
OCAE Ltd. - Data Protection Policy

Background

All policies, guidelines and procedures of OCAE Ltd reflect OCAE Ltd’s commitment to the protection of the rights and privacy of individuals (including customers, staff and others) whose personal information is held by OCAE Ltd. OCAE Ltd has in place a range of systems and procedures, which it reviews on a regular basis, in order to protect these rights and to be compliant with the provisions of the General Data Protection Regulation and the Data Protection Act 2018.

In order to carry out its core functions, OCAE Ltd needs to collect and use personal data about its customers, staff and other individuals who come into contact with OCAE Ltd. OCAE Ltd needs to process such data for purposes that include the advice and administration of financial transactions, recruitment and payment of staff and compliance with statutory and regulatory obligations.

OCAE Ltd is legally obliged to safeguard the privacy rights of individuals in relation to the processing of their personal information for such purposes. The General Data Protection Regulation and the Data Protection Act 2018 provide for this by conferring rights on individuals as well as responsibilities on those persons processing personal data. Personal data, both automated and manual, is data relating to a living individual who is or can be identified, either from the data itself or from the data in conjunction with other information held by OCAE Ltd.

Principles of Data Protection

OCAE Ltd undertakes to perform its responsibilities under the regulation in accordance with the following Data Protection Principles:

Obtain and process information fairly:

OCAE Ltd obtains and processes personal data fairly and in accordance with its statutory and other legal obligations.

 Keep it only for one or more specified, explicit and lawful purposes / Use and disclosure only in ways compatible with these purposes;

OCAE Ltd keeps personal data for purposes that are specific, lawful and clearly stated. Personal data will only be processed in a manner compatible with these purposes. OCAE Ltd only uses and discloses personal data in circumstances that are necessary for the purpose for which it collects and keeps the data.

 Keep it safe and secure: To ensure confidentiality OCAE Ltd takes appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of data and against accidental loss or destruction.

 Keep it accurate, complete and up-to-date: OCAE Ltd operates procedures that ensure high levels of data accuracy, completeness and consistency.

 Ensure it is adequate, relevant and not excessive: Personal data held by OCAE Ltd is adequate, relevant and not excessive in both the gathering of the information and in data retention terms.

Retain for no longer than is necessary: OCAE Ltd has a policy on retention periods for personal data and a specific rationale for each chosen retention period.

Roles & Responsibilities: OCAE Ltd has overall responsibility for ensuring compliance with Data Protection legislation as the Data Controller of personal data. However, all employees of OCAE Ltd who separately collect and / or control the content and use of personal data are individually responsible for compliance with the regulation and legislation.

OCAE Ltd provides support, assistance, advice and training to all staff to ensure that they are in a position to comply with the regulation and legislation. OCAE Ltd has responsibility for coordination and compliance relating to all Data Protection matters, including responding to general queries and subject access requests (SARs) received from Data Subjects relating to personal data as well as requests for assistance from firm employees involved in collecting, storing and processing personal information.

GDPR

OCAE Ltd. Procedures & Best Practice Guidelines

There are clear procedures in place at OCAE Ltd for the collection, processing and maintenance of personal information, required by OCAE Ltd to carry out its core functions. This Data Protection Procedures Manual and Best Practice Guidelines sets out these procedures in order to raise general awareness of the systems and procedures that are in place and to assist OCAE Ltd’s employees to comply with OCAE Ltd’s regulatory and legislative requirements under GDPR. OCAE Ltd’s Data Protection Procedures and Best Practice Guidelines identify the areas of work in which Data Protection issues arise and outline best practice in dealing with these issues.

Obtaining and processing personal data

Personal data is obtained fairly if the data subject is aware of the purpose for which OCAE Ltd is collecting the data, of the categories of persons/organisations to which the data may be disclosed/shared, of non-obligatory or optional answers in forms, of the right of access to the data and of the right of rectification of the data.

 Obtain personal data only when there is a clear purpose for so doing, obtain only whatever personal data is necessary for fulfilling that purpose and ensure data is used only for that purpose.

The use of firm data processing facilities in capturing and storing personal data for non-business purposes must not take place.

 Inform data subjects of what personal information is held by OCAE Ltd, what it will be used for and to whom it may be disclosed/shared.

 Obtain explicit consent in writing for processing sensitive data and retain a copy of that consent. Consent cannot be inferred from non-response in the case of sensitive data.

Disclosing personal data

Personal data should only be disclosed in ways that are necessary or compatible with the purpose for which the data is kept. Special attention should be paid to the protection of sensitive personal data.

 Except where there is a statutory obligation to comply with a request for personal data, or where a data subject has already been made aware of disclosures, do not disclose to any third party any personal data without the consent of the data subject.

 Disclosure of personal data to a third party is not permitted unless there is a statutory obligation to disclose, or the information is released, to the Gardaí for example, for the prevention of crime and if informing the subject of the disclosure would prejudice the enquiries, or unless it is in the vital interest of the data subject.

 Personal data should only be disclosed to work colleagues where they have a legitimate interest in the data in order to fulfil administrative functions. Be satisfied of the need to disclose.

 Personal data should not be disclosed outside of the EU unless written consent has been obtained, unless disclosure is required for the performance of a contract to which the data subject is a party, or unless disclosure is necessary for the purpose of legal proceedings.

Securing personal data

OCAE Ltd protects personal data from unauthorised access when in use, in storage or being destroyed, and such data is protected from inadvertent destruction, amendment or corruption. Personal electronic data is subject to appropriate stringent controls, such as passwords, encryption, restricted access / access logs, backup, etc. Screens, printouts, documents, and files showing personal data are not visible to unauthorised persons. Personal manual data is held securely in locked cabinets, locked rooms or rooms with limited / controlled access. Special care is taken where laptops and PCs containing personal data are used outside OCAE Ltd. Special care is also taken to ensure the safety and security of any personal data held on mobile storage media.

Accuracy and completeness of personal data

Administrative procedures include review and audit facilities so that personal data is accurate, complete and kept up-to-date.

Retention of personal data

Data is not kept for longer than is necessary for the purpose for which it was collected. Data already collected for a specific purpose is not subject to further processing that is not compatible with the original purpose. All data held by OCAE Ltd is stored and catalogued in accordance with a Data Retention Schedule (on file) and destroyed in accordance with that schedule and in compliance with regulatory and statutory obligations.

Disposal of personal data

Personal data is disposed of when it is no longer needed for the effective functioning of OCAE Ltd and its employees. The method of disposal is appropriate to the sensitivity of the data. Shredding is appropriate in the case of manual data and reformatting or overwriting in the case of electronic data. Please contact OCAE Ltd for any shredding requirements. OCAE Ltd is informed immediately when PCs are transferred from one person to another or outside OCAE Ltd or are being disposed of.

Rights of the Individual

The Data Protection Acts provide for the right of access by a Data Subject to his or her personal information. Data subjects must be made aware of how to gain access to their personal data. A Data Subject is entitled to be made aware of his or her right of access and to the means by which to access the data. A Data Subject is entitled to the following on written application within 30 days:

 a copy of his or her personal data;

 the purpose of processing the data;

 the persons to whom OCAE Ltd discloses the data;

an explanation of the logic used in any automated decision-making (where applicable);

a copy of recorded opinions about him or her (all staff should be conscious of this when making notes on a customer’s file or sending internal communications which relate to the data subject).

The right of access is restricted where the data are:

required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing moneys due to the State;

 subject to legal professional privilege;

 kept only for statistical or research purposes and the results are not made available in a way that identifies data subjects;

back-up data.

Provision of access to third parties

A Data Subject is entitled to access his or her own personal data only. The personal information of a Data Subject, including confirmation of attendance at OCAE Ltd or contact details, is not disclosed to a third party, be they civil partner or spouse, potential employer, another employer, professional body, sponsor, etc., without the consent of the individual concerned. An agreement may be made to forward a communication to a Data Subject on behalf of a third party, but no information is disclosed about the Data Subject. In the case of research surveys where there is an agreement to forward documentation to Data Subjects, a notice would be included to the effect that no personal information has been released.

Limitations on the use of personal data for research / analysis

If research data is retained in personally identifiable format it may be subject to an access request from a data subject but would only be used where consent was freely given by the data subject.

Right of rectification or erasure

Data subjects have a right to have personal data rectified or blocked from being processed or erased where the Data Controller has contravened the Act. In order to comply with the above rights of access, rectification or erasure, OCAE Ltd ensures that personal data can be located and collated quickly and efficiently:

Personal data is in a format that is easy to locate and collate;

The access request is verified and the personal data released to the same individual;

Know exactly what data is held on individuals, where and in some circumstances by whom;

Personal data is held in a secure central location.

Responsibilities of Data Subjects

OCAE Ltd is dependent on Data Subjects themselves for maintaining the accuracy and currency of records held about them. OCAE Ltd cannot be responsible for any inaccuracies resulting directly from the submission of such information by Data Subjects nor can it be accountable for any subsequent changes to such information unless notified. All Data Subjects have the right to review personal information about themselves recorded and stored by OCAE Ltd and to have it amended if necessary. All Data Subjects (including staff and others) are entitled to be informed as to how their personal data can be kept up to date and accurate by OCAE Ltd.

All staff and other data subjects are responsible for:

checking that any information that they provide to OCAE Ltd is accurate and up to date;

informing OCAE Ltd of any changes to information that they have provided, e.g. a change of address;

checking / reviewing the information OCAE Ltd sends out from time to time, giving details of information kept and processed, to ensure it remains accurate;

informing OCAE Ltd of any errors or changes (OCAE Ltd cannot be held responsible for any errors unless previously informed).

Where any such changes have been advised to OCAE Ltd, these must be updated and corrected immediately or as soon as is reasonably possible.

Risk and Control Review / Assessment

OCAE Ltd will effectively and periodically assess any gaps in our DP Policies, ensuring any and all revisions applicable to GDPR are updated. We will review our firm’s framework and best practices at least annually and make any necessary changes and/or provisions in order to fill any identified gaps. We will sustain data management through the monitoring, reviews and communication specific to our firm’s data protection framework, e.g. recording, monitoring, retention of personal information, monitoring of clear desks, regular data protection training and awareness. We will align our processes with the Data Protection Principles for any information requests, incident handling and legal compliance, e.g. complaints, subject access requests, breach reporting processes. We will routinely review and assess both internal and external threats to OCAE Ltd’s data security. We will review the Policy annually; however, the Policy may be reviewed between such intervals in the event of any legislative or other relevant developments.

The timeline for each review cycle should be determined by OCAE Ltd but should take account of the level of risk associated with each process, ad hoc reviews resulting from a process failure, but also any regulatory or legislative updates as and when they occur. The outcome of the review will be a decision to revise, amend, consider recommendations or reconfirm and approve the existing process document.

Training

We will train our staff annually, and further training and communications will be provided if the policy changes or if there are any legislative or other relevant developments.

Queries

OCAE Ltd has responsibility for coordination and compliance relating to the administration of all data protection matters, including responding to general queries and requests by Data Subjects relating to personal data as well as requests for assistance from firm employees involved in collecting, storing and processing personal information.

Any queries relating to data protection issues, including requests by individuals for access to and/or correction of any personal data held by OCAE Ltd and relating to such individuals, should be directed to Joe Packman, OCAE Ltd, Ballinderry House, Enfield, Co. Meath. Tel: 046-9555591. Email: joe@ocae.ie

The most effective and efficient way to contact the Data Protection Commission regarding queries or complaints is by means of the webforms.

It is important to note that the Data Protection Commission is not a public office and therefore we are not in a position to provide face-to-face meetings. If, however, you are not in a position to engage with this office by the above-mentioned means, please contact the Data Protection Commission.