DATA PROTECTION POLICY
Policy prepared by: Carrieann Belton
Approved & Ratified by board on: 11TH of June 2018
Policy operational on: 25th of May 2018
Next review date: 26th of May 2019
Longford County Childcare Committee CLG, in conducting its business, needs to gather and use certain information about individuals. This can include parents, childcare staff and committee members, clients, suppliers, business contacts, employees and other people that we have a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet data protection standards and to comply with GDPR.
This policy aims to ensure that Longford County Childcare Committee CLG:
- Complies with data protection law and follows good practice
- Protects the rights of staff, clients and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
This policy applies to:
- All staff & Committee members of Longford County Childcare Committee
- All volunteers and students on work experience
- All contractors, suppliers and other people working on behalf of Longford County Childcare Committee
It applies to all data that the company holds and has access to relating to identifiable individuals and can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Dates of Birth
- PPSN Numbers
- Bank details
- Financial information including social welfare payments as part of CCSP eligibility
- Medical information
- Plus any other information relating to individuals
Data protection risks
This policy helps to protect Longford County Childcare Committee from some very real data security risks including:
- Breaches of confidentiality. For instance, information being given out inappropriately
- Failing to offer choice. For instance, all individuals should be free to choose how their personal data is used
- Reputational damage. In case of a data breach, data used for fraud or if hackers gained access to sensitive data
Everyone working for or with Longford County Childcare Committee has some responsibility to ensure that data is collected, stored and handled appropriately. Each staff member must ensure that they handle and process data in line with this policy and data protection principles (see Appendix 1)
General Staff Guidelines
- Only data needed for your work should be accessed
- Data should not be shared informally and should not be disclosed to unauthorised people
- Management will support staff to understand their responsibilities in regards to the implementation of this policy
- All data should be kept secure by taking sensible precautions
- Strong passwords should be used, passwords should never be shared, desktop computers should not be set to remember passwords
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required it should be deleted and disposed of
- Staff should request help from the manager or data protection officer if they are unsure about any aspect of data protection
The board of directors is ultimately responsible for ensuring that Longford County Childcare Committee meets its legal obligations
Data Protection Officer
The Data Protection Officer, Bernie Greene, is responsible for:
- Informing and advising colleagues and the Committee of their data protection obligations and keeping them aware about data protection responsibilities, risks and issues
- Monitoring the organisation’s GDPR compliance and reviewing all data protection procedures and related policies in line with an agreed schedule
- Handling data protection questions from staff and anyone else covered by this policy
- Working with other staff as necessary to ensure initiatives abide by data protection principles and approving any data protection statements attached to communications such as emails and letters
- Dealing with requests from individuals to see the data Longford County Childcare Committee holds about them (also called “subject access requests”)
- Provide advice regarding privacy impact assessments
- Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data and evaluating third party services used to store or process data (e.g. cloud computing services)
- Addressing any data protection queries from outside of the organisation
- Acting as a point of contact and co-operate with the data protection authority as required
Responsibilities of IT services contracted by Longford County Childcare Committee
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards
- Providing LCCC with verification statements and information in regards to the computer systems provided
- Performing regular checks and scans to ensure security hardware and software is functioning properly
We ensure that data is collected lawfully, fairly and transparent by considering that consent is freely given, that there are opportunities offered to withdraw consent and to correct data held.
Staff of Longford County Childcare Committee will carry out a data inventory on a regular basis to establish that all data is held in accordance with GDPR
Data stored on paper should be kept in a secure place in locked filing cabinet where unauthorised people cannot see it. This also applies to data usually stored electronically that has been printed:
- When not required the paper or files should be kept in a locked drawer or filing cabinet
- Staff must ensure that paper or printouts are not left where unauthorised people could see them, e.g. on the printer
- Data printouts should be shredded and disposed of securely when no longer required
Data stored electronically must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared only with Coordinator(in the event of sickness or annual leave)
- Data stored on removable media (CD, DVD, USB) should be kept locked away securely when not being used
- Data should only be stored on or uploaded to designated drives and servers
- Servers containing personal data should be sited in a secure location away from public office space
- Data should be backed up frequently, backups should be tested regularly in line with backup procedures
- Data should never be saved directly to laptops or mobile devices like tablets or smart phones
- All servers and computers containing data should be protected by approved security software and a firewall
Physical Security of the premises:
- Alarm system on the premises
- Care taker present when premises are in use at night
- Offices locked
- locked filing cabinets
- online data management systems are password protected
- files are stored in appropriate places
- shredder used to dispose of documents and printed data
Access Control, data Security:
- We are particularly aware that as part of our work we have access to children’s data
- Accessing computers, accessing portals (PIP safe & secure platform), access needs of internal staff and is it clearly linked to the job duties and requirements of the post.
- Staff desktop cannot be used for processing provider applications or reports – providers must arrive with their own laptop and if wifi is needed they need to do so via a hotspot on their mobile phone.
- Downloading can only be work related materials and research.
- Work related documents, facebook, twitter should only be downloaded or accessed from work related equipment
- USB should not be used to download work related documents
It is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
- When working with personal data staff should ensure that computers screens are always locked when left unattended or set to password activated sleep mode after 5 minutes
- Computers should be turned off at night or if working from home then have sleep mode activated on desktop screen
- Personal data should not be shared informally. It should never be sent by email, as this form of communication is not secure
- Precautions need to be put in place before transferring data electronically (i.e. encryption)
- Staff should not save copies of personal data to their own computers or devices, always access the central copy of any data instead
- Personal data should never be transferred outside of the European Economic Area
Longford County Childcare Committee will take reasonable and proportionate steps to ensure data is kept accurate and up to date. This responsibility is shared by all staff.
- Data will be held in as few places as necessary, staff should not create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated (i.e. as soon as they become aware of a change or an inaccuracy, checking details with clients routinely)
- Longford County Childcare Committee aims to make it easy for data subjects to update the information we hold about them, this is facilitated by regular reviews and ongoing updates as requested by email or phone
Data Access requests
All individuals who are the subject of personal data held by Longford County Childcare Committee are entitled to ask what information is held about them and why, find out how to gain access to it, be informed how to keep it up to date and have information on how Longford County Childcare Committee is meeting its data protection obligations. Any such request will be dealt with in line with GDPR aiming for a response time of one month
Disclosing data for other reasons:
In certain circumstances (i.e. Child Protection and Welfare) the Data Protection Act allows personal data to be disclosed to relevant agencies in an appropriate manner without the consent of the data subject.
Data Retention and Erasure
We aim to keep data for the least amount of time that is necessary in accordance with other requirements we are obliged to adhere to such as:
These retention periods are predominantly determined by statutory obligations. As an exemption, retention periods within the Data Retention Schedule will be prolonged in cases such as:
- Ongoing investigations from Irish authorities, if there is a chance records of personal data are needed by Longford County Childcare Committee to prove compliance with any legal requirements; or
- When exercising legal rights during legal cases or similar court proceedings recognised under Irish law.
Safeguarding of Data during Retention Period
If personal data is physically retained in hard copy format this personal data may become out of date quickly and this will be considered by the Manager. If personal data is retained on electronic storage media (hard drive, server) or in the cloud, the Manager will ensure that backup copies of the information also is available.
Destruction of Data
Longford County Childcare Committee and its employees will regularly review all data, whether held electronically or in hard copy format, to decide whether to destroy or delete any data once the purpose for which those documents were created is fulfilled or as per determined by statutory obligations as outlined in our Data Retention Schedule. Overall responsibility for the destruction of data falls to the Manager.
Once the decision is made to dispose of personal data according to the Data Retention Schedule, the data will be deleted, shredded or otherwise destroyed appropriately.
The method of destruction varies and will be dependent upon the nature of the document. For example, any documents that contain sensitive or confidential information (and particularly sensitive personal data) will be disposed of as confidential waste and be subject to secure electronic deletion. The Document Disposal Schedule section below defines the method of disposal.
The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the Manager subcontracts for this purpose. Destruction of data is always approved by the Manager and the details recorded. Any applicable general provisions under relevant data protection laws and Longford County Childcare Committee’s Personal Data Protection Policy shall be complied with.
Appropriate controls are in place to prevent the permanent loss of essential information of Longford County Childcare Committee as a result of malicious or unintentional destruction of information. These controls include restricting access to the filing cabinet to only those who are permitted to access the data. These controls include password protected access to the IT equipment, data storage, documents saved on the shared drive.
Data Breach Reporting:
Breaches must be reported to the relevant supervisory authority within 72 hours of discovering the breach, unless the breach is unlikely to result in a risk to the rights of data subjects. Data subjects will be notified if the breach results in “high risk” to them. Records of all breaches will be kept by data controllers and processors.
Longford County Childcare Committee aims to ensure that individuals are aware that their data is being processed and that they understand how the data is being used and how to exercise their rights
Privacy Impact Assessments
Type of Data collected in the course of the work at Longford County Childcare Committee:
- Provider/service contact information & details
- Parent/child contact information & details
- Interagency contacts & details
- Training data & contact details of those attending training
- Complaints data
- Employee contact data and details / supervisory reports & appraisal
- Recruitment & applicant data
- Data Processing – Data Mapping throughout the organisation
Each LCCC staff member will process data relevant to their Job role using various systems:
Type of data
Level of risk
Retention and deletion