The purpose of this document is to provide a concise policy regarding the Data Protection obligations of TES. This includes obligations in dealing with personal and sensitive personal data, in order to ensure that the organisation complies with the requirements of the relevant Irish legislation, namely the Irish Data Protection Act (2018), and the General Data Protection Regulation (2018) (the GDPR).
TES must comply with the Data Protection principles set out in the relevant legislation. This Policy applies to all Personal and Sensitive Personal Data collected, processed and stored by TES in relation to its staff, service providers, members and clients in the course of its activities. TES makes no distinction between the rights of Data Subjects who are employees, and those who are not. All are treated equally under this Policy.
The policy covers both personal and sensitive personal data held in relation to data subjects by TES. The policy applies equally to personal data held in manual and automated form.
In the course of its daily organisational activities, TES acquires, processes and stores personal data in relation to:
• Employees of TES
• Clients of TES’ professional services
• Members of TES
• Third party service providers engaged by TES
In accordance with the Irish and EU Data Protection legislation, this data must be acquired and managed fairly. Not all staff members will be expected to be experts in Data Protection legislation. However, TES is committed to ensuring that its staff have sufficient awareness of the legislation in order to be able to anticipate and identify a Data Protection issue, should one arise. In such circumstances, staff must ensure that the Data Protection Officer is informed in order that appropriate corrective action is taken.
Due to the nature of the services provided by TES, there is regular and active exchange of personal data between TES and its Data Subjects. In addition, TES exchanges personal data with Data Processors on the Data Subjects’ behalf.
This is consistent with TES’s obligations under the terms of its contract with its Data Processors.
This policy provides the guidelines for this exchange of information, as well as the procedure to follow in the event that a TES staff member is unsure whether such data can be disclosed.
Data Subject Access Requests
Any formal, written request by a Data Subject for a copy of their personal data (a Data Subject Access Request or DSAR) will be referred, as soon as possible, to the Data Protection Officer, and will be processed as soon as possible, but in any event within one month of receipt.
In the course of its role as Data Controller, TES engages a number of Data Processors to process Personal Data on its behalf. In each case, a formal, written contract, the Data Processing Agreement or DPA, is in place with the Processor, outlining their obligations in relation to the Personal Data, the specific purpose or purposes for which they are engaged, and the understanding that they will process the data in compliance with the Irish Data Protection legislation.
The following key principles are enshrined in the EU and Irish legislation and are fundamental to the TES Data Protection policy.
1. ... be obtained and processed fairly and lawfully.
For data to be obtained fairly, the Data Subject will, at the time the data are being collected, be made aware of:
• The identity of the Data Controller (TES)
• The purpose(s) for which the data is being collected
• The person(s) to whom the data may be disclosed by the Data Controller
• Any other information that is necessary so that the processing may be fair.
TES will meet this obligation in the following way.
• Where possible, the informed consent of the Data Subject will be sought before their data is processed;
• Where it is not possible to seek or secure consent, TES will ensure that collection of the data is justified under one of the other lawful processing conditions (legal obligation, contractual necessity, etc.);
• Where TES intends to record activity or events using video, a Fair Processing Notice will be posted in full view of those attending;
• Processing of the personal data will be carried out only as part of TES’s lawful activities, and TES will, at all times, safeguard the rights and freedoms of the Data Subject;
• The Data Subject’s data will not be disclosed to a third party other than to a party contracted to TES and operating on its behalf.
2. ... be obtained only for one or more specified, legitimate purposes.
TES will obtain data for purposes which are specific, lawful and clearly stated. A Data Subject will have the right to question the purpose(s) for which TES holds their data, and TES will be able to clearly state that purpose or purposes.
3. ... be processed to the minimum necessary and will not be further processed in a manner incompatible with the specified purpose(s).
Any use of the data by TES will be the minimum necessary to achieve the intended objective, and will be compatible with the purposes for which the data was acquired.
4. ... be kept accurate, complete and up-to-date where necessary.
• ensure that administrative and IT validation processes are in place to conduct regular assessments of data accuracy;
• conduct periodic reviews and audits to ensure that relevant data is kept accurate and up-to-date. TES conducts a review of sample data every six months to ensure accuracy; staff contact details and next-of-kin details are reviewed and updated every two years;
• conduct regular assessments in order to establish the need to keep certain Personal Data.
5. ... not be kept for longer than is necessary to satisfy the specified purpose(s).
TES has identified an extensive matrix of data categories, with reference to the appropriate data retention period for each category. The matrix applies to data in both a manual and automated format.
Once the respective retention period has elapsed, TES undertakes to destroy, erase or otherwise put this data beyond use.
TES will employ high standards of security in order to protect the personal data under its care. Appropriate security measures will be taken to protect against unauthorised access to, or alteration, destruction or disclosure of any personal data held by TES in its capacity as Data Controller.
Access to and management of staff and customer records is limited to those staff members who have appropriate authorisation and password access.
7. ... be processed in a manner by which TES can demonstrate its accountability and compliance with all relevant legislation.
TES is happy to respond to any queries, whether from clients, members or auditors, in order to demonstrate its compliance with the obligations set out under Irish and EU privacy legislation.
As part of the day-to-day operation of the organisation, TES’s staff engage in active and regular exchanges of information with Data Subjects. Where a formal request is submitted by a Data Subject in relation to the data held by TES, such a request gives rise to access rights in favour of the Data Subject.
There are specific timelines within which TES must respond to the Data Subject, depending on the nature and extent of the request.
TES’s staff will ensure that, where necessary, such requests are forwarded to the Data Protection Officer in a timely manner, and that they are processed as quickly and efficiently as possible, and in any event within one month of receipt of a validated request.
As a Data Controller, TES ensures that any entity which processes Personal Data on its behalf (a Data Processor) does so in a manner compliant with Article 28 of the Data Protection legislation.