On the 25th May 2018 the General Data Protection Regulation (GDPR) came into effect. In Ireland GDPR has been given legislative effect in the new Data Protection Act 2018.
This new legislation updates the current law in relation to data protection and seeks to strengthen and unify data protection for all individuals within the European Union including Ireland. It grants new and enhanced rights for all individuals in relation to their own personal information. An individual about whom data is held by an organisation is referred to as a data subject.
Kildare and Wicklow Education and Training Board (KWETB) is the state education and training authority for the Kildare and Wicklow region established by the Education and Training Boards Act 2013.
To fulfil its statutory obligations KWETB gathers, stores and processes large amounts of data on a variety of data subjects. This would include students, learners, staff, third parties and members of the public. This personal data can range from some personal details and CCTV footage to financial transactions. Personal data is any data that permits an individual to be identified.
KWETB is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.
The Data Protection regulations and legislation require the staff of KWETB to process data fairly and to ensure the security of that data. KWETB is required to:
- explain why personal data is being gathered
- outline the purpose for which it will be used
- only gather the minimum amount of data necessary
- inform persons whether KWETB will share data with anyone else
- only keep data for as long as it is needed
- protect data from loss or theft
- keep data accurate and up to date
GDPR places restrictions on what KWETB is allowed to do with personal data such as passing personal information on to third parties, transferring information outside the EU or using it for direct marketing.
GDPR also provides individuals with important rights. GDPR therefore:
- reinforces the right of a person to ask for a copy of all personal data held relating to them personally
- gives a right to object to direct marketing practices,
- allows a person to ask for inaccuracies in their personal data to be corrected,
- give a right to data portability,
- in certain cases it allows for personal data to be erased,
- gives the right to seek compensation through the courts where privacy rights have been infringed.
Also under the new legislation the digital age of consent has been set at 16. This means that social media and other online companies will need parental consent where they wish to use the personal data of a child under the age of 16 for marketing purposes or for creating personality profiles.
KWETB has developed a range of policies that must be adhered to in order to comply with GDPR. These policies are available as below:
- Data Protection Policy
- CCTV Policy
- CCTV Privacy Notice
- Data Breach Protocol
- KWETB Records Management Policy
- KWETB Record Retention Schedule
- Covid 19 Privacy Notice
- Covid 19 Fógra Príobháideachais
- Privacy Notice to Students, Parents/Guardians
- Privacy Notice Employees/Board Members/Volunteers
- Programme and Learner Support System Data Protection Statement
Making an Access Request
A data subject can exercise the right of access at any time by contacting KWETB’s Data Protection Office in writing. This can be done via email to firstname.lastname@example.org, or via post to Kildare and Wicklow Education and Training Board, Áras Chill Dara, Devoy Park, Naas, Co. Kildare. A Data Access Request Form will be provided. Access requests regardless of KWETB School or Centre should be sent to the Data Protection Officer of KWETB.
Due to COVID-19, KWETB are working, in the main, remotely, and our schools and centres remain closed until the Government of Ireland advise otherwise. We ask you to bear this in mind in the event of making an access request. As an organisation, due to the impact of COVID-19, there is a possibility we cannot respond to a request in full or in part within the usual 30 days period and shall be in contact with the data subject if this is the case. The GDPR provides for an extension of two months to respond to a request where necessary taking into account the complexity. Please see this article by the Data Protection Commission in relation to Access Requests during COVID-19.
Contact details for queries in relation to Data Protection in KWETB:
Via email: email@example.com
Post: Data Protection Officer
Kildare and Wicklow ETB
Áras Chill Dara
Telephone: 045 988 000