Data Protection Policy
In performing its functions, Clarity Locums (hereafter termed “the Company”) is required to process “Personal Data” within the meaning of the Data Protection Acts 1988 and 2003 (“the Acts”). In the pursuit of a high standard of compliance and respect for those with whom we have a relationship, we set out below our Data Protection Policy for all employees of our Company.
The Company respects absolutely the privacy of all of those whose Personal Data we are obliged to hold and we are conscious of our obligations regarding the collection, storage, legitimate and lawful processing of all such Data. We hold as central a respect for privacy and commit to upholding our duties towards the Data held in accordance with strict compliance with the Data Protection Acts.
The objective of this Code of Practice is to disclose in a transparent way how the Company obtains and processes Personal Data so that anyone who provides Personal Data to us can clearly understand our practices and procedures and invoke their legal rights in a clear and efficient manner. This Code also sets out our approach to dealing with Data Access Requests under Section 4 of the Data Protection Acts.
Types of Personal Data held by us
- Telephone number and mobile
- Education Status
- Employment Status
- Date of Birth
- Services/supports Received
- Records of employment disciplinary sanctions – for the appropriate period pertaining to the sanction
- Time sheets
- Holiday request forms
- Placement details
Obligations of the Company
The Company controls the contents and use of certain Personal Data provided to it in the course of its business.
In the course of carrying out our business it is not envisaged that there will be a requirement to disclose or permit access to the Personal Data held by us to any third party, save where that third party has a legal right or entitlement to enter our premises and so enquire and oblige disclosure, on foot of a Court order or where a third party is supplying us with a service which is relevant to the purposes for which the Data is being held (for example if our payroll were to be outsourced to a third party). At all times a third party will be obliged to disclose their Data Protection Policy.
It may become necessary to disclose Personal Data for funding purposes, and we reserve the right to so do.
What we do with Personal Data
The Company processes Personal Data provided to us only for the purposes of complying with statutory requirements such as taxation etc., and in the future it is envisaged that we may have to disclose Personal Data held by us as part of our funder requirements.
Collection, processing, keeping, use and disclosure of personal data
In order to comply with the data protection principles set out in Section two of the Data Protection Acts, the Company will ensure Personal Data we hold meets the following criteria:
- Obtain and process information fairly: The Company will obtain and process personal data fairly in accordance with the fulfilment of its functions and its legal obligations.
- Keep it only for one or more specified, explicit and lawful purposes: The Company will keep data for purposes that are specific, lawful and clearly stated and the data will only be processed in a manner compatible with these purposes.
- Use and disclose it only in ways compatible with these purposes: The Company will only use and disclose personal data in ways that are necessary for the purpose/s or compatible with the purpose/s for which it collects and keeps the data.
- Keep it safe and secure: The Company will take appropriate security measures to prevent unauthorised access to, or alteration, disclosure or destruction of the data and against their accidental loss or destruction. The Company acknowledges that high standards of security are essential for processing all personal information and in this regard confirms that a hard copy of material relating to employment, i.e. the Employee’s personnel file, will be kept in the office of EAK Systems Ltd. A computerised copy of the file will be kept on our internal web server with only Kevin O’Neill MPSNI (Managing Director) having access at this level.
- Keep it accurate, complete and up-to-date: The Company has procedures that are adequate to ensure high levels of data accuracy and completeness and to ensure that personal data is kept up to date.
- Ensure that it is adequate, relevant and not excessive: Personal data held by the Company will be adequate, relevant and not excessive in relation to the purpose/s for which they are kept.
- Retain it for no longer than is necessary for the purpose or purposes: The Company will have a defined policy on retention periods for personal data and appropriate procedures in place to implement such a policy. For compliance purposes, this will be 5 years.
- Give a copy of his/her personal data to an individual, on request: The Company will have procedures in place to ensure that data subjects can exercise their rights under the data protection legislation.
Right of Access
Under Section 4 of the Data Protection Acts, Data Subjects are entitled to the following information from the Company:
- Confirmation as to whether we keep Personal Data relating to them.
- A description of the categories of Personal Data processed.
- A copy of such Personal Data in intelligible form.
- A description of the purpose(s) behind the processing of the Personal Data.
- The identity of those to whom we have disclosed (or currently disclose) the data.
- The source of the Personal Data (unless this is contrary to the public interest).
The Company has detailed within this document the type of data held and the locus of said storage.
Access requests under Section 4 apply to Personal Data held by the Company and in manual form within a relevant filing system. However, where a document exists in duplicate, e.g. where correspondence is scanned into our systems, two copies of the same document will not be provided in response to a request.
Formalities for Data Access Request
A Data Access Request must meet certain requirements as specified in the Data Protection Acts:
- It must be in writing;
- It must include a reasonable level of appropriate information to help us to locate the information required;
- The Company will make reasonable enquiries to satisfy ourselves about the identity of the person making the request to ensure we are not disclosing Personal Data to a party who is not entitled to it.
Data Access Requests will be complied with within 40 days of receipt of the request. Where reasonable additional information is required to substantiate the request as described in (b) and (c), the time frame for responding runs from receipt of the additional information.
If we receive a very general Data Access Request, e.g. “please give me everything you have on me”, the Data Protection Acts allow us to seek more detailed information on the nature of the request, such as the approximate date of an interaction.
Information Which Will not be Provided
The Company will not normally disclose the following types of information in response to a Data Access Request:
- Information about other People: A Data Access Request may cover information which relates to one or more people other than the Data Subject. The information about the other person may be Personal Data about that person, to which the usual data protection rules under the Data Protection Acts, including the restrictions on disclosure, apply. In such circumstances we will not grant access to the information in question unless either:
- the other person has consented to the disclosure of their data to the Data Subject or;
- in all the circumstances it is reasonable to make the disclosure without that person’s consent. If the person’s consent is not forthcoming and it is not reasonable to make the disclosure without consent, we will make available as much Personal Data as we can without revealing the identity of the other person (for example by excluding the person’s name and/or other identifying particulars).
- Opinions given in Confidence: Where we hold Personal Data about the Data Subject in the form of an opinion given in confidence we are not required to disclose such opinions in response to a Data Access Request in all cases.
- Repeat Requests: The Data Protection Acts provide an exception for repeat requests where an identical or similar request has been complied with in relation to the same Data Subject within a reasonable prior period. The Company will consider that if a further request is made within a period of twelve months of the original request and where there has been no significant change in the personal data held in relation to the individual, it will be treated as a repeat request. Accordingly, where Personal Data has recently been provided to the Data Subject or his/her legal representative, the Company will not normally provide a further copy of the same data in response to a Data Access Request. The Company will not consider that it is obliged to provide copies of documents that are in the public domain.
- Privileged Documents: Where a claim of privilege could be maintained in proceedings in a court in relation to communications between an individual and his or her professional legal advisers (or between those advisers) any privileged information which we hold need not be disclosed pursuant to a Data Access Request.
Where the Company refuses a Data Access Request, it will do so in writing and will set out the reasons for refusal. Any person who is dissatisfied with the response of the Company to their request has the right to make a complaint to the Data Protection Commissioner.
Exceptions to Right to Data
Section 5 of the Data Protection Acts provides that individuals do not have a right to see information relating to them where any of the following circumstances apply.
- If the information is kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing/collecting any taxes or duties: but only in cases where allowing the right of access would be likely to impede any such activities;
- If granting the right of access would be likely to impair the security or the maintenance of good order in a prison or other place of detention;
- If the information is kept for certain anti-fraud functions; but only in cases where allowing the right of access would be likely to impede any such functions;
- If granting the right of access would be likely to harm the international relations of the State;
- If the information concerns an estimate of damages or compensation in respect of a claim against the organisation, where granting the right of access would be likely to harm the interests of the organisation.
Format of the Response
The Data Protection Acts provide a right of access to a permanent copy of the Personal Data that is held about the Data Subject unless this is not possible or would involve disproportionate effort.
The information must be communicated to the Data Subject in an intelligible form. Usually this will mean that a photocopy or printout of the Personal Data will be provided to the Data Subject. However, where a Data Subject agrees, information can be provided in electronic format e.g. by email or on disk.
Rectification or Erasure
If a Data Subject seeks to have any of his or her Personal Data rectified or erased, this will be done within 40 days of the request being made provided there is reasonable evidence in support of the need for rectification or erasure.