Data Protection Policy

General Data Protection Regulation (EU) 2016/679

Carlow County Council is the democratically elected unit of Local Government in County Carlow and is responsible for the provision of an extensive and diverse range of services to the people of the County.

In order to provide the most effective and targeted range of services to meet the needs of the citizens, communities and businesses of County Carlow we will be required to collect, process and use certain types of information about people and organisations. Depending on the service being sought or provided, the information sought may include ‘personal data’ as defined by the Data Protection Acts and by the General Data Protection Regulation (GDPR) and may relate to current, past and future service users; past, current and prospective employees; suppliers; and members of the public who may engage in communications with our staff. In addition, staff may be required, from time to time, to collect, process and use certain types of personal data to comply with regulatory or legislative requirements.

Definitions

Article 4 (1) defines ‘personal data’

“means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
 

Article 9 (1) lists the special categories of personal data
“revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”

Article 4 (2) defines ‘processing’ as
“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

What and who is a Data Controller?

A data controller under Article 4 (7) of the General Data Protection Regulation (EU) No. 2016/679 means

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”

Principles Relating to the Processing of Personal Data

All personal data processed by Carlow County Council in the course of its work will be dealt with in compliance with the principles relating to the processing of personal data laid down in Article 5 (1) of the General Data Protection Regulation, set out hereunder:

Personal data shall be:

a) Processed lawfully, fairly and in a transparent manner in relation to the data subject
b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
d) Accurate and, where necessary, kept up to date
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

This policy sets out how the Council will handle and process data, deal with a request for data by a data subject and manage a breach of data.

Data in this policy document means both personal data and special categories of personal data (referred to as ‘sensitive personal data’ under the Data Protection Acts).

In particular we are committed to protecting personal data as enshrined in the second title (Freedoms) of the Charter of Fundamental Rights of the European Union which has full legal effect under the Treaty of Lisbon since 1st December 2009.

This policy must be read in conjunction with the Data Protection Acts and Regulation (EU) 2016/679, the General Data Protection Regulation.

It also references the controls in place in respect of the use of CCTV systems. Carlow County Council also has a CCTV policy.

Data is collected for any one of the 150 plus services the Council provides to the citizens of County Carlow. It is collected on paper, by way of application forms, correspondence etc. It is also received by email and held electronically on shared drives and servers.

In all cases it must ensure that data is processed in compliance with the six GDPR principles set out in Article 5 (1):
• Lawfulness, Fairness and Transparency
• Purpose Limitation
• Data Minimisation
• Accuracy
• Storage Limitation
• Integrity and Confidentiality

In addition, under Article 5 (2) the Council, as controller, is responsible for and must be able to demonstrate compliance with these principles (Accountability).

1. Policy in Respect of Compliance with the Data Protection Acts.
It is the policy of Carlow County Council to comply fully with the Data Protection Acts. It will, as a Data Controller, carry out all duties and functions as set out in the Acts and ensure that the gathering and holding of data is done solely within the terms of the Acts.

2. Appointment and Role of a Data Protection Officer
Under Article 37 (1) the controller and the processor shall designate a Data Protection Officer (DPO) in any case where: (a) the processing is carried out by a public authority or body. The Senior Executive Officer, Corporate Services is currently the Data Protection Officer for Carlow County Council.

The GDPR requires that the DPO act independently and be free of any conflict of interest (Article 38), so the role should not sit with a member of staff who is responsible for a line department. The Council is currently recruiting such a person.

In addition to supporting an organisation’s compliance with the GDPR, DPOs will have an essential role in acting as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).

3. Policy in Respect of Informing Customers of their privacy rights
Carlow County Council has in place a privacy policy which advises customers and citizens of their privacy rights when providing personal data to the council for processing. As well as a general policy and a website policy, a number of sections have their own privacy policies.

4. Policy in Respect of Adherence with Guidelines issued by the Office of the Data Protection Commissioner.
It is the policy of Carlow County Council to adhere to all guidelines issued by the Office of the Data Protection Commissioner. These include guidance on such matters as CCTV, records management as well as rulings in respect of complaints made to that Office.

5. Policy in Respect of Data Protection Rules.
It is the policy of Carlow County Council to adhere to the following six Data Protection rules which are fundamental to Data Protection law.
The Rules are that personal data shall be:
1. Processed lawfully, fairly and in a transparent manner in relation to individuals
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4. Accurate and, where necessary, kept up to date
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

6. Policy in Respect of Rights of the Individual.
(A Data Subject means an individual who is the subject of personal data.)
It is the policy of Carlow County Council to ensure that the rights of the Individual are fully protected as set out below:
Rights for individuals under the GDPR include:
1. subject access
2. to have inaccuracies corrected
3. to have information erased
4. to object to processing, including direct marketing
5. to restrict the processing of their information
6. not to be subject to a decision based solely on automated processing, including profiling
7. data portability

On the whole, the rights individuals will enjoy under the GDPR are the same as those under the Acts, but with some significant enhancements. Carlow County Council has a procedure in place for dealing with Subject Access Requests which can be accessed at Making a Data Access Request.

We will strive to ensure there is no undue delay in processing an Access Request and, at the latest, they must now be concluded within one month.

In relation to policies on refusal these are clearly laid out in the procedure at the link above.

7. Policy in Respect of Managing Data Protection Breaches.
It is the policy of Carlow County Council to detect, report and investigate a personal data breach in accordance with the DPA, and guidelines as issued by the Office of the Data Protection Commissioner.

All personal data breaches, including breaches of special categories of personal data, will be reported to the Data Protection Officer without delay so that, where required under Article 33, the Office of the Data Protection Commissioner is notified within 72 hours of the Council becoming aware of the breach. Notification to the Commissioner is not required where the breach is unlikely to result in a risk to individuals. Breaches that are likely to result in a high risk to an individual – such as identity theft or breach of confidentiality – must also be communicated to the individuals concerned without undue delay (Article 34), unless the data affected was rendered unintelligible to unauthorised persons, for example by encryption, as laid out in the regulations.

A data protection breach occurs where a breach of security leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data or sensitive personal data. Such breaches may occur in the event of the loss of USB keys, disks, laptops, digital cameras and mobile phones, or other electronic devices on which data is held, as well as paper records containing data. An Information Security Management Team has been put in place to manage the risk in this area.

A breach may also occur due to inappropriate access to such data on Carlow County Council systems or the sending of data to the wrong individuals.

In the event of a Data Protection Breach measures will be put in place to prevent a repetition of the incident.

The findings of the investigation and recommendations will be advised to the Data Protection Commissioner’s Office and to affected individuals. All recommendations will be implemented as soon as possible.

8. Policy in Respect of Promoting Awareness of Data Protection among Staff and others who carry out Data Processing for the Council.
It is the policy of Carlow County Council to ensure compliance with the Data Protection Acts. The Data Protection Officer’s role is defined in Article 39 (1) (a) as
“to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions”.

All employees of the Council who collect and / or control the contents and use of personal data are also responsible for compliance with the DPA.

A data processing or data sharing agreement will be put in place where personal data is shared with a third party and this fact will be disclosed to the public.

The Council will continue to provide support, assistance, advice and Data Protection Awareness training to staff to ensure compliance with the legislation.

9. Policy in Respect of a Records Management Policy to ensure the security and ready access of data.
It is the policy of Carlow County Council to implement a Records Management Policy throughout the organisation. These records contain information as well as data.

The Policy is designed to ensure that there is a standardised filing system in which data is securely held and is readily accessible and retrievable in the event of a subject access request and a Freedom of Information request.

In order to ensure a standardised filing methodology, guidance notes on the use of electronic drives, including usage of folder and sub-folder files and categorising and filing of emails will be developed and issued to staff.

Data and information can be held in the following formats:
• Paper records, application forms etc.
• Text Messages
• Electronic Files on Shared and standalone drives
• Emails
• Diaries
• Accounts
• Registers
• Note Books
• Tapes
• DVDs
• Servers
• CDs etc.
• Website, Intranet
• Drawings, Maps etc.
• Photographs/images
• Micrographic materials (e.g. microfilm, microfiche)

The Records Management Policy will also be designed to enable the regular systematic destruction of records in line with the policy. In order to ensure full destruction all traces of the electronic footprint will have to be deleted as well as the corresponding paper file.

10. Policy in Respect of Developing a Data Protection Expertise
It is the policy of Carlow County Council to train staff in Data Protection law and precedents in order to have expertise available to advise on queries and subject access requests when received.

The Data Protection Officer (D.P.O.) is the primary point of contact for the public wishing to make subject access requests as well as for contact by the Office of the Data Protection Commissioner.

11. Policy in relation to Privacy by Design and by Default and Data Protection Impact Assessments (DPIAs)
Data privacy needs to be at the heart of all future projects.

A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and come up with a way to mitigate them. A DPIA can involve discussions with relevant parties/stakeholders. The GDPR introduces mandatory DPIAs for those organisations involved in high-risk processing; for example where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large scale monitoring of a publicly accessible area.

Carlow County Council will also adopt privacy by design as a default approach; privacy by design and the minimisation of data have always been implicit requirements of the data protection principles. However, the GDPR enshrines both the principle of ‘privacy by design’ and the principle of ‘privacy by default’ in law, as data protection by design and by default under Article 25.

This means that Carlow County Council will ensure that the default settings of the services it provides are privacy friendly, and that the development of services and products takes privacy considerations into account from the outset.

12. Policy in Respect of Handling a Subject Access Request (SAR).
It is the policy of Carlow County Council to have a central point of access for Data Protection requests as well as providing assistance to requesters. A Data Access Request must meet certain requirements as specified in the Data Protection Acts.

A data subject has the right of access to personal data which have been collected concerning themselves. Carlow County Council will endeavour to ensure this right can be exercised easily. All data subject access requests will be channelled through a central point, which will be the D.P.O. office.

The requirements are:
a) It must be in writing
b) Carlow County Council will make reasonable enquiries to satisfy itself about the identity of the person making the request to ensure personal data is only released to those entitled to it
c) Subject Access Requests will be dealt with as soon as may be and in any event not more than one month of receipt in accordance with the new regulations
d) If no action is taken on the request, the controller shall, without delay and at the latest within one month of receipt of the request, inform the data subject of the reasons for not taking action and of their right to lodge a complaint with the Supervisory Authority and to seek a judicial remedy. A failure to respond within that period is treated as a deemed refusal
e) The response time on a request may be extended by “two further months where necessary, taking into account the complexity and number of requests”. The data subject must be informed of any such extension within one month of receipt of the request, together with the reasons for the delay
f) In the event of receiving a very general Data Access Request, e.g. “please give me everything you have on me”, additional information may be sought on the nature of the request, such as the approximate date of a particular incident, our reference number, the identity of the other party, etc.
g) There is no charge for making a Data Access Request however where requests are manifestly unfounded or excessive in particular because of their repetitive nature the controller may charge a reasonable fee or refuse to act on the request
h) The controller shall provide a copy of the personal data to the requester. If further copies are requested by the data subject, the controller may charge a reasonable fee based on administrative costs

The policy and procedure in relation to requests by the Garda Síochána (or other law enforcement or investigation agency) for access to data from council records in relation to the prevention, detection or prosecution of offences or investigations of incidents is that any such request should:
• Be made in writing
• Provide detail in relation to the data required
• State the reason it is required
• Quote the relevant legislation which applies to their request for data
• Be signed by a person at management level in the organisation, e.g. Garda Sergeant in Charge, Investigating Manager etc.

13. Policy in Respect of Restriction on the rights of access:
It is the policy of Carlow County Council to examine each request to ensure that data which can be released is released and that restrictions on release under the Acts are adhered to.
The release of records and data is governed by the Data Protection Act and the General Data Protection Regulation, Article 23 of which permits a legislative measure to restrict the scope of the obligations and rights provided for in Articles 12 to 22 and 34 of the Regulation where such a restriction is necessary and proportionate to safeguard, among other things:
1. national security or defence
2. public security
3. the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties
4. other important objectives of general public interest of the Union or of a Member State.
5. the protection of judicial independence and judicial proceedings
6. the protection of the data subject or the rights and freedoms of others
7. the enforcement of civil law claims

14. Policy in Respect of CCTV.
Carlow County Council has a policy in respect of CCTV systems operated by the Council in the County. The policy will distinguish between private and public CCTV. It will provide for a 28 day deletion of images, restricted access to monitors, servers and recording equipment and security to ensure images are neither deleted nor modified.

15. Policy in respect of the Review of this Policy Document
It is the policy of Carlow County Council to review this policy periodically in light of its operation and in terms of new legislative or other relevant factors and following guidance from the Office of the Data Protection Commissioner.