DATA PROTECTION POLICY

Mission Statement

Follow Your Dream believes that every young person is gifted in some way and has the right to develop and express this giftedness. Its mission is to afford young people opportunities to grow and develop, giving expression to their talents and acquiring skills which increase their confidence and self-esteem.

 

Introduction

 

Data Protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights. Data Protection legislation safeguards the privacy rights of individuals in relation to the processing of personal data.

 

Follow Your Dream is fully committed to compliance with the requirements of the General Data Protection Regulation (GDPR), effective from 25th May 2018 (replacing the existing data protection framework under the EU Data Protection Directive) and the Data Protection Act 2018.

 

Follow Your Dream collects and processes personal information relating to its members, volunteers and benefactors in order to carry out its administrative and statutory functions, and it operates responsibly under the privacy and data protection rights. As both a data controller and a data processor, Follow Your Dream is fully aware of and abides by its duties and responsibilities under data protection legislation.

Policy Scope Application

 

This policy is a statement of Follow Your Dream's commitment to protect the rights and privacy of the personal data of individuals in accordance with GDPR and the Data Protection Act 2018. This policy applies to all volunteers and others in so far as the measures of the policy apply to them.

This policy applies to all personal data whether it is collected and kept on paper, computer or some other material.

 

Follow Your Dream needs to collect and use certain types of personal data. These categories of personal data include but are not limited to:

 

  • Membership forms

  • Consent forms

  • Attendance records

  • Incident records

  • Complaints records

  • Organisations' details

  • Minutes of Meetings

  • Accounts and financial records

  • Garda Vetting

  • Child Protection Training

  • Volunteer details: Name, address, phone numbers, email address.

 

 

When you join FYD you trust us with your information. This privacy policy is meant to help you understand what data we collect, why we collect it, and what we do with it. We have tried to make it as simple as possible but if you have any questions please contact us.

 

  • Information we collect

  • Where we get our information

  • How we use the information we collect

  • Information we share

  • How and when consent is obtained

  • How we protect your data

  • Protecting your rights to data

  • Security of your personal data

 

1.         Information we collect

FYD holds personal data as part of running its programmes for young children. The data falls under the following headings: personal record, general administrative records and financial records.

1.1       Personal record  

A personal record refers to all information collected, processed and held both in manual and electronic formats pertaining to the service user and their care. In order to provide a high quality service, a range of information may be collected.

Examples of data collected and held on all current and active participants include the following:

Contact details: Name, address.

Personal details: Date of birth.

Parent/guardian: Name, address and phone numbers.

Other contacts: Name, address, phone number of person named by parent/guardian in case it is needed.

Medical condition if applicable

 

1.2       General administrative records

FYD may hold information regarding:  

Membership forms

Consent forms

Attendance records

Incident records

Accident report forms

Complaints records

Indemnity forms

Organisations’ details.

 

1.3       Financial records

 A financial record pertains to all financial information concerning the participants, e.g. invoices, receipts, information for Revenue. FYD may hold data in relation to: receipts and invoices. This information may include name of bill payer, client name, address, e-mail address and record of invoices and payments made.

2. Where we get our information

Personal data will be provided by the participants, or in the case of a child (under 16 years), their parent(s)/guardian(s). This information will be collected when signing up to FYD on the date of first contact or when first becoming a member or when renewing membership.

 

3.         How we use the information that we collect

 We use the information we collect to contact participants as well as to maintain the general running of our activities and programmes.

3.1       Data retention periods

The retention periods are the suggested time periods for which the records should be held based on the organisation’s needs, legal and/or fiscal precedence or historical purposes. Following the retention deadline, all data will be destroyed under confidential means.

3.2       Client Records

3.2.1        Financial Records

FYD keeps paper records of financial data from those who use our services.

Section 886 of the Direct Tax Acts states that the Revenue Commissioners require records to be retained for a minimum period of six years after the completion of the transactions, acts or operations to which they relate. These requirements apply to manual and electronic records equally.

Financial Data is kept for 6 years to adhere to Revenue guidelines.

 3.2.2         Contact Data

Contact Data is kept for 2 years after participation in our programmes.  

 3.3       Exceptions

If under investigation or if litigation is likely, files must be held in original form indefinitely; otherwise files are held for the minimum periods set out above.

 

4.         Information we share

We do not share personal information with companies, organisations and individuals outside FYD unless one of the following circumstances applies:

4.1       With your consent:

We will share personal information when we have your written consent to do so. We require opt-in consent for the sharing of any sensitive information.

4.2       For legal reasons:

 We will share personal information with companies or organisations outside of FYD if disclosure of the information is reasonably necessary to:

  • Meet any applicable law, regulation, legal process or enforceable governmental request.

  • Meet the requirements of the Children First Act 2015.

  • Protect against harm to the rights, property or safety of FYD, our users, volunteers or the public as required or permitted by law.

4.3       For processing by third parties/external processing

 The following third parties are engaged for processing data:

Who                 Type of data        Purpose

Accountant          Financial           Processing financial accounts

Virgin Media        Phone Numbers       Text notifications and reminders

 

5.         Sharing Data

5.1       Legal requirements

FYD is required to share data with external parties in the following circumstances:

  • Compliance with local tax and audit laws.

  • Compliance with child protection.

  • Compliance with law enforcement.

5.2       Financial requirements

FYD is required to share financial data with Knowles O’Dowd Accountants in order to comply with local tax laws. FYD is obtaining a copy of Knowles O’Dowd’s own data protection policy.

5.3       Other parties

 Any transfers outside the above which contain Personal Identifying Information (PII) to third parties are only made once the owner of the data has given express written permission by letter or email to do so.

6.         How and when we obtain consent

A copy of our data protection policy is available on our website; parents and guardians of participants are made aware of this on our membership form. By signing the membership form, parents/guardians give their consent for their data and their child’s data to be processed and retained by FYD for as long as is required.

Should a parent or guardian wish to withdraw their consent for data to be processed, they can do so by contacting FYD in writing.

 

7.         How we protect your data

In accordance with the General Data Protection Regulation (GDPR), we will endeavour to protect your personal data in a number of ways:

 7.1       By limiting the data that we collect in the first instance

All data collected by us will be collected solely for the purposes set out at 1 above and will be collected for specified, explicit and legitimate purposes.  The data will not be processed any further in a manner that is incompatible with those purposes save in the special circumstances referred to in section 5.1. Furthermore, all data collected by us will be adequate, relevant and limited to what is necessary.

 7.2       By transmitting the data in certain specified circumstances only

Data will be shared and transmitted, be it on paper or electronically, only as is required and as set out in section 3.

7.3       By keeping only the data that is required, when it is required and by limiting its accessibility to any other third parties.

 7.4       By disposing of/destroying the data once the individual has stopped engaging with FYD.

 Data will be confidentially destroyed 2 years after finishing, apart from the special categories of personal data as set out at 1.1. Where data is required to be held by us for longer than the period of 2 years post-discharge, we will put in place appropriate organisational measures to ensure a level of security appropriate to the risk.

7.5       By retaining the data for only as long as is required, which in this case is 2 years post-discharge, except where retention of data is required in the circumstances set out at part 1.1 above or in certain specific circumstances as set out at Article 23(1) of the GDPR.

 7.6       By destroying the data securely and confidentially after the period of retention has elapsed.

 This could include the use of confidential shredding facilities.

7.7       By ensuring that any personal data collected and retained is both accurate and up-to-date. 

 

8.        Protecting your Rights to Data

 8.1       Adult clients

Adults have the right to request data held on them as per Article 15 of GDPR. A request must be made in writing. Further information regarding accessing your personal data is available in the document ‘Rights of Individuals under the General Data Protection Regulation’, downloadable from: www.gdprandyou.ie

 8.2       Children

 For children under the age of 16, data access requests are made by their guardians. When a child turns 16, then they may make a request for their personal data. However, this is subject to adherence with the Children First Act.

 9.      Security

FYD is aware of the need for privacy. As such, we aim to practise privacy by design as a default approach, and only obtain and retain the information needed to provide you with the best possible service.

All persons volunteering with FYD are briefed on the proper management, storage and safekeeping of data.

All data used by FYD, including personal data, may be retained in any of the following formats:

  • Electronic Data

  • Physical Files

 The type of format for storing the data is decided based on the format the data exists in. Where applicable, FYD may convert physical files to electronic records to allow us to provide a better service to clients.

9.1       Data Security

FYD understands that the personal data used in order to provide a service belongs to the individuals involved. The following outlines the steps which FYD use to ensure that the data is kept safe.

 We currently use Virgin Media to send out text messages by way of reminders and notifications. All numbers are entered manually and not saved to contacts.

If we choose to use a web-based system in the future to send texts, we will ensure that:

– The system provider is aware of their requirements for GDPR compliance.

– The system has an FYD administrator.

– The system has a Live Update for security enabled.

– There will be a shared single log-on and password in order to access the records.

– The data controller in FYD can change the password.

 Physical Files

All physical data relating to current clients is located in: 91 Ashwood Road, Bawnogue, Clondalkin.

– Volunteers working in FYD have access to these records on a need-to-know basis.

– These records are kept in a locked cabinet.

All physical data relating to lapsed members are located at 91 Ashwood Road, Bawnogue, Clondalkin.

 – All Directors of FYD have access to these records.

– These records are kept in a locked cabinet.

 

 9.2       Security Policy

9.2.1      All physical devices used by persons working in FYD which may contain any identifiable PII are password protected.

9.2.2         All persons working in FYD are aware of and briefed on the requirements for good data hygiene, and refresh them every year. This briefing compliance is monitored by the FYD Data Controller and includes, but is not limited to:

  • Awareness of client conversations in unsecure locations.

  • Enabling auto-lock on devices when leaving them unattended.

  • Use of non-identifiable note-taking options (initials, not names).

  • Awareness of the FYD procedure should a possible data breach occur, whether through the theft (malicious) or loss (accidental) of devices or physical files.

 

10.  Roles and responsibilities

In Follow Your Dream data will be processed in line with the data subjects’ rights. Data subjects have a right to:

  1. Request access to any data held about them by a data controller

  2. Prevent the processing of their data for direct marketing purposes

  3. Ask to have inaccurate data amended

  4. Prevent processing that is likely to cause damage to themselves or distress to themselves or anyone else.

The Board of Directors is the data controller and the Chairperson is responsible for ensuring the implementation of the Data Protection Policy. All volunteers who handle or who have access to personal data should be familiar with data protection responsibilities.

The following personnel have responsibility for implementing the Data Protection Policy:

Board of Directors          Data controller

Chairperson                 Implementation of policy

Volunteers                  Awareness of responsibilities

Administrative personnel    Security, confidentiality

IT                          Security, confidentiality

The board have a key role in driving data protection awareness and compliance throughout FYD.

 

Subject Access Requests:

Data Subjects have the right of access to information held by FYD subject to the provisions of GDPR and the Data Protection Act 2018. Any data subject wishing to access their personal data should put their request in writing to FYD. Requests will be responded to as soon as is reasonably practicable and in any event within one month.

If you are not satisfied with the outcome of the response you receive from FYD in relation to your request, then you are entitled to make a complaint to the Data Protection Commissioner who may investigate the matter for you. The Data Protection Commissioner’s website is www.dataprotection.ie            

 

Data Breach policy: FYD acknowledges the importance of information security. This policy sets out a framework for addressing any breach that occurs. See Appendix 1.

 

Data Protection Contact Details

For all enquiries relating to Data Protection contact Phone: 01-4571792

Postal Address: 93 Ashwood Road, Bawnogue, Clondalkin. Dublin 22.

                

Ratification, Monitoring and Evaluation

When the Data Protection Policy has been ratified by the Board it becomes FYD’s agreed Data Protection Policy. It will then be dated and circulated to all volunteers and posted on our website for parents/members. All volunteers must be familiar with this policy and put it into practice.

The implementation will be monitored by the Board.

The policy will be reviewed and evaluated at certain times and as necessary. This will take cognisance of changing information or guidelines from the Data Commissioner, legislation, and feedback from volunteers and members.

 

Signed: Chairperson    ______________________

              Director            _______________________

 

Date of document:          April 2020

Review Date:                    April 2021 

 

 

 

 

 

APPENDIX 1. 

Data Protection Breach Management Policy

1. Purpose

Follow Your Dream is legally required under the Irish Data Protection Acts 1988, 2003 and 2018 and the General Data Protection Regulation (GDPR) to ensure the security and confidentiality of information/personal data it processes on behalf of all of its members and volunteers.

Information/personal data and special category data are our most important assets, and each of us has a responsibility to ensure the security of this information.

This policy is required to manage any breach in which information/personal data is accidentally disclosed to unauthorised persons, lost due to a fire or flood, or stolen as a result of a targeted cyber attack or the theft of a mobile computer device.

The purpose of this policy is to ensure that a standardised management approach is implemented by Follow Your Dream in the event of an information/personal data breach. This policy is mandatory and by accessing any of Follow Your Dream’s information/personal data, users are agreeing to abide by the terms of this policy.

2. Scope

The policy applies to all Follow Your Dream volunteers, service providers and third parties that access, use, store or process information on behalf of Follow Your Dream.

3. Legislation

Follow Your Dream has an obligation to abide by all relevant Irish legislation and European legislation in relation to the protection of personal data. The relevant acts, which apply in Irish law to information systems, include but are not limited to:

  • The Data Protection Act (1988/2003)

  • The Data Protection Act (2001)

  • European Communities Data Protection Regulations (2001)                                                                    

  • European Communities (Data Protection and Privacy in Telecommunications) Regulations (2002)

  • Data Protection EU Directive 95/46/EC                                                                                                               

  • General Data Protection Regulations                                                                                                      

  • Criminal Damages Act (1991)

4. Policy

It is the policy of Follow Your Dream that in the event of any information/personal data breach occurring, the following breach management plan will be strictly adhered to.

There are five elements to this breach management plan:

  1. Identification and Classification

  2. Containment and Recovery

  3. Risk Assessment

  4. Notification of Breach

  5. Evaluation and Response

 

5. Breach Management Plan

5.1 Identification and Classification

Follow Your Dream requires any volunteer who becomes aware of any information/personal data security breach to report it immediately.

  • All breaches are to be immediately reported to the Chairperson of the Board.

  • Having the procedure in place will allow for early recognition of the data breach and ensure that it will be dealt with in the most appropriate manner.

  • Details of the breach should be accurately recorded, including the date and time the breach occurred, the date and time it was detected, who reported the breach, a description of the breach, details of any information and communication technology (ICT) systems involved, and corroborating material such as error messages, log files, etc.

  • A “breach” may be defined as the unintentional release of Follow Your Dream’s confidential or personal information/data to unauthorised persons, either through the accidental disclosure, loss or theft of the information/personal data.

5.2 Containment and Recovery

Containment involves limiting the scope and impact of the breach of personal data/information. If a breach occurs, Follow Your Dream will:

  • Decide on who will take the lead in investigating the breach and ensure that the appropriate resources are made available for the investigation.

  • Establish who in the organisation needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. For example, this might entail isolating a compromised section of the network, finding a lost file or piece of equipment, or simply changing access codes to computers, etc.

5.3 Risk Assessment

In assessing the risk arising from the security breach, Follow Your Dream will consider the following points:

  • What type of information/personal data is involved?

  • How sensitive is the information/data?

  • Are there any security mechanisms in place (e.g. password, encryption, other protection)?

  • What could the information/data tell a third party about the individual?

  • How many individuals are affected by the breach?

 

5.4 Notification of Breaches

All information/personal data breaches must be reported to the Chairperson of the Board, who will notify the Data Protection Commissioner’s office of any personal data breach.

5.5 Evaluation and Response

Subsequent to any information/personal data security breach, a thorough review of the incident will occur. The purpose of this review is to ensure that the steps taken during the incident were appropriate as well as to identify areas that may need to be improved.

Any recommended changes to policies and/or procedures should be documented and implemented as soon as possible thereafter.

 

6.  Roles and Responsibilities                                                                                                                                                               

6.1 Board, Volunteers

All are responsible for the implementation of this policy and all other relevant policies within the business areas for which they are responsible.

 

 

 

7. Review and Update

This policy will be reviewed and updated annually or more frequently, if necessary, to ensure that any changes to Follow Your Dream’s organisational structure and business practices are properly reflected in this policy.