Data Protection


The General Data Protection Regulation and Data Protection Acts 1988-2018 impose substantial obligations on employees to ensure compliance with data protection rules and provide for fines and other sanctions where such rules are breached.

Compliance with data protection legislation is supported by having adequate policies in place, which are communicated and consistently implemented with employees. Each school should have a Data Protection Policy. A template Data Protection Policy for schools is available at the following link. A template Data Retention Schedule is also available at the following link.

An interactive resource on GDPR for schools is available at www.gdpr4schools.ie.

  • The General Data Protection Regulation and Data Protection Acts confer rights on any person (including any employee) about whom personal data is processed.

  • The GDPR and Data Protection Acts place duties on those who process or control personal data (including employers).

  • The GDPR covers personal data held either electronically or physically — this includes but is not limited to physical files, emails, Customer Relationship Management (CRM) systems, and images and recordings of individuals.

Data Protection training should be provided for employees who regularly process personal data as part of their role, particularly employees who process sensitive personal data.

Legal basis for processing personal data

For the majority of employee data, the lawful basis for processing should not be the consent of employees; an alternative legal basis should be relied upon.

  • Additional conditions apply to the processing of special categories of personal data (e.g. a person’s race, religious beliefs, sexual orientation, health data or trade union membership).

  • The GDPR sets out various legal bases for processing special categories of personal data.

Determining appropriate security measures

Employers (Boards of Management) must implement appropriate technical and organisational controls to ensure data security. Data controllers and data processors need to ensure that their employees comply with the security measures adopted.

Data security breaches

An organisation must notify the Data Protection Commission of a data security breach within 72 hours of becoming aware of the breach, unless the risk to the rights and freedoms of data subjects is not significant.

Data Access Requests

Individuals have the right to access a copy of their personal data. They can request this data through a data access request (DAR). Documents relating to the individual must be given free of charge; however, where the request is ‘manifestly unfounded or excessive’, a reasonable fee may be charged.

All the data requested must be supplied within one month of the receipt of the request. This period may be extended for up to 2 further months where necessary, taking into account the complexity of the request and the number of requests.

Written contract between data controller and data processor

A written contract (or a contract in another equivalent form) is required where a data controller engages the services of a data processor (e.g. payroll provider, IT company). The GDPR sets out certain requirements for what should be included in such a data processing agreement.

Data protection impact assessments

Data processing that involves a high risk to individuals’ data protection rights requires a data protection impact assessment (DPIA). Projects which are likely to require a DPIA include the adoption of new technology or the introduction of CCTV monitoring.

The Data Protection Commission

The DP Acts provide for the establishment of the Data Protection Commission (DPC).

The DPC is responsible for monitoring the application of the GDPR in order to protect the rights and freedoms of individuals in relation to data processing.