1 SCOPE
This policy applies to the processing by or on behalf of the Meath Foundation of personal data on natural persons (data subjects) resident in the European Economic Area regardless of whether the data is processed in the EEA or in another location. The policy is designed to ensure that the Meath Foundation complies with its obligations under the General Data Protection Regulation and any other relevant data protection laws and codes of conduct (herein collectively referred to as “the data protection laws”) operable within the EEA.
The policy is binding on all directors, external members of Board Committees, managers, officers, and staff of the Meath Foundation. Adherence to this policy is mandatory and non-compliance could lead to disciplinary action in accordance with the Meath Foundation Constitution and contracts of employment.
2 POLICY STATEMENT
The Meath Foundation processes personal data in the course of maintaining the following:
- Register of Directors, External Members of Board Committees;
- Register of Members;
- Staff;
- Register of Recipients of:
  - Research Grants; Research Fellowships;
  - MSc Fellowships;
  - Awards;
  - Quality Improvement & Innovation Awards.
Personal data is collected from Data Subjects including directors, members, suppliers, contractors and consultants. “Personal data” is “any information relating to an identified or identifiable natural person” and includes (but is not limited to) name, address, email address, date of birth, IP address, identification numbers and bank details, along with special categories of personal data as defined below. ‘Special Categories of Personal Data’ are data relating to “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.
The Meath Foundation is committed to processing all personal data in accordance with the General Data Protection Regulation (GDPR), and any other relevant data protection laws and codes of conduct (herein collectively referred to as “the data protection laws”) in the countries in which we operate. Protecting the privacy of Data Subjects by ensuring and maintaining the security and confidentiality of personal and/or special category data is a compliance priority for The Meath Foundation. In addition to supporting our wish to be exemplary in terms of compliance, meeting our obligations also reduces the potential financial, legal and reputational risks that may arise from non-compliance.
3 PURPOSE AND OBJECTIVES
3.1 PURPOSE
The purpose of this policy is to set out the Meath Foundation’s commitment to personal data protection and to outline the arrangements the Meath Foundation has made to meet its obligations under data protection laws. This policy also serves as a reference document for staff and third-parties on the responsibilities associated with processing personal data.
3.2 OBJECTIVES
Our data protection objectives are to:
- Ensure that individuals, especially members, who entrust us with their personal data feel confident that it will be handled in accordance with their rights under data protection laws;
- Ensure that all directors, managers, officers, and staff involved in processing personal data are competent and knowledgeable about our data protection obligations and how they apply to their specific roles in the Meath Foundation;
- Enhance the Meath Foundation’s reputation as a reputable, trustworthy organisation which is committed to high standards of compliance and ethical behaviour;
- Minimise as far as possible the legal, financial or reputational risks to the Meath Foundation that can arise from processing personal data.
4 GOVERNANCE
In relation to the governance of our data protection policies and processes the Meath Foundation has:
- Assigned leadership and management responsibility for data protection across the Meath Foundation;
- Allocated responsibility for data protection compliance ensuring that the designated person(s) has sufficient access, support and resources to perform the role;
- Educated directors, officers, and staff about the requirements under the data protection laws, the benefits of applying good personal data management practices and the potential implications of non-compliance;
- Provided effective data protection training for all staff consistent with their roles.
Responsibility for Data Protection – Summary
Board:
- Oversee data protection management practices.
- Allocate responsibilities and provide sufficient resources.
- Approve policies.
- Lead by example: make data protection a priority and incorporate it into management systems and processes.
Staff:
- Process personal data under their control in a compliant fashion.
- Uphold data subject rights in relation to personal data under their control.
Chief Executive Officer:
- Facilitate delivery of data protection training and awareness raising of staff.
- Allocate data protection responsibilities and resources within the Meath Foundation.
- Inform and advise the Meath Foundation of its obligations under GDPR and other data protection laws.
- Monitor compliance with the GDPR, other data protection provisions and policies in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
- Provide advice where requested as regards data protection impact assessment and monitor its performance pursuant to Article 35.
- Cooperate with the supervisory authority and act as the contact point for the supervisory authority on issues relating to processing.
We have appointed our Chief Executive Officer as the Data Protection Lead, whose role it is to identify and mitigate any risks to the protection of personal data, to act in an advisory capacity to the Meath Foundation, its directors and staff, and to actively stay informed and up to date with all legislation and changes relating to data protection.
The Data Protection Lead will also maintain adequate and effective records and management reports in accordance with the data protection laws and the internal objectives and obligations of the Meath Foundation.
5 COMPLIANCE WITH MAJOR PRINCIPLES
The principles of personal data management as described in GDPR are detailed in Appendix 2. In summary, these principles to which the Meath Foundation adheres are as follows:
5.1 TRANSPARENCY, PURPOSE AND LAWFUL BASIS FOR PROCESSING
The Meath Foundation advises all Data Subjects about what data it collects, what it is used for, who it might be shared with, where and for how long it may be retained, and how it is secured in addition to other relevant details about processing personal data. We also advise data subjects of their rights, where to get further information and how to make a complaint.
The Meath Foundation establishes the purpose and lawful basis for processing before processing any personal data.
5.2 PURPOSE LIMITATION
The Meath Foundation processes personal data only for the stated purpose or for purposes that are compatible with the original purpose. If processing for an incompatible purpose is contemplated, we seek the consent of the Data Subject before processing the data for the new purpose.
5.3 DATA MINIMISATION
The Meath Foundation only ever obtains, retains, processes and shares the minimum amount of personal data that is essential for carrying out our services and/or meeting our legal obligations.
5.4 ACCURACY AND QUALITY
The Meath Foundation takes steps to ensure the accuracy and quality of personal data processed and acts to rectify any inaccuracies where they occur.
5.5 RETENTION AND STORAGE LIMITATION
The Meath Foundation retains and stores personal data only for as long as is necessary for the purpose for which the data is processed.
5.6 SECURITY AND CONFIDENTIALITY
The Meath Foundation has adequate and appropriate technical and organisational measures commensurate with the risk to the Data Subjects to ensure the security and maintain the confidentiality of personal data processed.
6 OUR OBLIGATIONS AS A DATA CONTROLLER
In addition to complying with the above principles of personal data management the Meath Foundation recognises that it has specific obligations as a Data Controller. These obligations, and the measures taken or planned to address them, are:
6.1 PRIVACY NOTICE
Where personal data is obtained directly from the individual we provide the Data Subject with a Privacy Notice setting out the identity and the contact details of the controller, the contact details of our data protection lead, the purpose(s) and legal basis for the processing, the existence of the rights of data subjects and how to exercise them, the right to lodge a complaint with the Supervisory Authority and other information as required by law.
Where the Meath Foundation obtains and/or processes personal data that has not been obtained directly from the data subject, the Meath Foundation ensures that required information disclosures are provided to the data subject within 30 days of our obtaining the personal data.
6.2 RECORD OF PROCESSING ACTIVITIES
The Meath Foundation maintains a record of personal data processing activities in its Office in Tallaght University Hospital.
6.3 DATA BREACHES
The Meath Foundation sits on the Tallaght University Hospital (TUH) platform and has extensive technical and organisational security measures in place through TUH to protect the security and confidentiality of personal data. However, the Meath Foundation recognises that breaches, i.e. unauthorised release of, or access to, personal data, can occur. The Meath Foundation understands this and has procedures to assess, record and, where appropriate, notify the TUH Data Protection Officer and/or the Data Subject in the event that a breach occurs.
6.4 CONTRACTS WITH DATA PROCESSORS
The Meath Foundation contracts with TUH through an Information Governance & Data Protection Agreement to provide certain services that entail the processing of personal data, e.g. IT systems and services. We assess the service provided by TUH carefully and are satisfied that TUH has measures in place to process personal data appropriately on behalf of the Meath Foundation. All processing of personal data is subject to the Information Governance & Data Protection Agreement.
6.5 DATA SUBJECT RIGHTS
The Meath Foundation understands and upholds the rights of Data Subjects under Data Protection Law and has arrangements in place to ensure that these rights are understood by staff who process personal data and to respond to requests in a timely fashion.
6.6 DATA PRIVACY IMPACT ASSESSMENT
Where the Meath Foundation processes, or is considering the processing of, personal data utilising new technologies, and/or where there is a likelihood that such processing could result in a high risk to the rights and freedoms of data subjects, we carry out a Data Protection Impact Assessment (DPIA).
6.7 DATA PROTECTION OFFICER
The Meath Foundation has assessed whether it meets the criteria requiring the appointment of a DPO and has concluded that, as it does not meet those criteria, a DPO is not required.
6.8 OVERSEAS TRANSFER
The Meath Foundation is aware of its obligations to safeguard personal data transferred to third countries.
7 AUDITS AND MONITORING
We carry out regular audits and compliance monitoring with a view to ensuring that our measures and controls to protect personal data are effective and compliant. The Data Protection Lead has overall responsibility for assessing, testing, reviewing and improving the processes, measures and controls in place and reporting improvement action plans to the Leadership Team where applicable.
8 TRAINING
The Meath Foundation will provide training for directors, managers and staff in relation to data protection, the content of which is tailored to the requirements of their roles and the extent to which they are involved in processing personal data. Staff who process personal or special category information will be provided with extensive data protection training and other continuing professional development and mentoring.
Data Protection Policy V1 2022
Policy reviewed by FAR Board Committee on 25th August 2022 and recommended to the Board for approval
Policy approved by the Board at their meeting on 22nd September 2022
Review date Q3 2024