Data Protection Policy
Updated May 2018
Table of Contents
- Categories of Personal Data
- Data Protection Principles
- Roles and Responsibility
- Data Subjects’ Rights in Relation to their Personal Data
- Retention of Personal Data
- Personal Data Breach
- Data Storage/Security
- Disclosure to Third Parties / Data Processors
- Transfer of Data outside the EEA
- Policy Review
The Granning Group and its affiliated companies (‘Granning’) need to collect and use Personal Data for a variety of purposes relating to its staff, board members, members and other individuals who come into contact with Granning in the course of its work.
Where this Policy applies to Personal Data of employees of Granning it should be read in conjunction with the associated Employee Handbook, which specifically addresses Personal Data held and / or processed on behalf of employees and board members.
This is an internal Granning policy document applicable to all Granning employees, board members, contractors and relevant third party providers. It is a statement of Granning’s commitment to protect the rights and privacy of all individuals in respect of whom it holds Personal Data and to ensure compliance with the Data Protection Acts.
Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data Processor means a natural or legal person, public authority, agency or another body which processes Personal Data on behalf of the Data Controller.
Data Protection Acts means the Data Protection Acts 1998 – 2003 including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any enactment thereof or amendment thereto.
Data Subject is an individual who is the subject of Personal Data.
Personal Data means any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Sensitive Personal Data is Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning health or sex life or sexual orientation, genetic data or biometric data, data relating to criminal offences and convictions.
4. Categories of Personal Data
The personal data records held by Granning may include but are not limited to:
· Staff records
· Industry stakeholder details
· Personal data of subscribers to our website(s)
5. Data Protection Principles
Granning will administer its responsibilities under the Data Protection Acts in accordance with the Data Protection principles outlined as follows:
· Granning will obtain and Process the Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject.
· Granning will collect and Process the Personal Data for specified, explicit and legitimate purposes and will not further Process the Personal Data in a manner that is incompatible with these purposes.
· Granning will use and disclose Personal Data only in ways compatible with these purposes.
· Granning will Process the Personal Data in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
· Granning will keep the Personal Data accurate and, when necessary, up to date, and will take reasonable steps to ensure that Personal Data that is inaccurate is erased or rectified without delay.
· Granning will ensure that the Personal Data collected and Processed is adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
· Granning will not retain the data for longer than is necessary for the purpose for which the personal data is processed.
· Granning has procedures in place to ensure that Data Subjects can exercise their rights to access a copy of their Personal Data held by Granning upon request. See Clause 7 below.
· Granning will maintain a Data Processing inventory.
6. Roles and Responsibility
Granning has overall responsibility for ensuring compliance with the Data Protection Acts. However, all employees who Process Personal Data in the course of their employment are also responsible for ensuring compliance with the Data Protection Acts.
Granning will provide support, assistance, advice and training to appropriate individuals who are handling such data in order to ensure that they are in a position to comply with the legislation.
Carol Gordon has been appointed Data Compliance Administrator and his/her principal duties are as follows:
· Process and respond to formal Data Access Requests
· Initiate regular reviews of Data Protection policies and procedures and ensure documentation is updated as appropriate
· Liaise with the Office of the Data Protection Commissioner where necessary
· Organise training and briefing sessions for staff as required
· Provide advice and guidance to staff on Data Protection matters
All members of staff are expected to acquaint themselves with and abide by the rules of Data Protection as set out in this policy; to read and understand this policy document; to understand what is meant by Personal Data and Sensitive Personal Data and know how to handle such data; not to jeopardise individuals’ rights or risk a contravention of the Data Protection Acts; and to contact the Data Compliance Administrator if in any doubt.
All staff members have an obligation to report any Personal Data Breaches to the Data Compliance Administrator, or to contact him/her if they have concerns about such a breach. This will allow the appropriate personnel to investigate further and take the appropriate steps to fix the issue in a timely manner.
Failure of an individual staff member to comply with this policy may lead to disciplinary action in accordance with Granning’s Disciplinary Procedures.
7. Data Subjects’ Rights in Relation to their Personal Data
Data Subjects have various rights under the Data Protection Acts, subject to certain exceptions and limitations (for example, where Granning must retain data to comply with any law or regulation to which it is subject), in connection with the Processing of their Personal Data:
· Right to access the data: Data Subjects have the right to request a copy of the Personal Data that Granning holds about them, together with other information about Granning’s processing of that Personal Data. This does not include the right to see Personal Data about other individuals without that other person’s consent.
· Right to rectification: Data Subjects have the right to request that any inaccurate data that is held about them is corrected, or if Granning has incomplete information they may request that Granning update the information such that it is complete.
· Right to erasure: Data subjects have the right to request Granning to delete Personal Data that it holds about them. This is also known as the right to be forgotten.
· Right to restriction of processing or to object to processing: Data Subjects have the right to request that Granning no longer processes their Personal Data for particular purposes, or to object to Granning’s processing of their Personal Data for particular purposes.
· Right to data portability: Data Subjects have the right to request Granning to provide them or a third party with a copy of their Personal Data in a structured, commonly used machine readable format.
For requests or further information in relation to access to, or deletion or rectification of Personal Data please email the Data Compliance Administrator at firstname.lastname@example.org
8. Retention of Personal Data
Personal Data Processed or kept for any purpose will not be kept for longer than is necessary for that purpose. Granning occasionally needs to make a judgment about how long is “necessary”; this may vary on a case-by-case basis and may also vary where Granning needs to retain Personal Data in order to defend any threatened or actual legal action. Personal Data retained by Granning is regularly reviewed, and updated if it is found to be out of date. If no longer required, it will be deleted and / or disposed of.
9. Personal Data Breach
Granning’s Data Breach procedure follows the Data Protection Commissioner’s Personal Data Security Breach Code of Practice. All loss of Personal Data must be notified and managed in accordance with this. To this end, any incident which gives rise or may give rise to the risk of a Personal Data Breach, including any loss, destruction or disclosure of any Personal Data, must be immediately notified to the Data Compliance Administrator.
Even if you feel an incident is minor, please report it; likewise, please report such incidents even if they may not actually result in a breach. Data breaches can include equipment failure, human error, loss of documents or inappropriate access.
Once notified, the Data Compliance Administrator will make a decision on the next steps to be taken in accordance with the above-mentioned code of practice and undertake to make the necessary notifications.
Please contact the Data Compliance Administrator if in any doubt.
10. Data Storage/Security
These rules describe how Granning ensures the safe storage of Personal Data. All employees are expected to follow these storage rules.
· When not required, paper or manual files should be kept in a locked drawer or filing cabinet and employees should make sure paper and printouts containing personal data are not left where unauthorised people could see them, such as on a printer.
· Printouts containing Personal Data should be shredded and disposed of securely when no longer required.
· Personal Data should never be saved directly to laptops or other mobile devices such as tablets or smartphones. If Personal Data is saved to a laptop or device, it must be encrypted.
· All servers and computers containing Personal Data are protected by approved security software and a firewall and kept in a secure location.
· When working with Personal Data, employees should ensure the screens of their computers are always locked when left unattended.
· Personal Data should not be shared informally. In particular, it should never be sent by email unless appropriate encryption is applied, as this form of communication is not secure.
· When an email is being sent to a number of individuals this should be done using BCC (blind carbon copy) rather than CC. This prevents the unnecessary disclosure of all of the intended recipients’ email addresses to the others.
· Personal Data should be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
· When data is stored electronically, it must be protected from unauthorised access, accidental deletion and hacking.
11. Disclosure to Third Parties / Data Processors
There are times when, rather than discharge a service itself, Granning may wish to outsource the supply of a service to an external supplier. Granning will not disclose Personal Data to third parties unless the Data Subject has specifically consented or it is necessary to carry out certain functions on the Data Subject’s behalf. In addition, Granning needs to comply with the law and various regulations from time to time and in this regard may need to send Personal Data to third parties for certain services. If the service involves the Processing of Personal Data on behalf of Granning, there will be a written contract in place between Granning and the Data Processor outlining the Data Processor’s obligations in relation to Personal Data, the specific purpose or purposes for which they are engaged, and the understanding that they will Process the data in compliance with the Data Protection Acts.
12. Transfer of Data outside the EEA
The Data Protection Acts restrict the transfer of Personal Data outside of the European Economic Area.