DATA PROTECTION POLICY

The General Data Protection Regulation (GDPR), together with the new Data Protection Bill 2018 form part of the data protection regime within the Republic of Ireland, regulating the processing of information relating to individuals. The main provisions came into force on 25/05/2018 and apply to both manual and electronic data.

The Irish Association of Funeral Directors recognises its responsibility to treat such information with confidentiality and with care to ensure compliance with the law and for the protection of our members. Compliance with Data Protection regulations and annual registration with the Information Commissioner are the responsibilities of the Data Protection Officer, although responsibility for the implementation of the Data Protection Policy is placed on all members of staff.

DEFINITIONS

Personal data is defined as information that relates to an identified or identifiable individual. It can include data such as name, contact details and date of birth or could include other identifiers such as staff number, IP address or other factors. If it is possible to identify an individual directly or indirectly from the information you are processing, then that information may be personal data.

Special Category Data is personal data which the GDPR says is more sensitive and so needs more protection. It includes data such as race, ethnic origin, diversity and health data, details of sexual orientation, religion etc. In order to lawfully process special category data, both a lawful basis and a separate condition for processing must be identified.

Controllers & Processors - The GDPR applies to both ‘controllers’ and ‘processors’ of personal data, and puts specific legal obligations on both controllers and processors. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.

REGISTRATION & APPOINTMENTS

As IAFD is recognised as a Data Controller and is required to hold certain personal data in order to operate (eg. regarding members, business contacts, employees etc), it falls within the GDPR and is required to register on an annual basis with the Information Commissioner.

Current Registration:

The IAFD has appointed Tom Lawless as Data Protection Officer (DPO), responsible for monitoring internal compliance and act as a contract point for data subjects and the supervisory authority. Tom Lawless can be contact at – dpo@iafd.ie

THE PRINCIPLES OF DATA PROTECTION

The GDPR sets out seven key principles which underpin the protection of personal data:

1. Lawful, Fair & Transparent - there must be valid grounds (‘lawful basis’) for collecting and using personal data and other laws are not breached by doing so (eg an infringement of copyright or breach of contractual agreement). The personal data must be used in a way that is fair and not detrimental, unexpected or misleading to the individuals concerned. The user must be clear, open and honest with people from the start about how their personal data will be used.
2. Purpose Limitation – the purpose for processing personal data must be clear from the start, and must be recorded as part of the documentation obligations. Personal data can only be used for a new purpose if either this is compatible with the original purpose, consent is gained or there is a clear basis in law.
3. Data Minimisation – the personal data being processed must be adequate (sufficient to properly fulfil the stated purpose), relevant (has a rational link to that purpose) and limited to what is necessary for that purpose.
4. Accuracy - all reasonable steps should be taken to ensure the personal data held is not incorrect or misleading as to any matter of fact. This may mean that personal data needs to be updated, although this may depend on what it is being used for. Where incorrect or misleading personal data is discovered, all reasonable steps should be taken to correct or erase it as soon as possible.
5. Storage Limitation – personal data must not be held for any longer than is necessary. Users must be able to justify how long personal data is held (will depend on the purpose) and must have retention policies in place. Data should also be periodically reviewed, and erased or anonymised when it is no longer needed.
6. Integrity & Confidentiality (Security) – appropriate security measures must be in place to protect any personal data held.
7. Accountability – The user must take responsibility for what is done with the personal data and how the other principles are complied with. There also must be appropriate measures and records in place to be able to demonstrate compliance.

LAWFUL BASIS FOR PROCESSING

The GPDR requires that there must be a valid lawful basis in order to process personal data. There are six available lawful basis for processing, and it will depend on the purpose and relationship with the individual which one is the most appropriate. Most of the lawful bases require that processing is ‘necessary’ for a specific purpose (so if the same purpose can reasonably be achieved without the processing, there won’t be a lawful basis).

The lawful basis must be determined before processing begins and should be documented. It should not be swapped to a different lawful basis at a later date without good reason, and both the lawful basis for processing and the purposes of processing should be included in IAFD’s Privacy Notice.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal date:

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Consent means offering individuals real choice and control, and requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent, and keep consent requests separate from other terms and conditions. It also must be easy for people to withdraw their consent at any time.
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract (eg provide a quotation). The processing must be necessary and justifiable, and should be documented.
3. Legal obligation: the processing is necessary for you to comply with the law or statutory obligations (not including contractual obligations). The processing must be necessary and justifiable, and should be documented.
4. Vital interests: the processing is necessary to protect someone’s life. You cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. This basis is the most flexible lawful basis for processing but it cannot be assumed that it will always be the most appropriate. Is people’s data being used in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing? However, in using this basis, people’s rights and interests must be considered and protected.

INDIVIDUAL RIGHTS

The GDPR provides the following rights for individuals over their personal data and how it is collected, processed and retained:

1. The right to be informed – under the transparency principle of GDPR, information must be provided to individuals about the collection and use of their personal data, including the purpose for processing their personal data, your retention periods and who it will be shared with. This information must be provided to individuals at the time you collect the personal data from them. If personal data is obtained from other sources, individuals must be provided with privacy information within a reasonable period of obtaining the data and no later than one month.
2. The right of access – individuals have a right to access their personal data and can make a subject access request verbally or in writing. A response must be made within one month and a fee cannot be charged in most circumstances.
3. The right to rectification – individuals have the right to have inaccurate personal data rectified or completed if incomplete. Requests can be made verbally or in writing and a response must be made within one month. The accuracy of the new data may need to be verified and there are a few circumstances where a request for rectification can be refused.
4. The right to erasure – the GDPR introduced a right for individuals to have personal data erased, also known as ‘the right to be forgotten’. Requests can be made verbally or in writing and a response must be made within one month. The right is not absolute and only applies in certain circumstances, for example where the personal data is no longer necessary for the purpose it was originally collected or processed for, where consent is being relied upon as the lawful basis of holding the data and that consent has been withdrawn, or the data has been processed unlawfully.
5. The right to restrict processing – individuals have the right to request the restriction or suppression of their personal data, where the data may be stored but not used. Requests can be made verbally or in writing and a response must be made within one month. The right is not absolute and only applies in certain circumstances, for example when the accuracy of personal data is contested by the individual and this needs to be verified, the personal data is no longer needed, but the individual wants you to keep it in order to establish, exercise or defend a legal claim, or the individual has objected to you using their data and consideration is being given to whether legitimate interest grounds override those of the individual.
6. The right to data portability – this right allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
7. The right to object – individuals have the right to object to the processing of their personal data in certain circumstances, and have an absolute right to stop their data being used for direct marketing. Requests can be made verbally or in writing and a response must be made within one month.
8. Rights related to automated decision making including profiling – there are certain additional rules to protect individuals where automated decision making, including profiling, is being carried out without human intervention that has legal or similar significant effects on them.

PRIVACY NOTICE

IAFD is committed to protecting personal data and keeping it safe. Our responsibilities in relation to the protection and security of personal data is set out in our Privacy Notice which informs individuals as to how we collect, process and look after your personal data, and outlines the individual’s privacy rights and how the law protects them.

The Privacy Notice is available in paper or electronic form and is available on our website. It should be provided or available to an individual at the point where their personal data is given (eg. Where a firm becomes a member of IAFD). It is reviewed on an annual basis and updated if necessary.

SUBJECT RIGHTS REQUESTS REGISTER

Individuals can make requests to IAFD under the rights detailed above either verbally or in writing. We will aim to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests, and in this case, we will notify you and keep you updated.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

If we are unable to comply with your request for any reason (eg for specific legal or regulatory reasons) these will be notified to you in writing.

You will not normally have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

All data protection subject requests will be entered into a Subject Rights Requests Register together with the date the request was received, the form it was received in, our assessment of whether the request can be complied with, and the date and summary of the response given.

THIRD PARTY CONTRACTS

Whenever a controller uses a processor it needs to have a written contract in place so that both parties understand their responsibilities and liabilities. As a Controller, IAFD is liable for the compliance with GDPR and should only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

Contracts should include the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data provided and the obligations and rights of the controller. This may include putting an onus on the third party that they only use the data for the purposes for which it was provided and not for any other purposes (such as their own marketing), that they have appropriate security in place to protect the data, that the data is kept confidential and not shared with anyone else, that the data is not retained for any longer than is necessary, and that the data must be deleted or returned to the controller as requested at the end of the contract.

DOCUMENTATION OF PROCESSING ACTIVITIES

We have completed a data audit, together with our key processing activities (including purpose of processing, lawful basis relied upon, data sharing and retention). This is reviewed and updated on an annual basis to ensure it reflects our current processing activities.

DATA PROTECTION IMPACT ASSESSMENTS

A Data Protection Impact Assessment (DPIA) is required for processing that is likely to result in a high risk to individuals. It should describe the nature, scope, context and purposes of the processing, assess compliance measures taken, identify and assess the risk to individuals and identify any additional measures to mitigate those risks.

In order to assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.

A DPIA must be completed if you plan to use systematic and extensive profiling with significant effects, process special category or criminal offence data on a large scale, or systematically monitor publicly accessible places on a large scale. A DPIA may also be required in other specific circumstances such as use of new technologies, process biometric or genetic data, track individuals location or behaviour or profile children or target marketing at them.

DATA SECURITY

A key principle of data protection is that personal data is processed securely by means of ‘appropriate technical and organisational measures’. Both ‘state of the art’ and costs of implementation should be considered when deciding what measures to take, and they must be appropriate both to our circumstances and the risk that our processing poses.

The measures taken should ensure the confidentiality, integrity and availability of systems and services and the personal data processed within them. They must also enable the user to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.

MANAGEMENT OF PERSONAL DATA BREACHES

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

The GDPR places duties on IAFD to record any personal data breach, and in some circumstances to report to the ICO. When a personal data breach has occurred, we need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. Think of the consequences – what are the potential effects of a breach on individuals, how severe are these, and how likely are they to happen?

If it’s likely there will be a risk, then we must notify the ICO by calling the Helpline 0303 123 1113, or reporting it online within 72 hours of becoming aware of the breach where feasible. Give as much information as possible and be as accurate as you can. The individuals affected must also be informed without undue delay.

If any data breach is discovered, no matter how minor, the DPO should be informed immediately. An immediate assessment of the data breach will be undertaken by the senior management team and actions required to contain the breach or to mitigate its negative effects should be taken as soon as possible. An assessment of the risks to individuals should then be undertaken, the ICO (and any other supervisory body) notified if necessary and affected individuals informed if required. The cause of breach, and the subsequent actions taken should then be fully assessed and evaluated in order to ascertain how to prevent such a breach occurring in the future (eg implementing changes to procedures).

All staff have a responsibility to report any data breach they have detected, however minor. The DPO will be responsible for co-ordinating the response to any data breach, although it is likely that other senior management personnel will also be involve