Data Protection - GDPR

Introduction

Wicklow County Council is the unit of Local Government in County Wicklow responsible for providing a range of services to meet the economic, social and cultural needs of the people of our County.

In order to provide the most effective and targeted service to meet the needs of the citizens, communities and businesses of County Wicklow we will be required to collect, process and use certain types of information about people and organisations.

Depending on the service being offered, information sought may include ‘personal data’ as defined by the Data Protection Acts and the General Data Protection Regulation (GDPR) and may relate to current, past and future service users; past, current and prospective employees; suppliers; and members of the public who may engage in communications with our staff.

In this context the Council is a Data Controller under the Data Protection Acts and the General Data Protection Regulation (GDPR) and is obliged to comply with a range of requirements under this legislation.

In addition, staff may be required, from time to time, to collect, process and use certain types of personal data to comply with regulatory or legislative requirements or to carry out functions in the public interest.

Data in this policy document means both personal data and special personal data.

Given the range of services and activities conducted by the Council, full details of personal data for each process cannot be specified in this statement. However, the personal data that you may typically be asked to supply can be categorised as follows:

  • Contact details to allow for efficient communication
  • Details of your personal circumstances which you are required by law to supply as part of your application for a service offered by the Council
  • Your own financial details which you are required by law to supply as part of your application for a service offered by the Council

In compliance with the GDPR the Council maintains records of processing regarding personal data received and collected for its functions.

What is the purpose of this Data Protection Statement?

The Council is committed to meeting all relevant Data Protection, privacy and security requirements, whether originating from legal, regulatory or contractual obligations and is committed to protecting the rights and privacy of individuals in accordance with current Data Protection legislation. This statement should be read in conjunction with the Data Protection Acts, and any amendments thereto or regulations made thereunder and the General Data Protection Regulation (GDPR).

This statement has been created to demonstrate the Council’s commitment that the personal data you may be required to supply to us in order to access services will be processed in accordance with data protection principles, which state that personal data will be:

  • Obtained lawfully, fairly and in a transparent manner
  • Obtained for only specified, identified and legitimate purposes
  • Processed for purposes which we have identified or purposes compatible with the purposes that we have identified.
  • Adequate, relevant and limited to what is necessary for the purpose for which it was obtained
  • Personal data collected and processed must be accurate and (where necessary) kept up to date.
  • Kept only for as long as is necessary for the purposes for which it was obtained.
  • Processed in a manner that ensures the appropriate security of the personal data including protection against unauthorised or unlawful processing.

This statement shall not be interpreted or construed as giving any individual rights greater than those which such person would be entitled to under applicable law, regulation or other contracts or binding agreements.

Compliance with the Data Protection Acts and GDPR

The Council has designated a Data Protection Officer (DPO) in accordance with requirements of the GDPR. Contact details are provided at the end of this document. The DPO’s role is:

  1. to inform and advise the Council and the employees who carry out processing of their obligations pursuant to the GDPR;
  2. to monitor compliance with GDPR, regarding the policies of the Council in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  4. to cooperate with the supervisory authority - the Office of the Data Protection Commissioner;
  5. to act as the contact point for the Office of the Data Protection Commissioner on issues relating to processing, and to consult, where appropriate, with regard to any other matter.

The Council is committed to carrying out all duties and functions as set out in the Acts and to adhere to guidelines issued by the Office of the Data Protection Commissioner.

Wicklow County Council is presently registered on the Data Protection Commissioner's Public Register at www.dataprotection.ie - The Council’s registration reference is

High level statement - Implementation of GDPR Principles

The following is intended to provide a summary of activities of the Council to ensure that its management of personal data adheres with the principles of GDPR. These principles require that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner.

The Council has developed a transparency programme to endeavour to ensure that, at the earliest practical point in the collecting or processing of personal data, the individual is provided with written details, or made aware of how to access a written statement, of their privacy rights. This is in the form of Privacy Statements that are available on our website, at our public counters and with our application forms. Means to access information on your privacy rights should also be notified to you when you communicate with our employees by email or over the phone, where personal data is involved.

  • Collected for specified, explicit and legitimate purposes

The Council base personal data processing on lawful processing conditions, set out in Article 6 of the GDPR. The basis and purpose of the processing will be stated in our Privacy Statements relevant to the process or application forms that you are using.

  • Adequate, relevant and limited to what is necessary for the purpose for which it was obtained

The Council endeavour to ensure that personal data sought is minimal and aligned to the purpose or activity for which it is required.

It should however be noted that staff may be required, from time to time, to collect, process and use certain types of personal data to comply with regulatory or legislative requirements or to carry out functions in the public interest. This may extend to sharing or disclosure of personal data to other bodies to comply with our statutory obligations. Sharing of data specific to a process or activity will be stated in our Privacy Statements.

  • Accurate and, where necessary, kept up to date

The Council will provide reasonable opportunities for individuals to ensure personal data that is inaccurate can be deleted or corrected as required.
In practical terms this can often relate to changes in customers' addresses and contact details. If you find that personal data we have about you is inaccurate or needs to be updated (for instance, you may have changed your name, address, contact details etc.) then please contact us so that we can correct it.

You can do this by:

Writing to us at: Wicklow County Council, County Buildings, Wicklow, Co Wicklow, A67FW96

Emailing us at: dpo@wicklowcoco.ie 

Please note that to help protect your privacy, we take steps to verify your identity before granting access to personal data. When making a request to update your records please provide evidence to support this - for example a copy of a document containing your new address – utility (Gas, Electricity, Phone) bill etc. and proof of your identity.

  • Kept only for as long as is necessary for the purposes for which it was obtained.

The National Retention Policy for Local Authority Records is under review. The revised Policy will provide information on the criteria for determining retention, archival and deletion or end dates for Council records in all the functions it operates. Links to the Policy will be provided in our Privacy Statement and updated as the Policy is renewed.

  • Processed in an appropriate manner to maintain security

The Council, taking into account the nature, scope, purposes and related risks of processing, employ appropriate physical, technical and organisational measures to secure personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. There are a range of internal policies, controls and practices supporting this principle and reducing risks to the data from the point of collection to the point of destruction. We also maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

  • Confidentiality means that only people who are authorised to use the data can access it.
  • Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
  • Availability means that authorised users should be able to access the data if they need it for authorised purposes.
  • In addition the Council provide support, assistance, advice and Data Protection Awareness training, which includes physical and IT security training for staff to ensure compliance with the legislation, and to ensure a secure environment for your personal data.

Disclosure to third parties

It should be noted that staff of the Council may be required, from time to time, to collect, process and use certain types of personal data to comply with regulatory or legislative requirements or to carry out functions in the public interest. This may extend to sharing or disclosure of personal data to other bodies to comply with our statutory obligations.

Typically, disclosure requests will involve requests from law enforcement/investigation agencies for purposes involving preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other monies owed or payable to the State, a local authority and/or to prevent injury or other damage to the health of a person or serious loss of or damage to property. There are certain other limited circumstances where disclosures may be made.
Council Officials who perform statutory duties involving preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other monies owed or payable to the Council, may also access personal data where relevant to the performance of such duties. Access of this nature is confined to those staff performing such functions and the Council has in place controls to govern such access, which are under review.   

Requests of this nature from such external agencies should:

  • Be made in writing.
  • Provide detail in relation to the data required.
  • State the reason it is required.
  • Quote the relevant legislation which applies to their request for data.
  • Be signed by a person at management level in the organisation, e.g. Garda Sergeant in Charge, Investigating Manager etc.
  • Seek access to or confirmation of the minimal amount of data required.

The Rights of the Data Subject

Applicants should note that there are restrictions, included in the Data Protection Acts and the General Data Protection Regulation (GDPR) to some of the following rights. The Council will examine each request to ensure that requests that can be granted are granted and where we are obliged to apply a restriction to a request, under the Acts, that we do so. On this basis general guidance on likely outcomes cannot be provided and requests from individuals seeking to exercise their rights will be assessed on a case-by-case basis against the various criteria to determine applicability. Nonetheless individuals have the right to apply to:

  • obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to same
  • obtain from the controller without undue delay rectification of inaccurate personal data concerning him or her
  • obtain from the controller the erasure of personal data concerning him or her without undue delay
  • obtain from the controller restriction of processing
  • object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, in certain circumstances.

Full details of data subject rights and restrictions are outlined in Chapter 3 of the GDPR.

Any applications to exercise your Data Protection Rights must be addressed to the Council's DPO, to ensure they are properly managed. More information and forms relevant to this are available below.

Data Protection Officer – Wicklow County Council

Our Data Protection Officer (DPO) advises and guides the staff of the Council in how they collect, use, share and protect your information to ensure your rights are fulfilled in compliance with the Data Protection Legislation. The DPO also acts as the contact point for individuals with concerns about the processing of their personal data and is also the liaison between the Council and the Office of the Data Protection Commissioner. You can contact our DPO at:

Post: Data Protection Officer, Wicklow County Council, County Buildings, Wicklow Town, A67FW96

Email: dpo@wicklowcoco.ie

Phone: 0404 20100

Any applications to exercise your Data Protection Rights must be addressed to the Council's DPO, to ensure they are properly managed in accordance with your rights.

More information and forms relevant to this are available online below

Right of Complaint to the Data Protection Commissioner

If you are not satisfied with the outcome of the response received from the Council or the Council’s DPO you are entitled to make a complaint to the Data Protection Commissioner who may investigate the matter for you. 

The Data Protection Commissioner’s website is www.dataprotection.ie or you can contact their Office at:

Lo Call Number 1800 437 737
Dublin 01 7650100

Postal Address:

Data Protection Commissioner,
21 Fitzwilliam Square South,
Dublin 2,
D02 RD28.

Governance, Monitoring and Review

Governance:

The Council has regard to the significant requirements under the Data Protection legislation and on this basis operates a governance structure as below to underpin compliance with its varied obligations.

A GDPR Governance Group has been established to address the arrangements for assessing and improving internal governance, policies and procedures in order to achieve compliance with the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

Membership

Chairperson - DPO

Representatives from Each Directorate/Function:

  • Community, Cultural and Social Development
  • Enterprise and Corporate Services
  • Personnel
  • Planning, Development and Environment
  • Housing and Corporate Estate
  • Transportation, Water and Emergency Services
  • Finance
  • FOI
  • Information Systems
  • Internal Audit
  • Law Dept
  • Records Mgmt/Archives

Role of Governance Group:

  1. Oversee the development and implementation of policies and processes governing the collection, handling and sharing of data and personal information.
  2. Oversee the development and implementation of policies and processes governing subject access requests, breach notifications and staff awareness.
  3. Monitor adherence to these policies and processes
  4. Review and consider data breach notifications to agree mitigation measures
  5. Agree new or changed policies or approaches required for organisation wide elements of GDPR.
  6. Develop and lead teams across Wicklow County Council to ensure data governance processes are embedded throughout the organisation and specifically within own departments.
  7. Establish ownership and accountability for corporate data systems.
  8. Develop and agree action plans and assign responsibilities
  9. Oversee a detailed audit of Wicklow County Council’s core systems; personal data sets that are held in these systems and teams and processes that use these systems. 

Working Groups

For the purposes of ensuring compliance with GDPR the DPO will agree Working Groups with the Governance Group. These will include the Directorate's representative on the Governance Group together with appropriate staff from the directorate and required staff from Law, IT, Internal Audit, FOI and Records Management.

Role of Working Groups:

  • Review Departmental data management processes, policies and procedures and ensure compliance with action plans as agreed by Governance Group.
  • Ensure Departmental data management processes, policies and procedures are consistent with all relevant local and national programmes and initiatives.
  • Review Departmental project planning and management to ensure best practice and legal frameworks are followed with regard to GDPR
  • Review Departmental acquisition, deployment and operational use of manual and electronic systems of data and information management. Ensure these are underpinned by appropriate safeguards, with specific reference to the statutory environment.
  • Review Departmental risks arising from GDPR and ensure appropriate mitigation strategies are adopted
  • Prepare, conduct and document periodic assessment and audit of GDPR policies, procedures and arrangements.
  • Develop policies and guidelines consistent with best practice compliance regarding all data protection principles for adoption by Governance Group.
  • Review existing data processing activities to ensure compliance with Data Privacy related laws and regulations.
  • Review proposed data processing activities to recommend security measures and processes and ensure compliance with Data Privacy related laws and regulations.
  • Develop processes for managing data access requests, breach notifications and staff awareness.
  • Review and consider data breach notifications to propose mitigation measures

Procedures

  • The Governance Group will initially meet on a monthly basis to agree a programme of work and composition of Working Groups. Thereafter it is anticipated that meetings should take place on a quarterly basis.
  • The Working Group will operate on the basis of papers provided by the relevant Service Directorates as required. 
  • Meeting agendas, working papers and minutes for Governance Group & Working Groups will be retained by the DPO.
  • Decisions of the Group shall be made by consensus; where a consensus cannot be reached the Chair will recommend a course of action.

Review:

Wicklow County Council will review this statement, and supporting policies and actions periodically in light of its operation and in terms of new legislative or other relevant factors such as publication of guidance from the Office of the Data Protection Commissioner. The statement shall be reviewed by the DPO in consultation with relevant Data Controllers for each Council Department and approved by the Council's Management Team.