Data Protection Policy

1 Purpose of Policy

The purpose of this Data Protection Policy is to inform employees of their obligations under the Data Protection Act 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, GDPR), to give employees an understanding of confidentiality, and to provide clear guidelines on the handling of confidential information.

2 Introduction

This policy applies to the employees of IT.ie (IT.ie/we), including temporary and fixed-term employees and contractors, who process any personal data.  Employees have obligations both as users of personal data (e.g. a customer’s personal data) and as employees of IT.ie.  Data privacy legislation gives individuals certain rights regarding information held about them: it places obligations on those who process the information while giving rights to those who are the subject of it.  Personal information covers both facts and opinions about an individual.

It is crucial that all staff understand the reasons for processing personal information.  This policy describes the purposes for which personal data and special categories of personal data (SCOPD) are obtained from service users, the principles to follow to safeguard information provided in confidence, and the circumstances in which this information may need to be shared, disclosed, accessed or deleted.

If employees handle personal data in any way, they should take as much care as possible to ensure they are acting in accordance with IT.ie’s procedures and practices.

3 Purpose(s) for which we process Customer Data

We use Personal Data: 

·         To send information and materials regarding our products and services.

·         To send administrative information such as changes to our terms, conditions, and policies.

·         To send marketing communications, including via email and SMS in compliance with applicable laws and in accordance with customers’ preferences.

·         To personalise the experience on our websites, applications and social media by presenting products and offers tailored to the PII principal/data subject.

·         For our business purposes, such as data analysis, audits, fraud monitoring and prevention, developing new products, enhancing, improving or modifying our websites and services, identifying usage trends, determining the effectiveness of our promotional campaigns and operating and expanding our business activities.

·         As we believe to be necessary or appropriate: (a) under applicable law, including laws outside your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities, including those outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations or those of any of our Affiliates; (f) to protect our rights, privacy, safety or property, and/or that of our Affiliates, PII principals/data subjects or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.

4 Six Data Protection Principles

IT.ie will administer its responsibilities under the data privacy legislation in accordance with the six data protection principles, as follows.

Personal data shall be:

1.       processed lawfully, fairly and in a transparent manner in relation to the PII principal/data subject (‘lawfulness, fairness and transparency’);

We will process personal data fairly, lawfully and in a transparent manner.

2.       collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

We will only collect and process personal data for purposes that are specified, explicit and legitimate, and not in a manner that is incompatible with those purposes.

3.       adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

We collect only personal data that is adequate, relevant and limited to what is necessary for the purpose for which it is collected.

4.       accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

We maintain a high level of data accuracy and, when made aware of an inaccuracy, we will rectify or erase the personal data without undue delay.

5.       kept in a form which permits identification of PII principal/data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the PII principal/data subject (‘storage limitation’);

IT.ie does not retain personal data for longer than is necessary for the purpose for which it was collected.

6.       processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

We take our security responsibilities seriously, employing appropriate physical, organisational and technical measures, including staff training and awareness.  We review our security measures and procedures regularly.

 

Any breach of the Data Protection Policy, whether deliberate or through negligence, may lead to disciplinary action being taken or even criminal prosecution, so all employees need to be aware of the provisions of the privacy legislation.  If in doubt, please consult the CTO of IT.ie.

The CTO must be informed of all actual and suspected personal data breaches as soon as you become aware of them, so that action can be taken to mitigate the risk to the rights and freedoms of the PII principals/data subjects.  Prompt internal reporting matters because, where a breach is likely to result in a risk to individuals, GDPR Article 33 requires the controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it.

5 Direct Marketing

PII principals/data subjects are given the opportunity to update their marketing preferences via the website, by phone and by email.  It is critical that we do not send marketing communications to anyone who has opted out of receiving them, and that a change of preference is applied across every channel we use, not only the channel through which it was received.

 

6 Data Security

All employees are responsible for ensuring that:

§  Any personal data they hold, whether in electronic or paper format, is kept securely.

§  Personal data is not disclosed deliberately or accidentally either orally or in writing to any unauthorised third party.

§  Any papers containing personal data are shredded or otherwise securely destroyed.  Do not use normal waste bins for the disposal of personal data.

§  All papers containing customer information must be collected from the printer as quickly as possible and should not be left on your desk. 

§  Work documents should be kept at work unless prior approval has been received from the CTO.

§  You should always lock your PC/Laptop/iPad when you leave your desk unattended.

§  Clear your desk at the end of each day – maintain a tidy desk.

§  Any transfer of customer personal data should be made via a secure file transfer service with suitable encryption and password protection; do not send it as an unprotected email attachment, and send any password by a separate channel from the file itself.

The deliberate manipulation or alteration of data is considered a serious breach of the data privacy legislation.  Divulging passwords or discussing company and customer information outside of work is also a serious breach.

All employees should ensure they are familiar with, and following, the Information Security Policy.

 

7 PII principal/data subject’s Rights

         I.            Right to be Informed – when we are collecting personal data directly from an individual or indirectly via a third party, the individual has a right to be informed about what personal data we hold, why we hold it and what we do with it.  IT.ie meets this right by providing our Data Privacy Notice online and to our customers.

       II.            Right of Access – any individual has the right to access any personal data that is being kept about them, either electronically or in structured and accessible manual files.  IT.ie must ensure that any request for access is completed without undue delay and at the very latest within one month.

     III.            Right to Rectification – any individual has a right to have their personal data rectified if the data is inaccurate or incomplete.  IT.ie must honour this right without undue delay and at the very latest within one month.

    IV.            Right to Erasure – any individual has the right to request that their personal data be erased (the ‘right to be forgotten’) in one of the following circumstances:

a.       Where processing is no longer necessary in relation to the purpose for which it was collected.

b.       If the PII principal/data subject withdraws consent and where there is no other legal ground for the processing.

c.       Where the PII principal/data subject objects to the processing and there are no legitimate overriding grounds for ongoing processing.

d.       Where the processing is unlawful.

e.       Where the personal data must be erased to comply with a legal obligation.

f.        Where the personal data was collected in relation to the offer of information society services directly to a child (GDPR Article 8(1)).

IT.ie must honour this right without undue delay and at the very latest within one month.

      V.            Right to Restrict Processing – any individual has the right to restrict the processing of their personal data when one of the following conditions applies:

a.       The individual contests the accuracy of the personal data – processing will be restricted for a period that enables IT.ie to verify the accuracy of the data.

b.       The individual has objected to the processing, pending verification of whether the legitimate grounds of IT.ie override those of the PII principal/data subject.

c.       The processing is unlawful and the individual opposes erasure and requests restriction instead.

d.       IT.ie no longer needs the personal data but the individual requires it to establish, exercise or defend a legal claim.

IT.ie must honour this right without undue delay and at the very latest within one month.

    VI.            Right to Data Portability – any individual has the right to receive the personal data they have provided to IT.ie in a structured, commonly used and machine-readable format and to transmit that data to another controller.  The right to data portability only applies:

a.       To personal data an individual has provided to a controller;

b.       Where the processing is based on the individual’s consent or for the performance of a contract; AND

c.       Where the processing is carried out by automated means.

IT.ie must honour this right without undue delay and at the very latest within one month.

   VII.            Right to Object – any individual has the right to object to the processing of their personal data when one of the following three conditions applies:

a.       When processing is based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling) – IT.ie must stop this processing unless: 

                                                               i.      You can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual; or

                                                             ii.      The processing is for the establishment, exercise or defence of legal claims.

b.       Direct marketing (including profiling).

c.       Processing for purposes of scientific/historical research or statistics – individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object.  Where the processing of personal data is necessary for the performance of a public interest task, IT.ie is not required to comply with an objection to the processing.

IT.ie must honour this right without undue delay and at the very latest within one month.

 VIII.            Right in relation to Automated Decision Making and Profiling – any individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless:

a.       The processing is necessary for entering into, or the performance of, a contract between the PII principal/data subject and the controller;

b.       The processing is authorised by Union or Member State law that includes suitable measures to safeguard the PII principal/data subject’s rights; or

c.       The processing is based on explicit consent.

IT.ie must honour this right without undue delay and at the very latest within one month.

8 Confidentiality and Disclosure Responsibilities

IT.ie is responsible for ensuring that all employees involved in dealing with confidential information receive appropriate training, supervision and support regarding this policy and their legal responsibilities.

Employees are required to act in accordance with this policy and failure to do so will be considered an act of gross misconduct and may result in disciplinary action up to and including dismissal.  General responsibilities of employees include, but are not limited to:

§  Notify management if the employee detects any improper usage, modification or disclosure of any private or personal information.

§  Not to access any confidential information without the express authorisation of management.  An employee should only have access to confidential information on a strictly “need to know” basis.

§  Employees are strictly prohibited from viewing or making amendments to the personal data of other individuals, unless it is necessary for the role they are performing.

§  Not to disclose any trade secrets or other information of a confidential nature relating to the company or any of its businesses, or in respect of which the company owes an obligation of confidence to any third party, during or after your employment, except where disclosure is required by a lawful authority.  Specifically, you should:

(a)    Confirm the identity of who you are speaking to before disclosing personal details.

(b)    Do not discuss personal data, special categories of personal data or payment details with anyone except as required for the role you are performing.

(c)     Do not remove, reproduce or transfer any documents, storage media or any other means of recording data or any confidential information at any time without proper authorisation.  All such documents, storage media and any other copies are the property of IT.ie.

(d)    On termination of employment (however caused), all books, documents, customer lists, samples and other documentation or items including notes prepared in the course of your employment shall be returned by you to the company and no copies of such documentation or items shall be retained by you.

(e)    Following termination of employment (however caused), you will not discuss the business of the company, its subsidiaries or associated companies with any competitor or interested person.

If you become aware of an incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data, in manual or electronic form, you should refer to IT.ie’s Personal Data Security Breach procedure.  This procedure addresses situations where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration.

If you are in any doubt with regards your responsibilities regarding confidentiality, please contact the CTO immediately for clarification.

 

9 Wrongful Disclosure

Wrongful disclosure can occur in at least two ways, by either act or omission: the first when confidential information is deliberately passed on to a third party, the second when confidential information is disclosed to a third party through negligence.  Wrongful disclosure will be considered an act of gross misconduct and will result in disciplinary action.

 

10 Limits to Confidentiality

In exceptional circumstances, IT.ie may need to break confidentiality, for example when it is required to be disclosed to a court of law, regulatory authority or tribunal of competent jurisdiction.  In so far as is possible, in such cases a full explanation will be given regarding the necessary procedures that may need to be taken.

 

11 Applicable Legislation

For all staff, the relevant legislation is the Data Protection Act 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, GDPR).

 

12 Penalties

Any breach of the Data Protection Policy, whether deliberate or through negligence, may lead to disciplinary action being taken or even criminal prosecution, therefore it is imperative that all employees are aware of the provisions of the data privacy legislation. 

If you are in any doubt with regards your responsibilities, please contact the CTO immediately for clarification.

 

13 Transfers of data

IT.ie does not transfer any data outside of the European Economic Area (EEA).

 

14 Review

This Policy will be reviewed regularly in light of any legislative or other relevant developments, but at the very latest, on an annual basis.

 

15 Contact

If you have any questions about this Policy, please contact the CTO.

 

Glossary

As per the General Data Protection Regulation:

Ø  ‘personal data’ means any information relating to an identified or identifiable natural person (‘PII principal/data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Ø  ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Ø  ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Ø  ‘third party’ means a natural or legal person, public authority, agency or body other than the PII principal/data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Ø  ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council; [in summary, this means any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service].

Ø  ‘confidential information’ (IT.ie definition) means any information, material or data that the organisation considers and treats as confidential, special category (formerly ‘sensitive’) or proprietary and that has not entered the public domain through the company’s own due process; it is treated as confidential whether or not it is explicitly marked as such.

 

Document Owner and Approval

The Managing Director is responsible for ensuring that this document is reviewed in line with the review requirements of the PIMS.

Change History Record

Issue | Description of Change | Approval        | Date of Issue
1     | Initial issue         | Wayne Morgan    | 8 December 2020
2     | Document reviewed     | Eamon Gallagher | 4 April 2022
3     | Document reviewed     | Eamon Gallagher | 25 October 2023

 

 
