Seats Are Ltd t/a Careers Unlimited operates the www.nightcourses.co.uk website. We will need to collect information and data on individuals, namely its clients, that use the services, its staff, its corporate partners and its suppliers.
This policy outlines how personal data will be processed so as to meet the company data protection policy and to comply with the law.
This policy applies to the use of the Careers Unlimited electronic files, including email and web-based applications, and any paper notes taken and filed by staff of Careers Unlimited.
Why this policy exists:
This data protection policy ensures that Careers Unlimited;
- Complies with Data Protection legislation and follows good practice
- Protects the rights of its customers, partners, staff and suppliers
- Is transparent about how its stores, processes and utilises individual’s personal data
- Protects itself from the risk of a personal data breach or breach of data protection legislation.
- Reduces the risk of a personal data breach or breach of data protection legislation
- Upholds data subject rights of access, erasure, rectification and portability.
Careers Unlimited Policy
Careers Unlimited policy and procedures are guided by the GDPR (2016/79) and Irish Data Protection Acts 1988 to 2018 and the below mentioned principles
Careers Unlimited obtains and holds data to administer its functions. Staff are provided with access to that data in order to do their jobs. Under no circumstances should personal data be accessed without a direct service requirement. Confidential customer information must never be discussed with or disclosed to any unauthorised third party, either internal or external without securing demonstrated consent from the customer.
The area of data protection and its accompanying legislation is evolving and can be complex. However, our approach can be summed up by as follows
- Processing of personal data (*1) is authorised only in circumstances where the data was obtained lawfully, the customers is aware of the data journey and the customer is aware of who it will be seen by.
- Any unauthorised processing constitutes a serious breach of discipline and will be dealt with accordingly.
If any staff are in doubt about the processing of specific information they should consult the Data Protection Officer. The Data Protection Officer for Careers Unlimited is:
|Data Protection Officer||Contact Number||Contact Email|
|Cormac O’ Meara||01 – 5311 firstname.lastname@example.org|
Appointment of a Data Protection Officer
Careers Unlimited has appointed a named Data Protection Officer, Cormac O’ Meara. The Data Protection Officer responsibilities will be to;
- Liaise with the Data Protection Commissioner
- Manage valid Data Subjects rights requests in a timely and thorough manner.
- Ensure employees are aware of their obligations under data protection legislation.
- Monitor compliance with the data protection legislation.
- Ensure that this policy is applied, review it annually and makes suggested changes for the formal approval by the board of directors.
- Lead on any investigations into personal data breaches or breaches of data protection legislation and introduces measures to prevent it reoccurring
- Brings to the attention of Careers Unlimited directors any data protection risks identified or anticipated
Data Protection Officers should note that the Data Protection Commissioner has a wide range of enforcement powers to assist in ensuring that the principles of data protection are being observed, including:
- Serving legal notices compelling Data Protection Officers to provide information needed to assist their enquires or compelling a Data Protection Officer to implement one or more provisions of the Acts.
- Investigate complaints made by the general public or carry out investigations proactively. The Commissioner may, for example, authorise officers to enter premises and to inspect the type of personal information kept, how it is processed and the security measures in place.
- Impose administrative fines of up to €20 million or 4% of turnover
- Obtain access to any premises in the course of an investigation
- Impose a temporary or definitive limitation including a ban on processing.
Data Protection Legislation
On May 25th, 2018 the EU GDPR replaced the Irish Data Protection Acts of 1988 and 2003 as the primary legislation governing the processing of personal data. The Irish Data Protection Act of 2018 is expected to be passed in conjunction with the GDPR. Under the law enhanced rights are conferred on individual’s rights as well as new responsibilities and stricter rules on data processors and data controllers processing personal data. In addition, a new principle, one of being able to demonstrate compliance was introduced under GDPR.
The main principles of the GDPR are summarised in the following Data Protection Principles;
- Data must be processed lawfully, fairly and in a transparent manner
Personal data is obtained lawfully if at the time prior to the recording of their personal details the patient has demonstrated their consent to processing by creating an account with Careers Unlimited. Personal data is obtained fairly and transparently if the data subject, is at the time the personal data is being collected made aware of.
- The identity of the Data Protection Officer
- The purpose for which Careers Unlimited is collecting the data at the point of collection
- The person or categories of persons to whom the data may be disclosed
- Any other information which is necessary so that processing may be fair.
Careers Unlimited is committed to treating the information given to us in confidence and ensure that it will not be used or disclosed except as provided by the recorded consent or where required to reveal the personal data by law.
- Data must be accurate, and where necessary, kept up to date
To comply with this rule Careers Unlimited will ensure that:
- Clerical and computer procedures are adequate to ensure high levels of data accuracy, the general requirement to keep personal data up-to-date has been fully implemented,
- Appropriate procedures are in place, including periodic review and audit, to ensure that each data item is kept up-to-date.
- Procedures are in place to ensure personal data held is accurate, including reviewing records on a regular basis, identifying areas where errors are most common and providing guidelines to members on eliminating errors.
Article 5 of the Regulation gives a person a right to seek to have their personal data amended or erased where it is established that it is incorrect.
- Data must have been collected for specified, explicit and legitimate purposes and not used for other purposes
Careers Unlimited may only keep data for a purpose/s that are specific, lawful, legitimate and clearly stated and the data should only be processed in a manner compatible with the purpose.
Where consent is the lawful basis of the processing any additional processing of personal data will not proceed without further consent from the data subject.
- Data must not be kept for longer than is necessary for that purpose
The Regulation requires that personal information held should be retained for no longer than is necessary for the purpose/s for which it was obtained.
Careers Unlimited will be informed of the limitations of the retention of data by generally, the data protection and privacy legislation in Ireland and specifically by the various legal requirements, e.g responsibilities to Revenue, retention for compliance with employer responsibility under the various employers, workplace, health and safety, and industrial relations Acts, limitation periods on civil actions and in the establishment, exercise or defence of legal claims.
- Data must be processed in a manner that ensures appropriate security including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures
Careers Unlimited must provide “appropriate” security measures to protect personal data from unauthorised access when in use and in storage or in transit and must protect it from inadvertent destruction, amendment, loss, disclosure, corruption or unlawful processing.
In compliance with this requirement Careers Unlimited has put in place physical and technical security measures to protect the confidentiality of personal data. Including, inter alia;
- Access to personal information is restricted to authorised staff on a
“need-to- know” basis and in compliance with the Data Protection Acts.
- Electronic personal data is protected by stringent access controls, passwords, access logs, audit logs, back-ups etc.
- Screens, print-outs, documents and files showing personal data will not be visible to unauthorised persons.
- Appropriate facilities are in place for disposal of confidential waste.
- Personal manual data will be held securely in locked cabinets, locked rooms, or rooms with limited access.
- Special care will be taken if storing personal data on mobile computing and storage devices. Where deemed high risk, the data will be encrypted, and a record kept of the nature and extent of the data and why it is being stored on a portable device. Arrangements will be in place to fully delete the data on the portable device when it is no longer being used.
- Staff are not to disclose personal security passwords to anyone within Careers Unlimited who does not have a legitimate need to know the information in the normal course of their duties, or to anyone outside Careers Unlimited, unless authorised through the proper mechanisms and in accordance with the relevant requirements (e.g. Non-Disclosure Agreements, contracts, etc.).
- Data must be adequate, relevant and limited to what’s necessary to carry out the intended processing.
When collecting personal data from customers, staff, partners or suppliers or other stakeholders that Careers Unlimited engages with, we will only collect the information we need to carry out the task, request or function it is required for.
We will not work on the basis of collecting information ‘just in case’ and we will encourage a questioning culture in Careers Unlimited so that when designing our work flows and tasks that privacy and the importance of it remains to the fore of our approach.
- Accountability and being able to demonstrate that accountability to external assessment and examination will underpin and reinforce Careers Unlimited commitment to these principals and our compliance with all data protection and privacy legislation we are subject to.
Data Subject Rights
You have the following rights, in certain circumstances and subject to certain restrictions, in relation to your personal data:
Right to access the data – You have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
Right to rectification – You have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
Right to erasure – You have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.
Right to restriction of processing or to object to processing – You have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
Right to data portability – You have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable forma
If you wish to exercise any of the rights set out above, please contact the Careers Unlimited Data Protection Officer at email@example.com
Please note that in order to authenticate any request we may ask you for a copy of a current driving license or passport so that we may verify your identity. This information will only be used for verification purposes, not stored and securely destroyed once the query has been closed.
You also have the right to lodge a complaint with the Irish Data Protection Commission if you are not happy with the way we have used your information or addressed your rights. Details of how to lodge a complaint can be found at on the Data Protection Commissioner website.
* Processing includes the; collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction and the erasure or destruction of personal data.