
Keane McDonald Privacy Policy  

 

The General Data Protection Regulation and Data Protection Acts apply to the processing of personal data. This organisation is committed to complying with its legal obligations in this regard. The organisation collects and processes personal data relating to employees and the candidates we represent in the course of business in a variety of circumstances, e.g., recruitment, training, payment, performance reviews, and to protect the legitimate interests of the organisation.

This policy covers any employee or candidate about whom this organisation processes data. This may include current and former employees and candidates. Processing of data includes collecting; recording; storing; altering; disclosing; destroying; and blocking.


Personal data kept by this organisation shall normally be stored on the employee’s personnel file, and candidates’ data on our electronic database. Highly sensitive data, such as medical information, will be stored in a separate file, in order to ensure the highest levels of confidentiality. The organisation will ensure that only authorised personnel have access to an employee’s personnel file.


The organisation has appropriate security measures in place to protect against unauthorised access. These security measures include an encrypted database and encrypted computer access.



Collection and storage of data

This organisation processes certain data relevant to the introduction of candidates to clients in compliance with relevant legal obligations and, where necessary, to ensure protection of its legitimate business interests and the rights and entitlements of candidates. We will ensure that personal data will be processed in accordance with the principles of data protection, as described in the GDPR and Data Protection Acts.


Personal data is normally obtained directly from the employees and candidates concerned. In certain circumstances, it will, however, be necessary to obtain data from third parties, e.g., references from previous employers. Where relevant to the nature of the work, the organisation may make an application to the Garda Vetting Bureau for Garda clearance of an employee or candidate.


Personal data collected by the organisation is used for ordinary management purposes. Where there is a need to collect data for another purpose, the organisation shall inform you of this. In cases where it is appropriate to get your consent to such processing, the organisation will do so.


Employees and candidates are responsible for ensuring that they inform the company of any changes in their personal details, e.g., change of address. We endeavour to ensure personal data held by the organisation is up to date and accurate.


Retention of data

The organisation is under a legal obligation to keep certain data for a specified period of time. In addition, the organisation will need to keep personal data for a period of time in order to protect its legitimate interests. This period of time will be agreed with employees and candidates alike.



Security and disclosure of data

The organisation will take all reasonable steps to ensure that appropriate security measures are in place to protect the confidentiality of both electronic and manual data. Security measures will be reviewed from time to time, having regard to the technology available, the cost and the risk of unauthorised access. Employees must implement all organisational security policies and procedures, e.g., use of computer passwords, locking the office etc.


HR files are normally stored by the Managing Director and employees who have access to these files must ensure that they treat them confidentially.


All employees will have access to personal data relating to candidates, clients, customers and other third parties. Employees must play their part in ensuring its confidentiality. They must adhere to the following data protection principles:

• Process data fairly, lawfully and transparently

• Keep data only for specified, explicit and legitimate purpose(s)

• Process data only in ways which are compatible with the purpose(s) for which it was given

• Ensure data is accurate and up to date

• Ensure data is adequate, relevant and limited to what is necessary for the purpose for which it was given

• Keep data safely and securely

• Retain personal data for no longer than is necessary for the purpose for which it is processed and in line with the company’s data retention policy



Employees must not disclose personal data, except where necessary in the course of their employment, or in accordance with law. They must not remove or destroy personal data except for lawful reasons and with the permission of the organisation. Employees may only disclose candidate personal data with the permission of that candidate.

 

Any breach of the data protection principles is a serious matter and may lead to disciplinary action up to and including dismissal. If employees are in any doubt regarding their obligations, they should contact the Managing Director.


E-mail monitoring

The organisation provides e-mail facilities and access to the internet. In order to protect against the dangers associated with e-mail and internet use, screening software is in place to monitor e-mail and web usage. Mailboxes are only opened:

• upon specific authorisation by a manager in cases where the screening software or a complaint indicates that a particular mailbox may contain material that is dangerous or offensive.

• where there is a legitimate work reason or in the legitimate interest of the organisation.


Data Protection/Privacy Officer

Eddie Kelly is the data protection officer for this organisation. She is responsible for assisting the organisation in monitoring and maintaining compliance with data protection legislation. All employees must co-operate with the data protection officer when carrying out their duties.


The data protection officer is also available to answer queries or deal with employees’ concerns about data protection.


Access requests

Employees and candidates are entitled to request data held about them on computer or in relevant filing sets. The organisation will, in most circumstances, provide this data within one month. In some cases, due to the complexity of the request or the number of requests being handled by the organisation, the organisation may require a further two months to provide this data. There is no charge for requesting this data.


An employee or candidate should make a request in writing to the data protection officer, stating the exact data required. Employees and candidates are only entitled to access data about themselves and will not be provided with data relating to other employees or candidates or third parties. It may be possible to block out data relating to a third party or conceal his or her identity, and if this is possible the organisation may do so.


Data that is classified as the opinion of another person will be provided unless it was given on the understanding that it will be treated confidentially. Employees who express opinions about candidates in the course of their employment should bear in mind that their opinion may be disclosed in an access request.

In some circumstances where relevant exemptions apply, certain personal data may not be provided to an employee or candidate. An employee or candidate will be informed where personal data is not being disclosed on the basis of such an exemption.

 

An employee or candidate who is dissatisfied with the outcome of an access request has the option of using the organisation’s grievance procedure. He/she may also refer a complaint to the Data Protection Commissioner.


Right to object

Employees and candidates have the right to object to data processing that is causing them distress and/or to correct personal data which is inaccurate. Where such objection is justified, the organisation will cease processing the data unless it has a legitimate interest that prevents this. The organisation will make every effort to alleviate the distress caused to the individual.


An objection should be made in writing to the data protection officer, outlining the data in question and the harm being caused to the employee.


Transmission of data outside the State

As the organisation operates internationally, it may be necessary in the course of business to transfer candidates’ personal data within the organisation and to clients in countries outside the European Economic Area, which do not have comparable data protection laws to Ireland. The transfer of such data is necessary for normal business operations. When this is necessary, the organisation will take steps to ensure that the data has the same level of protection as it does inside the State. The organisation will only transmit to companies that agree to guarantee this level of protection.


Review

This policy will be reviewed from time to time to take into account changes in the law and the experience of the policy in practice.






