally be stored on file within the organisation’s offices, and in the case of employees, in the employee’s personal file or other related HR files in accordance with this data protection policy and the Data Protection Acts, 1988-2003.

Where it is necessary to obtain personal information relating to any individual, CCDP CLG will ensure that information is:

– Obtained and processed fairly;
– Retained for one or more specified, explicit and lawful purposes;
– Used and disclosed in a manner/s compatible with the purpose/s for which it was obtained;
– Kept safe and secure;
– Kept accurate, complete and up-to-date;
– Processed in a manner that is adequate, relevant and not excessive;
– Retained for no longer than is necessary for the purpose/s for which it was obtained; and
– Furnished to an employee (to whom it relates) on request in accordance with the Data Protection Acts, 1988-2003.

Personal information will normally be obtained directly from the employee concerned. However, in certain circumstances it may be necessary to obtain information from third parties e.g. references from previous employers etc.

Where ‘sensitive personal data’ is required, the company will seek the express written consent of the employee or client to obtain and retain this information.

Personal information kept by CCDP CLG shall normally be stored in the appropriate department’s filing system, or on the employee’s personnel file or other related HR files which are located in their line manager’s office.  Access to this database is restricted to authorised personnel.

Highly sensitive information such as medical reports obtained during the course of an employee’s employment, medical certificates etc. will be stored on the employee’s personal file or other related files. The company will ensure that only authorised personnel have access to the employee’s personnel file or related HR files.

Data in relation to a client’s application will be processed and shared with other stakeholder organisations in an appropriate manner, based on the reasonable expectations set with the client at registration.

Personal information collected by the company is used for ordinary personnel management purposes. Where there is a need to collect information for another purpose, the company shall inform you of this. In cases where it is appropriate to get your consent to do this, the company will do so.

Employees are responsible for ensuring that they inform the company of any changes in their personal details, i.e. change of address etc. by completing and forwarding to their manager the Personal Details Update Form (see appendix 2). CCDP CLG will endeavor to ensure personal data held by the company is up to date and accurate.

The company is under a legal obligation to keep certain information as per the Data Retention Schedule. In addition, the company will need to keep personnel information for a period of time in order to protect its legitimate business interests, such retention is defined in the Data Retention Schedule.

Security and Disclosure of Information
Carlow County Development Partnership CLG shall take all reasonable steps to ensure that appropriate security measures are in place to protect the confidentiality of both electronic and manual information. Security measures will be reviewed from time to time having regard to the technology available, the cost and the risk of unauthorised access. Employees are trained in and are expected to comply with all security policies and procedures e.g. use of computer passwords, locking filing cabinets etc.

Personal information will only be processed for employment related purposes and in general will not be disclosed to third parties except where required or authorised by law or with the agreement of the employee. Client files are stored in the relevant employee’s office and authorised employee/s who have access to those files must ensure that they treat them confidentially. Employees working in the payroll department/accounts must treat all information they receive confidentially and must not disclose it, except in the course of their employment.

All employees will have access to a certain amount of personal data relating to clients, colleagues or third parties.  Employees must play their part in ensuring its confidentiality. They must adhere to the data protection principles and must not disclose such information, except where necessary in the course of their employment, or in accordance with the law. They must not remove or destroy personal information except for lawful purposes. Employees are aware of and comply with the CCDP Data Retention Schedule. If an employee is in any doubt regarding their obligations they should contact their Manager or the CEO.

Any employee dealing with email or telephone queries should be careful about disclosing any personal information held by the company. Any requests for personal information relating to a person employed by the company should be directed to their manager or the CEO as per our Subject Access Request Policy.

As per the Breach Notification Policy, we are obliged to report certain breaches to the Office of Irish Data Protection Commissioner. Any breach of the data protection principles is a serious matter and may lead to disciplinary action up to and including termination of employment.

Medical Information
The company may request that interview candidates attend a Medical Practitioner for examination. The purpose of the report/examination is to determine an employee’s fitness or otherwise to do the job for which they are being considered. The information will not be used for any other purpose.  A copy of the medical report with minimal reference to medical information will be retained and filed.

Occasionally, it may be necessary for the company to refer an employee to a company nominated doctor or other appropriate healthcare professional during the course or his/her employment. In exceptional circumstances, the company will request permission from the employee concerned to receive and retain a copy of the medical report from the examining doctor/medical professional.

This report will be received by the employee’s manager or CEO and will then be retained on the employee’s personnel file or related HR files as appropriate. The contents of the report may be disclosed to the employee’s immediate supervisor or manager. All copies of medical certificates submitted to the company during an employee’s absence, including return to work certificates will also be retained on the employee’s personal file or related HR files as appropriate.

Employees are entitled to request access to their medical reports. Should an employee wish to do so, please contact your Manager who will consult with the doctor/medical professional who examined you. The final decision lies with the doctor to decide whether the information should be disclosed to you or not in accordance with SI No. 82 of 1989.

Interview Records
The company will retain records of CVs, interview notes, reference, Garda clearance, etc. in order to ensure compliance with the Employment Equality Acts, 1998-2011 and with the company’s Equal Opportunities Statement as per the Data Retention Schedule.

Email/Internet Monitoring
The company provides email facilities and access to the internet. In order to protect against the dangers associated with email and internet use, screening software is in place to monitor email and web usage. Please refer to the company Computer, Email and Internet Policy for further details. Note in particular that the company may open your mailbox upon specific authorisation of the CEO in cases where there is a suspicion of inappropriate use of screening equipment or a complaint indicates that a particular mailbox may contain material which is dangerous or offensive or where there is a legitimate work reason or in the legitimate interests of the company. You should have no expectation whatsoever of privacy in relation to your use of company communications equipment.

Giving References
The company will seek the express written consent of a former employee before giving a reference in relation to that former employee unless the requesting party can provide written evidence to CCDP CLG that the former employee has given written consent to the disclosure of information in relation to him or her.

Close Circuit Monitoring
There are a limited number of security cameras located at CCDP premises, but with minimal recording of personal data by the organization.  This is necessary in order to protect the company against theft or pilferage and for the security of staff and property which the company occupies (Jobs Club in Carlow). Access to any CCTV data recorded is strictly limited to authorised personnel.

Data Protection Officer

Olive Nolan is the Data Protection Officer for Carlow County Development Partnership CLG. Olive Nolan bears overall responsibility for ensuring compliance with data protection legislation. All employees must co-operate with the Data Protection Officer when she is carrying out her duties in accordance with data protection laws and policies.

Access Requests
Employees are entitled to establish what information exists about them and to request information held about them on computer or on their manual personal file in accordance with data protection legislation.  The company will provide this information, where it exists and it is appropriate to do so, within 40 days.

A Data Subject should make a request in writing to The DPO, CCDP CLG, Bagenalstown, Co Carlow stating the exact information required.

Employees are only entitled to information about them and will not be provided with information relating to other employees or third parties.

An employee who is dissatisfied with the outcome of an access request has the option of raising their complaint under the company Grievance Procedure (refer to the staff handbook).

Right to Object
Clients and Employees have the right to object to data processing which is causing them distress. Where such objection is justified, the company will cease processing that information unless it has a legitimate business interest that prevents this. The company will make every effort to alleviate the distress caused to the individual.

It should be noted that, in some circumstances, such an objection will render an applicant’s application for CCDP services void.

An objection must be made in writing to Olive Nolan as the DPO, outlining in detail the nature of their objection and grounds for same and the harm being caused to the employee.

Review of Policy
The company will regularly review the effectiveness of this policy to ensure that it is achieving its stated objectives.

Privacy Policy (Website)

Introduction

This is the Privacy Statement of Carlow County Development Partnership as it relates to the personal data which we process.

In addition to this Privacy Statement you are advised to read our Data Protection Policy and the Cookie Policy on our website.

Carlow County Development Partnership respects the rights of users of our services and visitors to our website and is committed to protecting your privacy in accordance with Irish Data Protection legislation at all times. We will not collect or process any personal information about you without your permission or otherwise in accordance with Irish legislation.

You are not required to provide us with any personal information (or personal data) in order to use our services or our website. However, where you choose to give us personal data, via submission of an applications for services, online feedback forms or e-mail, then we will treat your personal information in accordance with our obligations as a Data Controller in that regard.

Giving us your Personal Information

Please note that where you provide us with your personal information (e.g. name, e-mail address, work address, phone and/or other contact information), through a facility provided on this website or directly to us by post, telephone or e-mail, you consent to us:

  1. Processing and administering your personal data to perform all necessary actions to give effect to your request or instruction; and
  2. Retaining a record of incoming and outgoing communications (e.g. e-mail). Information in the e-mail we receive and send will not be disclosed to any third party without the permission of the sender unless otherwise in accordance with the Data Protection legislation.

 

Please note that by continuing to use this website you are giving us your consent to process your personal data as outlined in this Statement.  Your consent is also provided to any successor or assignee of Carlow County Development Partnership and/or any of its businesses.

We inform all persons who submit their personal data to us of these conditions by this Privacy Statement.

Security of Data

Carlow County Development Partnership takes seriously its security obligations in respect of your personal data under the Data Protection Acts in order to prevent unauthorised access to, or alteration or destruction of personal data in our possession. 

Right of Access

Where you have provided us with your personal data you have a right to be given a copy of your personal data in accordance with section 4 of the Irish Data Protection Acts, subject to certain exceptions.  To request a copy of your personal data please read our Subject Access Request Policy.

Any Subject Access Request must be accompanied by a fee of €6.35.  Please note the following important requirements:

  • We reserve the right not to process an access request that is not accompanied by proof of identification;
  • We shall not disclose your personal data unless the prescribed fee of €6.35 has been received; and
  • We do not accept access requests via telephone, e-mail or text message.

Right of Rectification or Erasure

If we hold incorrect information about you, you have the right to have the data amended. To request your right to rectification and/or erasure please send your request in writing to:

The Data Protection Officer,

Carlow County Development Partnership

Main St.

Bagenalstown

Co. Carlow

This request must be accompanied by:

  • Proof of your name and address; and
  • A description of the specific personal data you wish rectified.

If you request erasure of your personal data all your data will be erased subject to the following important notice:

  • We are not required to rectify or erase your data where to do so would prevent you from meeting your contractual obligations to us or where we are required to process (including retaining) your personal data for a lawful purpose in accordance with Irish legislation.

Carlow County Development Partnership trusts that you appreciate that we respect and value your right to privacy, and that our honesty and integrity shall mean that you will continue to trust us with your personal data, knowing that we will not use it for any inappropriate purpose.

Appendix 1

Glossary of Terms

Personal Data

Data relating to a living individual (who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller).

Processing Data

To ‘process’ such personal data means:

  • obtaining, recording or keeping the information, or
  • collecting, recording, organising, storing, altering or adapting the information or data,
  • retrieving, consulting or using the information or data,
  • disclosing the information or data by transmitting, disseminating or otherwise making it available, or
  • aligning, combining, blocking, and erasing the information or data.

Data Controller

A Data Controller is a person who, either alone or with others, controls the contents and the use of personal data.

Principles of Data Protection

  • The data must be obtained and processed fairly.
  • The data shall be obtained for one or more specified, explicit and legitimate purpose(s).
  • The data shall not be further processed in a manner incompatible with that purpose(s).
  • Appropriate security measures must be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
  • The data should be accurate, complete and kept up to date.
  • The data shall be adequate, relevant and not excessive in relation to the purpose(s) for which it was collected.
  • The data shall not be kept for longer than is necessary for that purpose(s).
  • On request, individuals will have the right to access a copy of their personal data which relates or refers to them.

 

Sensitive Personal Data

 ‘Sensitive Personal Data’ includes information about a person’s:

  • Racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • Trade union membership;
  • Physical or mental health or condition, or sexual life;
  • Commitment or alleged commitment of an offence or any proceeding for an offence committed or allegedly committed by the data subject, the disposal of such proceedings or the sentence of any court proceedings.


Appendix 2

 

Employee Personal Details Update Form

Employee Personal Details Update Form

Personal Details
First name: Surname:
Start date:
Address:
In Case of Emergency: Next Of Kin Details
Name: Contact Number:
Contact Address:
Relationship to Employee:
Dependants (children or other persons you are responsible for) – if relevant for pension/benefit purposes
Name of Dependant: Date of Birth: Relationship with Dependant:

E.g. Son, Daughter, Legal Guardian etc.

     
     
     
     
     
     
     
Other Information
Address (Home Country, if different to above):