Data Protection Policy and Procedure
The purpose of the policy is to enable Parentline to follow all provisions of the Data Protection Acts 1988 and 2003. The purpose of the Act is to protect employees and volunteers whose personal data is held on computer or in manual files.
Data Protection Principles
It is Parentline’s policy to adhere to the data protection principles (responsibilities of Data Controllers) to avoid repercussions, such as complaints to the Commissioner.
Data Controllers and Data Processors will familiarise themselves with the provisions of the Acts. Employees and volunteers who process personal data will be informed of their duties and obligations under the Acts. Parentline will only allow authorised persons access to personal data. Unauthorised alteration, disclosure, destruction or accidental loss or damage to data will lead to disciplinary action.
Personal information kept on computer and manual files (also photographs, video recordings, images, voice recordings) will be regularly reviewed to ascertain whether the Data Controller is obliged to register with the Data Protection Commissioner. If the controller is required to register, it is Parentline’s policy to start the registration process immediately, providing the Commissioner with the information and registration fee required. Personal data kept on computer must be reviewed on a regular basis. If the Data Controller wants to change the way in which data is obtained, kept or disclosed, the registration with the Commissioner must be renewed or altered accordingly.
Purpose(s) for which the data are kept
Purpose(s) will not be unlawful
Data will only be used or disclosed in a manner consistent with the purpose(s).
Right to confirm the existence of personal data
On receiving a written request for confirmation of the existence of personal data, the employee/volunteer will be supplied with a description of such personal data and the purpose for which it is being kept. This will be done free of charge and as soon as possible (within 21 days).
Right of access to personal data
On receiving a written request from an employee or volunteer for a copy of personal data relating to him/her, the employee/volunteer will be provided with a copy of such data as it appears in the computer files and manual files* on the date of the request. This will be done as soon as possible (within 40 days). Right of access can only be refused in specific circumstances. A fee, not in excess of €6.35 may be charged for the data.
Right of rectification or erasure of personal data
Employees/volunteers have the right to have inaccurate personal data rectified or erased within 40 days of making a request. It is Parentline’s policy to rectify such errors immediately.
Updating the data
Data will be checked periodically, to ensure that it is up-to-date, relevant, accurate, retained no longer than necessary and not excessive in relation to its purpose. If the data is not adequate and accurate, additional information or amendments will be obtained from data subjects. The data will be held securely.
Disposal of Information
Disposing of documents which are no longer relevant must receive as much attention as their storage. If disciplinary documents are removed from files, they should be shredded, then incinerated or otherwise disposed of in a safe and secure manner. Similarly, financial information which is no longer relevant should be disposed of carefully. Accidental disclosure of personal information can occur as a result of improper disposal of personal files.
The Data Protection Act requires some Data Controllers to register with the Data Commissioner when they hold particular information. “Sensitive information” is personal data on:
• racial origin
• political opinion
• religious or other beliefs
• Physical or mental health (other than such information kept solely for personnel administration purposes).
• sexual inclinations
• criminal convictions
While all information should be treated with the utmost confidentiality, the Data Commissioner regards sensitive information as particularly confidential and potentially detrimental to the individual concerned if the information is improperly treated.