Data Protection Policy

1. Introduction

The Law Reform Commission is an independent statutory body established by the Law Reform Commission Act 1975. The Commission’s principal role is to keep the law under review and to make proposals for reform, in particular by recommending the enactment of legislation to clarify and modernise the law. Researching reform proposals involves consultation with interested groups and individuals.

The Commission is committed to protecting the rights and privacy of individuals whose information the Commission collects and processes, in accordance with both European Union and Irish data protection legislation.

2. Purpose

The purpose of this policy is to set out the obligations of the Commission under applicable data protection law and to describe the steps to be taken to ensure compliance with those obligations.

3. Scope

This policy applies to all personal data collected, processed and stored by the Commission by whatever means. The General Data Protection Regulation (GDPR) applies equally to automated and manual data, i.e., data held or processed on a computer, or data held in ‘hard copy’ and stored in a relevant filing system.

This policy relates to the processing of ‘personal data’. Broadly speaking, personal data is any information which could be used to identify (or help to identify) a living person (in particular by reference to an identifier such as a name or an identification number).

4. Users

This policy applies to all staff of the Commission. Each member of staff has an individual responsibility to ensure that they adhere to this policy, to the GDPR and to the Data Protection Act 2018, which gives further effect to the GDPR.

Failure to comply with this policy may result in the defaulting staff member being subject to disciplinary action under the Civil Service Disciplinary Code.

When handling personal data, all staff of the Commission are subject to the provisions of the Official Secrets Act 1963. Among other relevant obligations, section 4 of the Official Secrets Act provides that a person shall not communicate any official information to any other person unless he or she is duly authorised to do so, or does so in the course of and in accordance with his or her duties as the holder of a public office, or when it is his or her duty in the interest of the State to communicate it.

5. General Policy Statement

The Commission operates as a data controller, which includes operating as a data controller in respect of employee data in order to manage and administer the employment relationship, and operating as a data controller in respect of any stakeholder data (to the extent that it is personal data) in order to manage the relationship with the stakeholder.

The Commission may also act as a Data Processor in respect of personal data that is shared with it.

This policy will be kept under review and will be updated in light of legislative changes and/or guidance from competent regulatory authorities as and when such guidance is published and becomes applicable.

6. Principles relating to the processing of personal data

As a data controller, the Commission must comply with the following key data protection principles in relation to personal data:

  (a) Obtain and process personal data lawfully, fairly and in a transparent manner:

For personal data to be obtained fairly, subject to specific exemptions, data subjects must be provided with certain information, generally at the time the personal data is obtained.

For personal data to be processed fairly, a controller must have a lawful basis for processing it, pursuant to the relevant provisions of the GDPR. In many cases, the Commission relies on the basis set out in Article 6.1(e) of the GDPR: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

In addition, the processing of special categories of personal data (such as data relating to an individual’s health or racial or ethnic origin) is prohibited unless there is a lawful basis for the processing under Article 6 of the GDPR and the processing falls within one of the exceptions set out in Article 9.2 of the GDPR.

  (b) Process personal data only for specified, explicit and legitimate purposes:

The Commission may process personal data only for a purpose that is specific, lawful and clearly stated. It is unlawful to collect information about people routinely and indiscriminately without a sound, clear and legitimate purpose for doing so.

Where the Commission obtains personal data for a particular purpose, the data may not be used or disclosed for any purpose other than that for which it was obtained, subject to limited exceptions. It is the practice of the Commission to process personal data lawfully and only in accordance with the purposes set out in its Data Protection Notices, or as otherwise required or permitted by applicable legislation.

  (c) Ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed:

Personal data should not be collected or retained unless it is needed, and not on the off chance that a use may be found for it in the future. It is the practice of the Commission to ensure that it collects and retains such personal data only as is necessary for the purposes for which it was obtained.

  (d) Keep personal data accurate, complete and up to date:

The Commission endeavours to ensure that the personal data it holds is accurate, complete and up to date. All staff must ensure that the personal data they provide in connection with their employment is accurate and up to date, and that they inform the human resources section of any errors, corrections or changes, for example a change of address, a change of marital status, etc. The Commission takes every reasonable step to ensure that inaccurate personal data is rectified or erased without delay, having regard to the purposes for which it is processed.

  (e) Retain personal data for no longer than is necessary for the purpose for which it is collected:

Personal data may not be kept in a form which permits identification of data subjects indefinitely. It is the policy of the Commission to ensure that this principle is given effect through its record retention, archiving and destruction practices.

  (f) Keep personal data safe and secure:

The Commission must ensure that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It is the practice of the Commission to ensure that employee access to the personal data it processes is restricted on a need-to-know basis.

In relation to electronic data, the Commission’s IT systems operate on a securely authorised access-only basis. All Commission personnel with access to the Commission’s IT systems are subject to the Commission’s ICT Policy, which outlines their responsibilities when using the IT systems. The ICT Policy is based on the general principle that the minimum IT access necessary to carry out official duties is granted. The ICT Policy must be signed by the staff member and by the human resources section before access to ICT systems is provided to new staff. Guidelines for staff are also in place. Those guidelines outline their ongoing responsibility for data protection and for the additional risks associated with remote working.

The Commission keeps both electronic and hard-copy files. Hard-copy files are kept in the Commission’s office at Styne House, Upper Hatch Street. Access to the building is restricted, and staff can enter only between 7.30 am and 7.00 pm. Security swipe cards are required to access floors and corridors. Where staff hold files of particular sensitivity or confidentiality, these should be stored in lockable presses or cabinets.

The Commission’s ICT Policy should be consulted for up-to-date guidance on the safe and secure processing of data held in electronic format.

  (g) As controller, the Commission is responsible for the foregoing principles and must be able to demonstrate compliance with them.

7. The Rights of Data Subjects

The GDPR provides data subjects with the following rights, and the Law Reform Commission will uphold these rights of data subjects:

  1. The right to be informed about how data is processed;
  2. The right of a data subject to access and obtain a copy of his or her own data;
  3. The right to rectification;
  4. The right to erasure (‘the right to be forgotten’);
  5. The right to restriction of processing;
  6. The right to data portability;
  7. The right to object to the processing of personal data where it is processed on the legal basis of public interest, the exercise of official authority or legitimate interest;
  8. The right to object specifically to the processing of personal data for direct marketing purposes;
  9. The right not to be subject to automated individual decision-making where such a decision has a legal or significant effect on the data subject;
  10. The right to lodge a complaint with the Data Protection Commission;
  11. The right to sue for material and non-material damage.

8. Data Security by Design and by Default

The GDPR sets out that data protection compliance shall be achieved by design and by default.

Data protection by design is a concept whereby the means and purposes of the processing of personal data are designed from the outset with regard to data protection. This principle requires the Commission to implement both technical and organisational measures that will ensure and protect the privacy of data subjects. The data protection by design methods employed by the Commission include ensuring that any new processes or procedures are designed and tested from a data protection perspective, ensuring staff training, and ensuring that audit and policy reviews are carried out in the context of data protection.

Data Protection by Default – The Commission will implement appropriate technical and organisational measures to ensure that only personal data which is necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of its processing, the period of its storage and its accessibility. In particular, such measures shall ensure that, by default, personal data is not made accessible to an indefinite number of natural persons without the data subject’s intervention.

9. Data Breaches

The GDPR defines a personal data breach as follows: ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.

Examples include the loss of personal information, inappropriate access to personal information on the Commission’s systems, or the sending of personal data to the wrong individuals.

A data breach can occur for a number of reasons, including:

  • loss or theft of data or of equipment on which data is stored;
  • inappropriate access or circumvention of controls, thereby permitting unauthorised use;
  • equipment failure;
  • human error;
  • unforeseen circumstances such as flood or fire;
  • hacking attack;
  • access where data is obtained by deceiving the organisation that holds it.

Where a staff member becomes aware of a breach or a suspected breach, a report of the incident MUST be sent to the Data Protection Officer as soon as possible.

  • a form for reporting breaches is available in Appendix A;
  • the Data Protection Officer will assess the breach and decide what action, if any, should be taken;
  • the Commission’s Data Breach Policy should be consulted for further details.

Notifying the Data Protection Commission of a personal data breach

Upon being notified of a personal data breach or a suspected breach, the Data Protection Officer will, not later than 72 hours after the organisation has become aware of the breach, notify the Data Protection Commission of the breach, ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms’ of the data subject.

Where a reportable data breach is not notified within the 72-hour period, the reasons for the delay must be provided to the Office of the Data Protection Commission.

The Data Protection Officer will keep a summary record of every incident which gave rise to a risk of personal data being disclosed, lost, destroyed or altered without authorisation, and will record it in the Data Protection Breach Register. The record should include a brief description of the nature of the incident. Such records will be provided to the Data Protection Commission on request.

Communicating a personal data breach to the data subject

Although there is no general obligation to notify a data subject of a data breach, where the Data Protection Officer considers that the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Officer will communicate certain details of the breach to the data subjects without delay, in accordance with Article 34 of the GDPR. If the decision is to inform the data subject(s) of the breach, the following information in relation to the breach will be provided to those affected:

  • the name and contact details of the Data Protection Officer or other contact points from which more information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures taken, or proposed to be taken, by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Data Protection Officer should document the reasoning behind the decisions taken in response to a breach, including where the decision is not to notify the data subjects of the breach.

If a processor used by the Commission becomes aware of a breach in relation to the personal data it is processing on behalf of the Commission, it must notify the Commission’s Data Protection Officer ‘without undue delay’, as provided for in Article 33(2) of the GDPR. The processor will not assess the likelihood of the risk arising from the breach before notifying the Commission. The Commission’s Data Protection Officer is the person who must carry out that assessment on becoming aware of the breach.

How should the risk associated with a data breach be assessed?

The European Union’s Article 29 Data Protection Working Party has issued guidelines setting out criteria which data controllers may take into account when assessing such risks:

  • the type of breach;
  • the nature, sensitivity and volume of the personal data;
  • the ease of identification of individuals;
  • the severity of the consequences for individuals;
  • special characteristics of the individual;
  • the number of individuals affected;
  • special characteristics of the data controller.

10. Data Subject Access Requests

The Commission is committed to complying with all relevant European Union and Irish laws in respect of personal data, and to protecting the rights and freedoms of individuals whose information the Commission collects and processes.

The GDPR gives individuals rights in relation to their personal data and imposes obligations on entities that control or process personal data. In the course of its business, the Commission processes personal data (including special categories of personal data) relating to various categories of individuals, including employees and third parties, such as job applicants, persons making freedom of information requests and individuals making submissions, and in connection with procurement applications. In all circumstances, it is the policy of the Commission to ensure that it processes personal data in accordance with the GDPR and the terms of this policy.

Article 15 of the GDPR gives data subjects the right of access to information.

Data subjects have the right to obtain the following information from the data controller:

  1. confirmation as to whether or not personal data concerning them is being processed;
  2. a copy of their personal data, where personal data concerning them is being processed;
  3. the following further information, where personal data concerning them is being processed:
     (a) the purpose(s) of the processing;
     (b) the categories of personal data;
     (c) any recipients of the personal data to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations and, where that is the case, information on the appropriate safeguards;
     (d) the retention period or, if that is not possible, the criteria used to determine the retention period;
     (e) the existence of the following rights:
         • the right to rectification
         • the right to erasure
         • the right to restriction of processing
         • the right to object
     (f) the right to lodge a complaint with the Data Protection Commission;
     (g) where the personal data was not collected from the data subject, any available information as to its source;
     (h) the existence of automated decision-making, including profiling, and meaningful information about how decisions are made, and the significance and consequences of such processing.

Although a data subject may make a Data Subject Access Request in any manner or format he or she chooses, he or she will nevertheless be offered the option of using the form in Appendix B, which will help the Commission to deal with the request efficiently and conveniently.

Ideally, the Data Protection Officer will receive all data subject access requests directly, but where a staff member receives any such request, he or she should forward it to the Data Protection Officer without delay.

The Data Protection Officer will keep a register of data subject access requests and other requests.

When a request is made, the information must be provided within one month of receipt of the request. That period may be extended by a further two months where the request is complex. No fee is charged for providing this information. Where the data subject requests any additional copies, however, a reasonable fee based on administrative costs may be charged.

A data subject access request is usually made in writing, but the GDPR does not explicitly state that it must be in writing. The Data Protection Officer may request additional information from a data subject to verify his or her identity and to help clarify the information sought. Where the data subject makes the request by electronic means, the information will be provided in electronic form, unless otherwise requested.

Processing a Data Subject Access Request

Each Business Unit is responsible for processing a data subject access request that falls within its area of responsibility. The Data Protection Officer will provide guidance to the Business Unit processing the request and will carry out quality assurance checks before a response to a data subject access request is issued.

What must be done in response to an access request?

  • the Data Protection Officer will acknowledge receipt of the data subject access request;
  • the Data Protection Officer will assign the request to the relevant section;
  • if considered necessary, the section processing the access request will ask all sections in the Commission to search their relevant electronic document folders and hard-copy files as part of the search for personal data;
  • each section must document the procedures carried out to locate records and provide that document to the section processing the request;
  • the section processing the request must provide a copy of the records to the Data Protection Officer and draft a response for the Data Protection Officer within 20 days of receipt of the request;
  • the Data Protection Officer will review the return for quality assurance and issue the response to the requester.

Further details on processing a data subject access request are set out in the Data Subject Access Request Policy.

Note that you may not alter or delete the personal data held after the access request has been received.

Personal information should be given only to the individual concerned. If someone is acting on behalf of an individual, it will be important to ensure that he or she has been authorised to act on that person’s behalf.

If no information is held on a computer or in a relevant filing system about the individual making the request, he or she should be informed of this within one month of the request being made.

11. Rectification of Factually Inaccurate Information

Article 5.1(d) of the GDPR provides as follows in relation to personal data: it shall be ‘accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay’.

Under Articles 16 and 19 of the GDPR, where an individual’s personal data is inaccurate, that individual has the right to have the controller rectify the data without undue delay. Where personal data is incomplete, the data subject has the right to have the data completed, including by means of providing supplementary information.

Each section is responsible for ensuring that the personal information it holds is accurate and up to date.

If an individual believes that the Commission holds factually inaccurate personal information about him or her, the individual may request that the inaccurate personal information be rectified by contacting the Commission’s Data Protection Officer in writing, outlining what he or she believes to be incorrect and providing the correct information.

The Data Protection Officer will assess whether or not the information is incorrect. The GDPR provides that the information shall be rectified ‘without undue delay’ if it is factually incorrect. The Data Protection Officer will notify the individual making the request that, where the data concerned is materially modified by the amendment, he or she will notify anyone to whom the data was disclosed during the 12 months immediately preceding the making or sending of the request, unless such notification proves impossible or involves disproportionate effort.

12. Data Protection Impact Assessments

A Data Protection Impact Assessment is a process designed to describe the proposed data processing, to assess the necessity and proportionality of the proposed data processing, and to identify the risks to the rights and freedoms of natural persons arising from the proposed processing by assessing those risks and determining the measures needed to address and mitigate them.

Data Protection Impact Assessments are important tools for accountability, as they help the Commission, as controller, to comply with the requirements of the GDPR and also to demonstrate that appropriate measures have been taken to ensure compliance with the GDPR.

A Data Protection Impact Assessment may relate to a single data processing operation, e.g. the operation of CCTV, or it may be used to assess a number of similar processing operations, e.g. human resources functions.

A Data Protection Impact Assessment should be carried out before the processing – the controller is responsible for ensuring that a Data Protection Impact Assessment is carried out. The controller must seek the advice of the Data Protection Officer, and that advice, and the decisions taken by the controller, should be documented within the Data Protection Impact Assessment.

A template for a Data Protection Impact Assessment is set out in Appendix C.

13. Definitions

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  4. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  5. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  6. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  7. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process the data;
  8. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  9. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1.Introduction

The Law Reform Commission is an independent statutory body established by the Law Reform Commission Act 1975. The Commission’s principal role is to keep the law under review and to make proposals for reform, in particular by recommending the enactment of legislation to clarify and modernise the law. Researching reform proposals involves consultations with interested groups and individuals.

The LRC is committed to protecting the rights and privacy of individuals whose information the LRC collects and processes in accordance with both European Union and Irish data protection legislation.

 

2.Purpose

The purpose of this policy is to outline the obligations of the LRC under applicable data protection law and to describe the steps to be taken to ensure compliance with those obligations.

 

3.Scope

This policy applies to all personal data collected, processed, and stored by the LRC by whatever means. The GDPR applies equally to automated and manual data, i.e., data held or processed on a computer, or data held in 'hard copy' and stored in a relevant filing system.

This policy relates to the processing of 'personal data'. Personal data is, broadly speaking, any information which could identify (or help to identify) a living person (in particular by reference to an identifier such as a name or an identification number).

 

4.Users

This policy applies to all staff of the LRC. Each member of staff has an individual responsibility to ensure that they adhere to this policy and to the GDPR and the Data Protection Act 2018, which gives further effect to the GDPR.

Failure to comply with this policy may result in the defaulting staff member being subject to disciplinary action under the Civil Service Disciplinary Code.

When handling personal data, all staff of the LRC are also subject to the provisions of the Official Secrets Act 1963 (the "OSA"). Among other relevant obligations, Section 4 of the OSA provides that a person shall not communicate any official information to any other person unless they are duly authorised to do so, or do so in the course of, and in accordance with, their duties as the holder of a public office, or when it is their duty in the interest of the State to communicate it.

 

5.General Policy Statement

The LRC operates as a data controller. This includes acting as a data controller in respect of employee data, in order to manage and administer the employment relationship, and in respect of any stakeholder data (to the extent that it is personal data), in order to manage the relationship with the stakeholder.

The LRC can also act as a Data Processor in respect of personal data which is shared with it.

This policy will be kept under review and will be updated in light of legislative changes and/or guidance from competent regulatory authorities as and when it is published and becomes applicable.

 

6.Principles relating to processing of personal data

 

As a data controller, the LRC must comply with the following key data protection principles in relation to personal data:

  1. Obtain and process personal data lawfully, fairly and in a transparent manner:

For personal data to be obtained fairly, subject to specific exemptions, data subjects must be provided with certain information, generally at the time at which the personal data is obtained.

For personal data to be processed fairly, a controller must also have a lawful basis for its processing, pursuant to relevant provisions of the GDPR. In many instances, the LRC relies on the basis set out in Article 6.1(e) of the GDPR: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

Furthermore, the processing of special categories of personal data (such as data relating to an individual's health, racial or ethnic origin) is prohibited, unless the processing has a lawful basis under Article 6 of the GDPR and the processing falls within one of the exceptions set out in Article 9.2 of the GDPR.

  2. Process for only specified explicit and legitimate purposes:

The LRC may only process personal data for a purpose that is specific, lawful, and clearly stated. It is unlawful to collect information about people routinely and indiscriminately without having a sound, clear and legitimate purpose for doing so.

If personal data is obtained by the LRC for a particular purpose then, subject to limited exceptions, the data may not be used or disclosed for any purpose other than that for which it was obtained. The LRC's practice is to process personal data lawfully, and only in accordance with the purposes set out in its Data Protection Notices or as otherwise required or permitted by applicable legislation.

  3. Ensure that it is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed:

Personal data should not be collected or kept if it is not needed and/or on the off chance that a use might be found for it in the future. The LRC's practice is to ensure that it collects and keeps only such personal data as is necessary for the purposes for which it was obtained.

  4. Keep personal data accurate, complete, and up to date:

The LRC endeavours to ensure that the personal data it holds is accurate, complete, and up to date. All staff must ensure that personal data which they provide in connection with their employment is accurate and up-to-date and that they inform HR of any errors, corrections, or changes, for example, change of address, marital status etc. The LRC takes every reasonable step to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is rectified or erased without delay.

  5. Retain personal data for no longer than necessary for the purpose for which it is acquired:

Personal data may not be retained in a form that permits the identification of data subjects indefinitely. The LRC's policy is to ensure that its record retention, archiving, and destruction practices give effect to this principle.

  6. Keep personal data safe and secure:

The LRC must ensure that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. The LRC's practice is to ensure that employee access to personal data which it processes is restricted on a 'need to know' basis.

In relation to electronic data, the LRC's IT systems operate on the basis of securely authenticated access only. All LRC personnel who have access to the LRC's IT systems are subject to the LRC's "ICT Policy", which outlines their responsibilities in using the IT systems. The ICT Policy is based on the general principle of IT access levels being the minimum necessary in order to carry out official duties. The ICT Policy must be signed off by the staff member and HR before access to ICT systems is made available to new staff. Guidelines for staff are also in place which outline their continued responsibility for data protection and the additional risks associated with remote working.

The LRC maintains both electronic and hard copy files. Hard copy files are kept in the office of the LRC at Styne House, Hatch Street Upper. Access to the building is restricted, with staff only able to enter during the hours of 7.30 am to 7.00 pm. Access to floors and corridors is by security swipe cards. Where staff hold particularly sensitive or confidential files, these should be stored in lockable presses or cabinets.

The Commission’s ICT Policy should be consulted for up-to-date guidance on the safe and secure processing of data held in electronic format.

  7. As a controller, the LRC is responsible for, and must be able to demonstrate, compliance with the foregoing principles.

 

7.Data Subject Rights

The GDPR provides the following data subject rights, and the Law Reform Commission will uphold these data subject rights:

  1. The right to information about how data is processed;
  2. The right of a data subject to access and obtain a copy of their own data;
  3. The right to rectification;
  4. The right to erasure (the 'right to be forgotten');
  5. The right to restriction of processing;
  6. The right to data portability;
  7. The right to object to the processing of personal data where it is being processed on the legal basis of public interest, exercise of official authority or legitimate interest;
  8. The right to object specifically to the processing of personal data for the purpose of direct marketing;
  9. The right to be subject to automated individual decision making where such a decision has a legal or significant effect on the data subject;
  10. The right to make a complaint to the Data Protection Commission;
  11. The right to sue for material and non-material damage.

 

8.Data Security by Design and Default

The GDPR sets out that data protection compliance shall be implemented by design and default.

Data protection by design is the concept that the means and purposes of the processing of personal data are designed, from the beginning, with data protection in mind. The principle requires the LRC to implement both technical and organisational measures that will guarantee and protect the privacy of data subjects. Methods of data protection by design employed by the LRC include ensuring that any new processes or procedures are designed and tested from a data protection perspective, staff training, and audit and policy reviews in the context of data protection.

Data protection by default requires the LRC to implement appropriate technical and organisational measures to ensure that only personal data which is necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of its processing, the period of its storage and its accessibility. In particular, such measures shall ensure that, by default, a data subject's personal data are not made accessible, without the data subject's intervention, to an indefinite number of natural persons.

9.Data Breaches

A personal data breach is defined in the GDPR as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed'.

Examples include the loss of personal information, inappropriate access to personal information on LRC systems, or the sending of personal data to the wrong individuals.

A data breach can happen for several reasons, including:

  • loss or theft of data or equipment on which data is stored;
  • inappropriate access or the bypassing of controls thus allowing unauthorised use;
  • equipment failure;
  • human error;
  • unforeseen circumstances such as a flood or fire;
  • a hacking attack;
  • access where data is obtained by deceiving the organisation that holds it.

In the event of a staff member becoming aware of a breach or suspected breach, a report of the incident MUST be sent to the Data Protection Officer as soon as possible.

  • a form for reporting breaches is available at Appendix A;
  • the Data Protection Officer will assess the breach and will decide what action, if any, should be taken;
  • The LRC Data Breach Policy should be consulted for further detail.

Notification of a personal data breach to the Data Protection Commission

Having been notified of a personal data breach or suspected breach, the DPO will, not later than 72 hours after the organisation has become aware of the breach, notify the Data Protection Commission of the breach, ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms’ of the data subject.

If a reportable data breach is not notified within the 72-hour period, reasons for the delay must be provided to the Office of the Data Protection Commission.

The DPO will keep a summary record of each incident which has given rise to a risk of unauthorised disclosure, loss, destruction, or alteration of personal data and will record it in the Data Protection Breaches Register. The record should include a brief description of the nature of the incident. Such records will be provided to the Data Protection Commission upon request.

 

Communication of a personal data breach to the data subject

While there is not a general obligation to notify a data subject of a data breach, where the DPO considers that the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects, the DPO shall communicate certain details of the breach to the data subjects without delay, in accordance with Article 34 of the GDPR. If the decision is to advise the data subject(s) of the breach, those affected shall be provided with the following information regarding the breach:

  • the name and contact details of the DPO or other contact points where more information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The DPO should document the reasoning for the decisions taken in response to a breach, including if the decision is not to notify the data subjects of the breach.

If a processor used by the LRC becomes aware of a breach of the personal data it is processing on behalf of the LRC, it must notify the LRC’s Data Protection Officer 'without undue delay', as provided for in Article 33(2) of the GDPR. The processor will not assess the likelihood of the risk arising from the breach before notifying the LRC; it is the LRC’s DPO who must make this assessment on becoming aware of the breach.

How should the risk of a data breach be assessed?

The EU 'Article 29 Data Protection Working Party' has issued guidelines which set out criteria which data controllers may take into account when assessing such risks:

  • the type of breach;
  • the nature, sensitivity, and volume of personal data;
  • ease of identification of individuals;
  • severity of consequences for individuals;
  • special characteristics of the individual;
  • the number of affected individuals;
  • special characteristics of the data controller.

10.Subject Access Requests

The LRC is committed to compliance with all relevant EU and Irish laws in respect of personal data and the protection of the rights and freedoms of individuals whose information the LRC collects and processes.

The GDPR confers rights on individuals regarding their personal data and imposes obligations on entities which control or process personal data. In the course of its business, the LRC processes personal data (including special categories of personal data) relating to various categories of individuals, including employees and third parties, such as job applicants, people making FOI requests, individuals making submissions, and individuals in connection with procurement applications. In all circumstances, it is the LRC's policy to ensure that it processes personal data in accordance with the GDPR and the terms of this policy.

Article 15 of the GDPR provides data subjects with the right of access to their personal data.

Data subjects have the right to obtain the following information from the data controller:

  1. confirmation of whether or not personal data concerning them is being processed;
  2. where personal data concerning them is being processed, a copy of their personal data;
  3. where personal data concerning them is being processed, other additional information as follows:
     1. purpose(s) of the processing;
     2. categories of personal data;
     3. any recipients of the personal data to whom the personal data has or will be disclosed, in particular recipients in third countries or international organisations and, where this is the case, information about appropriate safeguards;
     4. the retention period, or if that is not possible, the criteria used to determine the retention period;
     5. the existence of the following rights:
        • the right to rectification;
        • the right to erasure;
        • the right to restrict processing;
        • the right to object;
     6. the right to lodge a complaint with the Data Protection Commission;
     7. where the personal data has not been collected from the data subject, any available information as to their source;
     8. the existence of automated decision making, including profiling, and meaningful information about how decisions are made, and the significance and consequences of such processing.

While a data subject may make a Subject Access Request in a way or format of their choosing, they may nonetheless be offered the form at Appendix B, which will help the LRC deal with their request efficiently and expediently.

Ideally, all subject access requests will be received directly by the DPO but where a member of staff receives such a request, they should refer it to the DPO without delay.

The DPO will maintain a register of subject access and other requests.

Once a request has been made, the information must be given within one month of receipt of the request. This can be extended by a further 2 months if the request is complex. There is no fee for providing this information; however, for any further copies requested by the data subject, a reasonable fee based on administrative costs may be charged.

A subject access request is usually made in writing, but the GDPR does not explicitly state that it must be in writing. The DPO may request additional information from a data subject in order to verify their identity and to help clarify the information sought. Where the data subject makes the request by electronic means, and unless otherwise requested, the information shall be provided in electronic form.

Processing a Subject Access Request

It is the responsibility of each Business Unit to process a subject access request which falls under their area of responsibility. The Data Protection Officer will provide guidance to the Business Unit processing the request and will undertake quality assurance checks before a subject access request is replied to.

What must be done in response to an access request?

  • the subject access request will be acknowledged by the Data Protection Officer;
  • the DPO will assign the request to the relevant section;
  • the section processing the access request will request, if considered necessary, all sections in the LRC to search their eDoc folders and relevant hard copy files as part of the search for personal data;
  • each section must document the procedures undertaken to locate records and provide the document to the section processing the request;
  • the section processing the request must provide the DPO with a copy of the records and draft a response to the DPO within 20 days of receipt of the request;
  • the DPO will examine the return for quality assurance and issue the reply to the requester.

Further details on processing a subject access request are set out in the Subject Access Request Policy.

Please note that, having received the access request, you cannot change or delete the personal data which is held.

Personal information should only be given to the individual concerned. If someone is acting on behalf of an individual, it is important to ensure that they have been given authority to act on behalf of the person.

If no information is being kept on computer or in a relevant filing system about the individual making the request, they should be informed of this within one month of making the request.

 

11.Correcting Inaccurate Factual Information

Article 5.1(d) of the GDPR provides that personal data shall be ‘accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay’.

Under Articles 16 and 19 of the GDPR, if an individual’s personal data is inaccurate, they have the right to have the data rectified, by the controller, without undue delay. If personal data is incomplete, a data subject has the right to have data completed, including by means of providing supplementary information.

Each section is responsible for ensuring that personal information which it holds is accurate and up to date.

If an individual believes that the LRC holds inaccurate factual personal information about them, the individual may have the inaccurate personal information corrected by contacting the LRC’s Data Protection Officer in writing outlining the information which they believe is incorrect and providing the correct information.

The Data Protection Officer will assess whether the information is incorrect. The GDPR provides that if the information is factually incorrect, it will be rectified 'without undue delay'. The DPO will notify the individual making the request that, if the amendment materially modifies the data concerned, it will notify any person to whom the data were disclosed during the 12 months immediately before the giving or sending of the request, unless such notification proves impossible or involves a disproportionate effort.

 

12.Data Protection Impact Assessments

A Data Protection Impact Assessment (‘DPIA’) is a process designed to describe the proposed data processing, assess its necessity and proportionality, and identify the risks to the rights and freedoms of natural persons resulting from the proposed processing, by assessing those risks and determining the measures to address and mitigate them.

DPIAs are important tools for accountability as they help the LRC, as a controller, to not only comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the GDPR.

A DPIA may concern a single data processing operation, e.g., operation of CCTV, or can be used to assess multiple processing operations that are similar, e.g., HR functions.

The DPIA should be carried out prior to the processing. The controller is responsible for ensuring that a DPIA is carried out. The controller must seek the advice of the Data Protection Officer, and this advice, and the decisions taken by the controller, should be documented within the DPIA.

A DPIA template is set out in Appendix C.

 

13.Definitions

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  4. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  5. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  6. ‘recipient’ means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  7. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  8. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  9. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;