Data Protection Policy

Introductory Statement

Laois Education Centre’s Data Protection Policy applies to the personal data held by the Centre, which is protected by the Data Protection Acts 1988 to 2018 and the EU General Data Protection Regulation (GDPR).

The policy applies to all Centre staff, the Management Committee, clients of the Centre, tutors, users of Centre services (including the Centre’s online bookstore) and applicants for staff positions within the Centre insofar as the measures under the policy relate to them. Data will be stored securely, so that confidential information is protected in compliance with relevant legislation. This policy sets out the manner in which personal data will be protected by the Centre.

Laois Education Centre operates a “Privacy by Design” method in relation to Data Protection. This means we plan carefully when gathering personal data so that we build in the data protection principles as integral elements of all data operations in advance. We audit the personal data we hold in order to

1. be able to provide access to individuals to their data
2. ensure it is held securely
3. document our data protection procedures
4. enhance accountability and transparency

Rationale

In addition to its legal obligations under the broad remit of educational legislation, the Centre has a legal responsibility to comply with the Data Protection Acts 1988 to 2018 and the GDPR.

This policy explains what sort of data is collected, why it is collected, for how long it will be stored and with whom it will be shared.  The Centre takes its responsibilities under data protection law very seriously and wishes to put in place safe practices to safeguard individual’s personal data. It is also recognised that recording factual information accurately and storing it safely facilitates an evaluation of the information, enabling the Director and Management Committee to make decisions in respect of the efficient running of the Centre. The efficient handling of data is also essential to ensure that there is consistency and continuity where there are changes of personnel within the Centre and Management Committee.

Scope 

The Data Protection legislation applies to the keeping and processing of Personal Data. The purpose of this policy is to assist the Centre to meet its statutory obligations, to explain those obligations to staff, and to inform staff and clients how their data will be treated.

The policy applies to all staff, the Management Committee, clients, students and others (including applicants for staff positions, coaches/tutors) insofar as the Centre handles or processes their Personal Data in the course of their dealings with the Centre.

Other Legal Obligations

Implementation of this policy takes into account the Centre’s other legal obligations and responsibilities. Some of these are directly relevant to data protection. For example:

The Freedom of Information Act 2014 provides a qualified right to access to information held by public bodies which does not necessarily have to be “personal data”, as with data protection legislation.

Under Children First Act 2015, Laois Education Centre has a responsibility to report child welfare concerns to TUSLA- Child and Family Agency (or in the event of an emergency and the unavailability of TUSLA, to An Garda Síochána).

Definition of Data Protection Terms

In order to properly understand the Centre’s obligations, there are some key terms, which should be understood by all relevant Centre staff:

Personal Data means any data relating to an identified or identifiable natural person i.e. a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller (Management Committee)

Data Controller is the Management Committee of the Centre

Data Subject - is an individual who is the subject of personal data

Data Processing - performing any operation or set of operations on data, including:

• Obtaining, recording or keeping the data,
• Collecting, organising, storing, altering or adapting the data
• Retrieving, consulting or using the data
• Disclosing the data by transmitting, disseminating or otherwise making it available
• Aligning, combining, blocking, erasing or destroying the data

Data Processor - a person who processes personal information on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of their employment, for example, this might mean an employee of an organisation to which the data controller out-sources work.  The Data Protection legislation places responsibilities on such entities in relation to their processing of the data. Examples here include:

• National support services who use the services of the Centre

Special Categories - special categories of Personal Data refers to Personal Data regarding a person’s

• racial or ethnic origin
• political opinions or religious or philosophical beliefs
• physical or mental health
• sexual life and sexual orientation
• genetic and biometric data
• criminal convictions or the alleged commission of an offence
• trade union membership

These types of data are not gathered by Laois Education Centre.

Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.  This means any compromise or loss of personal data, no matter how or where it occurs.

Data Protection Principles

Laois Education Centre is a data controller of personal data relating to its past, present and future staff, tutors, clients and other members of the education community it serves. As such, the Management Committee is obliged to comply with the principles of data protection set out in the Data Protection Acts 1988 to 2018 and GDPR, which can be summarised as follows:

1. Obtain and process personal data fairly

Information on clients is gathered with the help of the staff. Information is also sometimes transferred from the support services the Centre deals with. The information is generally furnished by the individuals themselves with full and informed consent and compiled during the course of their employment or contact with the Centre. All such data is treated in accordance with the Data Protection legislation and the terms of this Data Protection Policy. The information will be obtained and processed fairly.

Laois Education Centre may collect and process various kinds of information about service users. This includes information you provide when they:

• Create an account or use our products, content or services.
• Complete an online form published on this Website. This may include personal data such as your name, email address, home address, position/occupation, school/employer, telephone number, gender, unique identifiers such as teaching council number, username, password and date of birth.
• Communicate with us by email, social media, letter post or fax.
• Contact us by telephone. While we do not record telephone calls we may make and keep a record of information provided during a telephone call.
• Participate in a survey (online, by telephone, or face to face).
• Submit an information request or query by email or via the Centre’s Website.

We may also collect further personal data about you should additional information be required to fulfil your request for products, content or services, deal with your query or give effect to your information request.

Information on school contact databases or participant contact forms (name, address, institution, title, e-mail address, participant role etc.) is either in the public domain or that which service users voluntarily put on their Education Centre website user account, given to us on Expense Claims Forms (expense details, bank paying-in details, and receipts); furnished in e-mails and correspondence; kept on record in relation to details of financial transactions made, for example course fee payments taken, and grants paid out to individuals or schools.

2. Consent

Where consent is the basis for provision of personal data, the consent must be a freely-given, specific, informed and unambiguous indication of the data subject’s wishes. Laois Education Centre will require a clear, affirmative action e.g. ticking of a box/signing a document to indicate consent. Consent can be withdrawn by data subjects in these situations.

3. Keep it only for one or more specified and explicit lawful purposes

The Centre will inform individuals of the reasons they collect their data and the uses to which their data will be put.  All information is kept with the best interest of the individual in mind at all times. 

By and large we use personal data to provide, improve and further develop our products, content and services, to communicate with you, to offer you information about products, content or services that may be of interest to you, and to protect us and our users.

As data controller, Laois Education Centre collects and processes your personal data for the following purposes:

• To communicate with you about our products, content and services.
• To fulfil orders placed or to effect transactions initiated by you via this Website.
• To respond to information requests or queries submitted by you.
• To ensure that our Website content is presented effectively for you and for the device you are using to access this Website.
• To provide you with information about products, content or services that may be of interest to you, where you have consented to be contacted for such purposes.
• for having an up-to-date list of schools, managing and communicating information regarding event bookings, attendance rolls, course and project participants; communicating with schools, teachers, tutors and account users; for accounting for course fees; for compliance with the Charity Regulator’s or Department of Education & Skills’ requests for information and legally-binding accounting purposes (e.g. knowing to whom Laois Education Centre has paid grants and expenses, when, and how much has been paid); e-mail addresses and contacts necessary for administering and carrying out Laois Education Centre projects and Centre business.

We use technical information to administer our Website, compile Website usage statistics, to monitor Website usage and to help us further develop this Website. We may provide such anonymised aggregate technical information to third parties. Statistics and technical information will not include any personal identifiable information that can be used to identify any individual.

If you do not want us to use your personal data in one or more of the ways mentioned above, please let us know by contacting us at This email address is being protected from spambots. You need JavaScript enabled to view it..

Please be aware that should you decide not to provide your personal data then we may be unable to provide some or all of the products, content or services you might request.

The limited amount of data that Laois Education Centre holds is only used for the following purposes: for having an up-to-date list of schools, managing and communicating information regarding event bookings, attendance rolls, course and project participants; communicating with schools, teachers, tutors and account users; for accounting for course fees; for compliance with the Charity Regulator’s or Department of Education & Skills’ requests for information and legally-binding accounting purposes (e.g. knowing to whom Laois Education Centre has paid grants and expenses, when, and how much has been paid); e-mail addresses and contacts necessary for administering and carrying out Laois Education Centre projects and Centre business.

Finally, please note that payments received by Laois Education Centre for course fees and Bookstore purchases are handled by third party banking websites.  We ask for client bank account number, sort code and IBAN as part of these processes.

Laois Education Centre does not analyse the cookie information that may be gathered on our website, nor do we sell any information on, nor do we give any information we have to third parties unless legally obliged to do so or unless the Education Centre network has a working relationship with relevant organisations for the provision of courses and projects.

For specific courses or projects operated in collaboration with relevant organisations, such as National support services, the Health & Safety Authority or Arts organisations, the collaborative partner is identifiable at the outset. Laois Education Centre protects the devices such data are stored upon, and is obligated to report to its service users any data breaches perpetrated.

4. Process it only in ways compatible with the purposes for which it was given initially

Data relating to individuals will only be processed in a manner consistent with the purposes for which it was gathered. Information will only be disclosed on a ‘need to know’ basis, and access to it will be strictly controlled.

5. Keep Personal Data safe and secure

Only those with a genuine reason for doing so may gain access to information gathered. Personal Data is securely stored under lock and key in the case of manual records and protected with computer software and password protection in the case of electronically stored data. Portable devices storing personal data (such as laptops) are encrypted and password-protected.

6. Keep Personal Data accurate, complete and up-to-date

Clients and/or staff should inform the Centre of any change which the Centre should make to their personal data and/or sensitive personal data to ensure that the individual’s data is accurate, complete and up-to-date. Once informed, the Centre will make all necessary changes to the relevant records. Records must not be altered or destroyed without proper authorisation.

7. Ensure that it is adequate, relevant and not excessive

Only the necessary amount of information required to provide an adequate service will be gathered and stored.

8. Retain it no longer than is necessary for the specified purpose or purposes for which it was given

As a general rule, the information will be kept for the duration of the individual’s involvement with the particular course/project/activity they have signed up to.  In the case of members of staff, the school will comply with both DES guidelines and the requirements of the Revenue Commissioners with regard to the retention of records relating to employees.  The Centre may also retain the data relating to an individual for a longer length of time for the purposes of complying with relevant provisions of law and or/defending a claim under employment legislation and/or contract and/or civil law

9. Provide a copy of their personal data to any individual on request

Individuals have a right to know and have access to a copy of personal data held about them, by whom, and the purpose for which it is held. If any Laois Education Centre service user would like further clarification on what data are kept on them personally, or, moreover, if any service user would like us to delete/dispose of any information we have on them, you can get in touch with the Centre at any time (please note, that Laois Centre will process such a request within legal parameters within 30 days).

Personal Data

The Personal Data records held by the Centre may include:

1.        Staff records:

1. Categories of staff data:

As well as existing members of staff (and former members of staff), these records may also relate to applicants applying for positions within the Centre, persons on work placement, coaches/tutors etc. These staff records may include:

• Name, address and contact details
• PPS number
• Name and contact details of next-of-kin in case of emergency
• Original records of application and appointment to promotion posts
• Details of approved absences (career breaks, parental leave, study leave, etc.)
• Details of work record (qualifications, promotions, etc.)
• Details of any accidents/injuries sustained on Centre property or in connection with the staff member carrying out their Centre duties
• Records of any reports the Centre (or its employees) have made in respect of the staff member to State departments and/or other agencies under Children First Act 2015
• Records of disciplinary issues/investigations and/or sanctions imposed
• Psychological/psychiatric and/or medical assessments
• Attendance records
• Information on previous academic records (including reports, references assessments and other records from any previous organisation(s) attended by the person
• Records of significant achievements
• Other records e.g. records of any serious accidents etc.

1. Purposes:

Staff records are kept for the purposes of:

• the management and administration of Centre business (now and in the future)
• to facilitate the payment of staff, and calculate other benefits/entitlements (including reckonable service for the purpose of calculation of pension payments, entitlements and/or redundancy payments where relevant)
• to facilitate pension payments in the future
• human resources management
• recording promotions made (documentation relating to promotions applied for) and changes in responsibilities, etc.
• to enable the Centre to comply with its obligations as an employer, including the preservation of a safe, efficient working environment (including complying with its responsibilities under the Safety, Health and Welfare at Work Act 2005)
• to enable the Centre to comply with requirements set down by the Department of Education and Skills, the Revenue Commissioners, the National Council for Special Education, TUSLA, the HSE, and any other governmental, statutory and/or regulatory departments and/or agencies
• for compliance with legislation relevant to the Centre

1. Location and Security procedures of Laois Education Centre:
   • Manual records are kept under lock and key in a locked and password protected office and are only accessible to personnel who are authorised to use the data. Employees are required to maintain the confidentiality of any data to which they have access.
   • Digital records are stored on password-protected computers with adequate encryption software.
   • The Centre has the burglar alarm activated during out-of-school hours

2.        Client/Others’ records: 

• Categories of data:

These may include:

• Information which may be sought and recorded at registration for courses/projects/activities/purchases and may be collated and compiled during the course of the person’s involvement with these. These records may include:
  • Name, Address and contact details
  • PPS number
  • Date of birth
  • Gender
  • Nationality
  • Names and addresses of parents/guardians and their contact details (if under 18)
  • Any relevant special conditions (e.g. access issues, special educational needs, health issues, etc.) which may apply
• Attendance records
• Photographs and recorded images of clients (including at Centre events and noting achievements) are managed in line with the Centre’s policy on photography.
• Other records e.g. records of any serious injuries/accidents, etc.

• Purposes:

The purposes for keeping client records include:

• to comply with legislative or administrative requirements
• to meet the educational, social, physical and emotional requirements of the client
• photographs and recorded images of clients are taken to celebrate/publicise Centre achievements. Such records are taken and used in accordance with the ‘Centre Photography Policy’ and ‘Centre Website Privacy Statement’.

1. (Location and Security procedures as above):

3.        Management Committee Records:

1. Categories of Management Committee data:

• Name, address and contact details of each member of the Management Committee (including former members of the Management Committee)
• Records in relation to appointments to the Management Committee
• Minutes of Management Committee meetings and correspondence to the Committee which may include references to individuals

1. Purposes:

To enable the Management Committee to operate in accordance with all applicable legislation and to maintain a record of Management Committee appointments and decisions.

1. (Location and Security procedures as above):

4.        Other Records: e.g. Creditors

• Categories of Management Committee data:

The Centre may hold some or all of the following information about creditors (some of whom are self-employed individuals):

• name
• address
• contact details
• PPS number
• tax details
• bank details and
• amount paid

• Purposes:

The purposes for keeping creditor records are:

This information is required for routine management and administration of the Centre’s financial affairs, including the payment of invoices, the compiling of annual financial accounts and complying with audits and investigations by the Revenue Commissioners.

• (Location and Security procedures as above):

5.        Other Records: Charity Tax-back Forms

1. Categories of Management Committee data:

The Centre may hold the following data in relation to donors who have made charitable donations to the Centre:

• • name
• • address
• • telephone number
• • PPS number
• • tax rate
• • signature and
• • the gross amount of the donation.

1. Purposes:

The purposes for keeping creditor records are:

Centre’s are entitled to avail of the scheme of tax relief for donations of money they receive. To claim the relief, the donor must complete a certificate (CHY2) and forward it to the Centre to allow it to claim the grossed up amount of tax associated with the donation. The information requested on the appropriate certificate is the donor’s name, address, PPS number, tax rate, telephone number, signature and the gross amount of the donation. This is retained by the Centre in the event of audit by the Revenue Commissioners. 

1. (Location and Security procedures as above)

Links to other Centre Policies and to CPD delivery

Our Centre policies need to be consistent with one another, within the framework of the overall Centre Plan. Relevant policies already in place or being developed or reviewed, shall be examined with reference to the Data Protection Policy and any implications which it has for them shall be addressed.

The following policies may be among those considered:

• Child Safeguarding Procedures
• Anti-Bullying Procedures
• ICT Acceptable Usage Policy
• Critical Incident Policy

Processing in line with a Data Subject’s Rights

Data in this Centre will be processed in line with the data subject's rights. Data subjects have a right to:

• Know what personal data the Centre is keeping on them
• Request access to any data held about them by a data controller
• Prevent the processing of their data for direct-marketing purposes
• Ask to have inaccurate data amended
• Ask to have data erased once it is no longer necessary or is irrelevant.

Data Processors

Where the school outsources to a data processor off-site, it is required by law to have a written contract in place (Written Third party service agreement). Laois Education Centre’s third-party agreement specifies the conditions under which the data may be processed, the security conditions attaching to the processing of the data and that the data must be deleted or returned upon completion or termination of the contract.

Personal Data Breaches

All incidents in which personal data has been put at risk must be reported to the Office of the Data Protection Commissioner within 72 hours.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Management Committee must communicate the personal data breach to the data subject without undue delay.

If a data processor becomes aware of a personal data breach, it must bring this to the attention of the data controller (Management Committee) without undue delay.

Dealing with a Data Access Request

Individuals are entitled to a copy of their personal data on written request.

The individual is entitled to a copy of their personal data.

Request must be responded to within one month. An extension may be required e.g. over holiday periods.

No fee may be charged except in exceptional circumstances where the requests are repetitive or manifestly unfounded or excessive.

No personal data can be supplied relating to another individual apart from the data subject.

An employee dealing with telephone enquiries should be careful about disclosing any personal information held by the Centre over the phone. In particular, the employee should:

• Ask that the caller put their request in writing
• Refer the request to the Director for assistance in difficult situations
• Not feel forced into disclosing personal information

Implementation Arrangements, Roles and Responsibilities 

The Management Committee is the data controller and the Director implements the Data Protection Policy, ensuring that staff who handle or have access to Personal Data are familiar with their data protection responsibilities.

The following personnel have responsibility for implementing the Data Protection Policy:

Name                                      Responsibility

Management Committee:      Data Controller

Director:                                  Implementation of Policy

Ratification & Communication

This policy review and update was ratified at the Management Committee meeting of 25/05/2019.

Monitoring the Implementation of the Policy

The implementation of the policy shall be monitored by the Director, staff and the Management Committee.

The Director shall liaise with staff to ensure compliance and understanding of issues pertaining to GDPR.

Reviewing and Evaluating the Policy

On-going review and evaluation will take cognisance of changing information or guidelines (e.g. from the Data Protection Commissioner, Department of Education and Skills or others), legislation and feedback from clients, staff and others. The policy will be revised as necessary in the light of such review and evaluation and within the framework of Centre planning.