Data Protection

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European Union Regulation that has been designed to strengthen and unify Data Protection within the EU. The GDPR will come into effect on 25 May 2018 and will replace the existing Irish Data Protection Acts.

The GDPR will harmonise Data Protection practices across the EU and emphasise transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to privacy of their personal data.

The new Data Protection Bill 2018 has been published and will be signed into Irish law in May to replace the existing Data Protection Act 1988 and (Amendment) Act 2003.

For more information on the General Data Protection Regulation (GDPR) rules/regulations and what it means for you please consult the websites listed below:

 

CEIST Data Protection Policy

Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of personal data, in both paper and electronic format. The Irish Data Protection Acts 1988 and 2003 (the “Data Protection Acts”) and also the EU General Data Protection Regulation (effective 25 May 2018) lay down strict rules about the way in which personal data and sensitive personal data are collected, accessed, used and disclosed. The Data Protection Acts also permit individuals to access their personal data on request, and confer on individuals the right to have their personal data amended if found to be incorrect.

CEIST is committed to ensuring that data is processed and retained by it in a responsible manner and that the rights of those about whom information is processed and retained are protected.

CEIST will administer its responsibilities for the retention of personal data in accordance with the eight data protection principles outlined in the Act as follows:

  1. Obtain and process personal data fairly.
  2. Keep only for one or more specified and lawful purposes.
  3. Use and disclose it only in ways compatible with these purposes.
  4. Keep it safe and secure.
  5. Keep accurate, complete and up-to-date.
  6. Ensure that it is adequate, relevant and not excessive.
  7. Retain it for no longer than is necessary for the specified purpose or purposes.
  8. Give a copy of his/her personal data to an individual, on request.

Click here for a copy of the CEIST Data Protection Policy

 

Making an Access to Information Request

Right of access

Under the Data Protection Act all individuals about whom CEIST holds data are entitled, on foot of a written request, to be:

  • informed by CEIST of any personal data relating to him/her;
  • supplied with a description of the categories of data being processed, what personal data relates to him/her, the purpose(s) of the processing, and the recipients to whom the data have been or may be disclosed;
  • supplied with a copy of the information, in a permanent form, and any information CEIST may have as to the source of the data; and
  • (where the processing of the personal data is by automatic means, and this forms the sole basis for any decisions affecting the data subject) informed by CEIST of the logic involved in the processing.

If any of the information is expressed in terms that are not intelligible to the average person, the information will be accompanied by an explanation. The individual will be given a copy of the information unless supplying a copy is not possible, or would involve disproportionate effort, or the data subject agrees otherwise. All data requests will be complied with within 40 days of receipt of the request, as per Data Protection guidelines.

Proof of Identity

The individual making the access request must provide CEIST with:

  • proof of identity, and
  • reasonable information to locate any relevant personal data.

CEIST is not obliged to disclose to a data subject personal data relating to another individual, without his/her consent.

Exceptions to the right of access

Section 5 of the Data Protection Act sets out a small number of circumstances in which your right to see your personal records can be limited. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand. For example, the right of access to medical data and social workers’ data is restricted in some very limited circumstances, where the health and mental well-being of the individual might be affected by obtaining access to the data. Your right to obtain access to examination results, and to see information relating to other people, is also curtailed.

A refusal to comply with a request for access will be provided by CEIST in writing, with a statement of the reasons for the refusal, and an indication that a complaint can be made to the Data Protection Commissioner.

Please refer to the CEIST Data Protection Policy for full details.

Access Request Procedure

Please complete the form below and send it by post to:

CEIST, Summit House, Embassy Office Park, Kill, Co. Kildare, Eir Code: W91 VK0T

Data Protection – Access to Information Request Form