
DATA PROTECTION POLICY

Follow Your Dream (FYD)


 


Mission Statement

Follow Your Dream believes that every young person is gifted in some way and has the right to develop and express this giftedness. Its mission is to afford young people the opportunities whereby they can grow and develop, giving expression to their talents and acquiring skills which increase their confidence and self-esteem.

 

Introduction

 

Data Protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights. Data Protection legislation safeguards the privacy rights of individuals in relation to the processing of personal data.

 

Follow Your Dream is fully committed to compliance with the requirements of the General Data Protection Regulation (GDPR), effective from 25th May 2018 (replacing the existing data protection framework under the EU Data Protection Directive) and the Data Protection Act 2018.

 

Follow Your Dream collects and processes personal information relating to its members, volunteers and benefactors in order to carry out its administrative and statutory functions, and it operates responsibly with regard to privacy and data protection rights. As both a data controller and a data processor, Follow Your Dream is fully aware of and abides by its duties and responsibilities under data protection legislation.

 

 

Policy Scope Application

 

This policy is a statement of Follow Your Dream’s commitment to protect the rights and privacy of the personal data of individuals in accordance with GDPR and the Data Protection Act 2018. This policy applies to all volunteers and others in so far as the measures of the policy apply to them.

This policy applies to all personal data whether it is collected and kept on paper, computer or some other material.

 

Follow Your Dream needs to collect and use certain types of personal data. These categories of personal data include but are not limited to:

 

Membership forms

Consent forms

Attendance records

Incident records

Accident reports

Complaints records

Organisations’ details

Minutes of Meetings

Accounts and financial records

Garda Vetting

Child Protection Training

Volunteer details: Name, address, phone numbers, Email address.

 

 

When you join FYD you trust us with your information. This privacy policy is meant to help you understand what data we collect, why we collect it, and what we do with it. We have tried to make it as simple as possible but if you have any questions please contact us.


 

  • Information we collect

  • Where we get our information

  • How we use the information we collect

  • Information we share

  • How and when consent is obtained

  • How we protect your data

  • Protecting your rights to data

  • Security of your personal data


 

1.         Information we collect

Follow Your Dream holds personal data as part of running its programmes for young children. Data is held under the following headings: personal records, general administrative records and financial records.

1.1       Personal records  

A personal record refers to all information collected, processed and held both in manual and electronic formats pertaining to the service user and their care. In order to provide a high quality service, a range of information may be collected.

Examples of data collected and held on all current and active participants include the following:

Contact details: Name, address.

Personal details: Date of birth.

Parent/guardian: Name, address and phone numbers.

Other contacts: Name, address, phone number of person named by parent/guardian in case it is needed.

Medical condition if applicable


 

1.2       General administrative records

Follow Your Dream may hold information within:

Membership forms

Consent forms

Attendance records

Incident records

Accident reports *

Complaints records

Indemnity forms

Organisations’ details.


 

*Accident reports will be sent to Crosscare to whom we are affiliated and who provide insurance cover for Follow Your Dream. These reports will be kept securely by Crosscare until the relevant member reaches 21 years of age.


 

1.3       Financial records

 A financial record pertains to all financial information concerning the participants, e.g. invoices, receipts and any other information FYD are required to retain for the purposes of good governance. Follow Your Dream may hold such data. This information may include name of bill payer, client name, address, e-mail address and record of invoices and payments made.


 

2.         Where we get our information

Personal data will be provided by the participants, or in the case of a child (under 16 years), their parent(s)/guardian(s). This information will be collected when signing up to Follow Your Dream on the date of first contact or when first becoming a member or when renewing membership.


 

3.         How we use the information that we collect

We use the information we collect to contact participants, maintain the general running of our activities and programmes and fulfil our obligations as per our affiliation to Crosscare and under our insurance cover provided by Crosscare.

3.1       Data retention periods

The retention periods are the suggested time periods for which the records should be held based on the organisation’s needs, legal and/or fiscal precedence or historical purposes. Following the retention deadline, all data will be destroyed under confidential means.

3.2       Client Records

3.2.1        Financial Records

Follow Your Dream keeps paper and electronic records of financial data from those who use and supply our services.

Section 886 of the Direct Tax Acts states that the Revenue Commissioners require records to be retained for a minimum period of six years after the completion of the transactions, acts or operations to which they relate. These requirements apply to manual and electronic records equally. Financial Data is kept for 6 years to adhere to Revenue guidelines.

3.2.2         Contact Data

Contact Data is kept for 2 years after participation in our programmes. Consent forms are maintained until the member reaches the age of 21.

3.3       Exceptions

If under investigation or if litigation is likely, files must be held in original form indefinitely; otherwise files are held for the minimum periods set out above.


 

4.         Information we share

 We do not share personal information with companies, organisations and individuals outside FYD unless one of the following circumstances applies:

4.1       With your consent:

We will share personal information when we have your written consent to do so. We require opt-in consent for the sharing of any sensitive information.

4.2       For legal reasons:

We will share personal information with companies or organisations outside of Follow Your Dream if disclosure of the information is reasonably necessary to:

  • Meet any applicable law, regulation, legal process or enforceable governmental request.

  • Meet the requirements of the Children First Act 2015.

  • Protect against harm to the rights, property or safety of FYD, our users, volunteers or the public as required or permitted by law.


 

4.3       For processing by third parties/external processing

 The following third parties are engaged for processing data:

Who:

  • Three Ireland

  • WhatsApp

Type of data:

  • Phone Numbers

Purpose:

  • Text notifications and reminders


 

5.         Sharing Data

5.1       Legal requirements

FYD is required to share data with external parties in the following circumstances:

  • Compliance with child protection.

  • Compliance with law enforcement.

5.2      Other parties

Any transfers outside the above which contain Personal Identifying Information (PII) to third parties are only made once the owner of the data has given express written permission by letter or email to do so.


 

6.         How and when we obtain consent

A copy of our data protection policy is available on our website; parents and guardians of participants are made aware of this on our consent form. Parents/Guardians will give their consent for their data and their child’s data to be processed and retained by Follow Your Dream, for as long as is required, by signing the consent form.

Should a parent or guardian wish to withdraw their consent for data to be processed, they can do so by contacting Follow Your Dream in writing.


 

7.         How we protect your data

In accordance with the General Data Protection Regulation (GDPR), we will endeavour to protect your personal data in a number of ways:

 7.1       By limiting the data that we collect in the first instance

All data collected by us will be collected solely for the purposes set out at Clause 1 above and will be collected for specified, explicit and legitimate purposes.  The data will not be processed any further in a manner that is incompatible with those purposes save in the special circumstances referred to in section 5.1. Furthermore, all data collected by us will be adequate, relevant and limited to what is necessary.

7.2       By transmitting the data in certain specified circumstances only

Data will be shared and transmitted, be it on paper or electronically, only as is required and as set out in sections 3 and 5.

7.3       By keeping only the data that is required, when it is required and by limiting its accessibility to any other third parties.

7.4       By disposing of/destroying the data once the individual has stopped engaging with Follow Your Dream.

Data will be confidentially destroyed 2 years after finishing, apart from the special categories of personal data as set out at 1.1 and 3.3.2. Where data is required to be held by us for longer than the period of 2 years post-discharge, we will put in place appropriate organisational measures to ensure a level of security appropriate to the risk.

7.5       By retaining the data for only as long as is required, which in this case is 2 years post-discharge, except where retention of data is required in the circumstances set out at parts 1.1 and 3.2.2 above or in certain specific circumstances as set out at Article 23(1) of the GDPR.

 7.6       By destroying the data securely and confidentially after the period of retention has elapsed.

 This could include the use of confidential shredding facilities.

7.7       By ensuring that any personal data collected and retained is both accurate and up-to-date. 

 

8.        Protecting your Rights to Data

 8.1       Adult clients

Adults have the right to request data held on them as per Article 15 of GDPR. A request must be made in writing. Further information regarding accessing your personal data is available in the document ‘Rights of Individuals under the General Data Protection Regulation’, downloadable from: www.gdprandyou.ie

 8.2       Children

For children under the age of 16, data access requests are made by their guardians. When a child turns 16, then they may make a request for their personal data. However, this is subject to adherence with the Children First Act.


 

 9.      Security

Follow Your Dream is aware of the need for privacy. As such, we aim to practise privacy by design as a default approach, and only obtain and retain the information needed to provide you with the best possible service.

All persons volunteering with Follow Your Dream are briefed on the proper management, storage and safekeeping of data.

All data used by Follow Your Dream, including personal data, may be retained in any of the following formats:

  • Electronic Data

  • Physical Files

The type of format for storing the data is decided based on the format the data exists in. Where applicable, Follow Your Dream may convert physical files to electronic records to allow us to provide a better service to clients.

9.1       Data Security

FYD understands that the personal data used in order to provide a service belongs to the individuals involved. The following outlines the steps which FYD use to ensure that the data is kept safe.

We currently use Three Ireland on a specific FYD number to send out text messages by way of reminders and notifications. Phone numbers are saved to the FYD phone and used solely for the dissemination of reminders and information pertaining to FYD.

By using WhatsApp to send texts we will ensure that:

  • The system provider is aware of their requirements for GDPR compliance.

  • The system has an FYD administrator.

  • The system has a Live Update for security enabled.

  • There will be a shared single Log on and Password in order to access the records.

  • The data controller in FYD can change the password.

Members of FYD can opt out of the WhatsApp group should they wish and texts will be sent to them individually from the FYD phone number.

 

Physical Files
All physical data relating to current clients are located in: 93 Ashwood Road, Bawnogue, Clondalkin.
All physical data relating to lapsed members are located at 93 Ashwood Road, Bawnogue, Clondalkin.
These records are kept in a locked cabinet.
Volunteers working in FYD have access to these records on a need to know basis.

​

9.2       Security Policy

9.2.1      All physical devices used by persons working in Follow Your Dream which may contain any identifiable PII are password protected.

9.2.2         All persons working in Follow Your Dream are aware of and briefed on the requirements for good data hygiene, and refresh them every year. This briefing compliance is monitored by the FYD Data Controller and includes, but is not limited to:

  • Awareness of client conversations in unsecure locations.

  • Enabling auto-lock on devices when leaving them unattended

  • Use of non-identifiable note taking options. (Initials, not names).

  • The awareness of Follow Your Dream’s procedures should a possible data breach occur, whether malicious (theft) or accidental (loss), involving devices or physical files.


 

10. Roles and responsibilities

In Follow Your Dream data will be processed in line with the data subjects’ rights. Data subjects have a right to:

  1. Request access to any data held about them by a data controller.

  2. Prevent the processing of their data for direct marketing purposes.

  3. Ask to have inaccurate data amended.

  4. Prevent processing that is likely to cause damage to themselves or distress to themselves or anyone else.

The Committee is the data controller, and the Chairperson is responsible for ensuring the implementation of the Data Protection Policy. All volunteers who handle or who have access to personal data should be familiar with data protection responsibilities.

The following personnel have responsibility for implementing the Data Protection Policy:

Committee: Data controller

Chairperson: Implementation of policy

Volunteers: Awareness of responsibilities

Administrative personnel: Security, confidentiality

IT: Security, confidentiality

The Committee have a key role in driving data protection awareness and compliance throughout Follow Your Dream.


 

Subject Access Requests:

Data Subjects have the right of access to information held by FYD subject to the provisions of GDPR and the Data Protection Act 2018. Any data subject wishing to access their personal data should put their request in writing to FYD. Requests will be responded to as soon as is reasonably practicable and in any event, within one month.

If you are not satisfied with the outcome of the response you receive from FYD in relation to your request, then you are entitled to make a complaint to the Data Protection Commissioner who may investigate the matter for you. The Data Protection Commissioner’s website is www.dataprotection.ie

 

Data Breach policy:

FYD acknowledges the importance of information security. This policy sets out a framework for addressing any breach that occurs. See Appendix 1.

Data Protection Contact Details

For all enquiries relating to Data Protection contact:

37 Commons Road,
Clondalkin,
Dublin 22.

​

Ratification, Monitoring and Evaluation

Once the Data Protection Policy has been ratified by the Committee it becomes Follow Your Dream’s agreed Data Protection Policy. It is then dated and circulated to all volunteers and posted on our website for parents/members. All volunteers must be familiar with this policy and put it into practice.

The implementation will be monitored by the Committee.

The policy will be reviewed and evaluated at certain times and as necessary. This will take cognisance of changing information or guidelines from the Data Commissioner, legislation, and the feedback from volunteers and members.


 

Signed: Chairperson ______________________

Secretary _______________________


 

Date of document:  April 2021

Review Date: April 2022 


 

APPENDIX 1. 

 

Data Protection Breach Management Policy

1. Purpose

Follow Your Dream is legally required under the Irish Data Protection Act 1988, 2003, 2018 and the General Data Protection Regulation (GDPR) to ensure the security and confidentiality of information/personal data it processes on behalf of all of its members and volunteers.

Information/personal data and special category data are our most important assets and each of us has a responsibility to ensure the security of this information. This policy is required to manage any breach of information/personal data being accidentally disclosed to unauthorised persons, lost due to a fire or flood, or stolen as a result of a targeted cyber attack or the theft of a mobile computer device.

The purpose of this policy is to ensure that a standardised management approach is implemented by Follow Your Dream in the event of an information/personal data breach. This policy is mandatory and by accessing any of Follow Your Dream’s information/personal data, users are agreeing to abide by the terms of this policy.

 

2. Scope

The policy applies to all Follow Your Dream volunteers, service providers and third parties that access, use, store or process information on behalf of Follow Your Dream.

3. Legislation

Follow Your Dream has an obligation to abide by all relevant Irish legislation and European legislation in relation to the protection of personal data. The relevant acts, which apply in Irish law to information systems, include but are not limited to:

  • The Data Protection Act (1988/2003)

  • The Data Protection Act (2001)

  • European Communities Data Protection Regulations (2001)

  • European Communities (Data Protection and Privacy in Telecommunications) Regulations (2002)

  • Data Protection EU Directive 95/46/EC

  • General Data Protection Regulation (GDPR)

  • Criminal Damages Act (1991)

​

4. Policy

It is the policy of Follow Your Dream that in the event of any information/personal data breach occurring, the following breach management plan will be strictly adhered to.

There are five elements to this breach management plan:

  1. Identification and Classification

  2. Containment and Recovery

  3. Risk Assessment

  4. Notification of Breach

  5. Evaluation and Response

​

5. Breach Management Plan

5.1 Identification and Classification

Follow Your Dream requires any volunteer who becomes aware of any information/personal data security breach to report it immediately.

  • All Breaches are to be immediately reported to the Chairperson of the Committee.

  • Having the procedure in place will allow for early recognition of the data breach and ensure that it will be dealt with in the most appropriate manner.

  • Details of the breach should be accurately recorded, including the date and time the breach occurred, the date and time it was detected, who reported the breach, a description of the breach, details of any information and communication technology (ICT) systems involved, and corroborating material such as error messages, log files, etc.

  • A “breach” may be defined as the unintentional release of Follow Your Dream’s confidential or personal information/data to unauthorised persons, either through the accidental disclosure, loss or theft of the information/personal data.

5.2 Containment and Recovery

Containment involves limiting the scope and impact of the breach of personal data/information. If a breach occurs, Follow Your Dream will:

  • Decide on who will take the lead in investigating the breach and ensure that the appropriate resources are made available for the investigation.

  • Establish who in the organisation needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. For example, this might entail isolating a compromised section of the network, finding a lost file or piece of equipment, or simply changing access codes to computers, etc.

5.3 Risk Assessment

In assessing the risk arising from the security breach, Follow Your Dream will consider the following points:

  • What type of information/ personal data is involved?

  • How sensitive is the information/data?

  • Are there any security mechanisms in place (e.g. password, encryption, other protection)?

  • What could the information/data tell a third party about the individual?

  • How many individuals are affected by the breach?

5.4 Notification of Breaches

All information/personal data breaches must be reported to the Chairperson of the Committee who will notify the Data Protection Commissioner’s office of any personal data breach.

5.5 Evaluation and Response

Subsequent to any information/personal data security breach, a thorough review of the incident will occur. The purpose of this review is to ensure that the steps taken during the incident were appropriate as well as to identify areas that may need to be improved.

Any recommended changes to policies and/or procedures should be documented and implemented as soon as possible thereafter.

​

6. Roles and Responsibilities

6.1 Committee

All are responsible for the implementation of this policy and all other relevant policies within the business areas for which they are responsible.

 

7. Review and Update

This policy will be reviewed and updated annually or more frequently, if necessary, to ensure that any changes to Follow Your Dream’s organisational structure and business practices are properly reflected in this policy.
