Data Protection Policy

1. Introduction

The Law Reform Commission is an independent statutory body established by the Law Reform Commission Act 1975. The Commission’s principal role is to keep the law under review and to make proposals for reform, in particular by recommending the enactment of legislation to clarify and modernise the law. Researching reform proposals involves consultations with interested groups and individuals.

The LRC is committed to protecting the rights and privacy of individuals whose information the LRC collects and processes in accordance with both European Union and Irish data protection legislation.


2. Purpose

The purpose of this policy is to outline the obligations of the LRC under applicable data protection law and to describe the steps to be taken to ensure compliance with those obligations.


3. Scope

This policy applies to all personal data collected, processed, and stored by the LRC by whatever means. The GDPR applies equally to automated and manual data, i.e., to data held or processed on a computer and to data held in ‘hard copy’ which forms part of, or is intended to form part of, a filing system.

This policy relates to the processing of ‘personal data’. Personal data is, broadly speaking, any information which could identify (or help to identify) a living person (in particular by reference to an identifier such as a name or an identification number).


4. Users

This policy applies to all staff of the LRC. Each member of staff has an individual responsibility to ensure that they adhere to this policy and to the GDPR and the Data Protection Act 2018, which gives further effect to the GDPR.

Failure to comply with this policy may result in the defaulting staff member being subject to disciplinary action under the Civil Service Disciplinary Code.

When handling personal data, all staff of the LRC are also subject to the provisions of the Official Secrets Act 1963 (the “OSA”). Among other relevant obligations, Section 4 of the OSA provides that a person shall not communicate any official information to any other person unless they are duly authorised to do so, do so in the course of, and in accordance with, their duties as the holder of a public office, or it is their duty in the interest of the State to communicate it.


5. General Policy Statement

The LRC operates as a data controller. This includes acting as a data controller in respect of employee data, in order to manage and administer the employment relationship, and in respect of stakeholder data (to the extent that it is personal data), in order to manage the relationship with the stakeholder.

The LRC can also act as a data processor in respect of personal data which is shared with it.

This policy will be kept under review and will be updated in light of legislative changes and/or guidance from competent regulatory authorities as and when it is published and becomes applicable.


6. Principles relating to processing of personal data

As a data controller, the LRC must comply with the following key data protection principles in relation to personal data:

1. Obtain and process personal data lawfully, fairly and in a transparent manner:

For personal data to be obtained fairly, subject to specific exemptions, data subjects must be provided with certain information (set out in Articles 13 and 14 of the GDPR), generally at the time at which the personal data is obtained.

For personal data to be processed fairly, a controller must also have a lawful basis for its processing, pursuant to relevant provisions of the GDPR. In many instances, the LRC relies on the basis set out in Article 6.1(e) of the GDPR: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

Furthermore, the processing of special categories of personal data (such as data relating to an individual’s health, racial or ethnic origin) is prohibited, unless the processing has a lawful basis under Article 6 of the GDPR and the processing falls within one of the exceptions set out in Article 9.2 of the GDPR.

2. Process for only specified explicit and legitimate purposes:

The LRC may only process personal data for a purpose that is specific, lawful, and clearly stated. It is unlawful to collect information about people routinely and indiscriminately without having a sound, clear and legitimate purpose for doing so.

If personal data is obtained by the LRC for a particular purpose then, subject to limited exceptions, the data may not be used or disclosed for any purpose other than that for which it was obtained. The LRC’s practice is to process personal data lawfully, and only in accordance with the purposes set out in its Data Protection Notices or as otherwise required or permitted by applicable legislation.

3. Ensure that it is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed:

Personal data should not be collected or kept if it is not needed, or on the off chance that a use might be found for it in the future. The LRC’s practice is to ensure that it collects and keeps only such personal data as is necessary for the purposes for which it was obtained.

4. Keep personal data accurate, complete, and up to date:

The LRC endeavours to ensure that the personal data it holds is accurate, complete, and up to date. All staff must ensure that personal data which they provide in connection with their employment is accurate and up to date and that they inform HR of any errors, corrections, or changes, for example a change of address or marital status. The LRC takes every reasonable step to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is rectified or erased without delay.

5. Retain personal data for no longer than necessary for the purpose for which it is acquired:

Personal data may not be retained in a form that permits the identification of data subjects for longer than is necessary for the purposes for which it is processed. The LRC’s policy is to ensure that its record retention, archiving, and destruction practices give effect to this principle.

6. Keep personal data safe and secure:

The LRC must ensure that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. The LRC’s practice is to ensure that employee access to personal data which it processes is restricted on a ‘need to know’ basis.

In relation to electronic data, the LRC’s IT systems operate on the basis of securely authenticated access only. All LRC personnel who have access to the LRC’s IT systems are subject to the LRC’s “ICT Policy”, which outlines their responsibilities in using those systems. The ICT Policy is based on the general principle that IT access levels should be the minimum necessary to carry out official duties. The ICT Policy must be signed off by the staff member and HR before access to ICT systems is made available to new staff. Guidelines are also in place which outline staff members’ continuing data protection responsibilities and the additional risks associated with remote working.

The LRC maintains both electronic and hard copy files. Hard copy files are kept in the office of the LRC at Styne House, Hatch Street Upper. Access to the building is restricted, with staff only able to enter during the hours of 7.30 am to 7.00 pm. Access to floors and corridors is by security swipe cards. Where staff hold particularly sensitive or confidential files, these should be stored in lockable presses or cabinets.

The Commission’s ICT Policy should be consulted for up-to-date guidance on the safe and secure processing of data held in electronic format.

7. As a controller, the LRC is responsible for, and must be able to demonstrate, compliance with the foregoing principles (the accountability principle, Article 5(2) of the GDPR).


7. Data Subject Rights

The GDPR provides the following data subject rights, which the Law Reform Commission will uphold:

  1. The right to information about how data is processed;
  2. The right of a data subject to access and obtain a copy of their own data;
  3. The right to rectification;
  4. The right to erasure (the ‘right to be forgotten’);
  5. The right to restriction of processing;
  6. The right to data portability;
  7. The right to object to the processing of personal data where it is being processed on the legal basis of public interest, exercise of official authority or legitimate interest;
  8. The right to object specifically to the processing of personal data for the purpose of direct marketing;
  9. The right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning the data subject or similarly significantly affects them;
  10. The right to lodge a complaint with the Data Protection Commission;
  11. The right to an effective judicial remedy and to compensation for material and non-material damage.


8. Data Protection by Design and Default

Article 25 of the GDPR requires that data protection be implemented by design and by default.

Data protection by design is the concept that the means and purposes of the processing of personal data are designed, from the beginning, with data protection in mind. The principle requires the LRC to implement technical and organisational measures that give effect to the data protection principles and protect the rights of data subjects. Methods of data protection by design employed by the LRC include ensuring that any new processes or procedures are designed and tested from a data protection perspective, staff training, and audits and policy reviews in the context of data protection.

Data Protection by Default – The LRC shall implement appropriate technical and organisational measures to ensure that, only personal data which is necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of its processing, the period of its storage and its accessibility. In particular, such measures shall ensure that, by default, a data subject’s personal data are not made accessible without the data subject’s intervention to an indefinite number of natural persons.


9. Data Breaches

A personal data breach is defined in the GDPR as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.

Examples include the loss of personal information, inappropriate access to personal information on LRC systems, or the sending of personal data to the wrong recipient.

A data breach can happen for several reasons, including:

  • loss or theft of data or equipment on which data is stored;
  • inappropriate access or the bypassing of controls thus allowing unauthorised use;
  • equipment failure;
  • human error;
  • unforeseen circumstances such as a flood or fire;
  • a hacking attack;
  • access where data is obtained by deceiving the organisation that holds it (social engineering).

In the event of a staff member becoming aware of a breach or suspected breach, a report of the incident MUST be sent to the Data Protection Officer as soon as possible.

  • a form for reporting breaches is available at Appendix A;
  • the Data Protection Officer will assess the breach and will decide what action, if any, should be taken;
  • the LRC Data Breach Policy should be consulted for further detail.

Notification of a personal data breach to the Data Protection Commission

Having been notified of a personal data breach or suspected breach, the DPO will, not later than 72 hours after the LRC has become aware of the breach, notify the Data Protection Commission of the breach, ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’ (Article 33(1) of the GDPR). The LRC is treated as having become aware of a breach when it has a reasonable degree of certainty that a security incident has compromised personal data; a short initial investigation to establish whether a breach has in fact occurred is permitted, but the 72-hour period is not suspended pending a full investigation.

If a reportable data breach is not notified within the 72-hour period, the notification must be accompanied by reasons for the delay. Where all of the required information is not available at the same time, it may be provided to the Data Protection Commission in phases without undue further delay (Article 33(4)).

The DPO will record every personal data breach, whether or not it was notified to the Data Protection Commission, in the Data Protection Breaches Register. The record should include the facts relating to the breach, its effects, and the remedial action taken, so as to enable the Data Protection Commission to verify compliance (Article 33(5)). Such records will be provided to the Data Protection Commission upon request.

Communication of a personal data breach to the data subject

While there is not a general obligation to notify a data subject of a data breach, where the DPO considers that the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects, the DPO shall communicate the breach to the data subjects without undue delay, in accordance with Article 34 of the GDPR. If the decision is to advise the data subject(s) of the breach, the communication shall describe in clear and plain language the nature of the personal data breach and shall provide those affected with the following information:

  • the name and contact details of the DPO or other contact points where more information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The DPO should document the reasoning for the decisions taken in response to a breach, including where the decision is not to notify the data subjects. Communication to data subjects is not required where the personal data were protected by measures (such as encryption) that render them unintelligible to any person not authorised to access them, or where subsequent measures mean that the high risk is no longer likely to materialise; where individual communication would involve disproportionate effort, a public communication or similar measure may be used instead (Article 34(3)).

If a processor used by the LRC becomes aware of a breach of the personal data it is processing on behalf of the LRC, it must notify the LRC’s Data Protection Officer ‘without undue delay’, as provided for in Article 33(2) of the GDPR. The processor does not assess the likelihood of the risk arising from the breach before notifying the LRC; it is the LRC’s DPO who must make this assessment on becoming aware of the breach.

How should the risk of a data breach be assessed?

The EU ‘Article 29 Data Protection Working Party’ issued guidelines on personal data breach notification (since endorsed by its successor, the European Data Protection Board) which set out criteria that data controllers may take into account when assessing such risks:

  • the type of breach;
  • the nature, sensitivity, and volume of personal data;
  • ease of identification of individuals;
  • severity of consequences for individuals;
  • special characteristics of the individual;
  • the number of affected individuals;
  • special characteristics of the data controller.

10. Subject Access Requests

The LRC is committed to compliance with all relevant EU and Irish laws in respect of personal data and the protection of the rights and freedoms of individuals whose information the LRC collects and processes.

The GDPR confers rights on individuals regarding their personal data and imposes obligations on entities which control or process personal data. In the course of its business, the LRC processes personal data (including special categories of personal data) relating to various categories of individuals, including employees and third parties such as job applicants, people making FOI requests, individuals making submissions, and individuals involved in procurement applications. In all circumstances, it is the LRC’s policy to ensure that it processes personal data in accordance with the GDPR and the terms of this policy.

Article 15 of the GDPR provides data subjects with a right of access to their personal data.

Data subjects have the right to obtain the following from the data controller:

  1. confirmation of whether or not personal data concerning them is being processed;
  2. where personal data concerning them is being processed, a copy of their personal data;
  3. where personal data concerning them is being processed, the following additional information:
    1. the purpose(s) of the processing;
    2. the categories of personal data;
    3. any recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations and, where this is the case, information about the appropriate safeguards;
    4. the retention period or, if that is not possible, the criteria used to determine the retention period;
    5. the existence of the following rights:
    • the right to rectification
    • the right to erasure
    • the right to restrict processing
    • the right to object
    6. the right to lodge a complaint with the Data Protection Commission;
    7. where the personal data has not been collected from the data subject, any available information as to its source;
    8. the existence of automated decision making, including profiling, and meaningful information about how decisions are made and the significance and consequences of such processing.

While a data subject may make a Subject Access Request in a way or format of their choosing, they may be invited to use the form at Appendix B, which will help the LRC deal with their request efficiently and promptly.

Ideally, all subject access requests will be received directly by the DPO but where a member of staff receives such a request, they should refer it to the DPO without delay.

The DPO will maintain a register of subject access and other requests.

Once a request has been made, the information must be provided within one month of receipt of the request. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests, but the data subject must be informed of any such extension, and of the reasons for it, within one month of receipt (Article 12(3)). There is no fee for providing this information; however, for any further copies requested by the data subject, a reasonable fee based on administrative costs may be charged.

A subject access request is usually made in writing, but the GDPR does not explicitly state that it must be in writing. The DPO may request additional information from a data subject in order to verify their identity and to help clarify the information sought. Where the data subject makes the request by electronic means, and unless otherwise requested, the information shall be provided in electronic form.

Processing a Subject Access Request

It is the responsibility of each Business Unit to process a subject access request which falls under their area of responsibility. The Data Protection Officer will provide guidance to the Business Unit processing the request and will undertake quality assurance checks before a subject access request is replied to.

What must be done in response to an access request?

  • the subject access request will be acknowledged by the Data Protection Officer;
  • the DPO will assign the request to the relevant section;
  • the section processing the access request will, where necessary, ask all sections in the LRC to search their eDoc folders and relevant hard copy files for personal data relating to the requester;
  • each section must document the procedures undertaken to locate records and provide the document to the section processing the request;
  • the section processing the request must provide the DPO with a copy of the records and draft a response to the DPO within 20 days of receipt of the request;
  • the DPO will examine the return for quality assurance and issue the reply to the requester.

Further details on processing a subject access request are set out in the Subject Access Request Policy.

Please note that, once an access request has been received, the personal data which it covers must not be altered or deleted while the request is being dealt with.

Personal information should only be given to the individual concerned. If someone is acting on behalf of an individual, it is important to ensure that they have been given authority to act on behalf of the person.

If no information is being kept on computer or in a relevant filing system about the individual making the request, they should be informed of this within one month of making the request.


11. Correcting Inaccurate Factual Information

Article 5.1(d) of the GDPR provides that personal data shall be ‘accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay’.

Under Articles 16 and 19 of the GDPR, if an individual’s personal data is inaccurate, they have the right to have the data rectified, by the controller, without undue delay. If personal data is incomplete, a data subject has the right to have data completed, including by means of providing supplementary information.

Each section is responsible for ensuring that personal information which it holds is accurate and up to date.

If an individual believes that the LRC holds inaccurate factual personal information about them, the individual may have the inaccurate personal information corrected by contacting the LRC’s Data Protection Officer in writing outlining the information which they believe is incorrect and providing the correct information.

The Data Protection Officer will assess whether the information is incorrect. The GDPR provides that if the information is factually incorrect, it will be rectified ‘without undue delay’. Under Article 19 of the GDPR, the DPO will communicate the rectification to each recipient to whom the data were disclosed, unless this proves impossible or involves disproportionate effort, and will inform the individual of those recipients if the individual requests this.

12. Data Protection Impact Assessments

A Data Protection Impact Assessment ‘DPIA’ is a process designed to describe the proposed data processing, assess its necessity and proportionality and to identify the risks to the rights and freedoms of natural persons resulting from the proposed processing by assessing those risks and determining the measures to address and mitigate them.

DPIAs are important tools for accountability as they help the LRC, as a controller, to not only comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the GDPR.

A DPIA may concern a single data processing operation, e.g., operation of CCTV, or can be used to assess multiple processing operations that are similar, e.g., HR functions.

The DPIA should be carried out prior to the processing; the LRC, as controller, is responsible for ensuring that a DPIA is carried out. The controller must seek the advice of the Data Protection Officer, and this advice, and the decisions taken by the controller, should be documented within the DPIA. Where the DPIA indicates that the processing would result in a high risk which the LRC cannot adequately mitigate, the LRC must consult the Data Protection Commission before the processing begins (Article 36 of the GDPR).

A DPIA template is set out in Appendix C.


13. Definitions

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  4. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  5. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  6. ‘recipient’ means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  7. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  8. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  9. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

