
Data Protection Policy

1. Purpose

This policy is a statement of the Institute of Technology Blanchardstown’s commitment to protect the rights and privacy of individuals in accordance with the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003.  The Acts also impose responsibilities on those persons within organisations that process personal data.

2. Scope

This policy applies to all staff of the Institute, particularly those who collect and / or control the contents and use of personal data.

3. Definitions

Personal Data:
Any data relating to a living identifiable individual.
For example: a living person’s name and address or PPS number.
Data:
Automated data or structured manual data.
For example: any paper form or an Excel file containing a person’s name and address.
Manual Data:
Data structured by reference to individuals in a way that makes it readily accessible.
For example: a form that contains a student ID and a student name, stored in a filing cabinet.
Data Controller:
A person who controls the contents and use of personal data.
For example: an employer is a data controller for any personal data it processes about its employees.
Data Processor:
A person who processes personal data on behalf of a data controller.
For example: if an employer outsources its payroll function to a third party, that third party is a data processor.
Data Subject:
An individual who is the subject of personal data.
For example: the personal data that the Institute holds about students makes each student a data subject under the terms of the Act.
Processing:
Anything done with personal data, from collection to disposal.
For example: submitting a list of student details to the Department of Education and Science.

4. Reference

3GA07  Record Retention Policy
3IT11  IT Systems & Information Security Policy
3EM07  Use of CCTV Policy

5. Policy

Data Protection Principles
ITB acknowledges its responsibilities and undertakes to implement the legislation in accordance with the eight stated Data Protection principles outlined in the Acts as follows:

  • Obtain and process information fairly
    ITB obtains and processes personal data fairly and in accordance with its statutory and other legal obligations.
  • Keep it only for one or more specified, explicit and lawful purposes
    ITB keeps personal data for purposes that are specific, lawful and clearly stated. Personal data will only be processed in a manner compatible with these purposes.
  • Use and disclosure only in ways compatible with these purposes
    ITB only uses and discloses personal data in circumstances that are necessary for the purposes for which it collects and keeps the data.
  • Keep it safe and secure
    ITB takes appropriate security measures against unauthorized access to, or alteration, disclosure or destruction of data and against accidental loss or destruction.
  • Keep it accurate, complete and up-to-date
    ITB operates procedures that ensure high levels of data accuracy, completeness and consistency.
  • Ensure it is adequate, relevant and not excessive
    Personal data held by ITB are adequate, relevant and not excessive in data retention terms.
  • Retain for no longer than is necessary
    ITB has a policy on retention periods for personal data.
  • Give a copy of his/her personal data to that individual, on request
    ITB has procedures in place to ensure that data subjects can exercise their rights under the Data Protection legislation.

6. Responsibility

The Institute of Technology Blanchardstown is registered as a Data Controller under the Data Protection Acts 1988 and 2003. Consequently, the Institute maintains overall responsibility for ensuring compliance with Data Protection legislation, when it is the Data Controller of personal data. However, all employees and students of ITB who separately collect and/or control the content and use of personal data are individually responsible for compliance with the legislation. The Institute’s Secretary / Financial Controller is the registered Data Protection Officer.

7. Procedures

The Institute is committed to ensuring the protection of the privacy of personal data. To facilitate compliance with the Data Protection legislation the Institute provides best practice guidelines and procedures in relation to all aspects of data protection.

Procedures for obtaining and processing information fairly

At the time of providing personal information, individuals are made fully aware of:

  • the identity of the persons who are collecting it (though this may often be implied);
  • that it will be kept on computer and in relevant filing systems;
  • the purpose for which it will be kept and used;
  • the persons or category of persons to whom it will be disclosed.

Secondary or future uses, which might not be obvious to individuals, should be brought to their attention at the time of obtaining personal data.  Individuals should be given the option of saying whether or not they wish their information to be used in these other ways.
The Institute should inform staff and students, on our official application forms, of how the information they provide will be used. 

Procedures for purpose specification

The Institute fully observes the conditions regarding the fair collection and use of information; it:

  • meets its legal obligations to specify the purposes for which information is used
  • collects and processes appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements

Procedures for use and disclosure of information

The Institute uses the data obtained only in ways consistent with the purpose/s for which it is kept.
The Institute discloses the data only in ways consistent with that purpose/s.
Staff are made aware of these rules via the Institute’s intranet. The Data Protection section contains training manuals, training presentations and guidance obtained from the Data Protection Commissioner’s website.

Procedures to ensure security of information held/used

The Institute has established appropriate security provisions to ensure that:

  • Access to the Institute’s computers is restricted to authorized staff only.
  • Access to information is restricted to appropriate personnel.
  • The Institute’s systems are password protected.
  • The Institute’s server and network communications facilities are accessible to IT Support staff, Estates Office staff and security personnel only.
  • Information on screens is kept hidden from callers to the offices.
  • The Institute has a backup procedure in operation.
  • Data distributed to government agencies or authorized partners is sent in encrypted format only. Institute staff inform the partner’s authorized agent of the decryption password by telephone or face-to-face contact.

Procedures to ensure information is accurate and up-to-date

The Institute has established adequate clerical and computer procedures to ensure high levels of data accuracy.
The Institute ensures the quality of information used.
The Institute ensures that personal data is kept up-to-date.

Procedures to ensure information is adequate, relevant and not excessive

The Institute collects all the information it needs to serve its purpose effectively, and deals with individuals in a fair and comprehensive manner.
The Institute checks to make sure that all the information it collects is relevant and not excessive for its specified purpose.

Procedures to ensure information is not kept any longer than is necessary

The Institute has developed a Record Retention Policy, which lists all documents held and retention periods for these documents.

Procedures to deal with a breach or accidental disclosure of personal information 

The Institute acknowledges its intention to comply with the guidance proffered by the Data Protection Commissioner on their website in relation to accidental disclosure of personal information.
In the event that personal data for which the Institute is responsible has been compromised – for example, through loss of a portable device, misaddressing of mailings, or a “leak” from the organization – the Institute will respond as follows:

  • Immediately notify the Data Protection Commissioner office by phone (1890 252 231) or email (info@dataprotection.ie).
  • Inform those persons directly affected by the loss.
  • Provide a detailed report of the incident to the Data Protection Commissioner, including:
    • the amount and nature of the data that has been compromised;
    • what action (if any) has been taken to inform those affected;
    • a chronology of the events leading up to the disclosure; and
    • a description of measures being undertaken to prevent a repetition of the incident. 

Procedure for right of access

Requests should be made in writing to the Data Protection Officer, detailing the information required.
Requests are logged by the Institute and the information is supplied to the requester within 40 days of receiving the request.
The information will be provided in a form which will be clear to the requester (e.g. codes etc will be explained).
The Institute will require photo identification before personal information will be released.
The requester must pay an access fee to the Institute not exceeding €6.35.
The Institute is not obliged to refund any fee that it charges for dealing with access requests if it is determined that no data is kept.  Fees will be refunded if the Institute does not comply with the request, or if the personal data concerned must be rectified, supplemented or erased.

Procedures for the disclosure of Institute controlled information to a third party

These procedures form part of the Institute’s Data Protection Policy and Procedures and apply to parties who wish to become disclosees of IT Blanchardstown controlled information.

The person or body who wishes to become a third party disclosee shall provide the following information in writing to the Data Controller of the Institute in a timely fashion, and at least 4 weeks in advance of the anticipated release of information.

  • A copy of the applicant’s Data Protection Policy;
  • Details relating to the purpose(s) for which the data is requested;
  • A specification and definition of the data required;
  • A list of staff and others whom it is proposed will have access to the data, whether in electronic or paper format;
  • A description of the security measures the data will enjoy;
  • The duration for which it is proposed to hold each category of data;
  • The purging and deletion policy which applies to this data, whether in electronic or paper format;
  • Any other information which the applicant deems appropriate.

Requested documentation to be forwarded to:
Mr. Denis Murphy,
Data Controller,
Institute of Technology Blanchardstown,
Blanchardstown Road North,
Dublin 15.

8. Review

The Institute through its internal auditors will conduct an annual review of the Data Protection procedures in situ, to ensure compliance with industry best practice.
This Data Protection Policy will be reviewed regularly in light of any legislative or other relevant developments. 


Appendices

Appendix A

Confidentiality statement for staff and data Processors

When working for ITB, you will often need to have access to confidential information which may include, for example:

  • Personal information about individuals who are supporters, partners, suppliers, students or otherwise involved in the activities organised by ITB.
  • Information about the internal business of ITB.
  • Personal information about colleagues working for ITB.

ITB is committed to keeping this information confidential, in order to protect people and ITB itself.  ‘Confidential’ means that all access to information must be on a need to know and properly authorised basis.  You must use only the information you have been authorised to use, and for purposes that have been authorised.  You should also be aware that under the Data Protection Act, unauthorised access to data about individuals is a criminal offence.
You must assume that information is confidential unless you know that it is intended by ITB to be made public.  The transfer of information between ITB and any other organisation is prohibited, unless specifically approved by the Head of Department.
You must also be particularly careful not to disclose confidential information to unauthorised people or cause a breach of security.  In particular you must:

  • not compromise or seek to evade security measures (including computer passwords);
  • be particularly careful when sending information to external agencies;
  • not gossip about confidential information, either with colleagues or people outside ITB;
  • not disclose information — especially over the telephone — unless you are sure that you know who you are disclosing it to, and that they are authorised to have it.

If you are in doubt about whether to disclose information or not, do not guess.  Withhold the information while you check with an appropriate person whether the disclosure is appropriate.
Your confidentiality obligations continue to apply indefinitely after you have stopped working for ITB.

Appendix B

A quick ‘how to comply’ checklist

This short checklist will help you comply with the Data Protection Act (the Act). Being able to answer ‘yes’ to every question does not guarantee compliance, but it should mean that you are heading in the right direction.

  • Do I really need this information about an individual? Do I know what I’m going to use it for?
  • Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
  • Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
  • Am I sure the personal information is accurate and up to date?
  • Do I delete/destroy personal information as soon as I have no more need for it?
  • Is access to personal information limited only to those with a strict need to know?
  • If I want to put staff or student details on our website, have I consulted with them about this?
  • If I want to monitor staff, for example by checking their use of email, have I told them about this and explained why?
  • Have I trained my staff in their duties and responsibilities under the Act, and are they putting them into practice?
  • If I’m asked to pass on personal information, are my staff and I clear when the Act allows me to do so?
  • Would I know what to do if one of my employees or individual customers asks for a copy of information I hold about them?
  • Do I have a policy for dealing with data protection issues?
  • Do I need to notify the Data Protection Commissioner?
  • If I have already notified, is my notification up to date, or does it need removing or amending?