Paul Walsh, trading as Walsh Training Solutions, is committed to best practice in data protection and all data retained by Walsh Training Solutions will be kept no longer than necessary to achieve the stated purpose for which it was originally collected.
Under the Data Protection Acts 1998 and 2003, as amended, and the General Data Protection Regulation (GDPR), Walsh Training Solutions has certain obligations as a data controller to process personal data in a fair and transparent manner.
The term “data subject” refers to any living person whose personal data might be collected or processed by Walsh Training Solutions. For the purpose of this policy, Paul Walsh will hold the role of ‘Data Protection Officer’ and be responsible for certain processes outlined in this document.
2. What data will we collect?
“Personal data” refers to any information which can be used to identify a living person. Personal data can only be collected by Walsh Training Solutions if doing so meets one of the following criteria:
1. Consent has been received from the data subject that their personal data can be stored and processed for a stated purpose.
2. The data is required for the performance of a contract with you or a service provided to you by Walsh Training Solutions.
3. Walsh Training Solutions has a legal or regulatory requirement to do so.
Certain forms of data are categorised as “sensitive personal data”, which require stricter rules if they are to be collected or processed. Sensitive personal data is any information which records a living person’s:
1. Racial and/or ethnic origin
2. Political, religious or philosophical belief(s)
3. Trade union membership
4. Physical or mental health condition(s)
5. Sexual life or health information
6. Criminal record or accusations of criminal offences
7. Genetic or biometric data
Walsh Training Solutions can only collect and process sensitive personal data if doing so satisfies one of the following criteria:
1. Explicit consent has been received from the data subject that their personal data can be stored and processed for a stated purpose.
2. It is necessary for Walsh Training Solutions to fulfil its obligations as an employer or under social security/social protection law
3. It is necessary to protect the vital interests of the data subject or of another person, and the data subject is incapable of giving consent
4. The data has clearly and obviously been made public by the data subject
5. It is necessary for the purpose of a legal claim
6. It is necessary for certain medical reasons, including the assessment of the working capacity of an employee
7. It is necessary for public health reasons
In all cases of personal or sensitive data collection, the preferred condition for collection and processing by Walsh Training Solutions is that consent has been received from the data subject.
3. What data will we process?
“Data processing” refers to any operation performed on personal data, e.g., collection, recording, organising, structuring, storage, adaptation or alteration.
Walsh Training Solutions can only process personal data for the specific purpose or purposes for which it was originally gathered. Personal data should only be retained by Walsh Training Solutions for as long as it takes to fulfil this purpose and no longer, or until the data subject makes a legitimate request to exercise their right of erasure.
4. Data Storage
All personal data held by Walsh Training Solutions must be stored in a secure manner. Data should only be accessible to appropriate named members of staff or contracted instructors for whom accessing the data in question forms a part of their job.
Be advised that Walsh Training Solutions is required to retain certain records containing personal information for a pre-set amount of time to satisfy our legal and regulatory obligations, including with professional bodies such as PHECC. Premature destruction of such data could result in serious repercussions for Walsh Training Solutions.
5. Data Access Requests
Any individual whose personal data is held by Walsh Training Solutions has a right to request a copy of all their personal data currently held by us. The information must be clear, comprehensive and provided free of charge, must explain the purpose for which their data is being processed, and must be delivered within one month of their initial request.
Walsh Training Solutions staff who receive a data access request must use the following step-by-step procedure:
1. Notify Paul Walsh, the designated Data Protection Officer (DPO), that a data access request has been received as soon as possible, preferably immediately.
2. The DPO will attempt to determine whether the individual who made the request is definitely the subject of the data in question; the DPO will request clear identification which may include a passport or other form of state-issued I.D., and, if deemed necessary, proofs of address, as well as requesting clarification, if needed, on the nature of the individual’s relationship or former relationship with Walsh Training Solutions.
3. If the DPO is satisfied with the above, they will identify the member of staff best placed to handle the data access request.
4. The designated member of staff will acknowledge receipt of the request to the requester, and inform them of the timeframe (no more than one month from the original staff member receiving the request) in which they can expect a full reply.
6. Right of Erasure
Walsh Training Solutions recognises the legal right of data subjects to be forgotten, withdrawing their consent for Walsh Training Solutions to hold and process their personal data. All individuals with personal data held by Walsh Training Solutions may request at any time that all data held on them by the organisation be destroyed.
Data subjects are free to exercise this right, except in cases where to destroy such data would violate Walsh Training Solutions’ legal obligations, e.g. in the case of certain contractual information, which must be held for a period of years even in the event of an employee ceasing their period of employment with us.
7. Data Destruction
Personal data held by Walsh Training Solutions which has served the purpose for which it was collected must be destroyed. Likewise, personal data on which a legitimate right of erasure claim has been made must also be destroyed.
The destruction of personal data stored in paper form must be conducted by shredding, either by Walsh Training Solutions or a shredding service contracted for this purpose. Where personal data is stored electronically, care must be taken to ensure it is properly and entirely deleted from all sources and by all employees of Walsh Training Solutions.
In the event of legal proceedings being launched against Walsh Training Solutions, Walsh Training Solutions must cease any data destruction operations currently underway. Destruction should resume as soon as legal proceedings have come to a close.
8. Data Retention Periods
Different categories of personal data must be retained by Walsh Training Solutions for different periods of time in order to fulfil their purpose. In general, records should not be retained if there is no clear business reason for doing so.
9. Data Breaches
A “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” by Walsh Training Solutions. Data breaches can be large or small in scale: for instance, accidentally sending an email to the wrong recipient.
In the event any member of staff becomes aware of a possible personal data breach, however small, they must inform Paul Walsh without delay.
Upon being notified of a potential personal data breach, Paul Walsh, as data protection officer, must determine the following:
i. Whether there has been a breach of personal data held by Walsh Training Solutions or, if this cannot be definitively proven, whether it is likely such a breach has occurred;
ii. Whether this breach or likely breach is damaging to the individuals whose personal data has been compromised;
iii. As far as possible, who accessed what data and when, how that data is being used, and which individuals are likely to be affected.
iv. The data protection officer must assess whether the data breach is significant enough to bring to the attention of the Data Protection Commission and if so must inform the Commission within 72 hours. If, for whatever reason, the Data Protection Commission is not notified within 72 hours, the Data Protection Officer must include reasons for the delay with their submission. The Data Protection Officer will also inform the affected individuals whose data has been compromised.
The DPO’s notification must include the following information:
i. A description of the nature of the breach including, if possible, the categories and approximate numbers of individual data subjects and/or data records involved;
ii. The name and contact details of the data protection officer or another person who can be contacted for more information;
iii. The likely consequences arising from the breach;
iv. A summary of the measures taken and proposed to be taken to address the breach and, where possible, to mitigate its possible effects.
v. Once all relevant parties have been informed, the data protection officer will work to implement the proposed measures to address the personal data breach, including revision of policies and practices as necessary.
10. Data Sharing
In some cases, Walsh Training Solutions may engage in relationships with other organisations in which data is shared between both parties, e.g. sharing of data with awarding and regulatory bodies for certification of courses. The sharing of data will only occur where consent has been obtained from the data subject or where it is required by law or regulation.