The Purpose of this policy it to provide a clear statement of KCCC’s commitment to protect the rights and privacy of individuals in accordance with the Data Protection Acts.
Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection Acts 1988 - 2018 (the “Data Protections Acts”) and the General Data Protection Regulation (EU) No 2016/679 (the “GDPR”) (the GDPR and the Data Protection Acts together “Data Protection Law”) confer rights on individuals as well as placing increased responsibilities on those persons and organisations that process personal data.
The Kildare County Childcare Committee (KCCC) process the personal data of employees, clients, suppliers and other individuals for a variety of business purposes. This may include the processing of special categories of personal data. We place a high importance on the correct, lawful and fair handling of all personal data, respecting the legal rights and privacy of all individuals with whom we deal or interact with.
We respect your privacy and your rights to control your personal data. We will be clear about what data we collect and why we collect it. This policy sets out how we seek to protect personal data and ensure that our employees, joint controllers and third-party data processors understand the rules governing their use of the personal data to which they have access during the course of their work on our behalf.
This policy applies to all personal data received by KCCC. Personal data may be held or transmitted in paper or other physical or electronic formats. All personal and special category data will be equally referred to as personal data in this policy, unless specifically stated otherwise.
This policy applies to any person who is employed or engaged by KCCC and who process personal data in the course of their employment or engagement. This policy also applies to individuals who are not directly employed or engaged by us but who are employed or engaged by contractors and who process personal data in the course of their duties for us. KCCC may at any time amend this policy.
3. What is Personal Data
KCCC is a Controller of the personal data you (the data subject) provide us. Personal data basically means any information about a living person, where that person either is identified or could be identified. Personal data can cover various types of information, such as name, date of birth, email address, phone number, address, physical characteristics (images/video/audio)or location data – once it is clear to whom that information relates, or it is reasonably possible to find out.
We will keep your personal data safe and only share it when necessary. We recognise that you have a right to know that the information you share with KCCC is maintained confidentially. We only disclose your information if we are legally obliged to do so. Under certain circumstances KCCC may be required to disclose your Personal Information in response to valid requests by public authorities to meet law enforcement requirements.
Your personal data is stored (either in physical form or in our secure cloud-based IT system) and processed in KCCC located at Unit 21 Thompson Enterprise Centre, Clane Business Park, Clane, Co. Kildare.
Your records will be kept in line with our data retention policy.
4. Data Protection Principles
The following key principles are enshrined in the Irish legislation and are fundamental to the KCCC’s Data Protection policy.
In its capacity as Data Controller, KCCC ensures that all data shall:
... be obtained and processed fairly and lawfully.
For data to be obtained fairly, the data subject will, at the time the data are being collected, be made aware of:
- The identity of the Data Controller (KCCC)
- The purpose(s) for which the data is being collected
- The person(s) to whom the data may be disclosed by the Data Controller
- Any other information that is necessary so that the processing may be fair.
KCCC will meet this obligation in the following way.
Where possible, the informed consent of the Data Subject will be sought before their data is processed;
Where it is not possible to seek consent, KCCC will ensure that collection of the data is justified under one of the other lawful processing conditions – legal obligation, contractual necessity, etc.;
Processing of the personal data will be carried out only as part of KCCC’s lawful activities, and KCCC will safeguard the rights and freedoms of the Data Subject;
.... be obtained only for one or more specified, legitimate purposes.
KCCC will obtain data for purposes which are specific, lawful and clearly stated. A Data Subject will have the right to question the purpose(s) for which KCCC holds their data, and KCCC will be able to clearly state that purpose or purposes.
..... not be further processed in a manner incompatible with the specified purpose(s).
Any use of the data by KCCC will be compatible with the purposes for which the data was acquired.
.... be kept safe and secure.
KCCC will employ high standards of security in order to protect the personal data under its care. Appropriate security measures will be taken to protect against unauthorised access to, or alteration, destruction or disclosure of any personal data held by KCCC in its capacity as Data Controller.
Access to and management of staff and customer records is limited to those staff members who have appropriate authorisation and password-controlled access.
... be kept accurate, complete and up-to-date where necessary.
ensure that administrative and IT validation processes are in place to conduct regular assessments of data accuracy;
conduct periodic reviews and audits to ensure that relevant data is kept accurate and up-to-date. KCCC conducts a review of sample data every six months to ensure accuracy; Staff contact details and details on next-of-kin are reviewed and updated every two years;
conduct regular assessments in order to establish the need to keep certain Personal Data.
... be adequate, relevant and not excessive in relation to the purpose(s) for which the data were collected and processed.
KCCC will ensure that the data it processes in relation to Data Subjects are relevant to the purposes for which those data are collected. Data which are not relevant to such processing will not be acquired or maintained.
... not be kept for longer than is necessary to satisfy the specified purpose(s).
KCCC has identified an extensive matrix of data categories, with reference to the appropriate data retention period for each category. The matrix applies to data in both a manual and electronic format. Once the respective retention period has elapsed, KCCC undertakes to destroy, erase or otherwise put this data beyond use.
... be managed and stored in such a manner that, in the event a Data Subject submits a valid Subject Access Request seeking a copy of their Personal Data, this data can be readily retrieved and provided to them.
KCCC has implemented a Subject Access Request procedure by which to manage such requests in an efficient and timely manner, within the timelines stipulated in the legislation.
5. Privacy Notice
KCCC will issue a Privacy Notice where:
• Information is being collected directly from an individual – the Privacy Notice will be provided at the point at which the data is collected.
• Information is obtained from another source – the Privacy Notice will be provided within one month after obtaining the date, preferable at the first point of contact.
A general Privacy Notice is available to view on our website an explains how personal data is processed.
6. Data Subject Rights
We are committed to assisting individuals with the implementation of the following data subject rights:
Right of Access
Data subjects have the right to access their personal data and supplementary information. Please use the Subject Access Request Form and contact the CEO at firstname.lastname@example.org or in writing to the CEO, Kildare County Childcare Committee, Unit 21 Thompson Enterprise Centre, Clane Business Park, Clane, Co. Kildare. We will acknowledge your request and respond to you within 1 month. There is no fee for such a request, although a fee may be charged for excessive or repetitive requests.
Right to Rectification
Please advise us of any changes in your personal information, as soon as possible. Should you believe that any personal data we hold on you is incomplete or incorrect, you have the ability to request to see this information and have it rectified.
Right to Erasure (right to be forgotten)
In certain circumstances, data subjects have the right to erasure of their data. When we receive a request from a data subject looking to exercise this right, we will carry out an assessment of whether the personal data can be erased.
Right to Restrict Processing
Data Subjects have the right to request the restriction or suppression of their personal data in certain circumstance. Where such a request is received, we will assess whether the restriction can be applied and communicate this to the individual.
Right to Object
You have the right to object to the processing of personal data in specific circumstances and be removed from any direct marketing emails. Where such an objection is received, we will assess it on its merits.
Right to Portability
Where we have collected personal data by consent or by contract, the data subject concerned has a right to receive the data in a common, machine readable format to give to another data controller. Exercising this right will depend on the technical feasibility of the request.
Right to Complain, Right to Judicial Remedy
If a data subject is unhappy with the service received, they are welcome to contact KCCC. They also have the right to contact the Data Protection Commission directly or seek a judicial remedy in the Irish Courts. All relevant contact details are provided at the end of this document.
7. Personal Data Breach
What is a personal data breach?
A personal data breach is described as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Reporting a breach.
KCCC treats any data breaches very seriously. The CEO will be notified of a data breach immediately. The CEO will manage any relevant communication with the Data Protection Commission. A record of any data breach that occurs, including a description of the breach, its effects and the remedial action taken, will be maintained by KCCC. Where the data breach results in a high risk to the rights and freedoms of a data subject, KCCC will inform the data subject without undue delay.
KCCC will provide access to data protection training to all employees, specific to their role. This training will be periodically reviewed and refreshed to ensure continuing professional development. Employees are responsible to ensure they avail of training and information provided and to identify gaps that they feel they need addressed.
9. Review and update
This policy may be reviewed from time to time in order to take into account any changes in the organisation structure of KCCC’s business practices and/or changes in legislation.