Data Protection

Data Protection Policy

What is Data Protection?

Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of their personal data. People supply information about themselves to government bodies, banks, insurance companies, medical professionals and many others in order to avail of services or satisfy obligations. For the purpose of data protection, organisations or individuals who control the contents and use of personal data are known as data controllers (e.g. North Tipperary County Council). The Data Protection Acts 1988 and 2003 confer rights on individuals as well as responsibilities on those persons processing personal data. These rights apply where the information is held:

On computer or
In a manual form, as part of a filing system that facilitates ready access to a specific individual’s information.

The principal function of North Tipperary County Council is to provide a wide range of services to the people of North Tipperary under the following main headings:

Housing and Building Services
Transportation and Roads Services
Water and Wastewater Services
Planning and Development Services
Environmental Services
Recreation and Amenity
Agriculture, Education, Health & Welfare
Miscellaneous

In performing its functions, North Tipperary County Council is required to process significant amounts of Personal Data within the remit of the Data Protection Acts 1988 and 2003. We respect the privacy of those whose personal data we process and are aware of our obligations under the Data Protection Acts. Personal Data is defined as data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Responsibilities of North Tipperary County Council as a Data Controller:

North Tipperary County Council is registered as a Data Controller with the Office of the Data Protection Commissioner (Registration Number 0196/A). Particulars of our registration are available online at www.dataprotection.ie. Under the Rules of the Data Protection Acts North Tipperary County Council must:

1. Obtain and process data fairly.

2. Keep data only for one or more specified, explicit and lawful purposes.

3. Use and disclose data only in ways compatible with these purposes.

4. Keep data safe and secure.

5. Keep data accurate, complete and up-to-date.

6. Ensure that data is adequate, relevant and not excessive.

7. Retain data for no longer than is necessary for the purpose or purposes.

8. Give a copy of his/her personal data to that individual, on request.

Individuals who wish to obtain a copy of personal data in accordance with the Data Protection Acts 1988 and 2003 should apply in writing to the Data Controller Compliance Officer of North Tipperary County Council.

On making an access request any individual, about whom personal data is kept is entitled to:

A copy of the data that is kept on him/her
Know the purpose/s for processing his/her data
Know the identity of those to whom the data is disclosed
Know the source of the data, unless it is contrary to public interest
Know the logic involved in automated decisions
A copy of any data held in the form of opinions, except where such opinions were given in confidence.

How to apply for a copy of personal data held by North Tipperary County Council:

The application must be made in writing
The applicant must give any details which might be needed to help the Council identify him/her and locate all the information kept about him/her e.g. previous addresses, customer account numbers.

Every individual about whom a data controller keeps personal information has a number of other rights under the Act, in addition to the Right of Access. These include the right to have any inaccurate information rectified or erased, to have personal data taken off a direct marketing or direct mailing list and the right to complain to the Data Protection Commissioner.

In response to an access request the Council will:

Supply the information to the individual promptly and within 40 days of receiving the request.
Provide the information in a form which will be clear to the ordinary person, e.g. any codes will be explained.
If there is no data kept about the individual, they will be notified of same within 40 days.

Data Protection Breach:

A data security breach can happen for a number of reasons which include:

Loss or theft of data or equipment on which data is stored
Unauthorised access and use of data
Equipment failure
Human error
Unforeseen circumstances e.g. fire or flood
Network being hacked into
Data accessed by the organisation being deceived

In order to manage data protection breaches the following steps must be followed:

Any breach of data protection should be reported immediately to staff member’s line manager.
The Line Manager must then in turn report it in writing to the Data Controller Compliance Officer.
Details of a breach should be reported accurately, including date and time the incident occurred, when it was detected, who reported the incident, details of any ICT system involved.
The Data Controller Compliance Officer will notify the Data Protection Commissioner where relevant.
Arrangements must be put in place by each section to notify the person(s) involved whose personal data has been breached.
Following the Data Protection breach, the Data Controller Compliance Officer will investigate how the breach occurred, the implications of the breach and the measures required to prevent reoccurrence.

The current Data Controller Compliance Officer is Rosemary Joyce, Senior Executive Officer, Corporate Support. She can be contacted on 067 44563 or by email on rjoyce@northtippcoco.ie.

The attention of all staff will be drawn to this policy through:

Publication on the Intranet.
Circulation to all Section Heads.