STATUS OF THE POLICY
- This policy does not form part of the formal contract of employment, but it is a condition of employment that staff abide by the rules and policies made by the organisation. Any failure to follow this policy can therefore result in disciplinary proceedings.
- Any staff member who considers that this policy has not been followed in respect of personal information about themselves, should raise the matter with their line manager initially. If the matter is not resolved, it should be raised as a formal grievance.
WHY PERSONAL INFORMATION IS COLLECTED
- In order to operate efficiently, this organisation has to collect and use information about people with whom it works. These may include members of the public, current, past and prospective staff members, clients, service users and suppliers. In addition, the organisation may be required by law to collect and use information in order to comply with the requirements of Government.
HOW PERSONAL INFORMATION IS TREATED
- The organisation regards the lawful and responsible treatment of personal information as very important for successful operation and for maintaining confidence between the organisation and those with whom it carries out business. The organisation will take the following steps.
THE PRINCIPLES OF THE GENERAL DATA PROTECTION REGULATIONS
- The organisation will comply with principles set out in the Act. Through appropriate management controls, the organisation will ensure that personal data is:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data is inaccurate, having regard to the purposes for which it is processed, erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
People 1st Data Controller is Bernadette Daly (General Manager) – the controller will be responsible for, and be able to demonstrate, compliance with the principles.
STAFF AWARENESS AND INVOLVEMENT
- Staff are key to ensuring that the organisation complies with the Act. The organisation will ensure that:
- there is a staff member with specific responsibility for data protection in the organisation and who will be named as the Data Protection Officer. People 1st Data Protection Officer is Jacqueline McStravick.
- everyone managing and handling personal information understands they are contractually responsible for following good data protection practice
- everyone managing and handling personal information is appropriately trained to do so
- everyone managing and handling personal information is appropriately supervised
- anyone wanting to access their personal information knows what to do
- queries about handling personal information are promptly and courteously dealt with
- methods of handling personal information are regularly assessed and evaluated
- performance in handling personal information is regularly assessed and evaluated
- data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal information will be in compliance with approved procedures.
CONTRACTORS AND THIRD PARTIES
- All contractors, consultants, partners or other servants or agents of the organisation who are users of personal information supplied by the organisation will be required to confirm that they will abide by the requirements of the Act. The organisation will require that they enter into a contract which will oblige them to:
- ensure that they and all of their staff who have access to personal information held or processed for us or on our behalf, are aware of this policy and are fully trained in and are aware of their duties and responsibilities under the Act. Any breach of any provision of the Act will be deemed as being a breach of any contract between this organisation and that individual, company, partner or firm
- ensure that they only act on our instructions with regard to the processing of personal information we supply to them
- ensure that they have adequate security around personal information supplied to them and, in particular, will take appropriate organisational and technical steps to ensure that there is no loss, damage or destruction of such information
- allow data protection audits by the organisation, of information held on its behalf (if requested)
- indemnify the organisation against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation arising out of any breach of the Act by them.
SUBJECT ACCESS REQUESTS
- Staff, service users and other individuals about whom the organisation holds personal information have the right to access it. Any person may exercise this right by submitting a request in writing to, or emailing the General Manager – [email protected].
11. To comply with the GDPR rules, the organisation does not charge for subject access requests, however does retain the right, under the GDPR rules, to charge a ‘reasonable fee’ when a request is, in the Data Controller’s opinion, clearly unfounded or excessive, particularly if it is repetitive. Any fee charged will be based on the administrative cost of providing the information.
- The organisation aims to comply with requests for access to personal information as quickly as possible, but will ensure that this is provided within one month from the date the request is received, unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing within a month of receiving the request, along with an estimation of when the information will be made available (no later than another two months).
NOTIFICATION TO THE INFORMATION COMMISSIONER – Reference Z8932430
- The Act requires the organisation to notify our processing of personal information on an annual basis. Failure to do so is a criminal offence. The Information Commissioner maintains a public register of data controllers. An up-to-date notification can be seen at:
- Any changes to the register shall be notified to the Information Commissioner within 28 days.
RIGHT TO ERASURE
- In line with the GDPR rules, People 1st understand that individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- the personal data is no longer necessary for the purpose which we originally collected or processed it for;
- we are relying on consent as the lawful basis for holding the data, and the individual withdraws their consent;
- we are relying on legitimate interests as the basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- we are processing the personal data for direct marketing purposes and the individual objects to that processing;
- we have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
- we have to erase to comply with a legal obligation; or
- we have processed the personal data to offer information society services to a child.
People 1st will comply with a request to erase personal data unless there is a regulatory/legal reason why the data cannot be erased, eg personal data relating to a candidate’s qualification must be held for a period of time set by the Awarding Body. People 1st will also aim to inform any third parties, with whom the personal data has been shared, so they may also erase this data.
16: BREACH REPORTING
Any individual who suspects that a personal data breach has occurred due to the theft or exposure of personal data must immediately notify the Data Protection Officer providing a description of what occurred. Notification of the incident can be made via e-mail, by calling, or in person. The Data Protection Officer will investigate all reported incidents to confirm whether or not a personal data breach has occurred. If a personal data breach is confirmed, the Data Protection Officer will follow the relevant authorised procedure. For severe personal data breaches, the directors will initiate and chair an emergency response team to coordinate and manage the personal data breach response. People 1st will comply with the GDPR and advise customers of any risk to their data within 72 hours of a breach.
- Compliance with the Act is the responsibility of everyone within the organisation. Any questions or concerns about the interpretation or operation of this policy should be communicated to Bernadette Daly, General Manager