Data Protection Statement
Kildare County Council (the Council) is the democratically elected unit of Local Government in County Kildare and is responsible for providing a range of services to meet the economic, social and cultural needs of the people of our County.
In order to provide the most effective and targeted services to meet the needs of the citizens, communities and businesses of County Kildare we will be required to collect, process and use certain types of information about people and organisations. Depending on the service being offered, information sought may include ‘personal data’ as defined by the Data Protection Acts and the General Data Protection Regulation (GDPR) and may relate to current, past and future service users; past, current and prospective employees; suppliers; and members of the public who may engage in communications with our staff.
In this context the Council is a Data Controller under the Data Protection Acts and the General Data Protection Regulation (GDPR) and is obliged to comply with a range of requirements under this legislation.
In addition, staff may be required, from time to time, to collect, process and use certain types of personal data to comply with regulatory or legislative requirements or to carry out functions in the public interest. Data in this policy document means both personal data and special personal data.
Given the range of services and activities conducted by the Council, full details of personal data for each process cannot be specified in this statement. However, the personal data that you may typically be asked to supply can be categorised as follows:
- Contact details to allow for efficient communication (including web-based communication platforms)
- Details of your personal circumstances which you are required by law to supply as part of your application for a service offered by the Council
- Your own financial details which you are required by law to supply as part of your application for a service offered by the Council
In compliance with the GDPR the Council maintains records of processing regarding personal data received and collected for its functions.
The Council is committed to meeting all relevant Data Protection, privacy and security requirements, whether originating from legal, regulatory or contractual obligations and is committed to protecting the rights and privacy of individuals in accordance with current Data Protection legislation. This statement should be read in conjunction with the Data Protection Acts, and any amendments thereto or regulations made thereunder and the General Data Protection Regulation (GDPR).
This statement has been created to demonstrate the Council’s commitment that the personal data you may be required to supply to us in order to access services will be processed in accordance with data protection principles, which state that personal data will be:
- Obtained lawfully, fairly and in a transparent manner
- Obtained for only specified, identified and legitimate purposes
- Processed for purposes which we have identified or purposes compatible with the purposes that we have identified.
- Adequate, relevant and limited to what is necessary for the purpose for which it was obtained
- Accurate and (where necessary) kept up to date.
- Kept only for as long as is necessary for the purposes for which it was obtained.
- Processed in a manner that ensures the appropriate security of the personal data including protection against unauthorised or unlawful processing.
This statement shall not be interpreted or construed as giving any individual rights greater than those which such person would be entitled to under applicable law, regulation or other contracts or binding agreements.
The Council has designated a Data Protection Officer (DPO) in accordance with requirements of the GDPR. Contact details are provided at the end of this document. The DPO’s role is:
- to inform and advise the Council and the employees who carry out processing of their obligations pursuant to the GDPR;
- to monitor compliance with GDPR, regarding the policies of the Council in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority - the Office of the Data Protection Commissioner;
- to act as the contact point for the Office of the Data Protection Commissioner on issues relating to processing, and to consult, where appropriate, with regard to any other matter.
The Council is committed to carrying out all duties and functions as set out in the Acts and to adhere to guidelines issued by the Office of the Data Protection Commissioner.
Kildare County Council is presently registered on the Data Protection Commissioner's Public Register at www.dataprotection.ie - The Council’s registration reference is 0173/A.
The following is intended to provide a summary of activities of the Council to ensure that its management of personal data adheres to the principles of GDPR. These principles require that personal data shall be:
Processed lawfully, fairly and in a transparent manner.
The Council has developed a transparency programme to endeavour to ensure that, at the earliest practical point in the collecting or processing of personal data, the individual is provided with written details, or made aware of how to access, a written statement of their privacy rights. This is in the form of a Privacy Statement that is available on our website, at our public counters and with our application forms. Means to access information on your privacy rights should also be notified to you when you communicate with our employees by email or over the phone, where personal data is involved.
Collected for specified, explicit and legitimate purposes
The Council base personal data processing on lawful processing conditions, set out in Article 6 of the GDPR. The basis and purpose of the processing will be stated in our Privacy Statements relevant to the process or application forms that you are using.
Adequate, relevant and limited to what is necessary for the purpose for which it was obtained
The Council endeavour to ensure that personal data sought is minimal and aligned to the purpose or activity for which it is required.
It should however be noted that staff may be required, from time to time, to collect, process and use certain types of personal data to comply with regulatory or legislative requirements or to carry out functions in the public interest. This may extend to sharing or disclosure of personal data to other bodies to comply with our statutory obligations. Sharing of data specific to a process or activity will be stated in our Privacy Statements.
Accurate and, where necessary, kept up to date
The Council will provide reasonable opportunities for individuals to ensure personal data that is inaccurate can be deleted or corrected as required.
In practical terms this can often relate to changes in customers' addresses and contact details. If you find that personal data we have about you is inaccurate or needs to be updated (for instance, you may have changed your name, address, contact details etc.) then please contact us so that we can correct it.
You can do this by:
Writing to us at: Kildare County Council, Áras Chill Dara, Devoy Park, Naas, Co Kildare. W91 X77F
Emailing us at firstname.lastname@example.org
Please note that to help protect your privacy, we take steps to verify your identity before granting access to personal data. When making a request to update your records please provide evidence to support this - for example a copy of a document containing your new address – utility (Gas, Electricity, Phone) bill etc. and proof of your identity.
Kept only for as long as is necessary for the purposes for which it was obtained.
The National Retention Policy for Local Authority Records is under review. The revised Policy will provide information on the criteria for determining retention, archival and deletion or end dates for Council records in all the functions it operates. Links to the Policy will be provided in our Privacy Statement and updated as the Policy is renewed.
Processed in an appropriate manner to maintain security
The Council, taking into account the nature, scope, purposes and related risks of processing, employ appropriate physical, technical and organisational measures to secure personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. There are a range of internal policies, controls and practices supporting this principle and reducing risks to the data from the point of collection to the point of destruction. We also maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
- Confidentiality means that only people who are authorised to use the data can access it.
- Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
- Availability means that authorised users should be able to access the data if they need it for authorised purposes.
In addition the Council provide support, assistance, advice and Data Protection Awareness training, which includes physical and IT security training for staff to ensure compliance with the legislation, and to ensure a secure environment for your personal data.
It should be noted that staff of the Council may be required, from time to time, to collect, process and use certain types of personal data to comply with regulatory or legislative requirements or to carry out functions in the public interest. This may extend to sharing or disclosure of personal data to other bodies to comply with our statutory obligations.
Typically, disclosure requests will involve requests from law enforcement/investigation agencies for purposes involving preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other monies owed or payable to the State, a local authority and/or to prevent injury or other damage to the health of a person or serious loss of or damage to property. There are certain other limited circumstances where disclosures may be made.
Council officials who perform statutory duties involving preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other monies owed or payable to the Council, may also access personal data where relevant to the performance of such duties. Access of this nature is confined to those staff performing such functions and the Council has in place controls to govern such access, which are under review.
Requests of this nature from such external agencies should:
- Be made in writing.
- Provide detail in relation to the data required.
- State the reason it is required.
- Quote the relevant legislation which applies to their request for data.
- Be signed by a person at management level in the organisation, e.g. Garda Sergeant in Charge, Investigating Manager etc.
- Seek access to or confirmation of the minimal amount of data required.
Applicants should note that there are restrictions, included in the Data Protection Acts and the General Data Protection Regulation (GDPR) to some of the following rights. The Council will examine each request to ensure that requests that can be granted are granted and where we are obliged to apply a restriction to a request, under the Acts, that we do so. On this basis general guidance on likely outcomes cannot be provided and requests from individuals seeking to exercise their rights will be assessed on a case-by-case basis against the various criteria to determine applicability. Nonetheless individuals have the right to apply to:
- obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to same
- obtain from the controller without undue delay rectification of inaccurate personal data concerning him or her
- obtain from the controller the erasure of personal data concerning him or her without undue delay
- obtain from the controller restriction of processing
- object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, in certain circumstances.
Full details of data subject rights and restrictions are outlined in Chapter 3 of the GDPR.
Any applications to exercise your Data Protection Rights must be addressed to the Council's DPO, to ensure they are properly managed. More information and forms relevant to this are available online in the area www.kildare.ie/CountyCouncil/DataProtection/forms/
Data Protection Officer – Kildare County Council
Our Data Protection Officer (DPO) advises and guides the staff of the Council in how they collect, use, share and protect your information to ensure your rights are fulfilled in compliance with the Data Protection Legislation. The DPO also acts as the contact point for individuals with concerns about the processing of their personal data and is also the liaison between the Council and the Office of the Data Protection Commissioner. You can contact our DPO at:
Any applications to exercise your Data Protection Rights must be addressed to the Council's DPO, to ensure they are properly managed in accordance with your rights. More information and forms relevant to this are available online in the area www.kildare.ie/CountyCouncil/DataProtection/YourRights/
Right of Complaint to the Data Protection Commissioner
If you are not satisfied with the outcome of the response received from the Council or the Council’s DPO you are entitled to make a complaint to the Data Protection Commissioner who may investigate the matter for you. The Data Protection Commissioner’s website is www.dataprotection.ie or you can contact their Office at:
Lo Call Number: 1890 252 231
Postal Address: Data Protection Commissioner
Portarlington, Co. Laois. R32 AP23.
The Council is reviewing existing practice in respect of CCTV systems operated by the Council in the County and will comply with revised guidance of the Data Protection Commissioner on this matter, which is pending.
Our policy will specify legitimate purposes for the use of CCTV and distinguish between covert and public CCTV, body worn equipment and any proposed use of drones or similar technologies.
It will provide for:
- a maximum 31 day deletion of images,
- restricted access to monitors, servers and recording equipment and security to ensure images are neither deleted nor modified
- the signage and other transparency measures to ensure fair and transparent processing, where such CCTV is public.
- the recommended practice of the Council regarding contractors involved in provision of CCTV related services
- procedures for management of access requests.
Requests for images can be made by the Garda Síochána, other enforcement or investigation agencies or the public, who must demonstrate a legitimate reason for a request. Images released must be pixelated or redacted to ensure the privacy of others captured on CCTV. The Council has provided a separate access request document for such requests available at our data protection homepage - http://kildare.ie/CountyCouncil/DataProtection/Forms/
It is the position of the Council that the proposed use of technologies involving CCTV, body worn equipment and drones will be reported to the Council’s DPO from May 25th 2018 to enable a privacy impact assessment to be carried out, to assess the proportionality of use of technologies and, where required, the measures to ensure its use in compliance with Data Protection legislation and guidance.
The Council has regard to the significant requirements under the Data Protection legislation and on this basis operates a governance structure as below to underpin compliance with its varied obligations. Development and implementation of our policies and protocols will be monitored by the Data Protection Officer and delegated Data Controllers for each Council Department. The DPO is both formally and informally in regular communication with senior management and line management in relation to ongoing advice and monitoring of our compliance.
Kildare County Council will review this statement, and supporting policies and actions periodically in light of its operation and in terms of new legislative or other relevant factors such as publication of guidance from the Office of the Data Protection Commissioner. The statement shall be reviewed by the DPO in consultation with relevant Data Controllers for each Council Department and approved by the Council's Management Team.