Data Protection
Last updated: Wed, Jul 14th, 2021
The General Data Protection Regulation (GDPR) and the Data Protection Acts 1988-2018 impose substantial obligations on employers to ensure compliance with data protection rules and provide for fines and other sanctions where those rules are breached.
Compliance with data protection legislation is supported by having adequate policies in place, which are communicated and consistently implemented with employees. Each school should have a Data Protection Policy. A template Data Protection Policy for schools is available here. A template Data Retention Schedule is also available.
An interactive resource on GDPR for schools is available at www.gdpr4schools.ie.
The General Data Protection Regulation and Data Protection Acts confer rights on any person (including any employee) about whom personal data is processed.
The GDPR and Data Protection Acts place duties on those who process or control personal data (including employers).
The GDPR covers personal data held either electronically or physically. This includes, but is not limited to, physical files, emails, Customer Relationship Management (CRM) systems, and images and recordings of individuals.
Data Protection training should be provided for employees who regularly process personal data as part of their role, particularly employees who process special category (sensitive) personal data.
Legal basis for processing personal data
For the majority of employee data, the lawful basis for processing should not be the consent of employees, because consent is unlikely to be freely given where there is an imbalance of power between employer and employee and it can be withdrawn at any time. An alternative legal basis under Article 6 of the GDPR (such as performance of the employment contract, compliance with a legal obligation, or the legitimate interests of the employer) should be relied upon and recorded.
Additional conditions for processing special categories of personal data (e.g. a person's race, religious beliefs, sexual orientation, health data or trade union membership)
Special categories of personal data may only be processed where, in addition to a lawful basis under Article 6, one of the specific conditions set out in Article 9 of the GDPR applies.
Determining appropriate security measures
Employers (Boards of Management) must implement appropriate technical and organisational measures, proportionate to the risk, to ensure the security of personal data. Data controllers and data processors must also ensure that their employees comply with the security measures adopted.
Data security breaches
An organisation must notify the Data Protection Commission of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Where the breach is likely to result in a high risk to those individuals, they must also be informed.
Data Access Requests
Individuals have the right to obtain a copy of their personal data. They can request this through a data access request (DAR). The data must be provided free of charge; however, where a request is "manifestly unfounded or excessive", a reasonable fee may be charged or the request refused.
All the data requested must be supplied within one month of receipt of the request. This period may be extended by up to two further months where necessary, taking into account the complexity of the request and the number of requests, provided the individual is told of the extension within the first month.
Written contract between data controller and data processor
A written contract (or a contract in another equivalent form) is required where a data controller engages the services of a data processor (e.g. a payroll provider or IT company). Article 28 of the GDPR sets out specific terms that such a data processing agreement must contain.
Data protection impact assessments
Data processing that is likely to involve a high risk to individuals' data protection rights requires a data protection impact assessment (DPIA) before the processing begins. Projects likely to require a DPIA include the adoption of new technology or the introduction of CCTV monitoring.
The Data Protection Commission
The Data Protection Acts provide for the establishment of the Data Protection Commission (DPC).
The DPC is responsible for monitoring the application of the GDPR in order to protect the rights and freedoms of individuals in relation to the processing of their personal data.