Introduction

Crosscare has an ethical responsibility to maintain the highest standards of confidentiality in the safeguarding of information about its staff members, volunteers and service users.  

Information collection is essential to us fulfilling our duties.  Data Protection legislation seeks to give people control of their own personal information and so it confers certain obligations on Crosscare in relation to how personal information is collected and used.

The legislation was originally introduced to protect individuals’ personal information from misuse by automated means.  This has since been extended to include processing of manual data.

The Data Protection Acts of 1988 and 2003 have a significant role to play in supporting our work.  The aim of this policy is to ensure that each Crosscare staff member has an understanding of the concepts of Data Protection and is aware of their own responsibilities in relation to the organisation’s overall compliance with the Acts.

Definitions

Data Protection is the safeguarding of the rights of individuals to privacy and integrity in relation to the processing of their personal data.  The Data Protection Acts of 1988 & 2003 confer rights on individuals as well as responsibilities on those persons handling, processing, managing and controlling personal data.

Data Controller – an individual or entity who controls the contents and use of personal data.

Data Protection Officer - the individual within an organisation who has responsibility for data protection. 

Data means information in any form, which can be processed.  It includes both automated or electronic data and manual data.

Automated data means any information created and held on computers.  Examples of this would be a word document, an email or a database.

Manual Data means information that is kept as part of a relevant filing system or with the intention that it should form part of a relevant filing system.  Examples of these are traditional paper files, reports and statements as well as personnel and financial records which are used as part of our daily operational duties.

Relevant filing systems means any sets of information, which are not computerised but are structured by reference to individuals or by reference to criteria relating to individuals so that specific information relating to a particular individual is readily accessible.  Examples of these would be files which contain information about an individual such as personal files in HR.

Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in or likely to come into the possession of the Data Controller.

Access Request is where a person makes a request to the for a copy of their personal data under Section 4 of the Acts.

Sensitive personal data relates to specific categories of data which are identified as data relating to a person’s racial origin; political opinions; religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; membership of a trade union.  Examples of these are files or entries containing details of allegations, prosecutions or convictions with regard to an individual.  A higher duty of care is required by the Data Protection Acts in relation to the processing of sensitive data.

Processing means performing any operation or set of operations on data including:

  • Obtaining, recording or keeping data;
  • Collecting, organising, storing, altering or adapting data;
  • Retrieving, consulting or using data;
  • Disclosing the data by transmitting, disseminating or otherwise making it available;
  • Aligning, combining, blocking, erasing or destroying data.

Data Subject is an individual who is the subject of personal data.

Data Processor is a person who processes personal information on behalf of the Data Controller.

Data Protection Rules

The following are the eight Rules of Data Protection, which must be adhered to at all times.

Rule 1.  Obtain and process information fairly

Crosscare will obtain and process personal data fairly and in accordance with the fulfillment of its functions. The Data Subject must be made aware of the following;

  • The identity of the Data Controller
  • The purpose in collecting the data
  • The persons or categories of persons to whom the data may be disclosed and
  • Any other information which is necessary so that processing may be fair.

To fairly process personal data it must have been fairly obtained in line with the above, the data subject must have given consent to the processing, or the processing must be necessary for one or more of the following reasons and any one or more will apply to the performance of our function:-

  • To prevent injury or other damage to the health of the data subject
  • To prevent serious loss or damage to property of the data subject
  • To protect the vital interests of the data subject
  • Where the seeking of the consent of the data subject is likely to result in those interests being damaged

There will be circumstances when the purpose of information or data to be used is obvious.  On other occasions it may be necessary to provide an explanation.  

Rule 2.  Keep it for only one or more specified, explicit and lawful purposes

  • Crosscare will keep data for purposes that are specific, lawful and clearly stated and the data will only be processed in a manner compatible with these purposes.
  • A person has the right to question the purpose for which Crosscare holds his/her data and Crosscare must be able to identify that purpose.

Crosscare holds information for a variety of purposes.  Much of this information is held for administrative and functional purposes.  Personnel files of all staff members including financial details are kept.  All such information must be obtained and processed in compliance with the Acts.

Rule 3.  Use and disclose it only in ways compatible with these purposes.

Crosscare will only disclose personal data that is necessary for the purpose(s) or compatible with the purpose(s) for which it collects and keeps the data.  Disclosure in the context of data protection is the provision of personal data to a third party by any means whether written, verbally or electronically.

The Act places serious responsibility on every employee not to disclose data in relation to any individual to any other individual who is not entitled by law to receive it.  Personal data is used within Crosscare in the normal course of operational functions. Any use or disclosure must be necessary for the purpose(s) or compatible with the purpose(s) for which the data is collected and kept.  An employee making a disclosure should consider whether the data subject would be surprised to learn that a particular disclosure is taking place. If the potential answer to this question is yes then there is a need to question the basis for the disclosure prior to making it.

In all cases the identity of the recipient of the disclosure should be established along with the specific purpose of the disclosure and the legal basis/power to disclose the relevant data.  A record of all disclosures should be maintained.  In cases where there is any doubt as to disclosure, or the status of the data concerned, a file should be submitted to the Data Protection Officer for directions.

Examples of legitimate disclosures are;

  • Statements or information issued to the media which are managed in conjunction with Crosscare’s Communications officer
  • Information provided to the Pension Fund Managers regarding new employees who are entitled to join the scheme

Examples of illegitimate disclosures are;

  • Accessing or Disclosing Personal data for any purpose other than that for which it is obtained is prohibited.
  • Examples of this would be an employee accessing and or disclosing personal home details of a colleague to a member of the public without their consent
  • Accessing and or disclosing details of any person’s criminal convictions to a party not entitled to receive them

 

Rule 4.  Keep it safe and secure.

Crosscare will take appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.  Crosscare is aware that high standards of security are essential for all personal information.

Appropriate security measures must be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction.  The security of personal information is all important, but the key word here is appropriate, in that it is more significant in some situations than in others, depending on such matters as confidentiality and sensitivity and the harm which might result from an unauthorised disclosure.  High standards of security are, nevertheless, essential for all personal information.  The nature of security used may take into account what is available, the cost of implementation and the sensitivity of the data in question. 

The standard of security expected of all staff members in Crosscare includes the following;

  • Computer systems password protected
  • Access to information restricted to authorised staff on a “need to know” basis in accordance with a defined policy
  • Information on computer screens and manual files hidden from callers to offices
  • Back-up procedures in operation for computer held data, including off-site back-up
  • All waste papers, printouts etc disposed of carefully by shredding
  • All employees must log off all computers on each occasion when they leave their work station
  • Personal security passwords must not be disclosed to any other employees
  • All premises must be secure when unoccupied

Each Crosscare Senior Service Manager will be responsible for all the above within Crosscare with periodic reviews of the measures and practices in place.

Every contact on the computer systems leaves a trace and each staff member should be acutely aware that all activity under their password is recorded.  During an Audit or Investigation procedure they may be asked to account for the reasons they accessed a particular individual’s data at any given time and what they did with it afterwards.  Crosscare will ensure that appropriate data protection and confidentiality clauses are in place with any processors of personal information on its behalf.

Rule 5.  Keep it accurate, complete and up-to-date.

Crosscare will ensure high levels of data accuracy.  Crosscare will keep personal data up-to-date.  Crosscare will put in place appropriate procedures to assist staff in keeping data up-to-date.

To comply with this rule Crosscare will ensure that: -

  • Administration and computer procedures are adequate to ensure high levels of data accuracy
  • The general requirement to keep personal data up to date has been fully implemented
  • Appropriate procedures are in place, including periodic review and audit, to ensure that each data item is kept up to date

Section 6 of the Acts gives a person the right to seek to have personal data amended or erased where it can be shown to be incorrect.

Rule 6. Ensure that it is adequate, relevant and not excessive.

Personal data held by Crosscare will be adequate, relevant and not excessive in relation to the purpose(s) for which it is kept.

A staff member of Crosscare can fulfill this requirement by making sure they only seek and retain the minimum amount of personal data needed for the specified purpose.

To comply with this rule each employee should ensure that the information held is:

  • Adequate in relation to the purpose(s) for which it is kept;
  • Relevant in relation to the purpose(s) for which it is kept;
  • Not excessive in relation to the purpose(s) for which it is kept;
  • Retain it for no longer than is necessary for the purpose or purposes.       

Rule 7. Crosscare will have a policy on retention periods for personal data. 

This requirement places a responsibility on Crosscare to be clear about the length of time data will be kept and the reason why the information is being retained.  To meet this requirement,  Crosscare will ensure that all files are managed and appropriate Retention/Disposition schedules are in place.

For the purpose of retention, Data will be categorised into current files, non-current files and archives.  Crosscare’s archive files are stored in and are under the management of the Dublin Diocesan Archives office.

Rule 8. Give a copy of his/her personal data to that individual, on request.

Crosscare will have procedures in place to ensure that data subjects can exercise their rights under the Data Protection Acts.

On making an access request any individual, about whom Crosscare keeps personal data, is entitled to;

  • A copy of the data being kept about him/her
  • Know the purpose(s) for processing his/her data
  • Know the identity of those to whom the organisation discloses the data
  • Know the source of the data
  • Know the logic involved in automated systems
  • A copy of any data held in the form of opinions, except where such opinions were given in confidence.

Crosscare has clear coordinated procedures in place to ensure that all relevant manual files and computers are checked for the data in respect of which the access request is made.

To make an access request the data subject must;

  • Apply to Crosscare for access to their personal data under Section 4 of the Data Protection Acts 1988 & 2003
  • Give any details which might be needed to help identify him/her and locate all the information you may keep about him/her e.g. previous addresses, dates of employment etc
  • Pay the appropriate access fee €6.35

Every individual about whom a Data Controller keeps personal information has a number of rights under the Act, in addition to the right of access.  These include the right to have any inaccurate information rectified or erased and the right to complain to the Data Protection Commissioner.  In response to an access request Crosscare must;

  • Supply the information to the individual promptly and within 40 days of receiving the request
  • Provide the information in a form which is clear to the ordinary person, e.g. codes must be explained in ordinary language
  • Where an access request is refused, the reasons for the refusal of the request must be clearly outlined to the Data Subject.

Method of application

Requests for personal data should be made in writing on the prescribed form to:

Conor Hickey
Data Protection Officer,
Crosscare,
Clonliffe Road,
Dublin 3.

Responding to requests once a valid request is received.

Crosscare must respond within 40 days, even if the personal data is not held or an exemption is relied upon.

Roles and Responsibilities

Crosscare Senior Managers (CSMs)

Crosscare’s management structure comprises a senior management team. There are six senior service managers and a Director of HR and Director of Finance. Collectively these managers are known as Crosscare Senior Managers (CSMs) and they are responsible for each of the units under their span of control.

The CSMs are responsible for implementation of the Data Protection policy with advice and support from the Data Protection Officer.

The CSMs are responsible for: -

  • Keeping personal data up to date as required.
  • Retaining personal data no longer than necessary.
  • Day to day security of the office environment (manual and automated records).
  • Methods of handling personal information are clearly described and documented.
  • All staff handling personal information are appropriately trained to do so.
  • All staff handling personal information are appropriately supervised.
  • Performance with handling personal information is regularly assessed and reviewed.
  • The Data Protection Officer is kept informed of manual and automated systems storing and/or processing personal information.
  • Continuous assessment of the need for all current personal information storage and processing and elimination of any that is not necessary.

Data Protection Officer

The responsibility for support and guidance of CSMs in relation to compliance with Data Protection legislation lies with the Data Protection Officer.

This involves;

  • Co-ordination of data protection within all Crosscare projects;
  • Ensuring that reporting lines exist to allow other employees to raise matters relating to Data Protection at a senior level;
  • Managing the organisation’s statutory obligations in respect of Data Protection Acts including compliance with the Data Protection principles, registration with the Data Protection Commissioner where applicable and securing individuals’ rights under the Acts;
  • Maintaining an up to date knowledge of Data Protection legislation and general developments in other relevant areas and to ensure that this Code of Practice is disseminated and adhered to throughout the offices
  • Promoting data protection awareness through training, policy development, advice and guidance;
  • Ensuring that operating rules and general policy guidance in support of this Code of Practice and all matters relating to the Acts are available to staff
  • Ensuring that CSMs are aware of the information and systems required to comply with the Data Protection principles and that appropriate security arrangements exist to protect data, including where necessary, that suitable contracts are drawn up relating to the processing of data held for Crosscare by third parties;
  • To provide an initial point of contact for subject access requests.
  • To advise CSMs on when active consent is required from people interacting with Crosscare staff members for data collection/processing;
  • Investigation and resolution of complaints made in relation to personal data and to assist where appropriate in the investigation of disciplinary matters;
  • Ensure that CSMs are appropriately advised that contracts with partners include strict quality, security and data protection compliance mechanisms and agreed inspection procedures;
  • Providing for liaison on all data protection matters between Crosscare and the Data Protection Commissioner.
  • The Data Protection Officer will conduct examinations and reviews of Data Protection procedures as part of their on-going examination and review process.

Staff Members

  • Crosscare Staff members are responsible for ensuring that all data that they access, manage and control as part of their daily duties is done in accordance with the Data Protection Acts and this Policy.
  • Ensure their personal information provided to Crosscare is accurate and up-to-date; inform Crosscare of change of address or other circumstances.
  • Ensure that third parties are aware of this policy and that they take appropriate measures to protect any personal data.  Non-disclosure agreements form part of every contract if they are subject to personal data.
  • Ensure that personal data is factual, accurate and objective.
  • Work on the basis that access by staff to personal information will be audited for compliance with the law and internal policies.
  • Hold personal data securely e.g. using locked cabinets and desk drawers.
  • Failure to comply with this policy may result in a breach of the Data Protection Acts 1988 & 2003.  Furthermore such staff members may be exposing themselves and Crosscare to litigation from an injured party.
  • All current and former staff members of Crosscare will be held accountable, from a disciplinary perspective, in relation to all data processed, managed and controlled by them during the performance of their duties in Crosscare.

Failure to follow these guidelines may be regarded as a breach of this policy and may be subject to disciplinary action up to and including dismissal.

Enforcement of Data Protection Legislation

Data Protection Commissioner

The Act establishes the independent office of the Data Protection Commissioner.  The Commissioner is appointed by the Government and is independent in the performance of his functions.  The Commissioner’s function is to ensure that those who keep personal data in respect of individuals comply with the provisions of the Data Protection Acts.  In furtherance of this function, the Data Protection Commissioner will also have responsibility for monitoring the implementation of this Policy.

The Data Protection Commissioner has a wide range of enforcement powers to assist him in ensuring that the principles of Data Protection are being observed.  These powers include the serving of legal notices compelling a data controller to provide information needed to assist his enquiries, or compelling a data controller to implement provisions of the Act.

The Data Protection Commissioner also investigates complaints made by the general public in relation to personal data and has wide powers in this area.  He can, for example, authorise officers to enter a premises and to inspect personal information kept on computer or relevant filing system.  Members of the public who wish to make formal complaints in respect of breaches of the Data Protection Acts may do so in writing to the office of The Data Protection Commissioner, Station Road, Portarlington, Co. Laois.  Further information is available at www.dataprotection.ie.

Any member of the public who reports breaches of the Data Protection Acts by Crosscare to individual staff members must report the matter to the Data Protection Officer.     

Where a Crosscare staff member, in the normal course of their duties, becomes aware that an individual, including staff members of Crosscare, may be breaching the Acts or have committed or are committing an offence under the Acts, they should report the matter through normal communication channels to their CSM and/or the Data Protection Officer.

Advice/Assistance

All people requesting advice and assistance on data protection issues within Crosscare should be directed to our Data Protection Officer, Conor Hickey

Useful numbers:  01 8360011

The Data Protection Commissioner

Tel.  1890 252231

www.dataprotection.ie

Appendix 1

 

Subject Access Request Form

Data Subject Request Form

  1. Name & Address

  2. Tel. No.

  3. Email

  4. Is the information about you?  If yes, you will need to provide a copy of photographic ID, bearing your signature, for example, a passport or driving

  5. Please describe what information you require with any additional facts that may help us with the search.

  6. Declaration to be completed by all applicants.

I, _______________________________________ (name), certify that the information given on this application to Crosscare is correct.  I understand that it is necessary for Crosscare to confirm my identity and it may be necessary to obtain more detailed information in order to locate the correct personal data.

Signed ______________________________                 Date ________________

Note: Crosscare must respond to your request within 40 days.  This time frame will not begin until your identity has been established and any relevant details obtained.

Please return the completed form and any necessary documentation to the Data Protection Officer, Crosscare,  Holy Cross College, Clonliffe Road, Dublin 3.

Documents which must accompany this application include evidence of identity; and stamped address envelope for return of the above mentioned documents.

Crosscare will process the personal information included on this form in accordance with the Data Protection Acts.  The information will only be used in order to process your request, will only be shared with those who can provide the information required and will be retained no longer than is necessary.

Data Subject Request Form – Third Party

  1. Name & Address

  2. Tel. No.

  3. Email

  4. If you are acting on behalf of another individual you will need to provide a letter from that person authorising you to act on their behalf.

  5. Details of the individual whose information is being sought

     Name & Address

     Tel. No.

     Email

  6. Why have you been authorised to access this information?

  7. Please describe what information you require with any additional facts that may help us with the search.

  8. Declaration to be completed by all applicants.

I, _______________________________________ (name), certify that the information given on this application to Crosscare is correct.  I understand that it is necessary for Crosscare to confirm my identity and that of the person I am authorised to represent and it may be necessary to obtain more detailed information in order to locate the correct personal data.

Signed ______________________________                 Date ________________

Note: Crosscare must respond to your request within 40 days.  This time frame will not begin until your identity has been established and any relevant details obtained.

Please return the completed form and any necessary documentation to the Data Protection Officer, Crosscare, Holy Cross College, Clonliffe Road, Dublin 3.

Documents which must accompany this application include evidence of identity; evidence of data subject’s identity, authorisation from data subject to act on their behalf and stamped address envelope for return of the above mentioned documents.

Crosscare will process the personal information included on this form in accordance with the Data Protection Acts.  The information will only be used in order to process your request, will only be shared with those who can provide the information required and will be retained no longer than is necessary.

Appendix 2

Access Request from Staff Members to HR

Subject Access Request in relation to Personnel files

 

1. Requests for access to your own personal file should be addressed, in writing, to the Director of Human Resources. E-mails will be accepted.

 

2. The statutory period for dealing with requests is 40 days; however wherever possible HR will try to make the file available within 10 working days of receipt of any request. If you can demonstrate an urgent need requiring a quicker response, HR will treat this sympathetically. The €6.35 fee will be waived for current staff.

 

3. HR will arrange an appointment with the individual to view his/her file, if preferred. Files may only be viewed within HR, and under the supervision of a member of the Department.

 

4. Otherwise, HR will provide photocopies of documents on the file as requested by the individual.

 

5. If a member of staff wishes someone else to view the file on their behalf, or to accompany them when they view the file, they must confirm this in writing to the Director of Human Resources in advance. The authorisation must be for a named person, i.e. ‘a union rep’ will not be sufficient, the name of the individual must be given. Again, e-mail authorisation will be accepted.

 

7. A representative from HR will arrange a meeting with the subject for them to examine their file. If the person is not known to HR, their identification will be checked to see that they are who they say they are. HR can provide copies of information kept on the file on request at that meeting.

 

8. Former members of staff who wish to apply for subject access are expected to follow the standard procedures set out in section. HR reserves the right to impose the standard €6.35 fee in this case.

APPENDIX 3

FREQUENTLY ASKED QUESTIONS

 

What is the Data Protection Act about?

The Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 require that any organisation that collects or holds information about living people does so in a way that is fair to that person. They set out eight rules for the processing of personal data which organisations must adhere to. The Acts also give individuals the right of access to their own information.

Is Crosscare subject to the Data Protection Act?

All organisations, whether public or private, large or small, must process personal information in accordance with the Acts.

What personal information is covered?

All recorded personal information should be processed in accordance with the Acts. This means all written documents, whether electronic or paper copies, and information contained in other recorded media – CCTV footage or other video, audio cassettes and so on are also covered. The information does not have to be factual; opinions about a person are also included in the definition of personal data.

What are my rights?

The Data Protection Act gives individuals the right to know whether an organisation is processing personal information about them. If personal information is being processed, the individual has a right to know what information is being processed, why it is being processed, how it is being processed, and for what reasons. People have a right to see this data and are also entitled to receive a copy of the information. People asking for this information are making Subject Access Requests. The Data Protection Acts also give people the right to correct inaccurate information.

How do I exercise these rights?

You can exercise your rights by making a subject access request. Any person can make a subject access request by writing to an organisation, asking to know what personal information is held, and what use is made of the information. To correct false information, you should write to the organisation pointing out the error, and where necessary, provide evidence that the information is incorrect.


Is there a cost for making a Subject Access Request?

There is a fixed fee of €6.35 for making a Subject Access Request. This fee is generally waived for current members of staff seeking access to their personnel file.

I am collecting personal information for Crosscare. What do I need to do?

Only collect information which you really need and make sure that the person supplying the information knows how you intend to use it. If you intend using it for any other purpose, make sure they are given an opportunity to agree or disagree to this. If they do not consent, you then cannot use the information for any other purpose. This applies whether you are collecting the information on a form, over the telephone, or via the website or email.

 

What is sensitive personal data?

Some types of personal information have been singled out as needing particularly careful handling. They are information about racial or ethnic origin, political opinions or religious beliefs, trade union membership, physical or mental health, sex life, and commission of offences and subsequent proceedings.

 

How should personal information be stored?

You must be careful not to accidentally reveal personal information. Keep paper records locked away, and ensure that electronic records are password protected. Be careful when you name files and documents, so as not to accidentally disclose personal information or give a false impression about personal information; for example, a file entitled ‘John Smith’ within a folder called ‘Debtors’ would imply something about the state of John Smith’s finances which should not be disclosed to all staff members.

 

Can I keep information about myself?

Yes. All official copies of information about staff, e.g. absence records, or performance reports will be kept securely by the relevant department(s). If you wish to keep your own copies of such information, you should follow the same principles as you would for anyone else’s data. If you are leaving the employment of Crosscare, you should remove all personal copies of your information before your departure.


Is information in my Home folder on my computer, or in other personal drives, covered by the Acts?

Yes. All information held by Crosscare is covered by the Acts. If you are storing personal documents, such as private correspondence unconnected with Crosscare’s work, use ‘private’ folders on your C drive.

 

How long can I keep personal information?

You should only keep personal data for as long as it is necessary and for the original purpose for which it was collected. Some purposes, such as mailing lists, may not have a cut-off date. Other data, such as the details of volunteers working on a specific project, should be destroyed when no longer needed.

 

Can I give out personal information over the phone?

You should not give out personal information over the telephone, even if the person on the phone is asking for information about themselves, unless you are absolutely certain that the person is who they say they are, e.g. it is a colleague whom you recognise. You may give out the work contact details of staff members if the person on the phone wishes to contact them about a business matter.

 

Who is the Data Protection Commissioner?

The Data Protection Commissioner is responsible for ensuring that bodies are compliant with the Data Protection Acts. He can investigate complaints when individuals feel their personal data has been handled incorrectly.

 

Can personal data be shared between internal departments?

You can share personal information with another department if it is to be used for a reason which is similar to the reason the information was collected in the first place.

 

Can we share personal data with external organisations?

Crosscare can only share data with other bodies if the person has consented to allow this or if there is a basis in the Data Protection Acts to rely on for the sharing.

 

Whose responsibility is it to ensure that shared data is accurate?

It is the responsibility of all CSMs to carry out regular checks to ensure the accuracy of all the personal data which they process. Crosscare must ensure that data subjects are aware of their right to check the accuracy of data held, and their right to amend it.

 

If you receive personal information from another organisation (e.g. a mailing list from an agency) you do not have to contact the individuals on the list to ensure the accuracy of the data. However, you should check that the source of the information is aware of data protection responsibilities and has fulfilled them as far as possible.

 

If I receive a subject access request asking for ‘everything that Crosscare has about me’, what should I do?

 

Refer to the Data Protection Procedures, which contain some information about handling subject access requests. The person asking for their information must prove their identity before the information can be released. You are allowed to ask the person making the request to help you to find their information, for example by asking if they were a visitor to the Offices or a member of staff, and so on.

 

I have found the personal information, but it also contains other sensitive information. What should I do?

The Acts contain exemptions that allow information to be withheld; for example, if releasing it would infringe upon another person’s data protection rights. If you are unsure whether or not information can be released, contact the Data Protection Officer.

 

How does the Freedom of Information Act affect Data Protection?

The Freedom of Information Act refers to government departments and agencies only and therefore does not impact on Crosscare’s work.

Contact Us

Holy Cross College,
Clonliffe Road,
Dublin 3,
Ireland.

Tel: 01 836 0011
Fax: 01 836 7166