DATA PROTECTION POLICY

Introduction

Longford County Childcare Committee CLG, in conducting its business, needs to gather and use certain information about individuals. This can include parents, childcare staff and committee members, clients, suppliers, business contacts, employees and other people that we have a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet data protection standards and to comply with principles of GDPR.

This policy aims to ensure that Longford County Childcare Committee CLG:

  • Complies with data protection law and follows good practice
  • Protects the rights of staff, clients and stakeholders.
  • Is open about how it stores and processes individuals’ data
  • Protects itself from the risks of a data breach

Policy Scope

This policy applies to:

  • All staff & Committee members of Longford County Childcare Committee
  • All volunteers and students on work experience
  • All job applicants, existing and former employees, board members, contractors, suppliers and other people working on behalf of Longford County Childcare Committee

It applies to all data that the company holds and has access to relating to identifiable individuals and can include:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Dates of Birth
  • PPSN Numbers
  • Bank details
  • Financial information
  • Medical information
  • Salary and terms and conditions of employment
  • Details of formal and informal proceedings involving employees, former employees/board members such as letters of concern, disciplinary and grievance proceedings, annual leave/sick records, appraisal and performance information
  • Plus any other information relating to individuals

All of the above information is required for our processing activities. More information on those processing activities is included in our privacy notice for employees.

Data protection risks

This policy helps to protect Longford County Childcare Committee from some very real data security risks including:

  • Breaches of confidentiality. For instance, information being given out inappropriately
  • Failing to offer choice. For instance, all individuals should be free to choose how their personal data is used
  • Reputational damage. In the case of a data breach, if data is used for fraud or if hackers gain access to sensitive data

Responsibilities

Everyone working for or with Longford County Childcare Committee has a responsibility to ensure that data is collected, stored and handled appropriately. Each staff member must ensure that they handle and process data in line with this policy and data protection principles (see Appendix 1).

General Staff Guidelines

  • No more data should be sought on training registration forms than is needed.
  • Data should not be shared informally and should not be disclosed to unauthorised people
  • Management will support staff to understand their responsibilities with regard to the implementation of this policy
  • All data should be kept secure by taking sensible precautions
  • Strong passwords should be used, passwords should never be shared, and desktop computers should not be set to remember passwords
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required it should be deleted and disposed of correctly.
  • Staff should request help from the manager or data protection officer if they are unsure about any aspect of data protection

The board of directors is ultimately responsible for ensuring that Longford County Childcare Committee meets its legal obligations.

Data Protection Officer

The Data Protection Officer, Bernie Greene, is responsible for:

  • Informing and advising colleagues and the Committee of their data protection obligations and keeping them aware of data protection responsibilities, risks and issues
  • Monitoring the organisation’s GDPR compliance and reviewing all data protection procedures and related policies in line with an agreed schedule
  • Handling data protection questions from staff and anyone else covered by this policy
  • Working with other staff as necessary to ensure initiatives abide by data protection principles and approving any data protection statements attached to communications such as emails and letters
  • Dealing with requests from individuals to see the data Longford County Childcare Committee holds about them (also called “subject access requests”)
  • Providing advice regarding privacy impact assessments
  • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data and evaluating third party services used to store or process data (e.g. cloud computing services)
  • Addressing any data protection queries from outside of the organisation
  • Acting as a point of contact and co-operating with the data protection authority as required

Responsibilities of CTS Computers, the IT services contracted by Longford County Childcare Committee

  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards
  • Providing LCCC with verification statements and information with regard to the computer systems provided
  • Performing regular checks and scans to ensure security hardware and software is functioning properly

Data Collection

We ensure that data is collected lawfully, fairly and transparently by considering that consent is freely given, that there are opportunities offered to withdraw consent and to correct data held.

Staff of Longford County Childcare Committee will carry out a data inventory on a regular basis to establish that all data is held in accordance with GDPR.

Data Storage

Data stored on paper should be kept in a secure place in a locked filing cabinet, and access will be restricted to authorised staff only. This also applies to data usually stored electronically that has been printed:

  • When not required the paper or files should be kept in a locked drawer or filing cabinet
  • Staff must ensure that paper or printouts are not left where unauthorised people could see them, e.g. on the printer
  • Data printouts should be shredded and disposed of securely when no longer required
  • Individual scanned folders should be cleared at the end of every work week. This is the responsibility of each staff member.

Data stored electronically must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

  • Data should be protected by strong passwords that are changed regularly and never shared, other than with the Coordinator (in the event of sickness or annual leave)
  • Data stored on removable media (CD, DVD, USB) should be kept locked away securely when not being used
  • Data should only be stored on or uploaded to designated drives and servers
  • Servers containing personal data should be sited in a secure location away from public office space
  • Data should be backed up frequently, and backups should be tested regularly in line with backup procedures
  • Data should never be saved directly to laptops or mobile devices like tablets or smart phones
  • All servers and computers containing data should be protected by encryption, approved security software and a firewall
  • All electronic devices (e.g. laptops and mobile phones) should be checked for updates by individual staff members weekly, in order to ensure the most up-to-date protection measures

Physical Security of the premises:

  • Alarm system on the premises
  • CCTV in place indoors and outdoors.
  • Offices locked
  • Key coded system to enter the main premises from front hall.
  • Locked filing cabinets
  • Online data management systems are password protected
  • Files are stored in appropriate places
  • Shredder used to dispose of documents and printed data

Access Control, data Security:

  • We are particularly aware that as part of our work we may sometimes have access to children’s data
  • Access to computers and portals (NCS Hive portal) reflects the access needs of internal staff and must be clearly linked to the job duties and requirements of the post.
  • Staff desktops cannot be used for processing provider or parent applications or reports. Providers/parents must arrive with their own laptop, and they should only log into the guest Wi-Fi or connect via a hotspot on their mobile phone.
  • In the event that a parent/provider does not have access to their own laptop, the training laptop may be provided to process applications for supports such as NCS. No personal data is to be saved or stored on the desktop, and the web browser/cache is to be cleared after usage.
  • Only work-related materials and research may be downloaded.
  • Work-related documents, Facebook, Twitter and Instagram should only be downloaded or accessed from work-related equipment.
  • USB devices should never be used to download work-related documents.

Data use

It is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

  • When working with personal data, staff should ensure that computer screens are always locked when left unattended or set to password-activated sleep mode after 5 minutes.
  • Computers should be turned off at night or, if working from home, have sleep mode activated on the desktop screen.
  • Personal data should not be shared informally. It should never be sent by email, as this form of communication is not secure.
  • Precautions need to be put in place before transferring data electronically (i.e. encryption)
  • Staff should not save copies of personal data to their own computers or devices; they should always access the central copy of any data instead.
  • Personal data should never be transferred outside of the European Economic Area.

Data accuracy

Longford County Childcare Committee will take reasonable and proportionate steps to ensure data is kept accurate and up to date. This responsibility is shared by all staff, volunteers and board members.

  • Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
  • Staff should take every opportunity to ensure data is updated (i.e. as soon as they become aware of a change or an inaccuracy, checking details with clients routinely).
  • Longford County Childcare Committee aims to make it easy for data subjects to update the information we hold about them. This is facilitated by regular reviews and ongoing updates as requested by email or phone.

Data Access requests

All individuals who are the subject of personal data held by Longford County Childcare Committee are entitled to ask what information is held about them and why, find out how to gain access to it, be informed how to keep it up to date and have information on how Longford County Childcare Committee is meeting its data protection obligations. Any such request will be dealt with in line with GDPR aiming for a response time of one month.

Disclosing data for other reasons:

In certain circumstances (i.e. Child Protection and Welfare) the Data Protection Act allows personal data to be disclosed to relevant agencies in an appropriate manner without the consent of the data subject.

Data Retention and Erasure

We aim to keep data for the least amount of time that is necessary in accordance with other requirements we are obliged to adhere to such as:

These retention periods are predominantly determined by statutory obligations. As an exemption, retention periods within the Data Retention Schedule will be prolonged in cases such as:

  • Ongoing investigations from Irish authorities, if there is a chance records of personal data are needed by Longford County Childcare Committee to prove compliance with any legal requirements; or
  • When exercising legal rights during legal cases or similar court proceedings recognised under Irish law.

Safeguarding of Data during Retention Period

If personal data is physically retained in hard copy format, this personal data may become out of date quickly and this will be considered by the Manager. If personal data is retained on electronic storage media (hard drive, server) or in the cloud, the Manager will ensure that backup copies of the information are also available.

Third party processing

Where Longford CCC engages third parties to process data on our behalf, we will ensure, via a data processing agreement with the third party, that the third party takes the measures needed to maintain LCCC’s commitment to protecting data.

International Data Transfers

Longford CCC does not transfer personal data to any recipients outside of the EEA. 

Destruction of Data

Longford County Childcare Committee and its employees will regularly review all data, whether held electronically or in hard copy format, to decide whether to destroy or delete any data once the purpose for which those documents were created is fulfilled or as determined by statutory obligations as outlined in our Data Retention Schedule. Overall responsibility for the destruction of data falls to the Manager.

Once the decision is made to dispose of personal data according to the Data Retention Schedule, the data will be deleted, shredded or otherwise destroyed appropriately.

The method of destruction varies and will be dependent upon the nature of the document.  For example, any documents that contain sensitive or confidential information (and particularly sensitive personal data) will be disposed of as confidential waste and be subject to secure electronic deletion. The Document Disposal Schedule section below defines the method of disposal.

The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the Manager subcontracts for this purpose. Destruction of data is always approved by the Manager and the details recorded.  Any applicable general provisions under relevant data protection laws and Longford County Childcare Committee’s Personal Data Protection Policy shall be complied with.

Appropriate controls are in place to prevent the permanent loss of essential information of Longford County Childcare Committee as a result of malicious or unintentional destruction of information. These controls include restricting access to the filing cabinet to only those who are permitted to access the data. They also include password-protected access to the IT equipment, data storage and documents saved on the shared drive.

Data Breach Reporting

Breaches must be reported to the relevant supervisory authority within 72 hours of discovering the breach, unless the breach is unlikely to result in a risk to the rights of data subjects. Data subjects will be notified if the breach results in “high risk” to them. Records of all breaches will be kept by data controllers and processors.

Providing Information:

Longford County Childcare Committee aims to ensure that individuals are aware that their data is being processed and that they understand how the data is being used and how to exercise their rights.

Privacy Statement

Privacy Impact Assessments

Data Inventory

Type of Data collected in the course of the work at Longford County Childcare Committee:

  • Provider/service contact information & details
  • Parent/child contact information & details
  • Interagency contacts & details
  • Training data & contact details of those attending training
  • Complaints data
  • Employee contact data and details / supervisory reports & appraisal
  • Recruitment & applicant data
  • Data Processing – Data Mapping throughout the organisation

Training

New employees must read and understand the policies on data protection as part of their induction.  All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.

All employees who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and the company of any potential lapses and breaches of LCCC’s policies and procedures.