Data Protection Policy

Data Protection Policy – Updated: October 2019

1. PURPOSE OF THE LAOIS SPORTS PARTNERSHIP DATA PROTECTION POLICY

   1. The purpose of this Data Protection Policy is to provide for the protection of the rights and privacy of individuals about whom Laois Sports Partnership processes personal data in accordance with The Data Protection Act 2018, which was signed into law on 24 May 2018, changes the previous data protection framework, established under the Data Protection Acts 1988 and 2003. Its provisions include: Establishing a new Data Protection Commission as the State’s data protection authority.
   2. Laois Sports Partnership is committed to protecting the rights and privacy of individuals in accordance with the Data Protection Act and acknowledges the rights that this Act confer on individuals as well as the responsibilities the Act places on Laois Sports Partnership employees and auxiliary staff who process personal data in the course of their duties.

2. DATA PROTECTION DEFINITIONS

   1. The Data Protection Act provides for the collection, processing, retention and eventual destruction of personal data in a responsible and secure way thereby avoiding its misuse.

   2. Personal Data and Sensitive Personal Data

      1. ‘Personal data’ is data that relates to a living individual who is identifiable either from the data itself or from the data in conjunction with other information held by Laois Sports Partnership.
      2. ‘Personal data’ has a very broad-ranging definition and includes, but is not limited to, a person’s name, physiological, economic, cultural, social identity, pseudonyms, occupation, address etc.
      3. The Act differentiates between ‘personal data’ and ‘sensitive personal data’. ‘Sensitive personal data’ relates to a person’s racial or ethnic origin; political opinions; religious or philosophical beliefs; physical and mental health; sexual life; criminal convictions, the alleged commission of an offence and trade union membership.
      4. For the purposes of this Policy, references to ‘personal data’ are deemed to refer to both ‘personal data’ and ‘sensitive personal data’.
      5. Personal data may be held in either electronic form (e.g. on a computer system, CCTV system) or in hard-copy.

   3. Consent

      1. At the time of providing any personal data to Laois Sports Partnership, individuals must be made aware of the use(s) for which the data is being collected and give their consent to such use(s).

   4. Personal Data related to Deceased Persons

      1. Best practice requires that where personal data relating to deceased persons is held, this data is retained and processed in the same manner as personal data relating to living individuals.

   5. Anonymised Personal Data

      1. Personal data collected anonymously or irrevocably anonymised to the extent that the individual cannot be identified from the data is not subject to the requirements of the Data Protection Act or this Policy.

3. USE OF PERSONAL DATA AT LAOIS SPORTS PARTNERSHIP

   1. In order to fulfill its functions, Laois Sports Partnership (as ‘data controller’) must collect and process certain personal data about its employees, Directors, stakeholders, programme and event participants and other individuals who come in contact with the Company. Such functions include the registration of new participants, ongoing renewals based on extended programmes, management of approved current database, registration of participants for attendance at education and training courses, the circulation of promotional and information materials, the recruitment, appointment and payment of employees and auxiliary staff, compliance with statutory obligations and other necessary administrative activities.
   2. All personal data collected and processed by Laois Sports Partnership must be treated with the highest standards of security and confidentiality in order to comply with the Data Protection Acts.
   3. Any provision for Laois Sports Partnership, as a ‘data controller’, to use a third party (known as a ‘data processor’) must be the subject of a written agreement. All proposed agreements between the Company and a third party must be developed in conjunction with the relevant legal advisors of Laois Sports Partnership.

4. PROCESSING OF PERSONAL DATA

   1. The Data Protection legislation imposes a number of restrictions on how the Company may process personal data.
   2. Laois Sports Partnership must handle personal data in accordance with the eight stated data protection principles outlined in the Act as follows:
      (a) Obtain and process the personal data fairly;
      (b) Keep only for one or more specified and lawful purpose(s);
      (c) Use and disclose only in ways compatible with the purpose(s) for which it was initially provided;
      (d) Keep safe and secure;
      (e) Keep accurate, complete and up-to-date;
      (f) Ensure that it is adequate, relevant and not excessive;
      (g) Retain for no longer than is necessary for the specified purpose(s);
      (h) Provide a copy of his/her personal data to an individual, on request.

5. RESPONSIBILITIES OF LAOIS SPORTS PARTNERSHIP EMPLOYEES

   1. This Policy applies to all departments, offices, units and areas of work that form part of the Company structure and applies to all personal data processed by Laois Sports Partnership.
   2. While Laois Sports Partnership, as a whole, has the overall responsibility for ensuring compliance with the Data Protection Act, responsibility for the implementation of this Policy rests with the Head of each area of activity to ensure good data handling practices are in place in order to uphold the privacy of personal data within their respective areas of responsibility. Consent must also be received for usage of photographs and video relating to service delivery activities.
   3. Notwithstanding the foregoing, all employees of Laois Sports Partnership who collect or use personal data as part of their duties have a responsibility to ensure that they process personal data in accordance with the conditions set down in this Policy, the Laois Sports Partnership Data Protection Compliance Regulations, the Data Protection Act and any other relevant Company policies/regulations/procedures.

   4. Laois Sports Partnership Data Protection Regulations

      1. In order to assist employees in implementing this Policy, Factsheet and statement are available at www.laoissports.ie. These regulations set out key areas of work at Laois Sports Partnership where data protection issues may arise and outline best practice in dealing with them.

6. PROCEDURE IN THE EVENT OF A PERSONAL DATA BREACH

   1. A personal data breach may be defined as an incident where unauthorised disclosure, loss, destruction or alteration of personal data occurs through, for example, loss or theft of a portable device, accidental disclosure via email/other electronic system, loss of hard copy records etc.
   2. In the event of a personal data breach, the Coordinator of Laois Sports Partnership must be notified immediately (contact: 057 8671248, email: cmyers@laoissports.ie). The Coordinator will ensure, where appropriate and required, that the data subjects and the Data Protection Commissioner’s Office are notified within a maximum of two days of a breach occurring as required by the Data Protection Commissioner’s ‘Personal Data Security Breach Code of Practice’ (available at www.dataprotection.ie).
   3. Breaches of the terms and conditions of this Policy and the Laois Sports Partnership Data Protection Compliance Regulations (available at www.laoissports.ie) could result in major reputational and financial damage to the Company and may result in employee disciplinary action and termination of employment being invoked.

7. DATA SUBJECT ACCESS REQUESTS

   1. Under the Data Protection Acts, data subjects are entitled to make a request for their personal data held by Laois Sports Partnership free of charge and any additional copies can be requested for a fee not in excess of €6.35. Any such requests should be made in writing to: The Coordinator, Laois Sports Partnership, Portlaoise Leisure Centre, Moneyballytyrrell, Portlaoise, Co. Laois R32 YP11.

8. SHARING DATA WITH THIRD PARTIES

   Data subject’s information will not be shared with third parties for marketing or fundraising purposes.
   Data will only be shared with third parties for the purposes set out below:

   • Third Party Description Purpose for Sharing Data e.g. Programme Management, Certification
   • Sub-contractors to help The Company to run our business in an effective manner under our terms and conditions of contract with data subjects
   • Cloud Service Providers To store information legitimately held by The Company for business purposes
   • IT Back-up Providers To store information legitimately held by The Company for business purposes
   • IT Service Providers To store information legitimately held by The Company for business purposes and for IT security and services
   • Email Service Providers To help The Company to run our business in an effective manner for legitimate business purposes
   • Internal Customer Databases To run internal customer databases in an effective manner under The Company’s terms and conditions of contract with data subjects. Tutors are treated as third party.

9. REVIEW

   1. This Policy will be reviewed annually in line with Laois Sports Partnership Company AGM.