What We Do With Your Personal Data
Introduction: What is GDPR?
GDPR is the European Union General Data Protection Regulation. It comes into effect from 25 May 2018. It sets out a series of new EU laws concerning how data can be processed and used by organisations. The objective of the Regulation is to strengthen and standardise data protection laws for all EU citizens. This Regulation will apply to any organisation that collects and stores personal data (a Data Controller) and also any other organisation working on the instructions of the Data Controller (a Data Processor). Those responsible for adhering to this Regulation include employees of the relevant organisation, including contractors, consultants, agents and third parties who have access to data either directly or indirectly.
GDPR very significantly increases the obligations and responsibilities for organisations in how they collect, use and protect personal data. At the centre of the new law is the requirement for organisations to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities. Further information on GDPR and the steps to take in ensuring compliance is available on the website of the Data Protection Commission (DPC) at GDPRandYou.ie or dataprotection.ie.
Data Privacy Summary
The Department of Employment Affairs and Social Protection takes your privacy seriously. It is important that you know what we do with personal information that you and others provide to us, why we gather it and what it means to you. This document is being provided to you in line with our obligations under the General Data Protection Regulation (GDPR). From 25 May 2018, the GDPR, together with applicable Irish requirements, will amend existing data protection law and place enhanced accountability and transparency obligations on all organisations using your information. The GDPR will also introduce changes which will give you greater control over your personal information. Please take time to read this notice carefully. If you have any questions about how we use your information, please contact our Data Protection Officer at the details below.
Section 1: Who We Are
1.1 The Data Controller
The Department of Employment Affairs and Social Protection (DEASP) is the Data Controller for all personal data collected for the purpose of its business. The Department decides what personal data we need to collect from you to allow us to operate our schemes and services. Our data processes are then documented and issued to relevant staff. Each week, some 1.4 million people receive a social welfare payment. In the region of 625,000 families receive child benefit payments in respect of 1.2 million children each month. There are some 6,500 staff directly employed in the Department. Operational guidelines for all our schemes are available on our website www.welfare.ie.
You can contact the Department in any of the following ways:
- By e-mail: firstname.lastname@example.org
- By phone: 071 9193302 or 1890 66 22 44 (LoCall)
- By post: The Department of Employment Affairs and Social Protection, Aras Mhic Dhiarmada, Store Street, Dublin 1.
1.2 The Data Protection Officer
If you are concerned about what we do with your personal data, contact our Data Protection Officer (DPO). You can contact our DPO in any of the following ways:
- By e-mail: email@example.com
- By post: Data Protection Officer, Department of Employment Affairs and Social Protection, Goldsmith House, Pearse Street, Dublin 2.
Section 2: When We Collect Your Information
We collect information about you for a range of reasons and from a number of sources, as well as from yourself. The common situations where we collect personal data are as follows:-
2.1 When you apply for a Personal Public Service Number (PPSN);
2.2 In order to validate and authenticate your identity, which involves a process called Standard Authentication Framework Environment (SAFE) registration, and to provide a Public Services Card (PSC) as a token of the SAFE registration.
2.3 When you start work – we collect data on your social insurance contributions and receive information on your income from the Revenue Commissioners and from your employer’s end-of-year returns;
2.4 When you make a claim for any of our schemes or services, either in person or online;
2.5 When you are in receipt of a payment and notify us of a change in your circumstances;
2.6 When we undertake a review of any claim;
2.7 When you have a child – with the child also being registered for a PPSN;
2.8 We would also receive information from other Government Departments, for example in relation to childcare applications from the Department of Children and from certain State agencies – such as from SUSI in relation to grant applications for third level colleges;
2.9 The Department also has a range of contractors which would collect information from you for the Department. These are all covered by legal contracts and would include Branch Offices, Local Employment Services, Jobs Clubs and Job Path providers;
2.10 We may also collect data from TDs or Councillors acting on your behalf, or from other people, approved by you to act on your behalf.
Section 3: What Types of Personal Data do we collect
3.1 It is the Department’s policy to only collect the information that is required for the immediate purpose, such as those outlined in section 5 below.
3.2 Personal data we collect can include the following:
- your name,
- your address,
- your date of birth,
- your Personal Public Service Number (PPSN),
- your marital status,
- your family status,
- your phone number,
- your email address and
- certain financial information.
3.3 At times, we also need to collect personal data, such as health data and data such as photographs used for the purpose of identification. This may also include information concerning trade union membership. We acknowledge that we can also collect, indirectly, data in relation to the religious beliefs and sexual orientation of our customers.
Section 4: The Legal Basis for Processing
4.1 The Department has a number of Acts under which personal data may be legally processed. Our main legislation is included in the Social Welfare Consolidation Act, 2005, as amended. However, we have a number of other pieces of primary and secondary legislation which allow us to process personal data. Should you wish to know more about these, please see the list which is included as an appendix to this document.
4.2 The Department is also entitled to process personal data under other legislative provisions that provide the basis for all Government Departments to administer the range of services and supports as set out by successive Government decisions.
Section 5: The Categories of processing Undertaken by this Department
We process personal data for the following purposes:
5.1 To provide personal public service numbers (PPSNs)
5.2 To undertake SAFE registrations in order to validate and authenticate identity and to provide Public Services Cards (PSCs)
5.3 To collect your social insurance contributions which you use to qualify for certain schemes and payments – for example State Pension
5.4 To check if you qualify for one of our working age or illness related schemes and if so, to pay the relevant amount to you
5.5 To process applications for any of the range of supports that we provide and for related services
5.6 To provide services and supports to employers
5.7 To provide supports for people who lose their jobs due to redundancy or the insolvency of an employer
5.8 To handle contracts with external service providers
5.9 To deal with customer service queries or complaints
5.10 For internal human resources functions
In certain situations, data may also be shared with other organisations, in accordance with legislation and as outlined in Section 5 below. In all cases, data sharing arrangements will be in place.
Note: The Department undertakes to ensure that Data Protection Impact Assessments are conducted before any new data process is started and to update this document accordingly. In line with the GDPR, the Department undertakes to consult with its Data Protection Officer and, if necessary, with the Office of the Data Protection Commission before commencing any new data processing activities.
Section 6: Where do we store your personal data?
6.1 Electronic Storage of Your Personal Data
The majority of personal data stored by the Department is stored electronically on our internal ICT systems. These systems are fully protected by anti-virus and anti-malware software. Electronic data includes scanned copies of application forms, evidence of identity, contact information, financial information, family details, educational and training achievements, copies of electronic correspondence, social insurance contributions, employment history and claim history.
Access to personal data is restricted to those staff members who need the information to carry out their official duties. Access is controlled by every staff member having a unique login username and password, with usernames being linked to the minimum permissions necessary to allow the staff member to work in a secure environment and to only access the personal data that they need for their jobs.
6.2 Storage of Hard Copy (Paper) Files
Where the Department holds paper records containing your personal data, these are stored on individual files which are secured on our premises and where only our staff can access them.
This is achieved through physical security, where access to a Department office is by a swipe card or access card and where visitors are screened, signed in and accompanied by a member of staff, so that they cannot access any personal data stored by the Department.
In addition, our staff members are not allowed to deal with claims from relatives and close friends.
Section 7: Sharing Personal Data
7.1 Categories of Recipients with Whom We May Share Your Personal Data
The Department is allowed to share your data with a range of organisations, but only where legally enforceable data sharing agreements are in place. In addition, the Social Welfare Consolidation Act allows that the Department can share a person’s public service identity* details with a range of organisations that are listed in schedule 5 of that Act.
In general, the types of organisations that the Department would normally share information with are as follows:-
- 7.1.1 Government Departments, including the Revenue Commissioners and the Department of Education and Skills, to provide for a range of shared services, supports and statistical information;
- 7.1.2 Other public sector bodies or agencies which provide services or supports to customers such as Túsla, Pobal, SUSI, Education & Training Boards etc;
- 7.1.3 Community organisations providing activation supports, work placement schemes or training and education courses (such as Tús schemes, Community Employment Schemes, local training initiatives etc);
- 7.1.4 Private contractors providing key services and supports to customers, including Branch Managers, Local Employment Service companies, Jobs Clubs and JobPath providers;
- 7.1.5 Regulators or supervisory authorities;
- 7.1.6 Public representatives who make representations on behalf of constituents;
- 7.1.7 IT consultants and general contractors hired by the Department, where they may be working on enhancing DEASP data handling systems & processes.
*Public Service Identity information includes your name, date & place of birth, contact information and nationality – used to confirm identity for services that are being provided
7.2 Will Your Personal Data be Transferred out of The European Economic Area?
No, your personal data will generally not be stored outside the European Union or the European Economic Area or EEA (EU 27, plus Iceland, Norway, and Liechtenstein). Where we do share information outside the EEA or if there are exceptional arrangements for storage of your data outside the EEA, we will always take steps to ensure that any transfer of information outside of the EEA is carefully managed to protect your privacy rights under the GDPR. This is provided for under EU Social Security Regulations.
7.3 Are We Allowed To Transfer Your Data Outside of The EU And EEA?
We may transfer information about you to a country or international organisation outside the EEA. We will always take steps to ensure that any transfer of information is carefully managed to protect your privacy rights in accordance with Data Protection law.
7.4 Are There Any Other Appropriate and Suitable Safeguards?
Personal data may only be transferred if appropriate safeguards are provided and on the condition that enforceable data subject rights and effective legal remedies are available. Appropriate safeguards may include:
- 7.4.1 Legally binding and enforceable instruments between public authorities/bodies;
- 7.4.2 Binding corporate rules;
- 7.4.3 Standard data protection clauses adopted by a Supervisory Authority and approved or adopted by the EU Commission;
- 7.4.4 Standard contractual clauses between controller/processor and recipient in the third country or international organisation.
Section 8: How long will we keep your Personal Data?
8.1 We will keep information relating to you for only as long as required to provide you with access to supports and services. DEASP has an overall policy that states that certain personal data will be kept at least for the lifetime of a customer. There are a number of reasons for this.
8.2 The main reasons are that we need to keep your social insurance contribution data to figure out what benefits you might be entitled to in the future, for example, the State Pension. Some of these entitlements may even pass to your dependents! Also, we must keep any past claims information in case there might be future appeals where we may need to refer to the original documents (or scanned copies of these). In addition, original documentation, including photographic images underpinning identity authentication (SAFE registration), is retained for the purpose of internal audit requirements or instances where an offence may be subsequently investigated or prosecuted under either Social Welfare or Criminal Justice legislation.
We must also adhere to the rules of the National Archives’ Office for disposal of records and various other administrative and legal requirements.
8.3 However, the GDPR states that we cannot store any information for longer than is required and therefore each business area is also responsible for the data that it collects, for business reasons, which doesn’t need to be retained indefinitely.
8.4 It would normally be the case that such data is deleted after 7 years, in accordance with the national archives rules that apply to the business area, but each area will consider the issues affecting the storage of personal data.
8.5 Where data is captured and required for specific reasons and does not need to be retained beyond a set timeframe, then this data will be deleted as soon as its purpose has been served. An example of this is where the Department may generate customer lists for invitations to jobs fairs. These lists would then be deleted once the event that they were prepared for has concluded.
Section 9: Additional processing of Personal Data?
9.1 Will Your Personal Data Collected Be Used For Any Other Purposes?
As mentioned earlier, we are allowed by law to collect and process personal data for a range of reasons. We are also allowed to collect your data for a specific reason and use it for another related purpose. This is because the Department provides a wide range of related services and it would be impractical for us to keep asking you for the same information over and over again. Again, the Social Welfare Consolidation Act allows us to collect information for a specific purpose and use it for related purposes – for other schemes and supports offered by the Department in the area of Social Protection, or for statistical purposes.
9.2 An example of this is that information may be supplied by a customer for a Jobseekers claim, but this information may be used to later provide education or training supports. In this way, we will be better able to help this customer to find another job.
9.3 Another example is that information may be provided by a customer for a State Pension, and this information might be used to allow the customer to receive a free-travel pass or a household benefits package.
Section 10: Your rights as a Data Subject
All our customers (data subjects) have certain rights under EU (General Data Protection Regulation or GDPR) and Irish data protection legislation:
10.1 The Right to Access to Your Personal Data (The Information That We Have On You)
You are entitled to ask us for copies of any of your personal data that we have collected and stored. Such requests can be submitted in writing or by e-mail to the Data Protection Officer at the address listed at 1.2 above. You will understand that we may need to verify your identity before we deal with any request for copies of your personal data. Under the GDPR, we normally have 30 days in which to process these requests.
10.2 The Right to the Correction of Incorrect Personal Data Held By The Department And The Right To Object To The Processing Of Data Which May Be Incorrect
We always try to make sure that the information we have about you is accurate and up-to-date. Sometimes we may ask you to verify this information. If your information changes or you believe that we have information which is not up-to-date, please let us know. You are entitled to ask the Department to update any incorrect personal data that we may have in relation to you. We are always happy to do so, once we again verify your identity. We cannot allow anyone else but yourself to update your personal data, unless you have a fully authorised personal representative.
10.3 The Right to The Erasure of Personal Data
As mentioned, the Department has an overall data retention policy that states that some customer data may be retained indefinitely, for various reasons. Where data is held or required for the ongoing administration of social security, then this data will not be subject to erasure, even if requested by the data subject. However, each business area should only retain data for as long as is required for the purpose for which the data was collected. You have the right to seek that the Department deletes any information which is not required, for ongoing business reasons, to be retained indefinitely.
10.4 The Right to Object To Automated Decision Making By the Department
The GDPR gives you the right to object to automated decision making by DEASP computer systems, where there is a legal or significant impact on you as a customer. An automated decision is a decision which is made entirely by a computer system, without the intervention of one of our officers.
We do use a number of automated processes, but in all cases, the automated decision is limited to successful awards. You will only receive an automated notification if you have been successful in your claim. This means, where a computer system indicates that you may not qualify for a payment, the computer will refer your application to one of our officers for checking and if you have been unsuccessful, it is that officer who will correspond with you, not the machine.
In this way, there is no situation in the Department where a customer will be refused payment by a machine, or computer system. In addition, customers always have the right to appeal against a decision made by the Department.
10.5 The Right to Data Portability (The Right to Receive Your Data From One Controller To Send It To Another)
Data subjects (customers) have the right to request their data from one controller, so that it can be given to another controller (company). This right is relevant to organisations such as utilities, financial institutions or even social media sites with which you have a contract and where you may wish to seek to change provider or possibly get a better deal.
This right says that you can get your personal data in a structured, commonly used, machine-readable format to pass on to another organisation. In the event of any customer asking for their rights under data portability, the Department may have to ask for what specific data is required but we will try to provide the information as quickly as possible.
10.6 The Right to Be Notified of a Data Breach
We are also obliged to let you, as a customer, know when your personal data may have been lost, destroyed or given to a person or organisation who shouldn’t have received it.
The Department of Employment Affairs and Social Protection (DEASP) has a range of security measures in place to protect your personal data. It would be very rare that one person’s personal data would accidentally be sent to another person or where any of the personal data stored by DEASP would be lost or stolen.
However, in the unlikely event that a data breach happens, the Department will write out to you to confirm what happened and which of your data was affected. We will also inform the Office of the Data Protection Commissioner, should they wish to undertake an investigation.
10.7 How to Get In Touch With Us?
If you have any queries about this policy, please contact the Data Protection Officer (DPO). The DPO for the Department can always be contacted at DPO@welfare.ie
The Department works hard to handle your data responsibly and we take our data protection responsibilities seriously. If you are unhappy about the way that we do this, please contact the DPO. We hope that the DPO will be able to address any concerns that you have.
However, you also have the right to complain to the Office of the Data Protection Commissioner (ODPC). The ODPC can be contacted:-
- By post to: Canal House, Station Road, Portarlington, R32 AP23, Co. Laois.
- By e-mail: firstname.lastname@example.org
- By phone: 0761 104 800 or lo call number 1890 252 231
10.8 How Can You Exercise Your Rights?
We must allow you to use the rights outlined above. You can make a request under any of these rights by contacting the Department’s DPO at this address:
- By e-mail: email@example.com
- By post: Data Protection Officer, Department of Employment Affairs and Social Protection, Goldsmith House, Pearse Street, Dublin 2.
We may need you to confirm your identity first, as we cannot give your personal data to others. Once we have verified your identity, we will seek to get the information that you have requested as soon as possible. However, we are committed to updating you on our progress within 30 days.
For complex requests or where there are large numbers of requests, we can extend our time to respond to you by a further 60 days (two months), but we must tell you we are going to do this within the first 30 days, together with the reason for the delay. If we are not going to respond to your request we must tell you this within 30 days. We must remind you that you have the option of complaining to the ODPC.
If you make an electronic request, we must respond to you electronically, unless you prefer otherwise.
Anything we do in response to your request and any information we give you must be free. If you make excessive requests (e.g. make the same one repeatedly) or your requests have no basis in fact, we may either charge you a fee or refuse to act on them. We will not charge you a fee where you have made a mistake, such as the wrong location, but will not act on your request.
Due to the size of the organisation, we may ask you to clarify your request. You can help us to fulfil your request about personal data by being as specific as possible, particularly about your dealings or contacts with us.
Section 11: Further information - Operational Guidelines
If you would like any more information on how an area of the Department works and what is required to make a decision on a claim or service, then please go to our website at www.welfare.ie. Information on each of our schemes includes operational guidelines.
APPENDIX 1 – List Of Primary And Secondary Legislation Under Which We Have the Authority to Collect Personal Data
Primary legislation (all as amended)
Social Welfare Consolidation Act, 2005
Comhairle Act, 2000
Protection of Employees (Employers’ Insolvency) Act 1984
Civil Registration Acts 2004 – 2014
Pensions Act, 1990
Gender Recognition Act, 2015
Citizens Information Acts 2000 - 2007
Redundancy Payments Act, 1967
Key secondary legislation (statutory instruments)
S.I. No. 142 of 2007 - Social Welfare (Consolidated Claims, Payments and Control) Regulations 2007.
S.I. No. 412 of 2007 - Social Welfare (Consolidated Supplementary Welfare Allowance) Regulations 2007.
S.I. No. 102 of 2007 - Social Welfare (Consolidated Occupational Injuries) Regulations 2007.
S.I. No. 312 of 1996 - Social Welfare (Consolidated Contributions and Insurability) Regulations 1996.
S.I. No. 108 of 1998 – Social Welfare (Appeals) Regulations 1998.
S.I. No. 188 of 1998 - Social Welfare (Rent Allowance) Regulations 1998.