Data Protection Policy

1. Scope

This policy describes how Macro Building Management meets its obligations to individuals and the law regarding the safeguarding of personal data. The policy refers to all data collected throughout Macro Building Management supports and services, including:

· Services to resident groups

· Short term rentals

· Community supports

· Senior Citizens Club

· Classes and Courses

2. Purpose and Objectives

The policy addresses the core principles set out by the Office for Data Protection for compliance and good practice within the current EU Data Protection Legislation. The document is for all Macro Building Management Staff and Volunteers. The office of the Data Protection Commissioner outlines eight principles of data processing which are binding on all organisations who handle personal data.

These principles are to:

· Obtain and process information fairly

· Keep it only for one or more specified, explicit and lawful purposes

· Use and disclose it only in ways compatible with these purposes

· Keep it safe and secure

· Keep it accurate, complete and up-to-date

· Ensure that it is adequate, relevant and not excessive

· Retain it for no longer than is necessary for the purpose or purposes

· Give a copy of his/her personal data to an individual, on request

This policy describes how Macro Building Management adheres to those principles. For the purposes of this policy, individuals using the services of Macro Building Management and individuals and companies purchasing products and services from Macro Building Management are referred to as ‘clients’.

2.1 Fair Obtaining

Our data collection aims to be open and transparent at all times. Individuals are made aware of the uses for their information when that information is collected. This disclosure is included in our online application forms, or by email, along with a request for consent. Personal data is not subject to secondary use or disclosed to third parties without prior consent. Examples include: for assessment of application for services/membership, for planning service delivery, for provision of information, research and recruitment, for the purposes of sales.

2.2 Purpose Specification

Macro Building Management recognizes the need to hold personal data about individuals for the following purposes:

· Service Provision to individuals in the community and their families

· Information mailings

· Research

· Human Resources

· To accommodate ordering and processing of services to clients of Macro Building Management

At each point of data collection we are clear to individuals about the purposes to which that information is being put. For example, the Macro Building Management online booking form states:

‘Macro Community Resource Centre collects data through the contact and inquiry forms on this site for the purpose of:

· providing information regarding services

· dealing with general inquiries

· completing room bookings

This information is stored on a secure, password protected cloud based system, accessed through password protected devices and is only accessed by staff for the purpose of dealing with your query. It is not saved on this website. Data is stored for two years and is never passed on to a third party without your consent unless there is a legal requirement to do so. Your personal data will not be used for any purpose other than what you provided it for’.

2.3 Use and Disclosure

Use and disclosure of personal data, including health and medical data, is in line with the requirements of the Data Protection Acts, under which personal data must be obtained for a specified purpose, and must not be disclosed to any third party except in a manner compatible with that purpose.

2.3.1 Disclosures to 3rd Parties and Consent for Secondary Uses

I. Individuals are made aware of all disclosures to third parties, and consent is always sought for such disclosures.

II. Disclosures are typically related to the further provision of service (i.e. for the purposes of referral to an outside professional) to an individual and consent for this explicitly sought.

III. Information disclosed to third parties may be in written or verbal form.

IV. If disclosure of personal data to a third party is required which exceeds the terms of the provision within the consent declaration on the service application form, consent will always be sought in such cases.

V. Letters to external agencies containing personal data about an individual (e.g. letters of referral) form part of an individual’s record and are maintained as part of the person’s record.

There are special circumstances under which disclosure of personal data to third parties is allowed. These are provided for under the Data Protection legislation and are:

· As ordered by the Gardaí, or army personnel

· For the purpose of investigating an offence

· To protect the state’s international relations

· To prevent urgent injury or damage to person or property

· Under a court order or other rule of law

· Required for the purposes of obtaining legal advice or for legal proceedings in which the person making the disclosure is a party or a witness

· Made at the request of and with the consent of the subject of the data

In all such cases, full reference will be made to the current legislation via approval by the Macro Building Management CEO.

In these additional circumstances personal information may be released without the consent of persons served under the following conditions:

· For use by any Macro Building Management employee who has a need for the information in the performance of their duties to ensure continuity of care.

· To medical personnel who have a need for the information for the purpose of treating a condition which poses an immediate threat to the health of a person served (e.g. in the case of a seizure, or sudden collapse)

· To recover or collect the costs of medical care from third party health care insurance carriers contracted with by the persons served and required by the health plan to be disclosed.

· To government agencies or entities charged under applicable laws with the protection of public health and safety. In such cases, the information may be released with the consent of the individual whose records are being requested, or upon receipt of a written request from the relevant and appropriate representative of the government entity.

· To relevant government agencies in relation to concerns regarding the health and wellbeing of vulnerable people. (See Macro Building Management Safeguarding Vulnerable Adults Policy ).

· To relevant health care professionals and/or designated next of kin if the person served presents with a significant risk to their own health or wellbeing (e.g. suicide risk).

· To relevant government agencies and/or health care professionals (e.g. An Garda Síochána, Psychiatric services), in situations where the person served is deemed to pose a credible threat to the health/wellbeing of another person (e.g. staff member, another person served, member of the public)

2.4 Security

Personal data is held within a number of secure systems within Macro Building Management, according to application. Personal data for client service provision and research is held within a cloud based storage systems, Microsoft Office 365 (Macro Building Management) and Google Drive (Macro Building Management Productions), and in hard copy client files. All personal data is maintained in a secure manner. The following physical and software safeguards are in place to protect personal data:

2.4.1 Confidential Client Records

I. Hard copies of medical and health data relating to clients are maintained on site in locked cabinets. Access is limited to management and staff providing services directly to clients.

II. Electronic records are held on secure, password protected cloud based systems. Access is granted to management and staff providing services directly to clients.

2.4.2 Human Resource Management System

I. Human Resource paper files are maintained securely in locked cabinets with access controlled and limited to the CEO, relevant service managers and the Board of Directors.

II. Electronic records are maintained securely on a secure, password protected cloud based system.

2.4.3 Network Data

I. All data held on Macro Building Management Networks is maintained behind a secure firewall on password protected PCs and is restricted access only to authorized employees.

2.4.4 Laptop and PC Security

I. All Laptops and PCs for use with client personal data are password protected. No data is stored on hard drives.

2.4.5 Data Transfers Abroad

I. Macro Building Management uses web based systems for hosting personal data which involves transfers of that data to countries outside the EU. To comply with Data Protection Legislation, the countries must be considered as offering an adequate level of protection in accordance with Article 25 of the Data Protection Directive.

II. Macro Building Management uses one country which have been subject to EU approval, the US (under Safe Harbor Principles).

2.4.6 Microsoft Office 365

Full breakdown of data privacy tools and certifications (including EU Safe Harbor agreement) for Microsoft Office 365 (SharePoint) can be found at https://www.microsoft.com/enus/legal/intellectualproperty/copyright/default.aspx

2.4.7 Google Drive

Full breakdown of data privacy tools and certifications (including EU Safe Harbor agreement) for Google Drive (G-Suite) can be found at https://support.google.com/googlecloud/answer/6056694?hl=en.

2.4.8 Dropbox

Full breakdown of data privacy tools and certifications (including EU Safe Harbor agreement) for Dropbox can be found at Dropbox Standards and Regulations Compliance - Dropbox

2.5 Adequate, relevant and not excessive

I. We collect and maintain sufficient information for the declared purpose in order to provide a fair and comprehensive service to each person.

III. We only hold that information which is adequate and relevant to the purpose it serves. If we are in receipt of personal data e.g. in the form of medical records, which is extra to requirement, we ensure that the information is returned to the referring agent or destroyed as appropriate.

IV. Annual reviews are conducted of the information collected to ensure that it is sufficient and not excessive.

V. All records of staff client interactions are maintained in a professional manner and done so with the expectation that the information can be shared with the person served.

2.6 Accurate and up-to-date

Macro Building Management employees who maintain personal data are responsible for correcting and maintaining that information on an ongoing basis. For example:

· Managers and staff are responsible for maintaining the contact information and the personal data held.

· The Administrator is responsible for maintaining the accuracy of client data.

· The CEO and Assistant Manager are responsible for maintaining the accuracy of the HR Management system.

Data is reviewed annually or when change or development to a service renders a review necessary

2.7 Data Retention

I. Personal information (e.g. about a client) processed/kept for any purpose should not be kept longer than is necessary for that purpose.

II. This gives some flexibility and Macro Building Management occasionally needs to make a professional judgement about how long is “necessary”. The minimum period set down for the retention of records is eight years generally, 20 years in the case of persons with mental health challenges or disability. Because litigation may occur sometime after contact has finished, any destruction of material must be considered carefully if it is to be carried out before the minimum time period. Any such actions may need to be justified to others including the client. Consultation is made with relevant professionals (i.e. psychologists, GP’s) if required to gain advice on the recommended duration of retention of records. It is advisable for clinicians within Macro Building Management to follow the following guidelines on retention of notes, records etc.

Retention Schedule

Support and Service Provision to clients: 8 Years following final closure of case, or duration since final contact, whichever most recent. Exception to this is in case of death by suicide, in which case duration is 10 years after death. See appendix 2

Information mailings: Data is retained for as long as mailing list is relevant, then subsequently deleted

Fund-raising and development: Data is retained for as long as mailing list is relevant, then subsequently deleted

Research: Subject to same retention schedule as Client Records (see above and appendix 2)

Human Resources: See appendix 1 HR record retention schedule

2.8 The Right of Access

I. All individuals have the right to access all the personal data held on them by Macro Building Management and to have that information corrected and deleted. Personal data will normally be accessible under the terms of the Data Protection Acts, using the procedure outlined below (see Personal Data Access Procedure).

II. Macro Building Management takes the stance that individuals may need assistance to request access to their own personal data. Macro Building Management will provide advice on the easiest route to achieve this.

2.9 Training & Education

I. This policy is circulated to all new staff as part of their induction process

II. Awareness of Data protection issues is through updates from the Information and Support Manager.

2.10 Co-ordination and Compliance

I. The data protection co-ordinator and compliance person is the CEO (Data Protection Officer)

II. All staff are made aware of this role via email updates

III. All breaches of this policy will be reported to the Data Protection Officer following the Data Loss Notification Procedure below.

IV. A formal review by the co-ordinator of data protection activities within Macro Building Management will take place annually across the organization.

3. Procedures

3.1 Personal Data Access Procedure

I. All requests must be made in writing with the consent of the person served (except for the conditions outlined under section 3 this policy).

II. All requests should be made using the form attached (appendix 3) and sent to:

Aileen Cruise- Macro Building Management CEO

Macro Community Resource Centre,

1 Green Street, Dublin 7

III. Where requests are received in writing not using the standard form, e.g. from solicitors, staff should check the validity of the request before notifying the Data Protection Officer. The request must quote the Data Protection legislation and also include the person served written consent. When in doubt, revert to the requestor with the standard form in appendix 3.

IV. The Data Protection Officer must be notified of all requests for disclosure of personal information.

V. The Data Protection Officer will record the request and notify the Manager(s) connected with the case.

VI. The Manager will coordinate the file duplication and disclosure. VII. The information will be supplied within 40 days.

3.2 Requests made under the Freedom of Information Act (1997 and 2003)

I. Macro Building Management is not prescribed body under the terms of the Freedom of Information Act. However, records that are created in dedicated services subject to contracted service level agreements with HSE are deemed to be held by the HSE and thus, may be subject to come within the scope of the act.

II. “Section 6(9) provides that the records of contractors to public bodies are deemed, insofar as they relate to the contracted service, to be held by the public body concerned.”

III. Macro Building Management’s policy is to comply fully in a timely manner with all Freedom of Information requests made by the HSE under the terms of the service level agreements.

IV. If a request is received by Macro Building Management under the terms of the Freedom of Information Acts, it should be immediately forwarded to the Data Protection Officer for further action and processing.

3.3 Procedure for Data Loss Notification

A breach is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, for an authorized purpose, have access or potential access to personal data in usable form, whether manual or automated. This could mean:

· Loss of a laptop, memory stick or mobile device that contains personal data

· Lack of a secure password on pc’s and applications

· Emailing a list of service users to someone in error

· Giving a system login to an unauthorised person

· Failure of a door lock or some other weakness in physical security which compromises personal data

What happens if a breach occurs?

Actual, suspected, or potential breaches should be reported immediately to the Macro Building Management Data Protection Officer. Any employee who becomes aware of a likely data breach and fails to notify the DPO will be subject to Macro Building Management’s disciplinary procedure. A team comprising the DPO and other relevant staff will be established to assess the breach and determine its severity. Depending on the scale and sensitivity of data lost and the number of Data Subjects impacted, the Office of the Data Protection Commissioner and relevant regulatory bodies will be informed as quickly as possible following detection. In certain circumstances Macro Building Management may (e.g. if required by the Office of the Data Protection Commissioner), inform the data subjects of the loss of their data and provide them with an assessment of the risk to their privacy. Macro Building Management will make recommendations to the data subjects which may minimise the risks to them. Macro Building Management will then implement changes to procedures, technologies or applications to prevent a recurrence of the breach.

When will the Office of the Data Protection Commissioner be informed?

All incidents in which personal data has been put at risk will be reported to the Office of the Data Protection Commissioner. The only exceptions to this policy are when the data subjects have already been informed, where the loss affects fewer than 100 data subjects, and where the loss involves only non-sensitive, nonfinancial personal data. Where devices or equipment containing personal or sensitive personal data are lost or stolen, the Data Protection Commissioner is notified only where the data on such devices is not encrypted. Data Loss Incident logging All data breaches will be recorded in an incident log as required by the Office of the Data Protection Commissioner. The log will maintain a summary record of each incident which has given rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data. The record will include a brief description of the nature of the incident and an explanation of why the Office of the Data Protection Commissioner was not informed (if relevant). Such records will be provided to the Office of the Data Protection Commissioner.

3. Persons responsible for implementation

The Board of Macro Building Management is responsible for approval and oversight of policies.

The CEO is responsible for communicating policy and review to all management and staff.

Managers are responsible for security of data relating to their services.

The DPO is responsible for overall security, reviews, investigating, reporting and addressing breaches.

Staff are responsible for adhering to the policy and maintaining security of the data they access.

4. Definitions

General Data Protection Regulation (GDPR): The GDPR came into effect on 25 May 2018, replacing current Irish and EU data protection legislation. New concepts, such as ‘data protection by design and default’, are legislated for. This means that Privacy Impact Assessments should be used to embed data privacy directly into the design of projects at an early stage Data Protection Officer

(DPO): A Data Protection Officer is a designated person appointed by an organisation to advice on data protection practices. The DPO for Macro Building Management Ireland is the CEO.

Personal Health Information: Personal data relating to the physical or mental health of an individual; including its use for the provision or registration of health and social care services, which reveal information about a person’s physical or mental health status. May also be referred to in this policy as Medical/Health Information.

Personal Data: "personal data" shall mean any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.