Go to Navigation
|
Skip Navigation
|
Accessibility Information
|
Site Search
|
Quick Links
Find a Course
Find a Job
Career Directions
Construction Skills Certification Scheme
Disability
eCollege
Employment by occupation
Find Staff/Add a Vacancy
Freedom of Information
Jobs Ireland
Publications & Resources
Safe Pass
Screen Training Ireland
Social Inclusion & Equal Opportunities
Work Placement Programme
Search
Home
|
Accessibility
|
A - Z
|
Forms
Home
Jobseeker
Employer
Training
Communities
About Us
Contact Us
Corporate Structure
FÁS Management
Regional Structure
Customer Charter
Complaints Procedures
Quality Policy
Freedom of Information
Data Protection
Frequently Asked Questions
Contact Communications Unit
Publications & Resources
News
Contact Communications Unit
About Us
home
»
About Us
»
Corporate Structure
»
Data Protection
»
Frequently Asked Questions
Frequently Asked Questions
What is Data Protection?
What are the main principles of Data Protection?
Are there exceptions or limitations on the right of access to personal data?
Additional Information on Data Protection
Who can I contact in FÁS with regard to Data Protection?
How do I make a Data Access Request?
How soon will I get a response to my request?
How much will it cost?
What details have FÁS registered with the Data Protection Commission?
What is Data Protection?
The purpose of the Data Protection Acts 1988 and 2003 (the "Acts") is to protect the privacy of individuals whose personal data is being processed. Processing data includes the obtaining, recording, storing, collecting, and retrieving of information or data. It relates to both automated data (i.e. computer held records) and manual data. However, the application of certain parts of the Acts to existing manual data is deferred until October 2007.
Personal data is information relating to a living individual who can be identified from the data itself or in conjunction with other information held.
The Acts give individuals a right to get a copy of all personal data relating to them, by making a written "access request", which applies to both automated data and manual data in the possession of a data controller (i.e. a person who controls the contents and use of personal data). In addition, where personal data consists of an opinion about an individual (e.g. references, hand-written notes of interviewers where they express opinions about the suitability of certain individuals for certain positions etc.), the individual may also request this, except in limited cases, for example, where an opinion is given in confidence.
Additionally, there is a right for an individual to block uses of personal data, i.e., prevent it from being used for certain purposes and the right to have any inaccurate information rectified or erased. Also, an individual has a right to object to a data controller using personal data which is likely to result in substantial and unwarranted damage or distress to an individual. The data controller must write back to the individual within 20 days confirming compliance with the request, or stating its reasons for non-compliance. If an individual is unhappy with the data controller's response, he/she can complain to the Data Protection Commissioner, who can use his enforcement powers if necessary.
FÁS is a Data Controller under the Data Protection Acts 1988 and 2003. 'Data Controller' means a person who, either alone or with others, controls the contents and use of personal data.
What are the main principles of Data Protection?
Fair Obtaining and Fair Processing
The fundamental principle of data protection is that all personal information must be obtained and processed "fairly". If FÁS (as a data controller) wishes to keep personal information about staff/clients, then it must collect the information fairly, and it must be used fairly.
An individual, when providing information of a personal nature, must be fully aware of the identity of the person/s who is/are collecting it, to what use the information will be put and the persons or category of persons to whom the information will be disclosed. Also, the individual must give their consent to such disclosure of personal information.
When dealing with personal data of a sensitive nature, which includes personal data as to racial or ethnic origin, political opinions, religious or philosophical beliefs of an individual, the data controller must have obtained the explicit consent of the individual in advance to the processing of his/her personal data.
Any future use of the information which might not be obvious to individuals should be brought to their attention at the time of obtaining personal data. Individuals should be given the option of saying if they wish their information to be used in any other way.
If a data controller such as FÁS holds personal information and wishes to use it for a new purpose, they are obliged to give an option to the individuals concerned to indicate whether or not they wish their personal information to be used for the new purpose.
Specifying the Purpose
Personal data shall be kept only for one or more specified and legitimate purposes. It is unlawful to collect information about people routinely without having a legitimate purpose for doing so.
Use and Disclosure of Personal Information
Personal data of an individual shall not be used or disclosed in any manner incompatible with the purpose or purposes for which the personal information was provided unless the consent of the individual has been obtained for such. If personal information is obtained for a particular purpose, it may then not be used for any other purpose. Further, such personal information may not be divulged to a third party except in ways that are 'compatible' with the specified purpose.
Security of Personal Data
All data controllers, including FÁS, must take appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of the personal information held and against accidental loss or destruction of the data.
Accurate and Up-to-Date
All personal information obtained shall be kept accurate and, where necessary, kept up-to-date. Apart from ensuring compliance with the Acts, data controllers may be liable to an individual for damages if they fail to observe the duty of care provision in the Acts applying to the handling of personal data.
Adequate, Relevant and not Excessive
Personal data kept should be enough to enable a data controller to achieve its purpose and no more. It should be adequate, relevant and not excessive in relation to the purpose or purposes for which the data was provided. A data controller should not ask intrusive or personal questions if the information obtained in this way has no bearing on the specified purpose for which it holds personal data.
Retention of Personal Data
Data controllers must not keep personal data for longer than is necessary for that purpose or those other purposes specified. If there is no good reason for retaining personal information on computer, then that information should be routinely deleted. Information should never be kept 'just in case'.
Rights as regards Access to Personal Data?
Any individual about whom a data controller keeps personal information is entitled to a copy of the personal data, on making a written request and payment of the access fee. This "right of access" is subject to a limited number of exceptions which are set out below.
Individuals have rights under the Acts such as the right to have any inaccurate information rectified or erased, to have personal data taken off a direct marketing or direct mailing list and, the right to complain to the Data Protection Commissioner.
Are there exceptions or limitations on the right of access to personal data?
Yes. The restrictions upon the right of access include the following:
The right of access does not apply in a number of cases in order to strike a balance between the rights of the individual on the one hand and some important needs of civil society on the other hand, such as the need to investigate crime effectively, and the need to protect the international relations of the state.
The right of access to medical data and social workers' data is also restricted in some very limited circumstances, to protect the individual from hearing something about himself or herself which might cause serious harm to his or her physical or mental health or emotional well-being.
The right of access does not include a right to see personal data about other individuals without that other person's consent. It is necessary to protect the privacy rights of the other person.
Where an expression of opinion has been given in confidence, such an opinion shall not be given to the individual making an access request.
Additional Information on Data Protection
Organisations that transfer personal data from Ireland to third countries, i.e., places outside of the European Economic Area (EEA) will need to ensure that there are adequate levels of data protection provided.
With regard to the level of security measures that organisations must have in place to protect personal data, generally organisations must take all necessary and reasonable steps having regard to the state of current technology, and to the sensitivity of the personal data in question.
If a data controller retains the services of an agent to process personal data on its behalf - a data processor - then it must put in place a contract in writing (or equivalent form) which deals adequately with issues of security, confidentiality and other data protection matters.
The Acts apply to all data controllers established in Ireland - this may include a foreign data controller which operates through an Irish intermediary. The Acts will also apply to data controllers established outside the EEA which use equipment in Ireland to process personal data. These non-EEA data controllers must designate a representative in Ireland.
When processing personal data, other legitimate processing requirements are imposed on those processing such data which are in addition to the data protection rules (point 6 above). Essentially, the individual must consent to the processing of personal data. However, there are a number of other methods for legitimising the processing of personal data such as processing necessary for the performance of a contract to which the data subject is party.
In the case of sensitive personal data, it will be necessary, in addition to the data protection rules and one of the methods for legitimising the processing of personal data, to comply with one of the conditions for processing sensitive personal data, which includes obtaining the "explicit" consent of the individual to such processing. There are a number of alternative methods by which sensitive personal data processed by a data controller will be regarded as legitimate.
The Acts impose obligations on those data controllers that obtain personal data from other data controllers to notify the individuals in question that they hold information about them, to inform them of the uses and disclosures being made of that data and to ensure that they are aware of their right to access their data and modify it if it is incorrect.
Who can I contact in FÁS with regard to Data Protection matters?
Michael
Bowden
Manager Legal Services/Freedom of Information Unit
FÁS Head Office
27-33 Upper Baggot Street
Dublin 4
work
Tel.:
+353 (01) 607 0500
How do I make a Data Access Request to FAS?
In making a Data Access request to FÁS, you must make an application in writing, identifying yourself and stating that you wish to receive information under the Acts. This shall be accompanied by the prescribed access fee, which in the case of FÁS is €6.35 (see further '
How much will it cost?
'). You may also contact FÁS at the above number and request a copy of the "Application for Data Access" Form. This will be forwarded to you immediately. It is not compulsory in making access requests to use a prescribed form.
How soon will I get a response to my request?
Generally, copies of the personal data must be supplied to the requestor within 40 days of FÁS receiving the request. FAS cannot change any personal data upon receiving a request.
FÁS will provide you with the personal information in a form which will be clear to the ordinary person (e.g., codes explained).
FÁS will provide personal information only to the individual concerned or someone acting on their behalf or with their authority. Personal information will not be given over the phone.
If no personal information is held about you, you will be informed of this within the 40 days.
How much will it cost?
The maximum fee that a requestor can be required to pay is a fee of €6.35 at the time of making the written request. FÁS is under no obligation to refund the access fee of €6.35 if it is discovered that no personal data is in fact on record. However, the fee must be refunded if FÁS does not comply with the request or if it rectifies, supplements or erases the data concerned.
What details has FÁS registered with the Data Protection Commission?
FÁS is registered as a Data Controller with the Office of the Data Protection Commissioner. See
registration details
.
This information is intended only as a general guide and not as a detailed legal analysis. The information should not be used as a substitute for professional advice based on the facts of a particular case.
