Parents Plus Ltd
Data Protection and Confidentiality
All officers and agents of Parents Plus are obliged to comply with the Data Protection and confidentiality provisions set out in the Employee Handbook.
Parents Plus is a Data Controller for the purposes of compliance with the requirements of the Data Protection Legislation.
The following pages sets out the requirements for such compliance when data is being collected and when data is being processed through, for example, reporting to relevant authorities.
Parents Plus is a Data Controller and the CEO is in charge of the administration of this policy.
The CEO appoints two assistants, the Operations and Communications Manager and the Finance Manager to assist in carrying out the Data Protection Controller responsibilities, with the CEO, however, retaining ultimate responsibility for administration of this Policy.
The purpose of this document is to provide a concise policy statement regarding the Data Protection obligations of Parents Plus. This includes obligations in dealing with personal data, in order to ensure that the organisation complies with the requirements of the relevant Irish legislation, namely the Data Protection Act (1988), and the Data Protection (Amendment) Act (2003) and GDPR 2018 (May 25th)
Parents Plus must comply with the Data Protection principles set out in the relevant legislation below. This Policy applies to all Personal Data collected, processed and stored by Parents Plus in relation to its staff, service providers in the course of its activities. Parents Plus makes no distinction between the rights of Data Subjects who are employees, and those who are not. All are treated equally under this Policy.
Irish Data Protection Act 1988:
- To regulate in accordance with its provisions the collection, processing, keeping, use and disclosure of certain information relating to individuals that is processed automatically. (13th July 1988)
Irish / UK Data Protection (Amendment) Act 1988 / 2003
- The protection of individuals with regard to the processing of personal data and on the free movement of such data
EC (Privacy & Electronic Communications) Regulations, 2011
- Applying to the processing of personal data in connection with the provision of publicly available electronic communications services, including networks supporting data collection and identification devices.
The policy covers both personal and sensitive personal data held in relation to data subjects by Parents Plus. The policy applies equally to personal data held in manual and automated form.
All Personal and Sensitive Personal Data will be treated with equal care by Parents Plus and both categories will be equally referred-to as Personal Data in this policy, unless specifically stated otherwise.
This policy should be read in conjunction with the associated Subject Access Request procedure, the Data Retention and Destruction Policy, the Data Retention Periods List and the Data Loss Notification procedure.
Parents Plus as a Data Protection Controller
In the course of its daily organisational activities, Parents Plus acquires, processes and stores personal data in relation to:
- Employees of Parents Plus
- Trainers, Service Users & Suppliers of Parents Plus
- Funders of Parents Plus
- Members & Directors of Parents Plus
- Third party service providers engaged by Parents Plus
In accordance with the Irish Data Protection legislation, this data must be acquired and managed fairly and legally. Not all staff members will be expected to be experts in Data Protection legislation. However, Parents Plus is committed to ensuring that its staff have sufficient awareness of the legislation in order to be able to anticipate and identify a Data Protection issue, should one arise. In such circumstances, staff must ensure that the CEO is informed, and in order that appropriate corrective action is taken.
Due to the nature of the services provided by Parents Plus, there is regular and active exchange of personal data between Parents Plus and its Data Subjects. In addition, Parents Plus exchanges personal data with Data Processors on the Data Subjects’ behalf.
This is consistent with Parents Plus’s obligations under the terms of its contract with its Data Processors.
This policy provides the guidelines for this exchange of information, as well as the procedure to follow in the event that a Parents Plus staff member is unsure whether such data can be disclosed.
In general terms, the staff member should consult with the CEO or Assistants to seek clarification.
Subject Access Requests
Any formal, written request by a Data Subject for a copy of their personal data (a Subject Access Request) will be referred, as soon as possible, to those assigned with the responsibility of looking after Data Protection issues for Parents Plus, and will be processed within the timeframe set out by the legislation.
It is intended that by complying with these guidelines, Parents Plus will adhere to best practice regarding the applicable Data Protection legislation.
In the course of its role as Data Controller, Parents Plus engages a number of Data Processors to process Personal Data on its behalf. In each case, a formal, written contract (Confidentiality Agreement) is in place with the Processor, outlining their obligations in relation to the Personal Data, the specific purpose or purposes for which they are engaged, and the understanding that they will process the data in compliance with the Irish Data Protection legislation.
These Data Processors are:
- Enclude – IT company supporting charities
- Information Technology Consultants contracted by Parents Plus
- Eprint- printing and distribution service
- Research Assistants conducting research work for Parents Plus
The Data Protection Principles
The following seven key principles echo the current data protection regime under the GDPR and Irish legislation and are fundamental to this Data Protection policy.
In its capacity as Data Controller, Parents Plus ensures that all data shall comply with all the Data Protection Rules.
These provisions are binding on every Data Controller. Any failure to observe them would be a breach of the Act.
Data Protection Principles Rebranded
- Lawful, Fairness and Transparency
- Purpose Limitation
- Data Minimisation
- Storage Limitation
- Integrity and Confidentiality
- Lawfulness, Fairness and Transparancy
For data to be obtained fairly, the data subject will, at the time the data is being collected, be made aware of:
- The identity of the Data Controller Parents Plus
- The purpose(s) for which the data is being collected
- The person(s) to whom the data may be disclosed by the Data Controller
- Any other information that is necessary so that the processing may be fair.
Parents Plus will meet this obligation in the following ways:
- Where possible, the informed consent of the Data Subject will be sought before their data is processed;
- Where it is not possible to seek consent, Parents Plus will ensure that collection of the data is justified under one of the other lawful processing conditions – legal obligation, contractual necessity, etc.;
- Where Parents Plus intends to record activity on video or in photographs, Parents Plus staff will always inform the subjects and seek their consent before proceeding.
- Processing of the personal data will be carried out only as part of Parents Plus lawful activities, and Parents Plus will safeguard the rights and freedoms of the Data Subject;
- The Data Subject’s data will not be disclosed to a third party other than to a party contracted to Parents Plus and operating on its behalf.
- Purpose Limitation
Parents Plus will obtain data for purposes, which are specific, lawful and clearly stated. A Data Subject will have the right to question the purpose(s) for which Parents Plus holds their data, and Parents Plus will be able to clearly state that purpose or purposes. See the Privacy Notice on why Parents Plus collects data and the ways in which it is used.
An inventory of all personal data that Parents Plus holds is available for review as an additional document.
- Data Minimisation
- Any use of the data by Parents Plus will be compatible with the purposes for which the data was acquired.
- Data is not relevant to such processing will not be acquired or maintained.
Parents Plus will:
- Ensure that administrative and IT validation processes are in place to conduct regular assessments of data accuracy;
- Conduct periodic reviews and audits to ensure that relevant data is kept accurate and up-to-date. Parents Plus conducts a review of sample data every six months to ensure accuracy;
- Staff contact details and details on next-of-kin are reviewed and updated every two years.
- Conduct regular assessments in order to establish the need to keep certain Personal Data.Review of data takes place at the end of every calendar year.
- Storage Limitation
- Parents Plus only keeps personal data in a form which permits the identification of Data Subjects for no longer than is necessary and for the purposes for which the personal data is processed.
- Anonymisation of data takes place if necessary in order to minimise the length of time that personal data is held by the organisation.
- Some identifiable data needs to be kept for statistical, scientific or historical research purposes. Data in particular in relation to those people who have trained with Parents Plus will be recorded in this way if there is a specific request to do so.
- Parents Plus has identified an extensive matrix of data categories, with reference to the appropriate data retention period for each category. The matrix applies to data in both a manual and automated format.
- Once the respective retention period has elapsed Parents Plus undertakes to destroy, erase or otherwise put this data beyond use. See a list of retention periods for data storage later in this policy.
- Integrity and Confidentiality
Parents Plus will employ high standards of security in order to protect the personal data under its care. Appropriate security measures will be taken to protect against unauthorised access to, or alteration, destruction or disclosure of any personal data held by Parents Plus in its capacity as Data Controller.
Access to and management of staff and customer records is limited to those staff members who have appropriate authorisation and password access. No third parties are given access to data unless it is required to do a job for Parents Plus. Any third parties/contractors are bound by Parents Plus confidentiality agreements and the Data Protection legislation that is in place in Irish law and under GDPR.
All laptops and computers under the control of Parents Plus are password protected. Data is only accessed by those who ‘need to know’ the information.
- Parents Plus manages and stores data in such a manner that, in the event a Data Subject submits a valid Subject Access Request seeking a copy of their Personal Data, this data can be readily retrieved and provided to them within the allotted timeframe of 30 days as per the GDPR regulations.
Parents Plus has implemented a Subject Access Request procedure by which to manage such requests in an efficient and timely manner, within the timelines stipulated in the legislation.
Data Subject Access Requests
As part of the day-to-day operation of the organisation, Parents Plus’s staff engage in active and regular exchanges of information with Data Subjects. Where a formal request is submitted in writing and accompanied by proof of ID by a Data Subject in relation to the data held by Parents Plus such a request gives rise to access rights in favour of the Data Subject.
Parents Plus’s staff will ensure that, where necessary, such requests are forwarded to the Data Protection Officer in a timely manner, and they are processed as quickly and efficiently as possible, but within not more than 30 days from receipt of the request. The request must be a valid request and must be in writing in order for Parents Plus to process it within this time frame and the Data Subject must also provide photographic ID to Parents Plus.
Parents Plus has a Subject Access Request Form which is filled out when a request comes in and will be used to fulfil the Access Request from the Data Subject within the allotted time frame.
As a Data Controller, Parents Plus ensures that any entity which processes Personal Data on its behalf (a Data Processor) does so in a manner compliant with the Data Protection legislation.
Failure of a Data Processor to manage Parents Plus’s data in a compliant manner will be viewed as a breach of contract, and will be pursued through the Courts.
Failure of Parents Plus’s staff to process Personal Data in compliance with this policy may result in disciplinary proceedings.
Data Subject – Rights and Freedoms
- Right to be Forgotten
The Data Subject has the right to the erasure of personal data. The Data Subject can request from the Controller the deletion of personal data, without undue delay, on particular grounds.
- If a Data Subject wishes to have personal data deleted from Parents Plus records, they must write to Parents Plus with the request and send in photographic ID. Parents Plus will then respond to their Access Request in a timely manner and within the 30 day time frame as set out by the legislation.
- However, Parents Plusneeds to keep some identifiable data for statistical, scientific or historical research purposes. Data in particular in relation to those people who have trained with Parents Plus will need to be kept on record. To record this data if a request has been made by a Data Subject to delete personal data, Parents Plus will record it ina way so that personal data has been anonymised.
- Right to Restriction of Processing
In certain circumstances, the Data Subject can request Parents Plus to restrict processing either permanently or temporarily. For example, the accuracy of data may be contested, there may be concerns that the processing may be unlawful or there are queries over the legitimate interests of the Controller overriding the rights and freedoms of the Data Subject.
Parents Plus will process all requests for the restriction of processing of data if a Data Subject sends in a written request.
- Right to Object to Certain Processing
The Data Subject is entitled to object to the processing of their personal data based on his or her situation, preference or state of mind. Where data is processed, for example, for the purpose of direct marketing, consent may be withdrawn at any time and free of charge. An objection to processing may be overridden in certain circumstances. For example, Irish law may require the Controller to continue keeping fundraising records for financial auditing reasons. However, the organisation has to bear in mind that the burden of complying with such an overriding factors rests with the Controller and not the Data Subject.
The Data Subject can withdraw consent from Parents Plus from processing their data at any time, by unsubscribing directly within any emails, emailing us directly, phoning the Parents Plus office or via post.
- Right to Data Portability
Where a Data Subject is moving their account from one provider to another (or one organisation to another), the Data Subject should be able to receive a copy of his or her personal data in a structured, commonly used, machine readable format. There are some exceptions to this right.
Parents Plus is able to provide a copy of personal data to a Data Subject upon written request.
- Right of Access to Information
Where the Data Subject submits a written request, the Controller must provide a copy of any information relating to the Data Subject without undue delay and at the latest, within one month of receipt of the request. Any reference to other individuals in the data must be removed or redacted before the information is handed over. This deadline may be extended to two months in certain situations. There will be no fee for this facility under the GDPR.
Parents Plus will provide access to information to a Data Subject when a written request along with photographic ID is provided to Parents Plus. This will be done within the 30 day timeline set out in the legislation.
- Right to Complain, Right to Judicial Remedy
Where a Data Subject is not satisfied that the Controller adhered to its obligations under the GDPR, he or she can consider bringing a complaint to the Irish Data Protection Commissioner or seek a judicial remedy in the Irish courts.
Parents Plus also has a feedback and complaints policy.
Gaining Consent from Data Subjects
Parents Plus gains consent from Data Subjects in order to process data requests.
Parents Plus gains consent from Data Subjects in the following ways:
- Verbally – Over the phone – if someone contacts us and wants to be signed up to the mailing list we can get their details and sign them up over the phone.
- Email – A data subject emails us directly or via the website requesting to be added to the mailing list or to receive information from us.
- Website – A data subject signs up to the newsletter or inputs information when they are ordering/booking a training with us. They give consent at the check out page on the website by ticking a box.
- Feedback forms – At trainings that our clients attend, they fill out a feedback form at the end of the training and they give consent for their information to go on the parent section of the website or to be shared with any parents that contact us.
- Verbally – At training – they give us consent to take group photos of them that are used online and on social media. They also give consent for us to film them if PP needs video footage of the training. Signs are clearly displayed at the training to indicate that this will be taking place; the trainer also lets them know in advance and anyone whodoes not want to be on camera or in any photos can step out.
- Parents Plus DVDs –Consent was given at the time these DVDs were created by the parents and future DVD’s consent will also be requested.
- Reviewing of videos for practitioners – As part of the Parents Plus Accreditation Process, Parents Plus Supervisors are given access to videos which practitioners record at their group sessions with parents. For the most part the videos focus on the practitioners and don’t focus on any individuals taking part in the group. The consent is given by the parents in the group in the service the parents are attending and informs them of the purpose of the video and what it will be used for.The consent forms are held by the practitioner and their service under their own data protection policies.
Parents Plus holds the videos securely for reviewing the practitioner’s facilitation skills for their accreditation. The videos are only held for the period of time that it takes to review the video content for the accreditation and there are then returned to the practitioner in their services. Parents Plus does not hold onto this video content for longer than is necessary. It’s up to the practitioners to store it in a secure way in their own service. Parents Plus does have a ‘Video Consent form for parents’ available for practitioners to use if they need one.
Data Processing Log
Data that Parents Plus processes on a regular basis and data processed with the assistance of other third party processors is recorded in a Data Processing Log that is maintained by Parents Plus. This log is available for review if requested by the Office of the Data Protection Commissioner.
Inventory of all personal data that Parents Plus holds
An inventory of all personal data that Parents Plus holds is available for review in an additional document.
Parents Plus commitment to privacy
Our www.parentsplus.ie website is maintained by Parents Plus and Dreamsedge Studios, with our head office at The Mater Hospital, Eccles Street, Dublin 7; email email@example.com; phone: 01 8307984.
What personally identifiable information is collected by Parents Plus?
When you visit our website, you may provide us with personal information (such as name, address, email address, telephone numbers) that you knowingly choose to disclose, which is collected on an individual basis for various purposes. These purposes include registering to receive email newsletters or other materials, requesting further information from us about projects and services, booking Parents Plus training, ordering Parents Plus training materials, making requests, submitting a form on our website, or simply asking a question. We receive and store any information you enter on our website or give us in any other way, whether it is online or offline. We ask for personal information so that we can fulfil your request and return your message. This information is retained and used in accordance with existing laws, rules, regulations, and other policies.
Parents Plus does not collect personal information from you unless you provide it to us. If you choose not to provide any of that information, we may not be able to fulfil your request or complete your order, but you will still be free to browse the other sections of our website owned and administered by Parents Plus. This means that you can visit our site without telling us who you are or revealing any personally identifiable information about yourself.
The way we use information
When you supply information about yourself for a specific purpose, we use the information for only that purpose (such as to provide the service or information you have requested). For example, you may be asked to give us individual information to receive information, to book a training or to order Parents Plus training materials. Similarly, we use information you provide about yourself or someone else when placing an order only to provide tax compliant receipts, ship the products and to confirm delivery. We do not share this information with outside parties except to the extent necessary to complete that order. In order to complete your order, your delivery address and delivery phone number that you provide for products are shared with our print company who dispatch the products for Parents Plus directly to you.
You can register with our website if you would like to receive updates on our new training, projects and services. Information you submit on our website or over the phone will not be used for this purpose unless you ‘opt-in’ specifically.
We use return email addresses to answer the email we receive, to receipt any transactions or if follow-up for that specific function is required. Such addresses are carefully guarded by Parents Plus for their specific purpose and are not shared with outside parties. An individual’s information is stored on a secure cloud system which we use to process data and keep in contact with you.
Parents Plus does not sell, rent, give-away or share its email addresses or other personal contact information with outside sources. Parents Plus also does not send mailings on behalf of other organisations.
Should any material changes be made to the ways in which we use personally identifiable information, Parents Plus will take commercially reasonable measures to obtain written or email consent from you. We will also post the changes to our use of personally identifiable information on our website at least 30 days prior to a change.
Our commitment to data security
Personally identifiable information is stored on our database which is a secure cloud system and is linked to the Parents Plus website. It is not publicly accessible. Further, personally identifiable information is only accessed by Parents Plus personnel on a “need to know” basis. To prevent unauthorised access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online. Parents Plus has data protection policies and procedures in place to ensure data security.
Your Choice and how you can Opt-out of communications
If you have registered to receive communications from us and later change your mind, you may either unsubscribe from within the email you’ve received or you can contact us to have your name and contact information removed from our distribution lists. You have the following options to do this:
- You can send an email to: firstname.lastname@example.org
- You can send mail to the following address:
Parents Plus, The Mater Hospital, Eccles Street, Dublin 7
- Or phone the office on: 01 8307984 delete this option as we need proof to Opt out
How to correct/update your information
If you would like to verify the data we have received from you or to make corrections to it, you may contact us directly at the email and mail addresses provided above.
What anonymous information is collect by Parents Plus
Anonymous information is collected for every visitor to this site. This includes pages viewed, date and time, and browser type. IP numbers are not stored, but are temporarily used to determine domain type and in some cases, geographic region.
Automatically generated information on the website
When you visit our website, our server makes a log of basic information corresponding to the sites and pages you have visited. This information is stored primarily to track the effectiveness of our website and individual sections and pages within them.
Further details around the cookies policy are available here.
Online or offline registration information
You will provide us with information about yourself and your organisation when you register for information services or to buy products or book training with Parents Plus. This information is not used for any other purpose than to fulfil your request and is not shared with outside parties. However, visitors should be aware that information collected online or offline may be subject to examination and inspection if such information is a public record or not otherwise protected from disclosure.
Email Links on the website
We use email links located on this site to allow you to contact us directly via email. We use the information provided in your email to respond to your questions or comments. We may also store your comments for future reference.
We publish a regular email newsletter and other email communications that are sent periodically to persons who have requested it. The email newsletter and other communications/announcements are distributed by email via an email marketing platform and also via our database on the secure cloud system. Back issues of email newsletters may also be viewed on our website and on our social media channels. You may subscribe to or unsubscribe from the email list at any time. This email address you provide for the mailing list is securely stored and managed in line with best practice and data protection policies.
Changes to this privacy statement
We may disclose personal information when required by law or in the good-faith belief that such action is necessary in order to conform to the edicts of the law or comply with legal process served on Parents Plus.
For more information
If you have any questions, concerns or comments about your privacy, please send us a description of your concern via email to email@example.com or call us at 01 8307984.
For the avoidance of doubt, and for consistency in terminology, the following definitions will apply within this Policy.
This includes both automated and manual data.
Automated data means data held on a computer, or stored with the intention that it is processed on a computer.
Manual data means data that it is processed as part of a relevant filing system, or which is stored with the intention that it forms part of a relevant filing system.
Information which relates to a living individual, who can be identified either directly from that data, or indirectly in conjunction with other data which is likely to come into the legitimate possession of the Data Controller. (If in doubt, Parents Plus refers to the definition issued by the Article 29 Working Party, and updated from time to time.)
Sensitive Personal Data
A particular category of Personal data, relating to: Racial or Ethnic Origin, Political Opinions, Religious, Ideological or Philosophical beliefs, Trade Union membership, Information relating to mental or physical health, information in relation to one’s Sexual Orientation, information in relation to commission of a crime and information relating to conviction for a criminal offence.
A person or entity who, either alone or with others, controls the content and use of Personal Data by determining the purposes and means by which that Personal Data is processed.
A living individual who is the subject of the Personal Data, i.e. to whom the data relates either directly or indirectly.
A person or entity who processes Personal Data on behalf of a Data Controller on the basis of a formal, written contract, but who is not an employee of the Data Controller, processing such Data in the course of his/her employment.
Data Protection Officer
A person appointed by Parents Plus to monitor compliance with the appropriate Data Protection legislation, to deal with Subject Access Requests, and to respond to Data Protection queries from staff members and service recipients
Relevant Filing System
Any set of information in relation to living individuals which is not processed by means of equipment operating automatically (computers), and that is structured, either by reference to individuals, or by reference to criteria relating to individuals, in such a manner that specific information relating to an individual is readily retrievable.