Based on the General Data Protection Regulation and the Data Protection Acts, this Data Protection Policy lays the base for each staff member in the organisation to develop their understanding of data protection concepts and their awareness of their individual responsibilities in this regard. That will enable the organisation to fulfil its legal obligations in relation to the data protection legislation in each area of its operations.
Údarás operates in accordance with the Údarás na Gaeltachta Act, 1979-2010 and the Gaeltacht Act 2012. Under the Gaeltacht Act 2012 “(3A) An tÚdarás may carry on, control and manage in the Gaeltacht in respect of the linguistic, cultural, social, physical and economic development of the Gaeltacht, such schemes, projects, programmes and facilities as it thinks fit.” To fulfil its functions, Údarás na Gaeltachta is obliged to collect and process certain personal data relating to the Board, Staff, Clients, Third Parties and other members of the organisation’s community, present, past and future. Údarás na Gaeltachta is a personal data controller and processor.
Údarás na Gaeltachta’s mission is:
“To develop a vibrant, successful and sustainable Gaeltacht community and economy, and thus strengthen and maintain the use of Irish as the main language of the Gaeltacht community so that the Gaeltacht is a region of excellence on a global level.”
Údarás na Gaeltachta wishes to protect people’s rights and privacy in accordance with the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation, and understand the rights given to people by the Acts and the General Data Protection Regulation and the responsibilities the Acts and the Regulation places on Údarás na Gaeltachta staff members who process personal data in their work.
The data protection legislation gives individuals rights and places responsibilities on people who process personal data. This policy lays out the manner in which Údarás na Gaeltachta processes personal data, ensuring that staff understand the rules applicable to the usage of personal data available to them in the course of their work.
The General Data Protection Regulation (GDPR EU 2016/679) came into force on May 25th 2018 and replaced the Data Protection Directive 95/46/EC, and has been devised to coordinate data protection laws across Europe, to protect and empower all EU citizens’ data privacy and to restructure the approach used by organisations throughout the region in regard to data protection.
This Data Protection Policy applies to all Údarás na Gaeltachta staff, including permanent and temporary, Board Members, staff members working on a contract basis for the organisation and to other people that have been authorised to access personal data being held by Údarás na Gaeltachta. This policy should be read along with the organisation’s other relevant policies and procedures. Údarás na Gaeltachta may add to this policy or amend it with other policies and guidelines from time to time.
This policy applies to all the organisation’s personal data processing functions regarding identified or identifiable natural persons, including processing functions regarding clients, employees, suppliers and any other personal data processed by Údarás na Gaeltachta from any source.
Personal data is defined as any information pertaining to an identified or identifiable natural person (‘data subject’); an identifiable natural person is a person that can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier or one or more of the factors that relate specifically to the physical, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data are defined as personal data that disclose racial or ethnic origin, political opinions, religious or philosophical belief, trade union membership, genetic data, biometric data to uniquely identify a natural person, data relating to health or data relating to a natural person’s sex life and sexual orientation.
To fulfil its functions, Údarás na Gaeltachta is required to comply with the principals of data protection as set out in the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation 2016, that can be summarised as follows:
4.1 Lawfulness, fairness and transparency
The personal data will be processed in a lawful, fair and transparent manner regarding the data subject. Information is collected from the Board, staff, clients and from other members of the public. Information regarding other people being held by the organisation (Board Members, post applicants within the organisation, grant applications), the information will usually have been provided by the individuals themselves with full and informed consent, and compiled while they were employed or on contract with the organisation. The data is dealt with in accordance with the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation 2016, and with the terms of this Data Protection Policy. Such information will be collected and processed fairly.
4.2 Purpose limitation
Personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving in the public interest, for scientific or historical research or for statistical purposes, shall, in accordance with Article 89(1) of the GDPR, not be considered to be incompatible with the initial purposes.
4.3 Data minimisation
Personal data will be adequate, relevant and limited to the extent required for the purposes of processing.
4.4 Accuracy
Personal data will be accurate and, when required, kept up to date. All reasonable efforts will be made to ensure that inaccurate personal data is erased or amended without delay, for the purposes for which they are processed.
4.5 Storage limitation
Personal data should not be held longer than necessary for the specific purposes. Personal data may be stored for a longer period but the data should not be processed other than for archiving in the public interest, for scientific or historical research or to collect statistics in accordance with Article 89(1) of the GDPR, subject to the implementation of appropriate technical and organisational measures included in this Regulation to safeguard the rights and freedoms of the data subject.
4.6 Integrity and confidentiality
Processing of personal data will be done in a manner that will ensure the appropriate security of the personal data, including the prevention of unauthorised or illegal processing and of accidental loss, destruction or damage, using appropriate technical or organisational measures.
Údarás na Gaeltachta will design policies and procedures and will provide training to implement the following rights of data subjects:
5.1 Right of access by the data subject
Údarás na Gaeltachta will implement procedures to ensure that requests for access to their own personal data from data subjects will be identified and fulfilled in accordance with legislation.
5.2 Right to rectification
Údarás na Gaeltachta is committed to keeping data subjects’ data accurate, and processes and procedures will be implemented to ensure that data subjects can rectify their data in cases where inaccurate information is identified.
5.3 Right to erasure (right to be forgotten)
Údarás na Gaeltachta will only process personal data when there is a lawful basis to do so. In the event that Údarás na Gaeltachta receives a request from a data subject to exercise their right of erasure, Údarás na Gaeltachta will consider whether the data may be erased without affecting the organisation’s ability to provide future benefits and services to the data subject.
5.4 Right to restriction of processing
Údarás na Gaeltachta will consider whether or not it should act on a request from a data subject to restrict the processing of their data.
Údarás na Gaeltachta will only process personal data when there is a lawful basis to do so. In the event that Údarás na Gaeltachta has collected personal data about a data subject by consent or by contract, the data subject has the right to get the data in a structured format that is commonly used and machine-readable, and that person also has the right to transfer that data to another controller.
5.6 Right to object
Data subjects have the right to complain about the processing of their own data in specific circumstances, as laid out in Article 21 of the GDPR. When such a complaint is received, Údarás na Gaeltachta will consider the case on its merits. Under the Gaeltacht Act 2012 “(3A) An tÚdarás may carry on, control and manage in the Gaeltacht in respect of the linguistic, cultural, social, physical and economic development of the Gaeltacht, such schemes, projects, programmes and facilities as it thinks fit.”
5.7 Right not to be subject to automated decision-making
The data subject has the right not to be subject to a decision that is solely based on automated processing, where such a decision has a legal or similar consequence for him/her. Where a system or processes have been implemented, including benefits or services, Údarás na Gaeltachta shall ensure that an appropriate right to appeal will be available to the data subject.
5.8 Right to complain
Údarás na Gaeltachta shall have a complaints process in place which a data subject can use to contact the Data Protection Officer (DPO). The DPO will work with the data subject to deal with the complaint to the satisfaction of both parties. The data subject will be informed about his/her right to complain to the Data Protection Commission.
Údarás na Gaeltachta is committed to conforming with all relevant EU and Irish laws in regard to personal data, and to the protection of people’s data and freedoms.
Every staff member in Údarás, and third parties working on behalf of the organisation, who collect and/or control content and the use of personal data on their own, has a responsibility to ensure that personal data is collected, held and handled appropriately. Every staff member who handles personal data has a responsibility to ensure that it is handled and processed in accordance with this policy, best practice and with legislation.
Údarás na Gaeltachta is responsible for the following:
7.1 Maintaining a record of data processing
Údarás na Gaeltachta will maintain a record of the data processing activities as set out in Article 30 of the GDPR. To ensure data accuracy, each department will review the records they possess on an annual basis.
7.2 Ensuring appropriate technical and organisational measures
Údarás na Gaeltachta will implement appropriate technical and organisational measures to ensure that personal data is being protected and to demonstrate same.
7.3 Implementing appropriate agreements with third parties
Údarás na Gaeltachta will implement appropriate agreements and contracts with all third parties it shares personal data with. The term ‘third party’ encompasses the departments and other agencies of the Irish Government. Every agreement of that kind shall be implemented in writing before the transfer of data begins. That agreement will lay out specifically the purpose of the transfer, the need for sufficient security, the right to terminate a process and to limit further transfers to another party, and it will include that requests for information will be replied to and that there will be a right to audit.
7.4 Data protection by design and default
Before deciding on the method of process and during that process, Údarás na Gaeltachta will ensure that appropriate technical and organisational measures and protections are integrated into the process and that the principles regarding data protection are adhered to.
7.5 Data Protection Impact Assessments (DPIAs)
Where there is a significant risk to the rights and freedoms of the data subject as a result of a new form of processing, especially if new technology is being used, Údarás na Gaeltachta will do a Data Protection Impact Assessment (DPIA). As part of this process, copies of the impact assessment will be shared with the organisation’s Data Protection Officer. In the event that Údarás na Gaeltachta cannot find a measure that would mitigate the significant risks identified, the organisation will confer with the Data Protection Commission before commencing with the process.
7.6 Personal data breaches
‘Personal data breaches’ are defined as security breaches resulting in the erasure, loss, alteration, or unauthorised disclosure of personal data that has been transmitted, stored or otherwise processed, or unauthorised access to the data, either by accident or illegally.
Údarás na Gaeltachta has developed a protocol to manage data protection breaches, and that encompasses a methodology to deal with a personal data breach and to inform the DPC about it and also the data subjects where necessary.
7.7 Freedom of Information
Under the Freedom of Information Act, 2014, Údarás na Gaeltachta is obliged to publish information about its activities, and to provide citizens and clients with the information it possesses, personal information included.
Údarás na Gaeltachta will implement procedures to ensure that requests for personal data are dealt with appropriately, whether they are under data protection legislation or under freedom of information legislation.
7.8 Governance
Údarás na Gaeltachta will monitor compliance with the relevant legislation through the organisation’s policies and procedures.
Under Article 37 of the GDPR, each public body must appoint a Data Protection Officer (DPO). The DPO is accountable to the Secretary of the Board and his/her responsibilities include the following:
All staff will receive appropriate training regarding the GDPR, data protection and the management of records. New staff members will receive training as part of the induction process. All staff members will be informed of data protection responsibilities by the Data Protection Officer and through regular communication with the organisation’s GDPR coordinators.
9.2 Failure to comply with the data protection policy
Each staff member has a duty to ensure that the principles of data protection are complied with and that the provisions of this policy are adhered to. Each staff member is responsible for ensuring that all data as part of their daily duties be done in accordance with the data protection legislation and with this policy. Any breach of this policy may result in disciplinary action.
As part of Údarás na Gaeltachta’s function as personal data controller, a data processor may be used occasionally to process personal data on behalf of Údarás na Gaeltachta.
In each case, the processing is done on an agreed contract, ensuring that the processor is processing personal data in accordance with the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation, 2016.
Each agreement that is proposed between Údarás na Gaeltachta and a third party must be prepared in conjunction with the Corporate Secretariat Department.
Further information in relation to data protection is available on our website here.
Questions or concerns regarding the organisation’s data protection policies should be forwarded to the Data Protection Officer at:
Údarás na Gaeltachta,
Na Forbacha,
Co. na Gaillimhe,
H91 TY22.
Email: acs@udaras.ie
Definition of the terms used in relation to personal data protection and that have been referred to in this policy
The Data Protection Acts – the Data Protection Acts 1988 to 2018, confer rights on individuals as well as responsibilities on those who handle, process, manage and control personal data. All staff members of the organisation must comply with the provisions of the Data Protection Acts when collecting and storing personal data. This applies to personal data regarding the organisation’s staff and also individuals who are in contact with Údarás na Gaeltachta.
Data – Information in a form that can be processed. That includes automated or electronic data (any information on computer or information recorded to be put on computer) and manual data (information that has been recorded as part of a relevant coding system or to be placed on a relevant coding system).
Personal data – Data relating to a living individual that is identified or is identifiable from the data, or from the data plus some other information, or that may be in the data controller’s possession.
Special categories of personal data – Personal data that reveals racial or ethnic origin, political opinions, religious or philosophical belief, trade union membership, genetic data, biometric data to uniquely identify a natural person, data regarding health or data regarding a natural person’s sex life or sexual orientation.
Relevant filing system – Any set of information that has been arranged by name, PPS Number, payroll number, staff number, date of birth, or any other identifier, is deemed relevant.
Data processing – Any operation or set of operations performed on data, including:
Data subject – An individual who is the subject of the data.
Access Request – Where an individual submits a request to the organisation to disclose his/her personal data in accordance with data protection legislation.
Data controller – An individual (alone or with others) who controls the contents and use of personal data.
Data processor – A person who processes information on behalf of the data controller, e.g. an employee in an organisation to whom the data controller outsources data. The Acts place responsibilities on people who process data. Note: A data processor does not refer to an employee of the data controller.
Personal data breach – A security breach resulting in the erasure, loss, alteration, or unauthorised disclosure, personal data that has been transferred, stored or otherwise processed, or unauthorised access of such data, be that by accident or done illegally.
Údarás na Gaeltachta’s mission is:
“To develop a vibrant, successful and sustainable Gaeltacht community and economy, and thus strengthen and maintain the use of Irish as the main language of the Gaeltacht community so that the Gaeltacht is a region of excellence on a global level.”
To achieve all the objectives of the organisation’s functions, including:
The Data Protection Commission (DPC) was established as a result of the Data Protection Acts 1988 to 2018. The Commission is the oversight authority and is responsible for monitoring the legality of the processing of personal data in accordance with the data protection legislation. All the functions of the Data Protection Commissioner have now been transferred to the Commission.
The Commission will not have more than 3 members, as decided by Government. Each member of the Commission will be called a Data Protection Commissioner.
Included in the Commission’s duties is the promotion of public awareness and understanding in regard to risks, rules, protection measures and rights in regard to processing, complaints about the handling of data material, and working with (including the sharing of information with) other data protection authorities in other member states of the EU.
The Commission has a register, available for public inspection, which gives general data about the data handling practices used by a range of data controllers, such as Government Departments, State agencies and financial institutions.
The Commission has a wide range of enforcement powers to ensure that data protection principles are being adhered to. These include the serving of legal notices to compel a controller to provide information to assist its investigation, compelling a controller to implement a provision in the Act, etc.
The Commission inspects complaints from the general public regarding the manner in which an organisation is processing their personal data. For example, the Commission can authorise officials to enter a premises and inspect personal information being held on a computer or in a relevant paper filing system. Further information about raising potential concerns or infringements of your data protection rights can be found at https://dataprotection.ie/en.
In a case where the Commission decides to impose an administrative fine on a data controller or a processor that is a public authority or a public body, the fine shall not exceed €1,000,000.
Under data protection legislation, individuals have the right to get a copy from Údarás na Gaeltachta of any personal information about them being held on computer or in a structured filing system.
To obtain copies of personal data being held at Údarás na Gaeltachta requests in writing should be sent to the address below:
The Data Protection Officer
Údarás na Gaeltachta,
Na Forbacha,
Co. na Gaillimhe,
H91 TY22.
Email: acs@udaras.ie
Further information about access rights, including an Application Form for Personal Data is available here.
When a valid request is received, the organisation must reply to it within one month, even in a case where no personal data is being held. In cases involving complicated requests or a large amount of requests, a two month extension may be applied to that time limit.
There is no fee for an access request to your own personal data, unless the request is considered manifestly unfounded or excessive.
There are certain exceptions to data disclosure, including third party data, data that is legally privileged, or data that is required to prevent, investigate or charge criminal offences.
Section 61(1) of the Data Protection Act 2018 allows for restrictions in the case of certain data material where data is processed for archiving in the public interest.
The policy applies to the entire staff in the organisation and to the Board.
Personal Data regarding Deceased People
Best practice is that personal data regarding deceased persons is held and processed in the same manner as is done with a living individual’s personal data.
Provide the person with a copy of his/her Personal Data, when asked
To make an access request, a person must make the request in writing to the organisation’s Data Protection Officer by filling out a Personal Data Request Form (see Appendix 4) and returning it to acs@udaras.ie.
Protecting Údarás na Gaeltachta Data
To assist the employees with the implementation of this policy, the data protection procedures are available on the organisation’s intranet. These regulations set out the main areas of work within the organisation where data protection problems may arise and sets out best practice for addressing such.
Keeping personal data accurate, complete and up to date
We do our utmost to ensure that personal data is accurate and up to date.
If you feel that your personal data is not accurate or relevant, you may contact us in writing or by email at acs@udaras.ie
You should provide a detailed explanation about the personal data in question and the reasons you believe them to be inaccurate or irrelevant.
We will amend the data within 30 days, or else we will provide an explanation as to why we are unable to do so.