Updated September 2021
1. PURPOSE OF THE LIMERICK SPORTS PARTNERSHIP DATA PROTECTION POLICY
1.1 The purpose of this Data Protection Policy is to provide for the protection of the rights and privacy of individuals about whom Limerick Sports Partnership processes personal data in accordance with The Data Protection Act 2018, which was signed into law on 24 May 2018, changes the previous data protection framework, established under the Data Protection Acts 1988 and 2003. Its provisions include: Establishing a new Data Protection Commission as the State’s data protection authority.
1.2 Limerick Sports Partnership is committed to protecting the rights and privacy of individuals in accordance with the Data Protection Act and acknowledges the rights that this Act confer on individuals as well as the responsibilities the Act places on Limerick Sports Partnership employees and auxiliary staff who process personal data in the course of their duties.
2. DATA PROTECTION DEFINITIONS
2.1 The Data Protection Act provides for the collection, processing, retention and eventual destruction of personal data in a responsible and secure way thereby avoiding its misuse.
2.2 Personal Data and Sensitive Personal Data
2.2.1 ‘Personal data’ is data that relates to a living individual who is identifiable either from the data itself or from the data in conjunction with other information held by Limerick Sports Partnership.
2.2.2 ‘Personal data’ has a very broad-ranging definition and includes, but is not limited to, a person’s name, physiological, economic, cultural, social identity, pseudonyms, occupation, address etc.
2.2.3 The Act differentiates between ‘personal data’ and ‘sensitive personal data’. ‘Sensitive personal data’ relates to a person’s racial or ethnic origin; political opinions; religious or philosophical beliefs; physical and mental health; sexual life; criminal convictions, the alleged commission of an offence and trade union membership.
2.2.4 For the purposes of this Policy, references to ‘personal data’ are deemed to refer to both ‘personal data’ and ‘sensitive personal data’.
2.2.5 Personal data may be held in either electronic form (e.g. on a computer system, CCTV system) or in hard-copy.
2.3.1 At the time of providing any personal data to Limerick Sports Partnership, individuals must be made aware of the use(s) for which the data is being collected and give their consent to such use(s).
2.4 Personal Data related to Deceased Persons
2.4.1 Best practice requires that where personal data relating to deceased persons is held, this data is retained and processed in the same manner as personal data relating to living individuals.
2.5 Anonymised Personal Data
2.5.1 Personal data collected anonymously or irrevocably anonymised to the extent that the individual cannot be identified from the data is not subject to the requirements of the Data Protection Act or this Policy.
3. USE OF PERSONAL DATA AT LIMERICK SPORTS PARTNERSHIP
3.1 In order to fulfill its functions, Limerick Sports Partnership (as ‘data controller’) must collect and process certain personal data about its employees, stakeholders, programme and event participants and other individuals who come in contact with the Company. Such functions include the registration of new participants, ongoing renewals based on extended programmes, management of approved current database, registration of participants for attendance at education and training courses, the circulation of promotional and information materials, the recruitment, appointment and payment of employees and auxiliary staff, compliance with statutory obligations and other necessary administrative activities.
3.2 All personal data collected and processed by Limerick Sports Partnership must be treated with the highest standards of security and confidentiality in order to comply with the Data Protection Acts.
3.3 Any provision for Limerick Sports Partnership, as a ‘data controller’, to use a third party (known as a ‘data processor’) must be the subject of a written agreement. All proposed agreements between the Company and a third party must be developed in conjunction with the relevant legal advisors of Limerick Sports Partnership.
4. PROCESSING OF PERSONAL DATA
4.1 The Data Protection legislation imposes a number of restrictions on how the Company may process personal data.
4.2 Limerick Sports Partnership must handle personal data in accordance with the eight stated data protection principles outlined in the Act as follows:
(a) Obtain and process the personal data fairly;
(b) Keep only for one or more specified and lawful purpose(s);
(c) Use and disclose only in ways compatible with the purpose(s) for which it was initially provided;
(d) Keep safe and secure;
(e) Keep accurate, complete and up-to-date;
(f) Ensure that it is adequate, relevant and not excessive;
(g) Retain for no longer than is necessary for the specified purpose(s);
(h) Provide a copy of his/her personal data to an individual, on request.
5. RESPONSIBILITIES OF LIMERICK SPORTS PARTNERSHIP EMPLOYEES
5.1 This Policy applies to all departments, offices, units and areas of work that form part of the Company structure and applies to all personal data processed by Limerick Sports Partnership.
5.2 While Limerick Sports Partnership, as a whole, has the overall responsibility for ensuring compliance with the Data Protection Act, responsibility for the implementation of this Policy rests with the head of each area of activity to ensure good data handling practices are in place in order to uphold the privacy of personal data within their respective areas of responsibility.
5.3 Notwithstanding the foregoing, all employees of Limerick Sports Partnership who collect or use personal data as part of their duties have a responsibility to ensure that they process personal data in accordance with the conditions set down in this Policy, the Limerick Sports Partnership Data Protection Compliance Regulations, the Data Protection Act and any other relevant Company policies/regulations/procedures.
6. PROCEDURE IN THE EVENT OF A PERSONAL DATA BREACH
6.1 A personal data breach may be defined as an incident where unauthorised disclosure, loss, destruction or alteration of personal data occurs through, for example, loss or theft of a portable device, accidental disclosure via email/other electronic system, loss of hard copy records etc.
6.2 In the event of a personal data breach, the Coordinator of Limerick Sports Partnership must be notified immediately (contact: 061 333600, email: firstname.lastname@example.org). The Coordinator will ensure, where appropriate and required, that the data subjects and the Data Protection Commissioner’s Office are notified within a maximum of two days of a breach occurring as required by the Data Protection Commissioner’s ‘Personal Data Security Breach Code of Practice’.
6.3 Breaches of the terms and conditions of this Policy and the Limerick Sports Partnership Data Protection Compliance Regulations could result in major reputational and financial damage to the Company and may result in employee disciplinary action and termination of employment being invoked.
7. DATA SUBJECT ACCESS REQUESTS
7.1 Under the Data Protection Acts, data subjects are entitled to make a request for their personal data held by Limerick Sports Partnership free of charge and any additional copies can be requested for a fee not in excess of €6.35. Any such requests should be made in writing to: The Coordinator, Limerick Sports Partnership, University of Limerick, Castletroy, Limerick.
8.1 This Policy is required to be reviewed by the Board on a biennial basis.