Data Protection Policy

 

In Ireland Data Protection law applies to the processing of personal data of living individuals. In addition every Torc employee, associate and contractor has obligations to ensure confidentiality of personal and business data under their contract of employment or engagement on a specific assignment.

 

This policy is focused on informing Torc, its employees, associates, contractors and agents of their responsibilities under data protection to obtain, process and disclose personal data in accordance with the Data Protection legislation requirements.

 

 

As a data controller Torc has obligations under the Data Protection Acts of 1988 and 2003 and General Data Protection Regulation 2018 to ensure that personal data is managed in accordance with the eight principles of data protection. At a high level, Torc must ensure that personal data is:

1. obtained and processed fairly
2. kept only for specified, explicit and legitimate purposes
3. not used in a manner incompatible with purpose for which it was provided
4. protected against unauthorised access, alteration, disclosure or destruction or unlawful processing
5. accurate, complete and, where necessary, kept up to date
6. adequate, relevant and not excessive in relation to the purpose for which the data was collected
7. not kept for longer than is necessary
8. disclosed to the data subject on request and corrected or destroyed where they so request.

The Acts also provide that a “duty of care” is owed to data subjects, which means that those controlling or processing the data should take care that their activities do not cause damage or distress to the people concerned by, for example, maintaining inaccurate information on our files, or disclosing personal data to someone who is not entitled to this data.

 

To ensure that all staff and others who process personal data on behalf of Torc are doing so in accordance with these principles at all times, we have developed this Data Protection Policy together with a Data Protection Code of Practice for general application.

 

Paddy Collins is Torc’s Data Protection Officer (Full details of the role and responsibilities of the Data Protection Officer are in the Appendix.)

 

 

Personal data is any data that identifies a living individual. If an individual can be identified directly from the data or indirectly, by using that data in conjunction with other information that is in Torc’s possession then that constitutes personal data.

 

This means if we have a piece of data on one system such as a mobile number that can be input to another system and matched to other data – name, address, date of birth etc., then that mobile number constitutes personal data.

 

 

Torc holds personal data for a narrow range of individuals such as current and former clients, prospective clients, candidates, course participants and employees.

 

 

Torc can use personal data to complete the purpose for which the data was obtained.

 

 

Data subjects include any person about whom the Torc processes personal data.

 

All data subjects have the right to access the information held about them, ensure that it is correct and fairly held, and to complain to the Data Protection Commissioner if they are dissatisfied.

 

All data subjects have the right to ask for their personal data to be deleted and not to be processed any longer.

 

All requests to access or delete personal data will be handled in accordance with the procedures as detailed in the Data Protection Code of Practice and in the General Data Protection Regulation.

 

• You may not access any personal data records or databases for your own purposes, or for your friends or family. This is a serious offence.
• If you plan to use personal data for a new business purpose, you must first obtain formal permission from the Data Protection Officer.
• If a third party requests any personal data, you must always validate the identity and authority of the third party to ensure that he or she is entitled to the information and you must ensure that any disclosure is permissible under this policy.

 

If Torc is providing any personal data to a third party we must have consent to do so. In addition, we can only provide this data where there is a contract established which includes adequate provisions for data protection. Torc must include comprehensive provisions for data protection which state and limit the purposes for which data is provided, limit access only to essential contract staff/associates and ensure data copies are recovered/destroyed when services have been provided or the contract comes to an end.

 

We must also take appropriate operational measures to ensure the contractor/associate has appropriate organisational and technical measures to safeguard any personal data provided.

 

 

Paddy Collins, Data Protection Officer p.collins@torc.ie

 

Torc Consulting Group

 

 Appendix

 

Torc’s Data Protection Officer

 

The responsibilities of the Data Protection Officer are:

• to implement Data Protection training and awareness for staff ;
• to advise Directors on any relevant Data Protection issues;
• to supervise the application of the Data Protection Acts;
• to review and update the Data Protection Code of Practice / Data Protection Policy as necessary;
• to undertake any necessary coordinated consultation and be the primary contact for all consultation with any other body regarding any new development in Data Protection e.g. any new EU Regulation on Data Protection;
• to be the primary contact for all Data Protection matters with Data Protection Commissioner, including reporting to Data Protection Commissioner on Data Protection breaches;
• to ensure requests for personal data submitted to Torc are processed in a timely manner by the appropriate person;
• to receive complaints and respond if anyone in Torc is not happy with how the Data Protection Code of Practice is being applied;
• to receive complaints and respond if any data subject believes that their request for personal data has not been processed appropriately;
• following a formal evaluation of the request, which approves it as valid, to ensure requests from other organisations for access to personal data in Torc’s possession are processed in a timely manner by the appropriate person.