Data Protection

Under the Data Protection Acts, 1988 and 2003, Government Departments, Offices and Agencies, as data controllers, have a legal responsibility to:

  • Obtain and process personal data fairly;
  • Keep it only for one or more specified and explicit lawful purposes;
  • Process it only in ways compatible with the purpose for which it was given initially;
  • Keep personal data safe and secure;
  • Keep data accurate, relevant and not excessive;
  • Retain it no longer than is necessary for the specified purpose or purposes; and,
  • Provide a copy of his/her personal data to any individual, on request.

The purpose of these guidelines is to assist the Department, Offices and Agencies in implementing systems and procedures that will ensure, as much as possible, that personal data in their possession is kept safe and secure and to help the Department, Offices and Agencies meet their legal responsibilities as set out above. This document can be expanded upon by the Department’s Offices and Agencies to create detailed policies and procedures which reflect their specific business requirements.

Any queries in relation to the content of this document should be forwarded via email to ronnie.breen@djei.ie.

1. About this Policy

This Department of Jobs, Enterprise and Innovation Data Protection Policy outlines the general principles to be applied to the collection, use, retention, and disclosure of Personal Information of the Department and its Offices’ employees, external appointees to Boards and Committees, and clients, whose information is considered personal under the Data Protection Acts 1988 and 2003.

This Policy also serves as guidance to the Department and its Offices in the development of specific operating policies and business practice guidelines which it is intended will apply within the organisation. Definitions of words/phrases used in relation to the protection of personal data and referred to in the text of this Policy are outlined in Appendix 1 and again referred to in FAQ.

The Department of Jobs, Enterprise and Innovation is registered with the Office of the Data Protection Commissioner as required by legislation.

  • The Department’s Registration No. is 9072/A,
  • Registration No. 0723/A – refers to the Employment Appeals Tribunal
  • The Labour Court, LRC, ODCE, NCA, Equality Tribunal and Nera look after their own Registration with the DPC.

2. Scope

The intent of this Policy is to ensure compliance with Data Protection legislation and establish a common foundation for the processing and protection of Personal Information by the Department of Jobs, Enterprise and Innovation, its Offices & Agencies. This Policy operates in conjunction with the Department’s ICT Information Security Policy.

The Policy refers to all processing of personal data/information in an electronic format (including electronic mail and documents created with word processing software) and information held in paper files that reference individuals. 

DJEI will make its employees aware of this Policy and require them to comply with the Policy. DJEI will provide staff with appropriate training with respect to this Policy. Staff who violate the Policy may be subject to disciplinary action.

In addition, DJEI, where necessary, will make third parties who process Personal Information for and on behalf of the Department, and its Offices aware of this Policy. Agreement to comply with this Policy will be obtained from third parties, whether companies or individuals, who have access to Personal Information prior to the Department and its Offices granting such access.

3. Principles of data protection

The eight principles of data protection (as per the website of the Office of the Data Protection Commissioner) are as follows:

  1. You must obtain and process information fairly
  2. Keep it only for one or more specified, explicit and lawful purposes
  3. Use and disclose it only in ways compatible with these purposes
  4. Keep it safe and secure
  5. Keep it accurate, complete and up-to-date
  6. Ensure that it is adequate, relevant and not excessive
  7. Retain it for no longer than is necessary for the purpose or purposes for which it was collected
  8. Give a copy of his/her personal data to that individual on request 

4. Guidelines regarding the practical application of the eight principles of data protection

The Department and its Offices will obtain Personal Information only by lawful and fair means and with the knowledge and consent of the individual concerned. Examples include personal information provided by staff on commencement of employment, personal information provided by external appointees to Board/Committees and personal information provided by clients when applying for grants/support/participation on programmes.

The following guidelines outline practical application of the eight principles of data protection:

Obtain and Process data fairly

The Department and its Offices will collect and process (or use) personal data fairly.

Forms (either electronic or paper) requesting personal data issued from DJEI or its Offices will state what the data will be used for and who will have access to the data.

Secondary or future uses for the data, which might not be obvious to individuals, will be brought to their attention at the time of obtaining personal data. Individuals will be given the option of saying whether or not they wish their data to be used in these other ways.

If the Department and its Offices has data about people and wishes to use it for a new purpose (which was not disclosed and perhaps not even contemplated at the time the data was collected), individuals will be given an option, except in exceptional circumstances where DJEI and/or its Offices are obliged by law to disclose data or is permitted by law to use the data in this manner without the consent of the individual.

Keep the data only for one or more specified, explicit and lawful purposes

The Department and its Offices cannot keep data about people unless it is held for a specific, lawful and clearly stated purpose. It is therefore unlawful to collect data about people routinely and indiscriminately, without having a sound, clear and legitimate purpose for so doing.

Personal data obtained and processed in the context of administrative work will state clearly what these data items are; the purpose for collecting it; and that it is obtained and processed in compliance with the Data Protection Acts.

Personal Information for which the Department and its Offices are responsible may be stored in a number of different places, such as on servers, desktop PCs, laptops, hard copy printouts and other paper documentation.

Use and disclose only in ways compatible with the purpose(s) for which data were initially given

The Department and its Offices will process, store and disclose Personal Information only for business purposes or for purposes in connection with the employment or engagement of individuals by DJEI.

The Department and its Offices’ employees also have responsibility with regard to the processing of Personal Information when performing services for and on behalf of DJEI. This might include, for example, DJEI employees processing information about other employees as part of a Human Resources/Payroll function; the processing by DJEI employees of information about DJEI and its Offices’ Board/Committee Members; and the processing by DJEI employees of personal information about individual clients. All DJEI staff shall ensure that they use, access and process such Personal Information only for purposes connected with their work.

Personal Information retained by the Department will be retained only for as long as is necessary for the purpose for which it was collected or as required by law.

Personal data obtained for a particular purpose, may not be used for any other purpose and the Department and Offices may not divulge the personal data to a third party, except in ways that are “compatible” with the specified purpose. Staff must follow the procedures set out in Section 4 of the Department’s Data Protection Policy when dealing with enquiries for access to personal data.

Transfers of personal data to agents who are carrying out operations upon the data on behalf of DJEI and/or its Offices and retaining it for their own purposes, does not constitute “disclosures” of data for the purposes of the Act. Examples of such transfers would include the transfer of staff data to a separate pension company for pension administration purposes. Such data transfers are covered by a contract Data Processing Agreement.

The restriction on processing of personal data (including disclosure to a third party) is lifted in a limited number of circumstances, specified in Section 8 of the Data Protection Acts as follows:

  • Required for the purpose of safeguarding the security of the State
  • Required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid
  • Required in the interests of protecting the international relations of the State
  • Required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property
  • Required by or under any enactment or by a rule of law or order of a court
  • Required of, legal proceedings in which the person making the disclosure is a party or a witness.

Keep data safe and secure

High standards of physical and technical security are essential to protect the confidentiality of personal data. The Department has established technical and organisational safeguards to reasonably and appropriately protect Personal Information from unauthorised use, disclosure, destruction and alteration. DJEI will continually monitor and amend these safeguards to ensure an appropriate level of protection is in place to secure Personal Information relative to the risks.

The safeguards established by the Department’s ICT Information Security Policy (e.g. password protected encryption protocols) will be the means by which personal information on PCs, mobiles etc. is protected by the Organisation.

Key standards in place in DJEI are:

  • Premises are kept secure, especially when unoccupied.
  • Access to information is restricted to authorised staff in accordance with Data Protection Policy and ICT’s Information Security Policy and local staff security protocols such as HR and Grant payments.
  • Appropriate facilities are in place for disposal of confidential waste.
  • Computer systems are password protected.
  • Personal data is protected by strong encryption when being stored on portable devices or transferred electronically (including via email outside the Department’s and its Offices’ addresses).
  • Information on computer screens and paper files is kept secure from callers to offices.
  • Appropriate data protection and confidentiality clauses are in place in arrangements with any processors of personal data on the Department’s behalf. Where third parties are used to process data this is covered by contract.

All staff are required to meet these standards and managers must carry out periodic reviews of measures and procedures.

Keep data accurate, complete and, where necessary, up-to-date

The Department seeks to ensure that personal data held is accurate, complete and up to date.

The relevant Manager of the Department and its Offices, which hold or process Personal Information, must identify the Personal Information held and ensure adequate procedures are put in place to ensure such information is accurate, complete, current and not excessive for purpose. The manager must assess the risk to data managed and controlled by them and ensure systems and procedures are in place to eliminate these risks.

The Data Protection Officer will on an ongoing basis work with individual Departments, to assess the adequacy of the control systems in place for the purpose of minimising the risk of any breach of data protection regulations.

Every individual has a right to have any inaccurate data rectified or erased.

Ensure that data are adequate, relevant and not excessive in relation to the purpose for which they were collected

Personal data held by the Department and its Offices should be adequate to enable the organisation to achieve its purpose. DJEI will not collect or keep personal information that is not required for a specific purpose, or ask intrusive or personal questions, if the information obtained in this way has no bearing on the specified purpose for which the personal data is held.

DJEI will adopt appropriate processing measures (including additional security protections and fair obtaining measures) for particular types of Personal Information defined by law as Sensitive Personal Data (for example security surrounding use and access to personnel files).

Forms used to collect personal data (in either manual or electronic form) will state what the data will be used for, who will have access to the data and that the data will be processed in accordance with the Data Protection Acts.

Retain data for no longer than is necessary for the specified purpose or purposes

This requirement places a responsibility on data controllers to be clear about the length of time for which data will be kept and the reason why the data is being retained. Data should never be kept “just in case” a use can be found for it in the future.

The Department and its Offices will prepare a “retention schedule” for records which will state how long data will be retained and the reasons for retaining data. The Data Protection Officer will liaise with individual departments/Sections/Units to ensure this schedule is prepared and maintained.

Destruction of data will be carried out in a secure manner, e.g. with appropriate complete tracking records retained within Sections/Units for inspection if required. Another example is “Certificates of Destruction” for ICT equipment that is either sold on and/or destroyed.

Give a copy of his/her personal data to an individual on request and in some cases correct the data, block or erase the data where an individual requests

Individuals, including employees, have the right to request a copy of the Personal Information held by the Department and its Offices. The Department and its Offices may charge a fee for this, which will not exceed €6.35. Individuals/employees also have the right to access their Personal Information and the right to have any inaccuracies in the details held about them corrected or erased, by means of a request in writing to the Data Protection Officer, DJEI, Kildare St., Dublin 2.

5. Breach of the Data Protection Act

In the event of a breach of the Data Protection Act, i.e. when the security of Personal Information held by the Department and its Offices has been compromised, the Personal Data Security Breach Code of Practice, as issued by the Data Protection Commissioner, will be followed – see Appendix 2.

Further Information

For further information on Data Protection in DJEI contact: 

Michael O'Leary
Data Protection Officer,
DJEI, 23 Kildare St, Dublin 2, D02 TD30.
Tel: 01 631 2880 

Ronnie Breen
Data Protection Unit
DJEI, 23 Kildare St, Dublin 2, D02 TD30.
Tel: 01 631 2485

Geraldine Fitzpatrick
Data Protection Unit
DJEI, 23 Kildare St, Dublin 2, D02 TD30.
Tel: 01 631 2375

Appendix 1 - Definitions

  • The Data Protection Acts – The Data Protection Acts 1988 and 2003 confer rights on individuals as well as responsibilities on those persons handling, processing, managing and controlling personal data. All Department staff must comply with the provisions of the Data Protection Acts when collecting and storing personal data. This applies to personal data relating both to employees of and individuals who interact with the Department and its Offices.
  • Data – Information in a form that can be processed. It includes automated or electronic data (any information on computer or information recorded with the intention of putting it on computer) and manual data (information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system).
  • Personal Information / Data – Information or data relating to a living individual who is or can be identified either from the information or from the information in conjunction with other information that is in, or likely to come into, the possession of the Data Controller. An identifiable person is a person who can be identified, directly or indirectly, by reference to an identification number or other factors specific to his or her physical, physiological, mental, economic, financial, cultural or social identity.
  • Data Controller – The natural or legal person or entity which alone or with others controls the contents and use of and/or the manner in which any Personal Information or data is, or is to be, processed/used.
  • Data Processor – A person who processes personal data on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of his/her employment.

Appendix 2 - Personal Data Security Breach Code of Practice

{As per Data Protection Commissioner under Section 13 (2) (b) of the Data Protection Acts, 1988 and 2003} 

  1. The Data Protection Acts 1988 and 2003 impose obligations on data controllers to process personal data entrusted to them in a manner that respects the rights of data subjects to have their data processed fairly (Section 2(1)). Data controllers are under a specific obligation to take appropriate measures to protect the security of such data (Section 2(1) (d)).
  2. The Code of Practice addresses situations where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration. The focus of the Office of the Data Protection Commissioner in such cases is on the rights of the affected data subjects in relation to the processing of their personal data.
  3. Where an incident gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data, in manual or electronic form, the data controller must give immediate consideration to informing those affected. Such information permits data subjects to consider the consequences for each of them individually and to take appropriate measures. In appropriate cases, data controllers should also notify organisations that may be in a position to assist in protecting data subjects including, where relevant, An Garda Síochána, financial institutions etc.
  4. If the data concerned is protected by technological measures such as to make it unintelligible to any person who is not authorised to access it, the data controller may conclude that there is no risk to the data and therefore no need to inform data subjects. Such a conclusion would only be justified where the technological measures (such as encryption) were of a high standard.
  5. All incidents of loss of control of personal data in manual or electronic form by a data processor must be reported to the relevant data controller as soon as the data processor becomes aware of the incident.
  6. All incidents in which personal data has been put at risk should be reported to the Office of the Data Protection Commissioner as soon as the data controller becomes aware of the incident, except when the full extent and consequences of the incident has been reported without delay directly to the affected data subject(s) and it affects no more than 100 data subjects and it does not include sensitive personal data or personal data of a financial nature. In case of doubt – in particular any doubt related to the adequacy of technological risk-mitigation measures – the data controller should report the incident to the Office of the Data Protection Commissioner.
  7. Data controllers reporting to the Office of the Data Protection Commissioner in accordance with this Code should make initial contact with the Office within two working days of becoming aware of the incident, outlining the circumstances surrounding the incident. This initial contact may be by e-mail (preferably), telephone or fax and must not involve the communication of personal data. The Office of the Data Protection Commissioner will make a determination regarding the need for a detailed report and/or subsequent investigation based on the nature of the incident and the presence or otherwise of appropriate physical or technological security measures to protect the data.
  8. Should the Office of the Data Protection Commissioner request a data controller to provide a detailed written report of the incident, the Office will specify a timeframe for the delivery of the report based on the nature of the incident and the information required. Such a report should reflect careful consideration of the following elements:
    • The amount and nature of the personal data that has been compromised;
    • The action being taken to secure and / or recover the personal data that has been compromised;
    • The action being taken to inform those affected by the incident or reasons for the decision not to do so;
    • The action being taken to limit damage or distress to those affected by the incident;
    • A chronology of the events leading up to the loss of control of the personal data; and
    • The measures being taken to prevent repetition of the incident.
  9. Depending on the nature of the incident, the Office of the Data Protection Commissioner may investigate the circumstances surrounding the personal data security breach. Investigations may include on-site examination of systems and procedures and could lead to a recommendation to inform data subjects about a security breach incident where a data controller has not already done so. If necessary, the Commissioner may use his enforcement powers to compel appropriate action to protect the interests of data subjects.
  10. Even where there is no notification of the Office of the Data Protection Commissioner, the data controller should keep a summary record of each incident which has given rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data. The record should include a brief description of the nature of the incident and an explanation of why the data controller did not consider it necessary to inform the Office of the Data Protection Commissioner. Such records should be provided to the Office of the Data Protection Commissioner upon request.
  11. This Code of Practice applies to all categories of data controllers and data processors to which the Data Protection Acts 1988 and 2003 apply.
