
Bord Iascaigh Mhara Data Protection Policy: Sinead O'Brien

This document outlines BIM's data protection policy and procedures. It defines key terms like personal data, data processing, and data subject. It explains BIM's responsibilities under Irish data protection acts, including registering with the Data Protection Commissioner. Non-compliance can result in fines up to €100,000. The main part describes the eight fundamental rules of data protection as they apply to BIM's operations, such as obtaining consent when collecting personal data, specifying the purpose of data use, ensuring data security, keeping data accurate, limiting retention periods, and providing access rights.


2014

Version 01.1

Sinead O'Brien

BORD IASCAIGH MHARA


DATA PROTECTION POLICY
Introduction
This policy is intended as a guide to BIM staff with control over the contents and use of personal
data. It outlines the eight fundamental rules of data protection and how they apply to the
organisation.

The policy undergoes regular review and audit to ensure compliance with current legislation,
organisation growth and development.

Each subsequent review of policy will be reflected in the incremental version number of the
document.

Purpose
The purpose of this Data Protection Policy is to make staff aware of BIM’s data protection
responsibilities, in particular, to process personal data fairly.

On reading the policy staff should have a clear understanding of the eight fundamental data
protection rules and how to apply them to the organisation.

If staff cannot find a particular piece of information, or have difficulty understanding any information
then they should contact the Data Protection Officer.

Officer’s name: Sinead O’Brien

Email: [email protected]

Extension: 246

Version 01.1 28 July 2014 Page 1


Useful Data Protection Definitions

What is data protection?


Data protection is the means by which the privacy rights of individuals are safeguarded in relation to
the processing of their personal data. The Data Protection Acts 1988 and 2003 (the Acts) confer
rights on individuals, as well as placing responsibilities on those persons processing personal data, in
this case BIM.

What constitutes ‘personal data’?


Personal data means data relating to a living individual who is or can be identified either from the
data or from the data in conjunction with other information that is in, or is likely to come into, the
possession of the data controller.

In BIM a living individual is generally:

• BIM personnel,
• Clients or customers not registered as a company and
• Sole traders.

Data means information in a form which can be processed. It includes both:

1. automated data - broadly speaking, any information on computer, or information recorded
with the intention of putting it on computer, and

2. manual data - information that is kept as part of a relevant filing system, or with the
intention that it should form part of a relevant filing system.

A relevant filing system means any set of information that, while not computerised, is
structured by reference to individuals, or by reference to criteria relating to individuals, so
that specific information is accessible.

A Data Subject is an individual who is the subject of personal data.

What does ‘processing’ mean?


Processing means performing any operation or set of operations on data, including:

• obtaining, recording or keeping data,
• collecting, organising, storing, altering or adapting the data,
• retrieving, consulting or using the data,
• disclosing the information or data by transmitting, disseminating or otherwise making it
available,
• aligning, combining, blocking, erasing or destroying the data.



What are BIM’s responsibilities under The Acts?
In order to carry out the day to day functions of the organisation it is necessary for BIM staff to keep
and use personal information, on computer or in structured manual files.

This information includes but is not exclusive to the following:

1. Grant applicants’ information
2. Training applicants’ information
3. Ice account holders’ information
4. Data Collection Regulation applicants’ information
5. Financial information of individuals* (AP Payments)
6. Personnel files
7. Payroll
8. Client or customer’s contact details held locally by BIM personnel

BIM controls the contents and use of personal data which it holds and as such BIM is a ‘data
controller’ for the purpose of the Acts.

In its responsibility as a data controller:

• BIM registers annually with the Data Protection Commissioner, in order to make transparent
our data handling practices. See appendix 01.
• we ensure that staff are made aware of their responsibilities through:
  o appropriate training with refresher training as necessary and
  o the availability of this internal data protection policy on the organisation’s Intranet.
    See appendix 02.

Our internal policy is enforced through supervision and undergoes an annual review and audit.

How are the Acts enforced?


The Commissioner has a wide range of enforcement powers to assist him in ensuring that the
principles of data protection are being observed by BIM. These powers include:

• the serving of legal notices compelling data controllers to provide information needed to
assist his enquiries, and
• compelling a data controller to implement one or more provisions of the Acts in a particular
prescribed manner.

The Commissioner may investigate complaints made by the general public or carry out investigations
proactively. For example, he may authorise officers to enter BIM’s premises and to inspect the type
of personal information kept, how it is processed and the security measures in place. BIM is required
to co-operate fully with such officers.

What is the penalty for non-compliance?

BIM, if found guilty of an offence under the Acts, can be fined amounts up to €100,000 on conviction
on indictment and/or may be ordered to delete all or part of the database.



The eight fundamental rules of data protection
The following pages outline the eight fundamental rules of data protection and how they apply to
BIM.



Data Protection Rule 1: Obtain and process information fairly
To fairly obtain personal data, when collecting the data you must ensure that the individual
understands clearly:

1. Who you are in your capacity as an employee of BIM

2. Your purpose in collecting their data
- see rule 2: Specifying the Purpose

3. To whom their data may be disclosed
- see rule 3: Use and further processing of personal information

4. Any disclosures of their data to third parties which might not be obvious to them
- see rule 3: Use and further processing of personal information

5. How their data will be used by the organisation
- see:
Rule 3: Use and further processing of personal information
Rule 4: Security of personal information
Rule 5: Keep data accurate and up-to-date data
Rule 6: Adequate, relevant and not excessive

6. Any secondary uses of their personal data (consent must be sought)
- see:
Rule 3: Use and further processing of personal information and
Rule 7: Retention of personal data

7. The existence of the right of access to their personal data
- see rule 8: Right of access to personal data

8. The right to rectify their data if inaccurate or processed unfairly
- see rule 8: Right of access to personal data

To fairly process personal data:

1. the data subject must have given consent to the processing (see list item no. 5 and 6 above)
or
2. the processing must be necessary in the performance of a contract with us.

If processing is sought outside of the above you must obtain the advice of the appointed Data
Protection Officer to establish how any new requirement for the use of data can be addressed
observing the principles of data protection.



Data Protection Rule 2: Specifying the Purpose
Any individual has the right to ask you to state the purposes for which you keep their personal
information.

In conjunction with rule one (obtain and process information fairly), the provisions amount to a general
requirement that individuals should be made aware, at the time of the collection of their personal data, of
the purposes to which their data will be put. In consequence, the data may not subsequently be used for
different purposes, without first obtaining the authorisation of the data subjects.

This simple principle of fairness and transparency is the very bedrock of data protection law.

Statement of the purpose or purposes for which BIM hold information about others

• Grants
Personal information is held for the purposes of administering grant applications and
subsequent claims.
• Training
Personal information is held for the purposes of administering training, processing payment
of course fees, issuing certification and the provision of BIM Basic Safety Training Cards and
Passenger Boat Cards.
• Ice Plants
Personal information is held for the processing of payment for Ice supplies.
• Personnel
Personal information is held for the purposes of administration of pensions, salaries and the
general management of BIM personnel.
• Finance
Personal information is held for the purposes of processing payments for goods or services to
and by BIM.
• Payroll
Personal information is held for the purposes of administering salaries and liaising with
Revenue.
• DCR
Personal information is held for the purposes of complying with our obligations under The
Data Collection Framework.

If you keep or use personal information for any purpose other than the above specified purposes, BIM
may be guilty of an offence under the Acts.

If retention or use of personal information is sought outside of the above you must obtain the advice
of the appointed Data Protection Officer to establish how any new requirement for the use of the
data can be addressed observing the principles of data protection.



Data Protection Rule 3: Use and further processing of personal information
Personal information must be:

1. used only in ways consistent with the purpose or purposes for which it is kept, and
2. disclosed (to third parties or internally) only in ways consistent with that purpose or purposes.

In other words use and disclose the data in a way in which those who supplied the information
would expect it to be used and disclosed.

BIM inventory of all current and proposed disclosures

• Grants
Personal information may be disclosed to:
o Fisheries Investment Committee
o Business Development Investment
o Aquaculture Investment Committee
o Management Investment Committee
- Fisheries: Co-Funded Grants > €20,000, Exchequer Grants > €3,000
o Board of Management
o Auditors
o Legal advisors
o Revenue (from 01 January 2014)

• Training
Personal information may be disclosed to:
o Marine Survey Office
o FETAC and HETAC Award Bodies
o Laminated Services for the processing by a third party of BIM Basic Safety Training
Cards and Passenger Boat Cards (Individual’s name, photograph and copy of
signature)

• Ice Plants
Personal information may be disclosed to:
o Auditors
o Accountants
o Legal advisors

• Finance
Personal information may be disclosed to:
o Auditors
o Accountants
o Legal advisors
o Bankers

• Payroll
Personal information may be disclosed to:
o Auditors
o Accountants
o Legal advisors
o Revenue and other regulatory authorities
o Trade unions
o Insurance companies

• Personnel
Personal information may be disclosed to:
o Auditors
o Legal advisors
o Trade unions
o Insurance companies
o Pension scheme trustees
o Doctors and other health advisors

• DCR
Personal information may be disclosed to:
o Auditors

All Data may also be disclosed inadvertently to computer maintenance personnel.



Data Protection Rule 4: Security of personal information
Security of personal information is all-important. The following procedures have been implemented
by BIM to ensure high standards of security:

• Laptops
Your company laptop is encrypted with two levels of security:
1. Encryption password
2. VPN Password

Note: All laptops issued in the last two years are encrypted and the Data Protection Officer
is currently undertaking an audit of all laptops issued to staff to establish if they are
encrypted and we are currently revoking the unencrypted laptops and issuing encrypted
laptops in their place.

• Webmail
Access to BIM webmail is password protected.

• Mobile devices
BIM has a policy on the use of mobile devices to ensure high standards of security (Draft).

Note: The Data Protection Officer is currently undertaking an audit of all mobile devices
held by staff to establish if high standards of security are in place on the devices.

• Memory sticks
BIM issues only encrypted memory sticks and we are currently revoking the unencrypted
sticks and issuing encrypted sticks in their place.

• Access to your personal computer is password protected.

• Access to the BIM network (local and remote) is password protected with access rights to
network drives granted on a divisional and sub-divisional basis.

• Databases - the following security measures are in place for BIM’s databases:

Fisheries Grants Databases


Access to the application is password protected with access restricted to staff administering
the grant and the Divisional Director.
The back end database is housed on the BIM network with access rights to the network drive
restricted to BIM IT officers.

Training Databases
Access to the training application is password protected with level of access allocated
according to pre-set roles.
Student role – read access to student’s personal records only.



Trainer role - read and write access to course material and student records.
Administrator role – write access to course creation, course bookings, student records and
financial records.
Super Admin role - read and write access to all data.
Finance role – read access to financial records.

The back end database is under a Hosting Services Agreement with a third Party that
provides one of the highest levels of security available.

Ice Plants Database


Ice supply customer records are administered using the Sybase system. Access to the application
is password protected with level of access allocated according to pre-set roles:
Operator role – may view customer records and raise (and print) an Invoice
Credit Controller – may view customer account history and record payment of invoices
System Manager – may amend all customer records

A review of the Sybase system is planned for Spring of 2014.

Data Collection Framework Databases


Access to the application front ends is password protected with access restricted to
appointed administrators.
The back end databases are housed on the BIM network with access rights to the network
drive restricted to BIM IT officers.

Finance Database
Finance records are administered using the Exchequer system. Access to the application is
password protected with levels of access allocated according to pre-set roles.
The back end database is housed on the BIM network with access rights to the network drive
restricted to BIM IT officers.

Payroll Database
Payroll records are administered using the ? system. Access to the application is password
protected with levels of access allocated according to pre-set roles.
The back end database is housed on the BIM network with access rights to the network drive
restricted to BIM IT officers.

Personnel Database
Personnel records are administered using the HR Wiz system. Access to the application is
password protected with levels of access allocated according to pre-set roles.
The back end database is housed on the BIM network with access rights to the network drive
restricted to BIM IT officers.

• BIM has a back-up procedure in operation for all network data.

• Manual files - the following security measures are in place for BIM’s paper files:


Grant Application Forms
Files are kept in a locked cabinet in the offices of grant administration staff with access
restricted to authorised staff.

BIM has an appointed member of staff with sole responsibility for ensuring the secure
storage of grant application records off site on the request of the authorised grant
administration staff (while awaiting the allocated destruction date).

Training Course Application Forms


Files are kept in a locked cabinet with access restricted to course administration staff and
training center principals.

Data Collection Framework


DCR forms are kept in a locked cabinet with access restricted to the staff member
responsible for the collection and use of the data.

Ice Accounts
Files are kept in locked cabinets with access restricted to Ice plant operator and account
administration staff.

Finance
Files are kept in a locked cabinet with access restricted to allocated staff.

Payroll
Files are kept in a locked cabinet with access restricted to payroll administration staff and
the Finance Manager.

• You must ensure all waste papers containing personal information are disposed of carefully.

As part of our annual audit BIM conducts a review of security procedures to ensure they encompass
technological and organisation growth and development.


Data Protection Rule 5: Keep data accurate and up-to-date data
BIM has a duty of care for any personal information that we hold and as such you must ensure that
the personal information you keep is accurate and up-to-date.

In order to ensure that each data item is kept up-to-date, specific responsibility for data accuracy has
been assigned to an appropriate member of staff for each of the following data sets.

• Grant Applicant Records
The robust checking of the grant applications ensures that any update to personal
information is captured.
• Training Course Student Records
• Ice Plants Customer Records
• Personnel Staff Records
• Finance Customer Records
• Payroll Staff Records
• Data Collection Regulation for Records

Appointed members of staff are provided with appropriate training and a procedure is in place for
each data set to ensure data accuracy. Implementation practices are included in BIM’s regular
internal policy review and audit.

Please note that the accuracy requirement does not apply to back-up data, that is, to data kept for
the purpose of replacing other data in the event of their being lost, destroyed or damaged.


Data Protection Rule 6: Adequate, relevant and not excessive
BIM only holds the personal information that is really necessary to enable us to carry out our day to day
functions. As such, information you do not need should never be kept "just in case" a use can be found for
it in the future.

To ensure that the information we keep is necessary BIM has specific criteria by which we decide what is
adequate, relevant, and not excessive for each of the following data sets:

• Fleet Grant Applicant Forms
The data collected is determined by the eligibility criteria and requirements of each scheme.

We are currently undertaking a review of the data collected in the fisheries grant application
forms with recommendations to remove the Date of Birth (DoB) field in the Fleet Safety
Scheme and if approved to subsequently remove all legacy DoB data from the database.

• Aquaculture Grant Applicant Forms
The data collected is determined by the eligibility criteria and requirements of each scheme.

• Business Development and Innovation Grant Applicant Forms
The data collected is determined by the eligibility criteria and requirements of each scheme.

• Training Course Application Forms
The data collected is determined by requirements of MSI and third party certification bodies.

• Ice Plants Customer Records
• Personnel Staff Records
• Finance Customer Records
• Payroll Staff Records

• Data Collection Framework Records
The data collected is determined by requirements of the Data collection Framework
regulation (EC) No 199/2008.


Data Protection Rule 7: Retention of personal data
This requirement places a responsibility on BIM to be clear about the length of time for which data
will be kept and the reason why the information is being retained.

BIM has retention procedures for:

• Grant Application Records
The destruction dates for grant application records are specified in the relevant EU
Development Programme and are synchronized with the grant control period.

Grant Control Periods:
Fisheries: five years for most cases with a ten year control period for new vessels.
Aquaculture:
Processing:

BIM has an appointed member of staff with sole responsibility for ensuring the careful
storage and destruction of grant application records on the request of the authorised grant
administration staff (on the allocated date).

• Vessel Mortgage Documents
BIM has an appointed member of staff with sole responsibility for discharging the Vessel
Mortgage Documents to the register of shipping on request from the Investments Services
Section.

• Training Course Student Records
If there was no certification, Basic Safety Training Card or Passenger Boat Card issued by BIM
to the student or the student did not undertake training that led to certification by a third
party the student’s personal information should be deleted after three years.

• Ice Plant Customer Records
BIM’s Ice Plant Record Destruction Policy documents the procedures to be followed for the
retention and destruction of customer records.

• Client Contact Details (held locally by BIM personnel)
Old information about former clients, which might have been necessary to hold in the past
for a particular purpose, but which you do not need to hold any longer should be routinely
deleted. The same applies to paper records.

• Data Collection Framework Records
The retention and destruction of data is determined by requirements of the Data collection
Framework regulation (EC) No 199/2008.

If you would like to retain information about customers or clients to help you provide a better service to
them in the future, you must obtain the customers' consent in advance.



Data Protection Rule 8: Right of access to personal data
Any individual about whom BIM keeps personal information on computer or in a relevant filing
system is entitled to:

• a copy of the data
• a description of the purposes for which it is held
• a description of those to whom the data may be disclosed

Access requests are handled by the Data Protection Officer and BIM has 40 days in which to supply
the information to the individual.

An individual also has the right to have any inaccurate information rectified or erased and to have
personal data taken off any BIM marketing list. Again, all requests are handled by the Data
Protection Officer.
