Data Protection Policy
Cavan County Local Development is committed to protecting the rights and freedoms of our data subjects, and safely and securely processing their data in accordance with all of our legal obligations, including compliance with the General Data Protection Regulation (GDPR). We process both personal and sensitive data about our employees, applicants, suppliers, and other individuals for a variety of business purposes. This policy sets out how we seek to protect personal data and ensure that our employees, joint controllers and third-party data processors understand the rules governing their use of the personal data to which they have access during the course of their work on behalf of Cavan County Local Development.
This policy applies to all personal data processed by Cavan County Local Development. All personal and sensitive data will be equally referred to as personal data in this policy, unless specifically stated otherwise. The policy addresses the core principles set out by the Office for Data Protection for compliance and good practice within the current Data Protection Legislation (the Data Protection Acts of 2003 and 2018). This policy supplements other Cavan County Local Development policies relating to data protection, and email and systems use.
Cavan County Local Development may supplement or amend this policy by additional policies and guidelines.
3. POLICY STATEMENT
The General Data Protection Regulation (GDPR) describes how organisations — Cavan County Local Development — must co collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The office of the Data Protection Commissioner outlines eight principles of data processing which are binding on all organisations who handle personal data. This policy describes how Cavan County Local Development adheres to those principles.
The GDPR is underpinned by seven important principles:
Lawfulness, Fairness and Transparency
Collected for specific, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Accurate and, where necessary, kept up-to-date
Kept in a form which permits identification of data subjects for no longer than is necessary
Processed in a manner that ensures appropriate security of personal data
Accountability for the implementation of the above principles
Partners and any third parties working with or for Cavan County Local Development and who have or may have access to personal data, will be expected to have read, understood and to comply with this policy.
No third party may access personal data held by Cavan County Local Development without having first entered into a data confidentiality agreement, which imposes on the third party obligations no less onerous than those to which Cavan County Local Development is committed, and which gives Cavan County Local Development the right to audit compliance with the agreement.
Cavan County Local Development defines
Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
An individual who is the subject of the personal data.
Sensitive Personal Data
Relates to specific categories of data which are defined as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership.
‘Data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law.
Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Joint Controllers as defined in Article 26 of the GDPR jointly determine the purposes and means of processing of personal data
Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
This is the national body responsible for data protection. The supervisory authority for our organisation is the Data Protection Commission.
5.1. Principles of the General Data Protection Regulation
The following outlines the principles of the General Data Protection Regulation. Cavan County Local Development is required to adhere to the principles set out below.
5.1.1. Lawfulness, Fairness and Transparency
All data must be processed legally, and in a way that is fair and transparent. The Data Subject will be clearly informed about how their data is being processed at the time it is being captured and who their data is shared with. The Data Subject’s data will not be shared with or disclosed to a third party other than to a party contracted to Cavan County Local Development and operating on its behalf.
5.1.2. Collected for specific, explicit and legitimate purposes
Cavan County Local Development will only collect data from data subjects for a specific purpose, and this purpose will be made clear to the data subject at the time the data is collected.
Once data is collected for a specific purpose, it will not be processed for any other purpose without the data subject’s prior consent.
5.1.3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Cavan County Local Development will ensure that any data obtained from the data subject will be adequate and relevant to the purpose(s) for which it is being processed. No unnecessary or additional data will be processed if the original purpose has been satisfied.
5.1.4. Accurate and, where necessary, kept up-to-date
Every effort will be made to ensure that all data collected from data subjects is accurate. Data held on the Cavan County Local Development system will be updated periodically to ensure any inaccuracies are rectified. Where Cavan County Local Development is made aware of any inaccurate data by the data subject, we will rectify this immediately. Cavan County Local Development will ensure that any out-of-date data be destroyed or deleted.
It may not be possible to rectify inaccurate due to assessment procedures.
5.1.5. Kept in a form which permits identification of data subjects for no longer than is necessary
Data will be retained for no longer than is necessary in light of the purposes for which that data was originally collected and processed. Any unsolicited data received by Cavan County Local Development employees, via email or post, will be deleted/destroyed immediately.
The Cavan County Local Development Data Retention Policy is available to view in the office and Cavan County Local Development staff should familiarise themselves with the content of the policy.
5.1.6. Processed in a manner that ensures appropriate security of personal data
All data will be processed safely and securely, to prevent unlawful or unauthorised processing, accidental or unlawful destruction, or accidental loss or damage to the data.
Cavan County Local Development will conduct a periodic security review of its IT systems to ensure that the appropriate measures are in place and adhered to.
5.1.7. Accountability for the implementation of the above principles
As a Data Controller, Cavan County Local Development takes responsibility to adhere to the above principles at all times during the course of business. Cavan County Local Development will keep a record of all personal data collected, held or processed. The following details will be recorded:
The name and contact details of the Controller, and where applicable, the Joint Controller and Data Protection Officer
The purposes of the processing
Categories of data subjects and personal data
Categories of recipients/third parties with whom the data will be shared
Retention periods for each category of data
Details of the technical/security measures in place
If, during any stage of data processing, a Cavan County Local Development employee/Data Processor is unsure of their obligations under the above GDPR principles, they should contact the DPO for clarification.
6. DATA PROTECTION OFFICER
As part of the General Data Protection Regulation, it is mandatory for Cavan County Local Development to have a formally appointed Data Protection Officer (“DPO”).
The DPO will be included in any matters involving data protection at the earliest possible stage, including privacy impact assessments, data processing activities that may affect data subjects, and incidents which affect the data of subjects.
6.1. Responsibilities of the DPO
The DPO will be responsible for the following:
To inform and advise Cavan County Local Development, its employees, and third-party data processors of their obligations under the GDPR;
To monitor compliance with GDPR and Cavan County Local Development policies in relation to the protection of personal data, including raising awareness of these policies amongst Cavan County Local Development employees, ensuring relevant and continuous staff training, and auditing and reviewing Cavan County Local Development systems and procedures;
To act as the contact point with the supervisory authority on issues relating to Cavan County Local Development’s processing activities;
To ensure a strict code of confidentiality concerning their role as Cavan County Local Development;
To provide advice to Cavan County Local Development, where requested, regarding Data Privacy Impact Assessments and to monitor their performance.
6.2. Contacting the DPO
DPO Contact Details:-
Tel: 049 4331029
Address: Unit 6A Corlurgan Business park, Ballinagh Road, Cavan.
The DPO should be notified of data breaches as per joint controller agreements, processor agreements or as per data breach management policy.
7. SUBJECT ACCESS REQUESTS
In order to submit a subject access request please contact Cavan County Local Development at firstname.lastname@example.org
8. DATA PROTECTION BREACH
8.1. What is a personal data breach?
A personal data breach is described as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
8.2. Reporting a breach
Cavan County Local Development treats data breaches very seriously. The DPO should be notified of data breaches as per joint controller agreements, processor agreements or as per data breach management policy.
A record of any data breach that occurs, including a description of the breach, its effects and the remedial action taken, will be kept in the Cavan County Local Development Data Breach Log.
Where the personal data breach results in a high risk to the rights and freedoms of a data subject, Cavan County Local Development are obliged to inform the data subject immediately.
8.3. Data Breach Management Policy
In the event of a data breach occurring, Cavan County Local Development’s ‘Data Breach Management Policy’ outlines the procedure to be followed in responding to and managing the breach.
9. TRAINING, AUDITING & MONITORING
All Cavan County Local Development employees will receive data protection training specific to their role. This training will be periodically reviewed and refreshed to ensure continuing professional development in the area of data protection law and the general data protection regulation.
9.2. Auditing & Monitoring
Methods of collecting, holding and processing personal data will be regularly evaluated and reviewed. All employees, joint controllers and third-party processors working on behalf of Cavan County Local Development will be made fully aware of both their individual responsibilities and Cavan County Local Development’s responsibilities under the Regulation and under this Policy.
Every Data Subject has the right to make a complaint if their legal rights are not fully upheld. The Data Protection Commissioner will help you in ensuring that your legal rights under the General Data Protection Regulation (GDPR) are upheld.
Data Protection Commissioner
Telephone +353 57 8684800 or +353 (0)761 104 800
Lo Call Number 1890 252 231
Fax +353 57 868 4757
Postal Address Data Protection Commissioner
Canal House, Station Road, Portarlington, R32 AP23 Co. Laois
11. REVIEW OF POLICY
This Policy will be reviewed by the board annually.
12. EFFECTIVE DATE(S)
This Policy was effective on the 26th October, 2021.