Data protection policy, procedures and guidelines
From time to time, the Galway Archaeological and Historical Society (hereafter, GAHS) collects and utilises personal data (information) relating to members and other associated individuals, for a variety of purposes. For example, those who subscribe to our mailing lists, purchasers of publications or tickets for events, purchasers’ payment card information, applicants for grants or awards, those seeking membership, or those who register to use our online facilities.
The purposes of processing data include:
– the organisation and administration of GAHS activities
– the management of research projects
– ensuring compliance with statutory obligations etc.
Data Protection legislation safeguards the privacy rights of individuals in relation to the processing of personal data. The Data Protection Act (1988) and the Data Protection (Amendment) Act (2003) confer rights on individuals as well as responsibilities on those persons processing personal data.
Personal data, both automated and manual, are data relating to a living individual who is or can be identified, either from the data or from the data in conjunction with other information.
- Purpose of this policy
This policy is a statement of the GAHS’s commitment to protect the rights and privacy of individuals in accordance with Data Protection legislation.
- Principles of data protection legislation
The GAHS will administer its responsibilities under the legislation in accordance with the eight stated data protection principles outlined in the Acts as follows:
- Obtain and process information fairly
The GAHS will obtain and process personal data fairly and in accordance with the fulfilment of its functions and its legal obligations.
- Keep it only for one or more specified and lawful purposes
The GAHS will keep data for purposes that are specific, lawful and clearly stated and the data will only be processed in a manner compatible with these purposes.
- Process data only in ways compatible with the purposes for which it was given initially
The GAHS will only use and disclose personal data in a manner that is necessary for the purpose(s) or compatible with the purpose(s) for which it collects and stores such data.
- Keep it safe and secure
The GAHS will take appropriate security measures to prevent unauthorised access to, or alteration, disclosure or destruction of such data, and against its accidental loss or destruction.
- Keep it accurate, complete and up-to-date
The GAHS will implement procedures that are adequate to ensure high levels of data accuracy and completeness, and to ensure that personal data are kept up-to-date.
- Ensure that it is adequate, relevant and not excessive
Personal data held by the GAHS will be adequate, relevant and not excessive in relation to the purpose(s) for which it is stored.
- Retain it for no longer than is necessary for the purpose or purposes
The GAHS will have a defined policy on retention periods for personal data and appropriate procedures in place to implement such a policy.
- Give a copy of his/her personal data to any individual, on request
The GAHS will have procedures in place to ensure that affected individuals may exercise their rights under the data protection legislation.
The GAHS has corporate responsibility for ensuring compliance with the data protection legislation in circumstances where it controls personal data. However, all members and employees who collect and/or control such data remain individually responsible for compliance with the data protection legislation. The GAHS will provide support, assistance, advice and training to all officers and committee members as required to ensure it is in a position to comply with the legislation. The GAHS has a Data Protection Officer who will assist in ensuring compliance with the legislation.
This policy will be reviewed regularly in light of any legislative or other relevant indicators.
The following is an account of the GAHS’s Data Protection procedures. All committee members should familiarise themselves with its contents.
- Purpose of Data Protection
The Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 govern the processing of all personal data. The purpose of these Acts is to safeguard the privacy rights of living individuals in relation to the processing of their personal data by those who control such data. The Acts provide for the collection of data in a responsible way, while providing against unwanted or harmful uses of data.
- Purpose of compliance guidelines
- Explanation of terms used in connection with Data Protection
Data means information in a form that can be processed. This includes automated and manual data.
Automated data means any information on computer or information recorded with the intention that it be processed by a computer, for example data from a registration form for a mailing list would normally be input to a database.
Manual data means information recorded as part of a relevant filing system or with the intention that it form part of a system. This could be a CV, or an application form for example.
Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible.
Personal data means data, including sensitive personal data, relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the GAHS.
Sensitive personal data relates to specific categories of data, which are defined as data relating to a person’s racial origin; political opinions or religious or philosophical beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership.
Data controller is a body that processes information about living people. The data controller must be in a position to control the contents and use of a personal data file. The GAHS is a data controller, but so also are Membership Secretary, PRO, Secretary, Webmaster and President.
Data processor is a body that processes personal data on behalf of a data controller.
Processing means performing any operation or set of operations on data, comprising:
Obtaining, assembling, organising and storing data;
using, consulting and retrieving data;
altering, erasing and destroying data; or,
- Role of the Data Protection Commissioner
The Data Protection Commissioner oversees compliance with the terms of the legislation. The Commissioner has wide enforcement powers, including investigation of records and record-keeping practices. A data controller found guilty of an offence can be fined up to €100,000 and/or may be ordered to delete data.
- Rules of Data Protection
There are eight rules of data protection which govern the processing of personal data. When processing personal data the following procedures apply:
- Obtain and process information fairly.
- Keep it only for one or more specified and lawful purposes.
- Process data only in ways compatible with the purposes for which it was initially given. Retain it for no longer than is necessary for the purpose or purposes of recording membership of GAHS, for example.
- Keep it safe and secure.
- Keep it accurate, complete and up-to-date.
- Ensure that it is adequate, relevant and not excessive.
- Retain it for no longer than is necessary for the purpose or purposes.
- Give a copy of his/her personal data to any individual member of GAHS, on request.
There are also special conditions that must be met before personal data may be transferred to a country outside the European Economic Area (EU member states and Iceland, Liechtenstein and Norway) if that country does not have an EU-approved data protection law. Specific provisions are in place concerning personal data transfers to the USA.
The above rules apply to all personal computer-held data and to all personal manual data created from 1 July 2003.
For manual records created before 1 July 2003, the obligations in relation to 5.5, 5.6 and 5.7 will only apply from 24 October 2007.
However, for personal manual data created before 1 July 2003, the following obligations apply:
- Provide a copy of his/her personal data to any individual member on request;
- Correct, erase, or destroy any manual personal data that are incomplete or inaccurate;
- Destroy any manual personal data that are incompatible with the legitimate purpose for which they were collected.
- Obtaining and processing personal data
Personal data is obtained fairly if the data subject is aware of the purpose for which the GAHS is collecting the data; of the categories of person/organisation to whom the data may be disclosed; of non-obligatory or optional answers in forms; and of their right of access to, and rectification of, such data.
The GAHS will:
- Obtain personal data only when there is a clear purpose for so doing; obtain only whatever personal data are necessary for fulfilling that purpose; and ensure data are used only for that purpose.
- Inform data subjects of what personal information is held by the GAHS, what it will be used for and to whom it may be disclosed.
- Obtain explicit consent in writing for processing sensitive data and retain a copy of that consent. Consent cannot be inferred from a non-response in the case of sensitive data.
The use of GAHS data processing facilities in capturing and storing personal data for non-GAHS purposes must not take place.
- Disclosing personal data
Personal data should only be disclosed in ways that are necessary or compatible with the purpose(s) for which the data are kept. Particular attention should be paid to the protection of sensitive personal data, the disclosure of which would normally require explicit consent.
- Except where there is a statutory obligation to comply with a request for personal data, or where a data subject has already been made aware of disclosures, the GAHS will not disclose to any third party any personal data without the consent of the data subject.
- Verbal consent to disclosure of personal data of a data subject may be obtained by a telephone call to the data subject in the case of non-sensitive personal data, but the caller must request that the subject confirm facts that should be known only to them, such as date of birth, student number, etc. The date and time of the giving of verbal consent should be recorded in writing.
- Verbal consent to disclosure of personal data to a third party is not permitted unless there is a statutory obligation to disclose, or the information is released, to the Garda for example, for the prevention of crime and if informing the subject of the disclosure would prejudice the enquiries, or unless it is in the vital interests of the data subject.
- Personal data should only be disclosed to colleagues where they have a legitimate interest in the data in order to fulfill administrative functions. Responsible committee members should be satisfied of the need to disclose.
- Personal data should not be disclosed outside of the European Economic Area unless written consent has been obtained; unless disclosure is required for the performance of a contract to which the data subject is a party; or unless disclosure is necessary for the purpose of legal proceedings.
- Securing personal data
The GAHS must protect personal data from unauthorised access when in use and in storage, and the data must be protected from inadvertent destruction, amendment or corruption.
- Personal electronic data should be subject to appropriate stringent controls, such as passwords, encryption, access logs, backup, etc. Personal security passwords should not be disclosed to others within the organisation.
- Screens, printouts, documents, and files showing personal data should not be visible to unauthorised persons.
- Personal manual data must be held securely in locked cabinets, locked rooms or rooms with limited access.
- Subject to retention guidelines, personal manual data should be destroyed by confidential shredding when the retention period has expired.
- When upgrading or changing your personal computer, ensure the hard drive is wiped and data securely erased by an appropriate IT officer or GAHS webmaster.
- Special care must be taken where laptops or mobile devices containing personal data are used outside the GAHS.
- Health and social work personal data can only be released following consultation with the relevant professional.
- Disclosing personal data to a Data Processor should be done only under a written contract specifying security rules to be followed.
- Accuracy and completeness of personal data
Administrative procedures should include review and audit facilities to ensure that personal data are accurate, complete and up-to-date.
- Retention of personal data
- Data should not be kept for longer than is necessary for the purpose for which they were collected.
- Data already collected for a specific purpose should not be subject to further processing that is not compatible with the original purpose.
- Disposal of personal data
- Personal data should be disposed of when they are no longer needed for the effective functioning of the GAHS.
- The method of disposal should be appropriate to the sensitivity of the data. Shredding or incineration is appropriate in the case of manual data; in the case of electronic data, the media are securely erased or destroyed.
- Particular care should be taken when personal computers, laptops or other devices are transferred from one individual to another, or outside the GAHS or are being disposed of.
- Audit logs should be kept of records containing personal data (including CCTV data), recording read access, changes made, additions, deletions etc.
12 Rights of data subjects
12.1 Right of access
The Acts provide for the right of access by the data subject to his or her personal information whether held electronically or on manual relevant filing systems. Data subjects must be made aware of how to gain access to their personal data. A data subject is entitled to be made aware of his or her right of access and to the means by which to access the data. A data subject is entitled to the following on written application within forty days:
- a copy of his or her personal data;
- the purpose of processing the data;
- the persons to whom the GAHS discloses the data;
- an explanation of the reasoning used in any automated decision-making;
- a copy of recorded opinions about the person, unless given in confidence.
12.2 Restriction of rights of access
The right of access is restricted where the data are:
- required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing moneys due to the State;
- subject to legal professional privilege;
- kept only for statistical or research purposes and the results are not made available in a way that identifies data subjects;
- back-up data.
12.3 Provision of access to third parties
A data subject is entitled to access his or her own personal data only. The personal information of a data subject, including contact details, must not be disclosed to a third party, be they parent, potential employer, employer, professional body, sponsor, etc., without the consent of the individual concerned.
An agreement may be made to forward a communication to a data subject on behalf of a third party, but no information should be disclosed about the data subject. In the case of research surveys where there is an agreement to forward documentation to data subjects, a notice should be included to the effect that no personal information has been released.
12.4 Limitations on the use of personal data for research
Any committee member involved in research or the collecting of personal data, especially sensitive personal data, must comply with the requirements of the Acts. Initially, they must ensure that data are obtained and processed fairly. It is essential that the necessary consent from data subjects is obtained. Whenever possible, personal data should be rendered anonymous.
The Acts require that personal data shall be kept only for one or more specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes. This restriction may limit the usefulness of data for research purposes. If personal data are made anonymous, however, they cease to be personal data subject to the terms of the Acts.
In addition, certain data protection rules are relaxed for personal data kept for statistical, research or other scientific purposes, so long as the data are not used in a way that may harm the data subject. The rules in question are the restrictions on further processing personal data that is incompatible with the original purpose, on not keeping data longer than necessary for the purpose and on not disclosing the purpose when the data were obtained. It should be noted that if research data are retained in personally identifiable format they may be subject to an access request from a data subject and are subject to restrictions on the transfer of data outside the European Economic Area.
12.5 Right of rectification or erasure
Data subjects have a right to have personal data rectified, or blocked from being processed, or erased where the data controller has contravened the Acts. In order to comply with the above rights of access, rectification or erasure, and in order to ensure that personal data can be located and collated quickly and efficiently, the following actions are required:
- ensure personal data are in a format that is easy to locate and collate;
- verify that the access request and the personal data released refer to the same individual;
- know exactly what data are held on individuals, and by whom;
- hold personal data in a secure central location.
12.6 Responsibilities of data subjects
- All committee members and other data subjects should be informed of how to keep their personal data up to date.
- All committee members and other data subjects are responsible for:
- checking that any information that they provide to the GAHS is accurate and up to date;
- informing the GAHS of any changes in information that they have provided, such as changes of address;
- checking the information the GAHS sends out from time to time, giving details of information kept and processed;
- informing the GAHS of any errors or changes (the GAHS cannot be held responsible for any errors unless previously informed).
- Further information
These guidelines provide a general introduction and should be used in conjunction with the comprehensive Data Protection advice and guidelines on www.dataprotection.ie, the website of the Irish Data Protection Commissioner (Office of the Data Protection Commissioner, Canal House, Station House, Portarlington, Co Laois).
If you have any queries or seek clarification on any aspect of this document, please contact Eugene Jordan, Data Protection Officer, Hardiman Library, NUI Galway.
Phone: + 353 89 9561744 or email firstname.lastname@example.org. All enquiries will be dealt with in confidence.