Data Protection Policy

1.         INTRODUCTION

Cavan County Local Development is committed to protecting the rights and freedoms of our data subjects, and safely and securely processing their data in accordance with all of our legal obligations, including compliance with the General Data Protection Regulation (GDPR). We process both personal and sensitive data about our employees, applicants, suppliers, and other individuals for a variety of business purposes. This policy sets out how we seek to protect personal data and ensure that our employees, joint controllers and third-party data processors understand the rules governing their use of the personal data to which they have access during the course of their work on behalf of Cavan County Local Development.

 

2.         SCOPE

This policy applies to all personal data processed by Cavan County Local Development. All personal and sensitive data will be equally referred to as personal data in this policy, unless specifically stated otherwise.  The policy addresses the core principles set out by the Office for Data Protection for compliance and good practice within the current Data Protection Legislation (the Data Protection Acts of 2003 and 2018).  This policy supplements other Cavan County Local Development policies relating to data protection, and email and systems use.

 

Cavan County Local Development may supplement or amend this policy by additional policies and guidelines.

 

3.         POLICY STATEMENT

The General Data Protection Regulation (GDPR) describes how organisations — Cavan County Local Development — must co collect, handle and store personal information.

  • These rules apply regardless of whether data is stored electronically, on paper or on other materials.

  • To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

 

The office of the Data Protection Commissioner outlines eight principles of data processing which are binding on all organisations who handle personal data.  This policy describes how Cavan County Local Development adheres to those principles.  

 

The GDPR is underpinned by seven important principles:

  1. Lawfulness, Fairness and Transparency

  2. Collected for specific, explicit and legitimate purposes

  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

  4. Accurate and, where necessary, kept up-to-date

  5. Kept in a form which permits identification of data subjects for no longer than is necessary

  6. Processed in a manner that ensures appropriate security of personal data

  7. Accountability for the implementation of the above principles

Partners and any third parties working with or for Cavan County Local Development and who have or may have access to personal data, will be expected to have read, understood and to comply with this policy.

No third party may access personal data held by Cavan County Local Development without having first entered into a data confidentiality agreement, which imposes on the third party obligations no less onerous than those to which Cavan County Local Development is committed, and which gives Cavan County Local Development the right to audit compliance with the agreement.

 

4.         DEFINITIONS

Cavan County Local Development defines

Personal data

Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject

An individual who is the subject of the personal data.

Sensitive Personal Data

Relates to specific categories of data which are defined as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership.

Data Controller

‘Data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law.

Data Processor

Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Joint Controller

Joint Controllers as defined in Article 26 of the GDPR jointly determine the purposes and means of processing of personal data

Processing

Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Consent

Means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Supervisory Authority

This is the national body responsible for data protection. The supervisory authority for our organisation is the Data Protection Commission.

 

5.         POLICY 

5.1. Principles of the General Data Protection Regulation

The following outlines the principles of the General Data Protection Regulation. Cavan County Local Development is required to adhere to the principles set out below.

 

5.1.1.   Lawfulness, Fairness and Transparency

All data must be processed legally, and in a way that is fair and transparent. The Data Subject will be clearly informed about how their data is being processed at the time it is being captured and who their data is shared with. The Data Subject’s data will not be shared with or disclosed to a third party other than to a party contracted to Cavan County Local Development and operating on its behalf.

 

5.1.2.   Collected for specific, explicit and legitimate purposes

Cavan County Local Development will only collect data from data subjects for a specific purpose, and this purpose will be made clear to the data subject at the time the data is collected.

 

Once data is collected for a specific purpose, it will not be processed for any other purpose without the data subject’s prior consent.

 

5.1.3.   Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Cavan County Local Development will ensure that any data obtained from the data subject will be adequate and relevant to the purpose(s) for which it is being processed.  No unnecessary or additional data will be processed if the original purpose has been satisfied.

 

5.1.4.   Accurate and, where necessary, kept up-to-date

Every effort will be made to ensure that all data collected from data subjects is accurate. Data held on the Cavan County Local Development system will be updated periodically to ensure any inaccuracies are rectified. Where Cavan County Local Development is made aware of any inaccurate data by the data subject, we will rectify this immediately.  Cavan County Local Development will ensure that any out-of-date data be destroyed or deleted.

 

It may not be possible to rectify inaccurate due to assessment procedures.

 

5.1.5.   Kept in a form which permits identification of data subjects for no longer than is necessary

Data will be retained for no longer than is necessary in light of the purposes for which that data was originally collected and processed. Any unsolicited data received by Cavan County Local Development employees, via email or post, will be deleted/destroyed immediately.

 

The Cavan County Local Development Data Retention Policy is available to view in the office and Cavan County Local Development staff should familiarise themselves with the content of the policy.

 

5.1.6.   Processed in a manner that ensures appropriate security of personal data

All data will be processed safely and securely, to prevent unlawful or unauthorised processing, accidental or unlawful destruction, or accidental loss or damage to the data.

 

Cavan County Local Development will conduct a periodic security review of its IT systems to ensure that the appropriate measures are in place and adhered to.

 

5.1.7.   Accountability for the implementation of the above principles

As a Data Controller, Cavan County Local Development takes responsibility to adhere to the above principles at all times during the course of business. Cavan County Local Development will keep a record of all personal data collected, held or processed. The following details will be recorded:

 

  • The name and contact details of the Controller, and where applicable, the Joint Controller and Data Protection Officer

  • The purposes of the processing

  • Categories of data subjects and personal data

  • Categories of recipients/third parties with whom the data will be shared

  • Retention periods for each category of data

  • Details of the technical/security measures in place

If, during any stage of data processing, a Cavan County Local Development employee/Data Processor is unsure of their obligations under the above GDPR principles, they should contact the DPO for clarification.

 

 

6.         DATA PROTECTION OFFICER

As part of the General Data Protection Regulation, it is mandatory for Cavan County Local Development to have a formally appointed Data Protection Officer (“DPO”).

The DPO will be included in any matters involving data protection at the earliest possible stage, including privacy impact assessments, data processing activities that may affect data subjects, and incidents which affect the data of subjects.

 

6.1.      Responsibilities of the DPO

The DPO will be responsible for the following:

  • To inform and advise Cavan County Local Development, its employees, and third-party data processors of their obligations under the GDPR;

  • To monitor compliance with GDPR and Cavan County Local Development policies in relation to the protection of personal data, including raising awareness of these policies amongst Cavan County Local Development employees, ensuring relevant and continuous staff training, and auditing and reviewing Cavan County Local Development systems and procedures;

  • To act as the contact point with the supervisory authority on issues relating to Cavan County Local Development’s processing activities;

  • To ensure a strict code of confidentiality concerning their role as Cavan County Local Development;

  • To provide advice to Cavan County Local Development, where requested, regarding Data Privacy Impact Assessments and to monitor their performance.

 

6.2.      Contacting the DPO

DPO Contact Details:-

Terry Hyland

Email: thyland@ccld.ie,

Tel: 049 4331029

Address:  Unit 6A Corlurgan Business park, Ballinagh Road, Cavan.

The DPO should be notified of data breaches as per joint controller agreements, processor agreements or as per data breach management policy.

 

7.         SUBJECT ACCESS REQUESTS

In order to submit a subject access request please contact Cavan County Local Development at info@ccld.ie

 

8.         DATA PROTECTION BREACH

8.1.      What is a personal data breach?

A personal data breach is described as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

 

8.2.      Reporting a breach

Cavan County Local Development treats data breaches very seriously. The DPO should be notified of data breaches as per joint controller agreements, processor agreements or as per data breach management policy.

A record of any data breach that occurs, including a description of the breach, its effects and the remedial action taken, will be kept in the Cavan County Local Development Data Breach Log.

Where the personal data breach results in a high risk to the rights and freedoms of a data subject, Cavan County Local Development are obliged to inform the data subject immediately.

 

8.3.      Data Breach Management Policy

In the event of a data breach occurring, Cavan County Local Development’s ‘Data Breach Management Policy’ outlines the procedure to be followed in responding to and managing the breach.

 

9.         TRAINING, AUDITING & MONITORING

9.1.      Training

All Cavan County Local Development employees will receive data protection training specific to their role. This training will be periodically reviewed and refreshed to ensure continuing professional development in the area of data protection law and the general data protection regulation.

 

9.2.      Auditing & Monitoring

Methods of collecting, holding and processing personal data will be regularly evaluated and reviewed. All employees, joint controllers and third-party processors working on behalf of Cavan County Local Development will be made fully aware of both their individual responsibilities and Cavan County Local Development’s responsibilities under the Regulation and under this Policy.

10.       COMPLAINTS

Every Data Subject has the right to make a complaint if their legal rights are not fully upheld. The Data Protection Commissioner will help you in ensuring that your legal rights under the General Data Protection Regulation (GDPR) are upheld.

Data Protection Commissioner

Telephone                   +353 57 8684800 or +353 (0)761 104 800

Lo Call Number                       1890 252 231 

Fax                               +353 57 868 4757      

E-mail                          info@dataprotection.ie

Postal Address             Data Protection Commissioner

Canal House, Station Road, Portarlington, R32 AP23 Co. Laois

 

 

11.       REVIEW OF POLICY

This Policy will be reviewed by the board annually.

 

12.       EFFECTIVE DATE(S)

This Policy was effective on the 26th October, 2021.