JWB DATA PROTECTION POLICY
JW Balfour Ltd. Data Protection Policy
JW Balfour Ltd. needs to collect information and data on individuals, namely its clients and partners.
This policy outlines how personal data will be processed so as to meet the company’s data protection policy and to comply with the law.
This policy applies to the use of the JW Balfour Ltd. computerised records and any paper notes taken and filed by staff of JW Balfour Ltd.
Why this policy exists:
This data protection policy ensures that JW Balfour Ltd.:
- Complies with Data Protection legislation and follows good practice
- Protects the rights of its clients and partners
- Is transparent about how it stores, processes and utilises individuals’ personal data
- Protects itself from the risk of a personal data breach or breach of data protection legislation
- Reduces the risk of a personal data breach or breach of data protection legislation
JW Balfour Ltd. Policy
JW Balfour Ltd.’s policy and procedures are guided by the principles of the GDPR (2016/79) and the Irish Data Protection Act 2018 set out below, and by the informational Annexes.
JW Balfour Ltd. obtains and holds data to administer its functions. Staff are provided with access to that data in order to do their jobs. Under no circumstances should personal data be accessed without a direct service requirement. Confidential client information must never be discussed with or disclosed to any unauthorised third party, either internal or external, without getting written consent.
The area of data protection and its accompanying legislation is evolving and can be complex. However, our approach can be summed up as follows:
- Processing personal information is authorised only in circumstances where there is a clear official business requirement requiring such access; and
- Any unauthorised processing constitutes a serious breach of discipline and will be dealt with accordingly.
Appointment of a Data Protection Officer
JW Balfour Ltd. may appoint a named Data Protection Officer. The Data Protection Officer’s responsibilities will be to:
- Liaise with the Data Protection Commissioner
- Manage valid Data Subjects rights requests in a timely and thorough manner.
- Ensure employees are aware of their obligations under data protection legislation.
- Monitor compliance with the data protection legislation.
- Ensure that this policy is applied, review it annually and suggest changes for formal approval by the partners of the practice
- Lead on any investigations into personal data breaches or breaches of data protection legislation and introduce measures to prevent them recurring
- Bring to the attention of JW Balfour Ltd. partners any data protection risks identified or anticipated
Data Protection Officers should note that the Data Protection Commissioner has a wide range of enforcement powers to assist in ensuring that the principles of data protection are being observed, including:
- Serving legal notices compelling Data Protection Officers to provide information needed to assist their enquiries or compelling a Data Protection Officer to implement one or more provisions of the Acts.
- Investigating complaints made by the general public or carrying out investigations proactively. The Commissioner may, for example, authorise officers to enter premises and to inspect the type of personal information kept, how it is processed and the security measures in place.
- Imposing administrative fines of up to €20 million or 4% of turnover
- Obtaining access to any premises in the course of an investigation
- Imposing a temporary or definitive limitation, including a ban, on processing
Data Protection Legislation
On May 25th, 2018, the EU GDPR replaced the Irish Data Protection Acts of 1988 and 2003 as the primary legislation governing the processing of personal data. The Irish Data Protection Act of 2018 was passed in May 2018 and sits alongside the GDPR in Irish law. Under the new laws, enhanced rights are conferred on individuals, and new responsibilities and stricter rules are placed on data processors and data controllers processing personal data. In addition, a new principle, that of being able to demonstrate compliance, was introduced under GDPR.
The main principles of the GDPR are summarised in the following Data Protection Principles:
- Data must be processed lawfully, fairly and in a transparent manner
Personal data is obtained lawfully where it is necessary for the performance of a contract to which our clients and partners are parties. Personal data is also processed because of legal obligations we have. Occasionally we may send out information on the business as part of our legitimate business interests.
Personal data is obtained fairly and transparently if the data subject is, at the time the personal data is being collected, made aware of:
- The identity of the Data Protection Officer, if one is required
- The purpose for which JW Balfour Ltd. is collecting the data at the point of collection
- The person or categories of persons to whom the data may be disclosed
- Any other information which is necessary so that processing may be fair
JW Balfour Ltd. is committed to treating the information given to us in confidence and to ensuring that it will not be used or disclosed except as provided for by law, and will collect no more information than is necessary.
- Data must be accurate, and where necessary, kept up to date
To comply with this rule JW Balfour Ltd. will ensure that:
- Clerical and computer procedures are adequate to ensure high levels of data accuracy, and the general requirement to keep personal data up-to-date has been fully implemented.
- Appropriate procedures are in place, including periodic review and audit, to ensure that each data item is kept up-to-date.
- Procedures are in place to ensure personal data held is accurate, including reviewing records on a regular basis, identifying areas where errors are most common and providing guidelines to members on eliminating errors.
- Data must have been collected for specified, explicit and legitimate purposes and not used for other purposes
JW Balfour Ltd. may only keep data for a purpose or purposes that are specific, lawful, legitimate and clearly stated, and the data should only be processed in a manner compatible with that purpose.
Where consent is the lawful basis of the processing, any additional processing of personal data will not proceed without further consent from the data subject.
- Data must not be kept for longer than is necessary for that purpose
The Regulation requires that personal information held should be retained for no longer than is necessary for the purpose/s for which it was obtained.
JW Balfour Ltd. will be informed of the limitations on the retention of data generally by the data protection and privacy legislation in Ireland, and specifically by the various legal requirements, e.g. responsibilities to Revenue, retention for compliance with employer responsibility under the various employers, workplace, health and safety, and industrial relations Acts, limitation periods on civil actions and in the establishment, exercise or defence of legal claims.
- Data must be processed in a manner that ensures appropriate security including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures
JW Balfour Ltd. must provide “appropriate” security measures to protect personal data from unauthorised access when in use and in storage or in transit and must protect it from inadvertent destruction, amendment, loss, disclosure, corruption or unlawful processing.
In compliance with this requirement JW Balfour Ltd. has put in place physical and technical security measures to protect the confidentiality of personal data, including, inter alia:
- Access to personal information is restricted to authorised staff on a “need-to-know” basis and in compliance with the Data Protection Acts.
- Electronic personal data is protected by stringent access controls, passwords, access logs, audit logs, back-ups etc.
- Screens, print-outs, documents and files showing personal data should not be visible to unauthorised persons.
- Appropriate facilities are in place for disposal of confidential waste.
- Personal manual data should be held securely in locked cabinets, locked rooms, or rooms with limited access.
- Special care must be taken if storing personal data on mobile computing and storage devices. Where deemed high risk, the data must be encrypted, and a record kept of the nature and extent of the data and why it is being stored on a portable device. Arrangements should be in place to fully delete the data on the portable device when it is no longer being used.
- Members are not to disclose personal security passwords to anyone within JW Balfour Ltd. who does not have a legitimate need to know the information in the normal course of their duties, or to anyone outside JW Balfour Ltd., unless authorised through the proper mechanisms and in accordance with the relevant requirements (e.g. Non-Disclosure Agreements, contracts, etc.).
- Data must be adequate, relevant and limited to what’s necessary to carry out the intended processing.
When collecting personal data from clients, partners, employees, suppliers or their stakeholders that JW Balfour Ltd. engages with, we will only collect the information we need to carry out the task, request or function it is required for.
We will not work on the basis of collecting information ‘just in case’, and we will encourage a questioning culture in JW Balfour Ltd. so that, when designing our workflows and tasks, privacy and its importance remain to the fore of our approach.
- Accountability and being able to demonstrate that accountability to external assessment and examination will underpin and reinforce JW Balfour Ltd.’s commitment to these principles and our compliance with all data protection and privacy legislation we are subject to.