Data Protection Acts (including – General Data Protection Regulation 2018 (GDPR))
The Data Protection Acts provide similar rights of access as the FOI Acts, the main difference being that the Data Protection Acts do not apply to records of deceased persons. As with the FOI Acts, these rights extend to an individual’s own personal records and in specific circumstances, to those of their children. There are exemptions provided for in the Acts, this means that there are specific circumstances when the requested information will not be released. If any of these exemptions are used to withhold information, the reasons will be clearly explained to you.
Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. An individual supplies information about themselves to many organisations, including the Waterford and Wexford Education and Training Board (WWETB) in order to avail of services or satisfy obligations. For the purpose of Data Protection, such organisations or individuals who control the contents and use of personal data are known as Data Controllers.
Waterford and Wexford Education and Training Board, as a Data Controller must adhere to the principles of GDPR. These principles apply whether the information is held on a computer or in a manual form, are:
- Obtain and process information with fairness and transparency – (Fairness and Transparency)
- Keep it only for one or more specified, explicit, and lawful purposes – (Lawfulness)
- Use and disclose it only in ways compatible with these purposes – (Purpose Limitation)
- Keep it safe and secure – (Integrity and Confidentiality)
- Keep it accurate, complete, and up to date – (Accuracy)
- Ensure that it is adequate, relevant, and not excessive – (Data Minimisation)
- Retain it for no longer than is necessary for the purpose or purposes – (Storage Limitations);
- Demonstration compliance with these principles – (Accountability)
- Give a copy of his/her personal data to that individual upon request – (Under Article 15 of GDPR Act)
When to use the Data Protection Acts:
An individual may use either the Freedom of Information Acts or the Data Protection Acts to access personal information held by public bodies. However, the Data Protection Acts apply only to an individual’s own personal information. Also, the Data Protection Acts apply to all holders of personal information, not just public bodies.
Entitlements under the Data Protection Acts (GDPR):
- A decision will, in normal circumstances, issue within 30 days of receipt of your request.
- If the request is complex or involves a large number of records, the data controller can extend the time to respond by a further two months. Notification of same should issue within the initial 30 days accompanied by a written explanation.
- Details of your entitlement to complain to the Data Protection Commissioner will be included in the decision letter.
Access to Information
To make a Subject Data Access Request under Article 15 of the General Data Protection Regulations (GDPR), an individual should apply in writing and simply refer to the General Data Protection Regulations (GDPR). Photographic proof of I.D. and proof of address maybe required. There is a Data Access Request Form which can be made available for completion to assist with the request. Please note that the request should describe the records sought to the greatest detail possible to enable WWETB to identify the relevant records that are being sought.