Under the Data Protection Acts 1988 and 2003 and the General Data Protection Regulation (GDPR), spunout has certain obligations as a Data Controller to process personal data in a fair and transparent manner.
spunout is committed to best practice in data protection and all data retained by the organisation will be kept no longer than necessary to achieve the stated purpose for which it was originally collected.
The term “data subject” refers to any living human whose personal data might be collected or processed by spunout. The “Data Protection Officer” will be an assigned member of spunout staff with responsibility for certain processes outlined in this document.
2. Data Collection
“Personal data” refers to any information which can be used to identify a living person. Personal data can only be collected and processed by spunout if doing so satisfies one of the following conditions:
- Consent has been received from the data subject that their personal data can be stored and processed for a stated purpose
- The data is required for the performance of a contract
- spunout has a legal obligation to do so
- spunout has a vital interest in doing so
- There is a public or legitimate interest in doing so
Some forms of personal data are categorised as “special category data”, which have stricter rules for collection and processing. Sensitive personal data is any information which records a living person’s:
- Racial or ethnic origin
- Political, religious or philosophical beliefs
- Trade union membership
- Physical or mental health condition
- Sexual life information
- Criminal record or accusations of a criminal offence
- Genetic or biometric data
spunout can only collect and process sensitive personal data if doing so satisfies one of the following conditions:
- Explicit (clear, unambiguous) consent has been received from the data subject that their personal data can be stored and processed for a stated purpose
- It is necessary for spunout to fulfill its obligations as an employer or under social security/social protection law
- It is necessary to protect the vital interests of the data subject or of another person, and the data subject is incapable of giving consent
- The data is being used for legitimate activities arising from our status as a not-for-profit body
- The data has clearly and obviously been made public by the data subject
- It is necessary for the purpose of a legal claim
- It is necessary for reasons of substantial public interest (while respecting and safeguarding as far as possible the rights of the data subject)
- It is necessary for certain medical reasons, including the assessment of the working capacity of an employee
- It is necessary for public health reasons
- It is necessary for archiving purposes in the interest of the public, scientific or historical research, or certain statistical purposes (while respecting and safeguarding as far as possible the rights of the data subject)
In all cases of personal or sensitive data collection, the preferred condition for collection and processing by spunout is that consent has been received from the data subject.
3. Data Processing
“Data processing” refers to any operation performed on personal data, e.g. collection, recording, organising, structuring, storage, adaptation or alteration.
spunout can only process personal data for the specific purpose or purposes for which it was originally gathered. Personal data should only be retained by SpunOut.ie for as long as it takes to fulfill this purpose and no longer, or until the data subject makes a legitimate request to exercise their right of erasure.
4. Data Storage
All personal data held by spunout must be stored in a secure manner. Data should only be accessible to appropriate named members of staff for whom accessing the data in question forms a part of their job.
Be advised that spunout is required to retain certain records containing personal information for a pre-set amount of time to satisfy our legal obligations. Premature destruction of such data could result in serious repercussions for the organisation.
5. Data Access Requests
Any individual whose personal data is held by spunout has a right to request a copy of all their personal data currently held by the organisation. The information must be clear, free, comprehensive, explain the purpose for which their data is being processed, and be delivered within one month of their initial request being received.
spunout staff who receive a data access request must use the following step-by-step procedure:
- Notify the Data Protection Officer (DPO) that a data access request has been received as soon as possible, preferably immediately
- The DPO will attempt to determine whether the individual who made the request is definitely the subject of the data in question; the DPO will request clear identification which may include a passport or other form of state-issued I.D., and, if deemed necessary, proofs of address, as well as requesting clarification, if needed, on the nature of the individual’s relationship or former relationship with spunout
- If the DPO is satisfied with the above, they will identify the member of staff best placed to handle the data access request
- The designated member of staff will acknowledge receipt of the request to the requester, and inform them of the timeframe (no more than one month from the original staff member receiving the request) in which they can expect a full reply
- If necessary, confirm the identity of the person making the request beyond reasonable doubt
- Agree a timeframe with the DPO for collation of all information held by spunout on the requester, treating one month as an outer limit for delivery. If possible, the process should be completed well in advance of one month.
- The designated member of staff will raise the issue at the next Team Meeting, after which all members of staff will search their records for relevant data and share any such data with the designated member of staff as soon as possible
- Upon completion of the data file, the designated member of staff must state in writing that no additional data has been withheld to their knowledge
- With the approval of the DPO, the file containing all relevant data will be sent to the requester.
6. Right of Erasure
spunout recognises the legal right of data subjects to be forgotten, withdrawing their consent for spunout to hold and process their personal data. All individuals with personal data held by spunout may request at any time that all data held on them by the organisation be destroyed.
Data subjects are free to exercise this right, except in cases where to destroy such data would violate spunout’s legal obligations, i.e. in the case of employee contractual information, which must be held for a period of years even in the event of an employee ceasing their period of employment with the organisation.
7. Data Destruction
Personal data held by spunout which has served the purpose for which it was collected will be destroyed. Likewise, personal data on which a legitimate right of erasure claim has been made will also be destroyed.
The destruction of personal data stored in paper form will be conducted by shredding. Where personal data is stored electronically, care must be taken to ensure it is properly and entirely deleted from all sources (e.g. CRM, Google Drive, Dropbox, etc.) and by all employees of spunout.
In the event of legal proceedings being launched against spunout, the CEO may instruct members of staff to cease any data destruction operations currently underway. Destruction should resume as soon as legal proceedings have come to a close.
8. Data Retention Periods
Different categories of personal data must be retained by spunout for different periods of time in order to fulfill their purpose. In general, records should not be retained if there is no clear business reason for doing so.
- Child Protection Documentation: Indefinite
- “Withholding” Documentation: Indefinite
- Contractual and Audit: Up to seven years from year of issue
- Insurance information: Seven years from date of issue, or longer/indefinite if required by policy
- HR for roles funded by grant: Up to seven years from termination of grant
- Garda vetting documentation (volunteers): Not longer than one year, or upon termination of involvement with spunout
- Garda vetting documentation (staff or job applicants): Not longer than the statutory period in which a claim arising from the recruitment process may be brought
- Other: Until purpose for collection expires, or consent is withdrawn
9. Data Breaches
A “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” by spunout. Data breaches can be large or small in scale: for instance, accidentally cc’ing instead of bcc’ing people in an email could constitute a personal data breach.
In the event any member of staff becomes aware of a possible personal data breach, however small, they must inform the Data Protection Officer without delay.
Upon being notified of a potential personal data breach, the DPO must determine the following:
- Whether there has been a breach of personal data held by spunout or, if this cannot be definitively proven, whether it is likely such a breach has occurred;
- Whether this breach or likely breach is damaging to the individuals whose personal data has been compromised;
- As far as possible, who accessed what data and when, how that data is being used, and which individuals are likely to be affected.
The DPO must assess whether the data breach is significant enough to bring to the attention of the Data Protection Commission based on the three determinations above, and if so must inform the Commission within 72 hours. If, for whatever reason, the Data Protection Commission is not notified within 72 hours, the DPO must include reasons for the delay with their submission. The DPO will also inform the affected individuals whose data has been compromised.
The DPO’s notification must include the following information:
- A description of the nature of the breach including, if possible, the categories and approximate numbers of individual data subjects and/or data records involved;
- The name and contact details of the DPO or another person who can be contacted for more information;
- The likely consequences arising from the breach;
- A summary of the measures taken and proposed to be taken to address the breach and, where possible, to mitigate its possible effects.
Once all relevant parties have been informed, the DPO will work with relevant staff to implement the proposed measures to address the personal data breach, including revision of policies and practices as necessary and subject to the normal processes of spunout policy change.
10. Data Sharing
In some cases, spunout may engage in peer-to-peer relationships with other organisations in which data is shared between both parties, and both become responsible for the proper use and protection of that data. All such relationships require a Joint Controller Agreement (otherwise known as a Data Sharing Agreement) to be agreed and in place before any data can be shared.
A Joint Controller Agreement must clearly set out:
- Which party is responsible for which particular elements or phases of data processing;
- Which party is responsible for responding to requests from data subjects regarding their rights, e.g. for data access requests;
- The point of contact with whom data subjects can communicate in relation to certain aspects of processing.
In other cases, spunout may hire a third party service provider to process personal data on the organisation’s behalf, with spunout remaining responsible for the proper use and protection of the data. In order for data to be shared in such a manner, a formal Data Processor Contract must be in place with the service provider, which must include:
- The subject matter and duration of the data processing
- The nature and purpose of the processing
- The type of personal data and categories of data subjects
- The obligations and rights of spunout
11. Contacting the Data Protection Officer
The Data Protection Officer (DPO) of spunout can be contacted at [email protected].
Data access requests, data destruction requests, requests to exercise a right of erasure and any queries about data protection policies should be addressed to the DPO and will be actioned within one month of receipt of request.
12. spunout, Community Creations and 50808
spunout is a project of Community Creations Company Limited by Guarantee, a registered charity that also runs the 50808 service. Each of these names refers to a single legal entity with one charity number, one CEO and one Board of Directors.