The General Data Protection Regulation (GDPR), together with the new Data Protection Bill 2018 form part of the data protection regime within the Republic of Ireland, regulating the processing of information relating to individuals. The main provisions came into force on 25/05/2018 and apply to both manual and electronic data.
The Irish Association of Funeral Directors recognises its responsibility to treat such information with confidentiality and with care to ensure compliance with the law and for the protection of our members. Compliance with Data Protection regulations and annual registration with the Information Commissioner are the responsibilities of the Data Protection Officer, although responsibility for the implementation of the Data Protection Policy is placed on all members of staff.
Personal data is defined as information that relates to an identified or identifiable individual. It can include data such as name, contact details and date of birth or could include other identifiers such as staff number, IP address or other factors. If it is possible to identify an individual directly or indirectly from the information you are processing, then that information may be personal data.
Special Category Data is personal data which the GDPR says is more sensitive and so needs more protection. It includes data such as race, ethnic origin, diversity and health data, details of sexual orientation, religion etc. In order to lawfully process special category data, both a lawful basis and a separate condition for processing must be identified.
Controllers & Processors - The GDPR applies to both ‘controllers’ and ‘processors’ of personal data, and puts specific legal obligations on both controllers and processors. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.
As IAFD is recognised as a Data Controller and is required to hold certain personal data in order to operate (eg. regarding members, business contacts, employees etc), it falls within the GDPR and is required to register on an annual basis with the Information Commissioner.
The IAFD has appointed Tom Lawless as Data Protection Officer (DPO), responsible for monitoring internal compliance and act as a contract point for data subjects and the supervisory authority. Tom Lawless can be contact at – firstname.lastname@example.org
The GDPR sets out seven key principles which underpin the protection of personal data:
The GPDR requires that there must be a valid lawful basis in order to process personal data. There are six available lawful basis for processing, and it will depend on the purpose and relationship with the individual which one is the most appropriate. Most of the lawful bases require that processing is ‘necessary’ for a specific purpose (so if the same purpose can reasonably be achieved without the processing, there won’t be a lawful basis).
The lawful basis must be determined before processing begins and should be documented. It should not be swapped to a different lawful basis at a later date without good reason, and both the lawful basis for processing and the purposes of processing should be included in IAFD’s Privacy Notice.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal date:
The GDPR provides the following rights for individuals over their personal data and how it is collected, processed and retained:
IAFD is committed to protecting personal data and keeping it safe. Our responsibilities in relation to the protection and security of personal data is set out in our Privacy Notice which informs individuals as to how we collect, process and look after your personal data, and outlines the individual’s privacy rights and how the law protects them.
The Privacy Notice is available in paper or electronic form and is available on our website. It should be provided or available to an individual at the point where their personal data is given (eg. Where a firm becomes a member of IAFD). It is reviewed on an annual basis and updated if necessary.
Individuals can make requests to IAFD under the rights detailed above either verbally or in writing. We will aim to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests, and in this case, we will notify you and keep you updated.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
If we are unable to comply with your request for any reason (eg for specific legal or regulatory reasons) these will be notified to you in writing.
You will not normally have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
All data protection subject requests will be entered into a Subject Rights Requests Register together with the date the request was received, the form it was received in, our assessment of whether the request can be complied with, and the date and summary of the response given.
Whenever a controller uses a processor it needs to have a written contract in place so that both parties understand their responsibilities and liabilities. As a Controller, IAFD is liable for the compliance with GDPR and should only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.
Contracts should include the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data provided and the obligations and rights of the controller. This may include putting an onus on the third party that they only use the data for the purposes for which it was provided and not for any other purposes (such as their own marketing), that they have appropriate security in place to protect the data, that the data is kept confidential and not shared with anyone else, that the data is not retained for any longer than is necessary, and that the data must be deleted or returned to the controller as requested at the end of the contract.
We have completed a data audit, together with our key processing activities (including purpose of processing, lawful basis relied upon, data sharing and retention). This is reviewed and updated on an annual basis to ensure it reflects our current processing activities.
A Data Protection Impact Assessment (DPIA) is required for processing that is likely to result in a high risk to individuals. It should describe the nature, scope, context and purposes of the processing, assess compliance measures taken, identify and assess the risk to individuals and identify any additional measures to mitigate those risks.
In order to assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
A DPIA must be completed if you plan to use systematic and extensive profiling with significant effects, process special category or criminal offence data on a large scale, or systematically monitor publicly accessible places on a large scale. A DPIA may also be required in other specific circumstances such as use of new technologies, process biometric or genetic data, track individuals location or behaviour or profile children or target marketing at them.
A key principle of data protection is that personal data is processed securely by means of ‘appropriate technical and organisational measures’. Both ‘state of the art’ and costs of implementation should be considered when deciding what measures to take, and they must be appropriate both to our circumstances and the risk that our processing poses.
The measures taken should ensure the confidentiality, integrity and availability of systems and services and the personal data processed within them. They must also enable the user to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
The GDPR places duties on IAFD to record any personal data breach, and in some circumstances to report to the ICO. When a personal data breach has occurred, we need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. Think of the consequences – what are the potential effects of a breach on individuals, how severe are these, and how likely are they to happen?
If it’s likely there will be a risk, then we must notify the ICO by calling the Helpline 0303 123 1113, or reporting it online within 72 hours of becoming aware of the breach where feasible. Give as much information as possible and be as accurate as you can. The individuals affected must also be informed without undue delay.
If any data breach is discovered, no matter how minor, the DPO should be informed immediately. An immediate assessment of the data breach will be undertaken by the senior management team and actions required to contain the breach or to mitigate its negative effects should be taken as soon as possible. An assessment of the risks to individuals should then be undertaken, the ICO (and any other supervisory body) notified if necessary and affected individuals informed if required. The cause of breach, and the subsequent actions taken should then be fully assessed and evaluated in order to ascertain how to prevent such a breach occurring in the future (eg implementing changes to procedures).
All staff have a responsibility to report any data breach they have detected, however minor. The DPO will be responsible for co-ordinating the response to any data breach, although it is likely that other senior management personnel will also be involve
Any breach of the Data Protection Policy, whether deliberate, or through negligence, may lead to disciplinary action being taken or even to criminal prosecution.
The Data Protection Policy is subject to annual review to reflect changes to legislation or to the structure or policies of the organisation.