At North Tipperary Hospice Movement we endeavour to reflect best practice in all aspects of business. In line with the introduction of the General Data Protection Regulation (GDPR), senior management at North Tipperary Hospice Movement have initiated the steps to ensure that the company is compliant with the regulatory requirements as and from 25th May 2018.
The North Tipperary Hospice Movement will review company obligations and responses to new policy introduction for GDPR.
North Tipperary Hospice Movement acknowledges and accepts Data Subject Rights in terms of personal data in respect of:
1. Right of Access
2. Right of Erasure
3. Right to Restrict Processing
4. Right to Data Portability
5. Right to Object
6. Right to Rectification
Personal data means any information relating to an identified or identifiable person (data subject). An identifiable person is one who can be identified, directly or indirectly.
Sensitive Personal Data / Special Categories of Personal Data
Special categories of personal data include:
racial or ethnic origin, sexual orientation, political opinions, data concerning health, religious or philosophical beliefs, trade union membership, processing of genetic data, biometric data for the purpose of uniquely identifying a natural person.
Processing means obtaining, recording or holding the data or carrying out any operation or set of operations on the data.
Consent means any freely given agreement from the data subject to process his/her personal data.
Pseudonymisation means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified.
Genetic data means personal data relating to the genetic characteristics of a person which give unique information about the health of that person.
Biometric data means data relating to the physical, physiological or behavioural characteristics of a person which can identify them, such as facial images or fingerprints.
Data concerning health
Data concerning health means personal data related to the physical or mental health of a person, which reveal information about his or her health status.
Personal data breach
A personal data breach is a security incident in which personal, sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
RESPONSIBILITIES OF THE ‘CONTROLLER’ AND ‘PROCESSOR’
Data controller means a person (or persons) who determines the purposes and the manner in which personal data is processed.
Controller Responsibilities at North Tipperary Hospice Movement:
• Implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation
• Implement appropriate data protection policies and procedures
• Ensure compliance with GDPR regulation
• Ensure Data Protection Impact Assessments (DPIAs) are carried out where appropriate
• Co-operate with the supervisory authority including notification of a data breach (within 72 hours of breach)
• Notify data subject of a data breach
Data Processor means any person (other than an employee) who processes the data on behalf of the company or controller.
Processor Responsibilities at North Tipperary Hospice Movement:
• Process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law
• Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• Respect the conditions for engaging with another processor;
• Taking into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the controller’s obligation to respond to requests for exercising the data subject’s rights outlined above;
• At the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data;
• Make available to the controller all information necessary to demonstrate compliance with the obligations under this regulation and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Controller to be advised
All North Tipperary Hospice Movement employees will be trained in relation to GDPR and their individual responsibilities.
North Tipperary Hospice Movement aims to ensure information security for all stakeholders in the organisation. Taking into account the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, North Tipperary Hospice Movement, whether acting as controller or processor, has implemented and will continue to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
1. The pseudonymisation and encryption of personal data.
2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Transfer of data to third countries or international organisation
A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Without requiring any specific authorisation from a supervisory authority, the appropriate safeguards may be provided by:
1. A legally binding and enforceable instrument between public authorities or bodies
2. Binding corporate rules in accordance with Article 47
3. Standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 (2)
4. Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93 (2)
5. An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
6. An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
Subject to the authorisation from the supervisory authority, the appropriate safeguards may also be provided by:
1. Contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
2. Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
SUBJECT ACCESS REQUEST FORM:
North Tipperary Hospice Movement has created a subject access request form. This form includes the data subject’s name, address, telephone number and email for the purposes of contacting the data subject. The form is located on www.northtipphospice.ie. It must be accompanied by a valid form of ID (passport / driver’s licence). North Tipperary Hospice Movement will respond to subject access request forms within 30 days, if reasonably practicable to do so. Where requests are complex or numerous, this period may be extended by 2 additional months. Where requests are manifestly unfounded or excessive, North Tipperary Hospice Movement reserves the right to charge a reasonable fee, taking administrative costs into consideration.
Data Protection Commissioner:
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
In Ireland, complaints can be made directly in writing to the Data Protection Commissioner or online at firstname.lastname@example.org . The complaint will need to include:
• Details of the specific data protection issue you are raising
• Signed authority from you/a solicitor/representative that has made the contact
• Documentary evidence to support the allegation being made
• Copy of relevant correspondence exchanged with the data controller on the matter
North Tipperary Hospice Movement will issue a privacy notice to all existing stakeholders affected by the changes introduced by the General Data Protection Regulation.