This procedure is to supplement the Data Protection Act 1988, 2003 and 2018 (“DPA”) and the new General Data Protection Regulations (GDPR) 2018.
Inishowen Rivers Trust (IRT) has a seven-point plan to ensure that it’s current practice is strengthened and complies with the intent as well as the letter of the new regulations:
- Define who is responsible
- Know what data we hold
- Update our privacy notices. (Primarily on the IRT’s website but includes future newsletters etc)
- Dealing with subject access requests
- Extra protection for children
- Reporting data breaches
- Data protection by design
The following sections will deal with each of these parts of the plan.
Who is responsible?
The main roles identified with respect to the control of data are:
The Inishowen Rivers Trust committee are ultimately responsible for the IRT’s management of data and fulfil the role of “Data Controller”. The Data Protection Policy will be reviewed annually by the Chairperson and Secretary and updated with any issues or risks to ensure that it is fit for purpose and that the purpose for collecting, storing and processing personal data is still required for the work of IRT.
This is the IRT Secretary, whose main responsibilities are to ensure that any processing of personal data within the IRT is done in accordance with the regulations and that data protection is built in at the design stage of any project rather than added in at the end.
Back-up of databases and security
This is the responsibility of the Data Processor.
From time to time individuals will ask informally to be added to contact databases. These requests need to be sent to the lead contact for the database as identified in the inventory. This will ensure that we audit the permission process and that the details are added to the correct database.
We know what data we hold & have created a data inventory
The IRT has audited its data holdings, identified the main sources of data and generated a data inventory. The inventory identifies where that data has come from, when it was collected and any third parties with whom the data may be shared. The IRT believes that it has identified all sources of personal data retained by the IRT committee, however, it is possible that legacy data will be uncovered in the future, if this happens the data will be deleted.
Review privacy notices and how we ask for consent and remove data on request
The Data Processor is responsible for the review of the IRT’s privacy notices and how we ask for consent to ensure that the IRT continues to follow best practice. The Data Inventory will be used to identify and remove personal data on request.
Build in extra protection for children
The IRT has only collected data from adults and it has not knowingly collected data from children. Should the IRT plan to collect personal data from children it will review its procedures and build in suitable protection as required.
Design in data protection at the start of a project
Data protection will be incorporated into the initial risk assessment for all projects to ensure that it is designed into each project. This will be project specific and the responsibility of the Project Manager.
General principles for the collection and use of personal data
- Processed fairly and lawfully.
- Obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with the purpose or those purposes.
- Adequate, relevant and not excessive in relation to the purpose(s)for which it is held.
- Accurate and, where necessary, kept up to date.
- Held no longer than is necessary for the specified purpose(s).
- Processed in accordance with the rights of the data subjects.
- Held securely, with appropriate technical and organisational measures taken to prevent unauthorised or unlawful processing of personal data, and to prevent accidental loss or destruction of, or damage to, personal data.
- Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures and adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.
All personal data processed will meet one of the conditions below:
- The data subject has given consent explicitly, where the purpose is obvious (e.g. gift aid).
- The personal information is related to the individuals professional interest in a project. This covers work emails, addresses and telephone numbers but also some private details of individuals such as @gmail accounts where these are provided explicity as the desired method of communication between the IRT and the individual.
- The processing is necessary to carry out a project
- It is needed to process the data in order to comply with a legal obligation (e.g. Requirement of funding, Garda vetting, Revenue Commissioners query).
- It is necessary to protect the vital interests of the data subject (e.g. repayment of expenses to directors, staff or volunteers etc).
- It is necessary for the administration of justice or for government or other functions of a public nature (e.g. claim for injury).
- It is necessary for the legitimate interests of the data controller or a third party to whom the information is disclosed.
Sensitive Personal Data
This will not be collected or processed by the IRT. If it is collected, the prior express consent of the data subject will be obtained. Sensitive personal data is information relating to:
- Racial or ethnic origin.
- Religious beliefs or similar.
- Trade union membership.
- Physical or mental health or condition.
- Sexual life.
- Commission or alleged commission of any offence.
- Any proceedings for any offences committed or allegedly committed by any data subject, the disposal of such proceedings or the Court’s sentence in any such proceedings.
The IRT is currently exempt from registration.
Protection of Personal Data
(a) Physical protection
The IRT’s employees/volunteers are required to effect and maintain security protection on all computers in accordance with the IT Policy. With home/office locations, there are self-defining safeguards against theft of, inter alia, computers and hard copy files. Dropbox as a cloud-based server uses Amazon S3 for data storage and, according to Amazon, it uses military grade perimeter berms, video surveillance and professional security staff.
The IRT does not encrypt files transmitted by email, and accordingly will not transmit any sensitive personal information by email. Contact details may be transmitted electronically within the IRT from time to time. Files stored on Dropbox are encrypted using the AES-256 standard.
(b) Confidentiality undertakings
All IRT committee members should maintain strict confidentiality in relation to personal data. Personal data is largely incidental to the business advice given. The confidentiality and personal data obligations are periodically reinforced at meetings.
Any external fundraising agreements or consultation responses will incorporate a clause making the confidentiality and data protection obligations clear. Other agreements routinely include reciprocal confidentiality undertakings to protect the IRT’s intellectual property rights and any personal data that may arise.
Subject access requests
Any request by an individual to have access to the personal data held by the IRT will be referred to the IRT Secretary. The request will be answered as soon as practicable and in any event within one month. It is the responsibility of the IRT Secretary to exercise his/her professional judgement or to seek external legal advice in any restriction of information disclosed if a request is received.
Dealing with a data breach
If there is a data breach it is the responsibility of the project manager and/or IRT data lead identified in the data inventory to notify the “Data processor” as soon as possible. The issue will be investigated by the IRT’s chairperson and rectified. Anyone affected by the data breach will be contacted and any mitigation required will be agreed and implemented.
The IRT will not use personal data for fundraising purposes or soliciting support, except where there is express consent. The IRT will not use personal data for other direct marketing of goods or services.
Right to prevent use of data
As a matter of routine, the IRT Secretary will arrange that any person who does not wish to receive any communication from the IRT accede to such a request.
Other than to maintain an audit trail for the IRT’s auditors or the Government’s auditors where public grants are involved, or the data is processed in such a manner so as to prevent any individual identification (e.g. market research data), the IRT Secretary will arrange for any other personal data the subject of a request to be deleted or provide an explanation in writing to the contrary.
Review of Policy
The IRT committee will review this Policy upon each renewal or registration change or more frequently if circumstances dictate or suggest otherwise. Any issues identified will be raised at an IRT committee meeting at the soonest opportunity.
If you require any further information or clarification on this Privacy and Data Protection Policy or any related issues, please contact firstname.lastname@example.org. In addition you can use the ‘Contact Us’ section of our website to register with us, provide consent, unsubscribe or edit your details.
Last updated: 12-09-2018