County Carlow Development Partnership CLG is committed to supporting rural and community development in County Carlow and in this mission is required to collect data from members of the community. These policy statements outline Company policy with regard to the data it uses.
DATA PROTECTION POLICY
Together, the Irish Data Protection Acts, 1988 and the Data Protection (Amendment) Act 2003 regulate the way in which companies may use the personal information of individuals and prohibits the unauthorised use or disclosure of that information. It is Carlow County Development Partnership CLG’s policy to comply with its legal obligations in this regard.
The purpose of this document is to advise employees of the conditions surrounding the use and recording of employee personal data by Carlow County Development Partnership CLG.
This document sets out the conditions surrounding the collection, processing, and storage of data relating to employees and applicants for Carlow County Development Partnership CLG’s services (clients).
Employees must inform the Financial Controller of any changes to their personal details (for example, change of address etc) using the Personal Details Update Form.
Management must forward all personal information held about employees to the Financial Controller.
Applicants are notified, at registration, of the purposes, scope, and extent of the processing of their application data by Carlow County Development Partnership CLG and other parties involved in the application process.
Jason Culleton is responsible for the review and updating of this policy and bears overall responsibility for ensuring compliance with Irish Data Protection legislation.
- Personal Details Update Form
- This policy has been drafted in accordance with the Data Protection Acts, 1988 and 2003 and GDPR.
- Service Application Forms
- Service Notification/Consent Form
- Grievance Procedure.
See Glossary of Terms (appendix 1).
Collection and Storage of Information
Carlow County Development Partnership CLG processes personal data relating to its employees and clients in the course of business in a variety of circumstances e.g. recruitment, training, performance reviews, administration of benefits, processing of applications and to protect the legitimate interests of the company.
Processing of data includes collecting, recording, storing, altering, disclosing, and destroying data. This policy covers any individual about whom Carlow County Development Partnership CLG processes data. This may include potential employees (during the recruitment and selection process), current and former employees and clients.
Information which is usually obtained includes CVs, interview notes, references and other pre-employment screening checks (for example, Garda clearance), medical checks, bank account details, personal details necessary for the administration of benefits such as pay, sick pay, pensions, medical or performance records, disciplinary records, grievance records, training records, service application and registration forms, etc. This list is not exhaustive.
Personal information kept by Carlow County Development Partnership CLG will normally be stored on file within the organisation’s offices, and in the case of employees, in the employee’s personal file or other related HR files in accordance with this data protection policy and the Data Protection Acts, 1988-2003.
Where it is necessary to obtain personal information relating to any individual, Carlow County Development Partnership CLG will ensure that information is:
– Obtained and processed fairly;
– Retained for one or more specified, explicit and lawful purposes;
– Used and disclosed in a manner/s compatible with the purpose/s for which it was obtained;
– Kept safe and secure;
– Kept accurate, complete and up-to-date;
– Processed in a manner that is adequate, relevant and not excessive;
– Retained for no longer than is necessary for the purpose/s for which it was obtained; and
– Furnished to an employee (to whom it relates) on request in accordance with the Data Protection Acts, 1988-2003.
Personal information will normally be obtained directly from the employee concerned. However, in certain circumstances, it may be necessary to obtain information from third parties e.g. references from previous employers etc.
Where ‘sensitive personal data’ is required, the company will seek the express written consent of the employee or client to obtain and retain this information.
Personal information kept by Carlow County Development Partnership CLG shall normally be stored in the appropriate department’s filing system, or on the employee’s personnel file or other related HR files which are located in their line manager’s office. Access to this database is restricted to authorised personnel.
Highly sensitive information such as medical reports obtained during the course of an employee’s employment, medical certificates etc. will be stored in the employee’s personal file or other related files. The company will ensure that only authorised personnel have access to the employee’s personnel file or related HR files.
Data in relation to a client’s application will be processed and shared with other stakeholder organisations in an appropriate manner, based on the reasonable expectations set with the client at registration.
Personal information collected by the company is used for ordinary personnel management purposes. Where there is a need to collect information for another purpose, the company shall inform you of this. In cases where it is appropriate to get your consent to do this, the company will do so.
Employees are responsible for ensuring that they inform the company of any changes in their personal details, i.e. change of address etc. by completing and forwarding to their manager the Personal Details Update Form. Carlow County Development Partnership CLG will endeavor to ensure personal data held by the company is up to date and accurate.
The company is under a legal obligation to keep certain information as per the Data Retention Schedule. In addition, the company will need to keep personnel information for a period of time in order to protect its legitimate business interests, such retention is defined in the Data Retention Schedule.
Security and Disclosure of Information
Carlow County Development Partnership CLG shall take all reasonable steps to ensure that appropriate security measures are in place to protect the confidentiality of both electronic and manual information. Security measures will be reviewed from time to time having regard to the technology available, the cost and the risk of unauthorised access. Employees are trained in and are expected to comply with all security policies and procedures e.g. use of computer passwords, locking filing cabinets etc.
Personal information will only be processed for employment related purposes and in general will not be disclosed to third parties except where required or authorised by law or with the agreement of the employee. Client files are stored in the relevant employee’s office and authorised employee/s who have access to those files must ensure that they treat them confidentially. Employees working in the payroll department/accounts must treat all information they receive confidentially and must not disclose it, except in the course of their employment.
All employees will have access to a certain amount of personal data relating to clients, colleagues or third parties. Employees must play their part in ensuring its confidentiality. They must adhere to the data protection principles and must not disclose such information, except where necessary in the course of their employment, or in accordance with the law. They must not remove or destroy personal information except for lawful purposes. Employees are aware of and comply with the Carlow County Development Partnership CLG Data Retention Schedule. If an employee is in any doubt regarding their obligations they should contact their Manager or the CEO.
Any employee dealing with email or telephone queries should be careful about disclosing any personal information held by the company. Any requests for personal information relating to a person employed by the company should be directed to their manager or the CEO as per our Subject Access Request Policy.
As per the Breach Notification Policy, we are obliged to report certain breaches to the Office of Irish Data Protection Commissioner. Any breach of the data protection principles is a serious matter and may lead to disciplinary action up to and including termination of employment.
The company may request that interview candidates attend a Medical Practitioner for examination. The purpose of the report/examination is to determine an employee’s fitness or otherwise to do the job for which they are being considered. The information will not be used for any other purpose. A copy of the medical report with minimal reference to medical information will be retained and filed.
Occasionally, it may be necessary for the company to refer an employee to a company nominated doctor or other appropriate healthcare professional during the course or his/her employment. In exceptional circumstances, the company will request permission from the employee concerned to receive and retain a copy of the medical report from the examining doctor/medical professional.
This report will be received by the employee’s manager or CEO and will then be retained on the employee’s personnel file or related HR files as appropriate. The contents of the report may be disclosed to the employee’s immediate supervisor or manager. All copies of medical certificates submitted to the company during an employee’s absence, including return to work certificates will also be retained on the employee’s personal file or related HR files as appropriate.
Employees are entitled to request access to their medical reports. Should an employee wish to do so, please contact your Manager who will consult with the doctor/medical professional who examined you. The final decision lies with the doctor to decide whether the information should be disclosed to you or not in accordance with SI No. 82 of 1989.
The company will retain records of CVs, interview notes, reference, Garda clearance, etc. in order to ensure compliance with the Employment Equality Acts, 1998-2011 and with the company’s Equal Opportunities Statement as per the Data Retention Schedule.
The company provides email facilities and access to the internet. In order to protect against the dangers associated with email and internet use, screening software is in place to monitor email and web usage. Please refer to the company Computer, Email and Internet Policy for further details. Note in particular that the company may open your mailbox upon specific authorisation of the CEO in cases where there is a suspicion of inappropriate use of screening equipment or a complaint indicates that a particular mailbox may contain material which is dangerous or offensive or where there is a legitimate work reason or in the legitimate interests of the company. You should have no expectation whatsoever of privacy in relation to your use of company communications equipment.
The company will seek the express written consent of a former employee before giving a reference in relation to that former employee unless the requesting party can provide written evidence to Carlow County Development Partnership CLG that the former employee has given written consent to the disclosure of information in relation to him or her.
Close Circuit Monitoring
There are a limited number of security cameras located at Carlow County Development Partnership CLG premises, but with minimal recording of personal data by the organization. This is necessary in order to protect the company against theft or pilferage and for the security of staff and property which the company occupies (Jobs Club in Carlow). Access to any CCTV data recorded is strictly limited to authorised personnel.
Data Protection Officer
Jason Culleton is the Data Protection Officer for Carlow County Development Partnership CLG. Jason Culleton bears overall responsibility for ensuring compliance with data protection legislation. All employees must co-operate with the Data Protection Officer when he is carrying out his duties in accordance with data protection laws and policies.
Employees are entitled to establish what information exists about them and to request information held about them on computer or on their manual personal file in accordance with data protection legislation. The company will provide this information, where it exists and it is appropriate to do so, within 40 days.
A Data Subject should make a request in writing to The Data Protection Officer, Carlow County Development Partnership CLG, Bagenalstown, Co Carlow stating the exact information required.
Employees are only entitled to information about them and will not be provided with information relating to other employees or third parties.
An employee who is dissatisfied with the outcome of an access request has the option of raising their complaint under the company Grievance Procedure (refer to the staff handbook).
Right to Object
Clients and Employees have the right to object to data processing which is causing them distress. Where such objection is justified, the company will cease processing that information unless it has a legitimate business interest that prevents this. The company will make every effort to alleviate the distress caused to the individual.
It should be noted that, in some circumstances, such an objection will render an applicant’s application for Carlow County Development Partnership CLG services void.
An objection must be made in writing to Jason Culleton as the Data Protection Officer, outlining in detail the nature of their objection and grounds for same and the harm being caused to the employee.
Review of Policy
The company will regularly review the effectiveness of this policy to ensure that it is achieving its stated objectives.
This is the Privacy Statement of Carlow County Development Partnership CLG as it relates to the personal data which we process.
Carlow County Development Partnership CLG respects the rights of users of our services and visitors to our website and is committed to protecting your privacy in accordance with Irish Data Protection legislation at all times. We will not collect or process any personal information about you without your permission or otherwise in accordance with Irish legislation.
You are not required to provide us with any personal information (or personal data) in order to use our services or our website. However, where you choose to give us personal data, via submission of an applications for services, online feedback forms or e-mail, then we will treat your personal information in accordance with our obligations as a Data Controller in that regard.
Giving us your Personal Information
Please note that where you provide us with your personal information (e.g. name, e-mail address, work address, phone and/or other contact information), through a facility provided on this website or directly to us by post, telephone or e-mail, you consent to us:
- Processing and administering your personal data to perform all necessary actions to give effect to your request or instruction; and
- Retaining a record of incoming and outgoing communications (e.g. e-mail). Information in the e-mail we receive and send will not be disclosed to any third party without the permission of the sender unless otherwise in accordance with the Data Protection legislation.
Please note that by continuing to use this website you are giving us your consent to process your personal data as outlined in this Statement. Your consent is also provided to any successor or assignee of Carlow County Development Partnership CLG and/or any of its businesses.
We inform all persons who submit their personal data to us of these conditions by this Privacy Statement.
Security of Data
Carlow County Development Partnership CLG takes seriously its security obligations in respect of your personal data under the Data Protection Acts in order to prevent unauthorised access to, or alteration or destruction of personal data in our possession.
Right of Access
Where you have provided us with your personal data you have a right to be given a copy of your personal data in accordance with section 4 of the Irish Data Protection Acts, subject to certain exceptions. To request a copy of your personal data please read our Subject Access Request Policy.
Any Subject Access Request must be accompanied by a fee of €6.35. Please note the following important requirements:
- We reserve the right not to process an access request that is not accompanied by proof of identification;
- We shall not disclose your personal data unless the prescribed fee of €6.35 has been received; and
- We do not accept access requests via telephone, e-mail or text message.
Right of Rectification or Erasure
If we hold incorrect information about you, you have the right to have the data amended. To request your right to rectification and/or erasure please send your request in writing to:
The Data Protection Officer,
Carlow County Development Partnership
This request must be accompanied by:
- Proof of your name and address; and
- A description of the specific personal data you wish rectified.
If you request erasure of your personal data all your data will be erased subject to the following important notice:
- We are not required to rectify or erase your data where to do so would prevent you from meeting your contractual obligations to us or where we are required to process (including retaining) your personal data for a lawful purpose in accordance with Irish legislation.
Carlow County Development Partnership trusts that you appreciate that we respect and value your right to privacy, and that our honesty and integrity shall mean that you will continue to trust us with your personal data, knowing that we will not use it for any inappropriate purpose.
Glossary of Terms
Data relating to a living individual (who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller).
To ‘process’ such personal data means:
- obtaining, recording or keeping the information, or
- collecting, recording, organising, storing, altering or adapting the information or data,
- retrieving, consulting or using the information or data,
- disclosing the information or data by transmitting, disseminating or otherwise making it available, or
- aligning, combining, blocking, and erasing the information or data.
A Data Controller is a person who, either alone or with others, controls the contents and the use of personal data.
Principles of Data Protection
- The data must be obtained and processed fairly.
- The data shall be obtained for one or more specified, explicit and legitimate purpose(s).
- The data shall not be further processed in a manner incompatible with that purpose(s).
- Appropriate security measures must be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
- The data should be accurate, complete and kept up to date.
- The data shall be adequate, relevant and not excessive in relation to the purpose(s) for which it was collected.
- The data shall not be kept for longer than is necessary for that purpose(s).
- On request, individuals will have the right to access a copy of their personal data which relates or refers to them.
Sensitive Personal Data
‘Sensitive Personal Data’ includes information about a person’s:
- Racial or ethnic origin, political opinions, religious or philosophical beliefs;
- Trade union membership;
- Physical or mental health or condition, or sexual life;
- Commitment or alleged commitment of an offence or any proceeding for an offence committed or allegedly committed by the data subject, the disposal of such proceedings or the sentence of any court proceedings.