Data Privacy and Protection Policy
First Western Training Ltd respects the right to privacy and this statement sets out the company’s policy towards safeguarding information and data which is disclosed to us either by yourself or through a third party to whom you have permitted that third party to disclose that information to us.
Any personal information which you volunteer to the company will be treated with the highest standards of security and confidentiality, strictly in accordance with applicable data protection rules, including the General Data Protection Regulation.
In any case, where the company asks you for personal information, such as your name and address, from which you can be identified on an individual basis, we will only do this where we require that information for specific purposes, for example maintaining a register of attendees at a training programme. In every case, we will let you know what we intend doing with that information before collecting it, how long it will be retained and when it will be deleted or destroyed.
Types of information we collect
We collect information, which includes personal data, about our customers / clients, suppliers / service providers, staff, customers, partners and associates of our clients and other entities with which the company deals with such as local authorities, statutory bodies, NGO’s and members of the pubic with whom we interact (collectively “individuals”) for the purposes of and in connection with the company’s dealings with those individuals and / or relevant entities.
Personal data means any information which the company has or obtains,or which you provide to the company, and specifically your name, address, email address, phone number(s), title or position, date of birth, gender, employment status, employment details, employer address, work email, work phone, work experience, bank details, credit / debit card details, CV, exam records and educational details or any other such details from which you can be directly or indirectly personally identified. Some of this personal data may be special category personal data, namely data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health or sex life or sexual orientation.
We may also collect certain statistical and other analytical information collected on an aggregate basis relating to all visitors to our website and social media accounts. This non-personal data comprises information that cannot be used to identify or contact you, such as demographic information regarding browser types, mobile device equipment, mobile network and other anonymous statistical data involving the use of the website or social media accounts. We collect this information to help us monitor traffic and enhance the visitor experience of the website and social media accounts
How we obtain your personal data
We will obtain some of your personal data directly from you where we interact directly with you in the course of our business. We may also obtain personal data directly from you through our website, such as (i) when you make an enquiry about our services using the contact form (ii) when you sign up to our mailing list, or (iii) use contact details available on our website or social media accounts to contact us.
We obtain personal data indirectly from our clients and other bodies (including where you request that such bodies provide information directly to us) that we work with on a professional basis where they provide us with such data so as to allow us to carry out the commercial obligations that they have contracted us to provide. This can involve for example the following (i) developing, managing and implementing training programmes, (ii) maintaining professional databases of professional experience and education, (iii) preparing plans such as grant and funding applications, (iv) maintaining payroll and customer databases so as to undertake financial transactions on behalf of clients. The above are examples of typical commercial functions performed by the company but is not an exhaustive list.
Use of personal data
The company will use the personal data where necessary:
- For the purposes of performing our contract with you, or in anticipation of you becoming a client of the company, namely:
a. for the purpose of providing services to you in accordance with an agreed contract for the provision of goods or services
b. for the purposes of providing you with a quotation or details in respect of the nature of the commercial services and offerings that the company supplies
c. for the purposes of adding you to mailing or distribution lists to keep you informed of events and news about the company should you wish to receive this data
d. to deal with your queries or complaints;
- Where we have a legitimate interest in using it, including:
a. for the purposes of managing our commercial and non commercial contracts and relationships with our clients, suppliers, staff, service providers and other entities that we work with in the course of our commercial activities
b. for the purposes of discharging our regulatory obligations in relation to payment of taxes and social insurance, maintenance of employee and contractor records in accordance with statutory obligations,
c. for the processing of complaints and queries how so ever arising
d. maintenance of and / or provision of information to registers and databases where we are contracted by a client to maintain such registers under a commercial arrangement. This for example includes the maintenance of the Fáilte Ireland National Tour Guides database
e. To ensure compliance with employment regulations and CDP requirements for staff
f. for day to day operational and business purposes;
g. for reporting to our clients of performance and progress under commercial contracts that we are engaged for
h. to take advice from our external legal and other advisors such as tax advisors, accountants, pension and investment advisors and others as appropriate
i. Where we are ordered to disclose information by a court with appropriate jurisdiction;
- Where use or sharing is for a legitimate interest of a third party to which we provide the personal data, including for day to day operational and business purposes;
- Where necessary to establish, exercise or defend legal rights or for the purpose of legal proceedings;
- If we need and you have given your consent to use of your personal data for a particular purpose.
- Where we have your permission, the company may direct information relating to subject matter, services or proposals to you which we feel will be of interest to you. If you subsequently decide that you no longer wish to receive such information, you can manage this through contacting the company.
- We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purposes and applicable laws. If we need to use your personal data for a purpose unrelated to the original purpose for which we collected it, we will notify you and either seek permission for the use of the data for this purpose or explain the legal basis which allows us to do so.
Disclosures of personal data
We will not disclose any personal data to any third party, except as outlined above and / or as follows:
- to enable us to carry out the obligations under and fulfil our contracts with our customers, suppliers, service providers, vendors and other commercial entities;
- to anyone providing a service to us or acting as our agent, as data processors, for the purposes of providing services to us and on the understanding that they will keep the Personal Data confidential;
- where we need to share personal data with our auditors, and legal and other advisors;
- where we are required or requested to share information with a regulatory or oversight body, including where you request that we confirm details with such bodies;
- in the event of a merger, takeover or sale of the company, to the extent necessary to give effect to such transaction;
- if the disclosure is required by law or regulation, or court or administrative order having force of law.
Personal Data may be transferred outside Ireland in connection with the uses described above and / or as otherwise required or permitted by law.
Many of the countries will be within the European Economic Area (the “EEA”), or will be ones which the European Commission has approved, and will have data protection laws which are the same as or broadly equivalent to those in the European Union. However, some transfers may be to countries which do not have equivalent protections, and in that case we shall use reasonable efforts to implement contractual protections for the Personal Data. While this may not always be possible, any transfers will be done in accordance with applicable data protection laws, including through the implementation of appropriate or suitable safeguards in accordance with such applicable data protection laws.
For the avoidance of doubt, safeguards in the form of EU Commission approved standard contractual clauses will be implemented for transfers to service providers outside the EEA, including in India. Further information in relation to international data transfers can be obtained by contacting us at the address specified below.
Third party personal data
Where you provide us with personal data relating to other people, such as your clients, customers, suppliers, employees, advisors or other related persons, you represent and warrant that you will only do so in accordance with applicable data protection laws. You will ensure that before doing so, the individuals in question are made aware of the fact that we will hold information relating to them and that we may use it for any of the purposes set out in this statement, and where necessary you will obtain their consent to our use of their information. We may, where required under applicable law, notify those individuals that you have provided their details to us.
Third party providers of information
We may obtain personal data relating to you indirectly, such as where your employer provides your contact details to us in connection with our business. The person providing the information will in the ordinary course be asked to warrant that it will only do so in accordance with applicable data protection laws, and that it will ensure that before doing so, you are made aware of the fact that we will hold information relating to you and that we may use it for any of the purposes set out in this statement, and where necessary that it will obtain consent to our use of the information.
Recipients of the personal data
In any case where we share personal data with a third party data controller, the use by that third party of the personal data will be subject to the third party’s own privacy policies.
Updates to personal data
We will use reasonable efforts to keep personal data up to date. However, you will need to notify us without delay in the event of any change in your personal or business circumstances, so that we can keep the personal data up to date.
Retention of personal data
We are obliged to retain certain information for legitimate business purposes only due to contractual conditions of commercial contracts, which the company has entered into with its customers, clients and suppliers and our obligations with other bodies such as regulatory authorities such as the Revenue Commissioners
Information will be retained for no longer than is necessary for the purpose for which it was obtained by us, or as required or permitted for legal and regulatory purposes and for legitimate business purposes. In general, the company (or their service providers acting on our behalf) will hold this information for a period of six years after you cease to interact with us, unless we are obliged to hold it for a longer period under law or applicable regulations.
In cases where data was obtained or provided for a particular business purposes the data will be retained only for the period relating execution of our commercial and business obligations as contracted with our client and also in accordance with our clients data protection and privacy policies.
In certain circumstances, where required by law or applicable regulations or where the company deems it necessary for our legitimate business purposes, we may hold the data for a longer or shorter period.
Your rights in relation to your personal data
You may at any time request a copy of your personal data from us. This right can be exercised by writing to us at the address specified below.
You also have the right to correct any inaccuracies in, and in certain circumstances, to request erasure, or restriction on the use, of your personal data, and to object to certain uses of your Personal Data, in each case subject to the restrictions set out in applicable data protection laws. Further information on these rights, the circumstances in which they may arise in connection with our processing of personal data, and any restrictions on them, can be obtained by writing to us at the address specified below.
In any case where we are relying on your consent to process your personal data, you have the right to change your mind and withdraw consent by writing to the address specified below.
Where we are relying on a legitimate purpose of the company or a third party recipient of the personal data, in order to use and disclose personal data, you are entitled to object to such use or disclosure of your personal data, and if you do object, we will cease to use and process the Personal Data for that purpose unless we can show there are compelling legitimate reasons for us to continue or we need to use the personal data for the purposes of legal claims.
You also have the right to lodge a complaint about our processing of your personal data with the Data Protection Commission by emailing email@example.com or writing to the following address: Data Protection Commission, Canal House, Station Road, Portarlington, R32 AP23, Co. Laois. You can visit the website of the Data Protection Commission at www.dataprotection.ie for more details.
Dealing with Data Breaches
Under the General Data Protection Regulation (GDPR), the company has a requirement to report personal data breaches within 72 hours of becoming aware of the breach to the Office of the Data Protection Commissioner, where the breach presents a risk to the affected individuals. Also where a breach is likely to result in a high risk to the affected individuals, the company must also inform those individuals without undue delay. First Western Training Ltd will follow the code of conduct for Data Breaches as issues by the Data Protection Commission.
A data breach is defined as an incident that where unauthorised disclosure, loss, destruction or alteration of personal data, in manual or electronic form occurs.
In the case of a data breach or suspected data breach, First Western Training Ltd will:
- Determine through its data management procedures and systems whether a breach has taken place.
- If a breach has taken place, notify the Data Protection Commissioner using the designated process if relevant.
- Access what level of risk the breach has posed to affected individuals, and inform them if necessary. Low risk breach which is unlikely to have an impact on individuals, or the impact is likely to be minimal will not be communicated.
- Maintain an internal record of the details, the means for deciding the risk involved, who decided there was no risk and the risk rating that was recorded.
- Investigate how the breach occurred and develop and implement measures to prevent this in future. These can include increasing security and mitigation factors, encryption and security measures for electronic data, review of access rights of data users, and any other relevant measures.
Data Protection and Security
Data Protection and Security is a shared responsibility for all staff, contractors and those working with First Western Training Ltd. The company implement the following steps to ensure data security of physical, paper and electronic stored data.
Protecting Data and Information
- Staff operate a clear desk policy at the end of each working day and when away from the desk or the office for long periods.
- Personal and sensitive records held on paper and/or on screens must be kept hidden from visitors to offices and work stations. Staff must also familiarise themselves with colleagues access levels to data and ensure that data is hidden from a colleague who does not have such access rights to that data, whether data is on paper or screen.
- Records containing personal information must never be left unattended where they are visible or maybe accessed by unauthorised staff or members of the public.
- If computers or VDUs are left unattended, staff must ensure that no personal information may be observed or accessed by unauthorised staff or members of the public.
- All computers and VDU’s will be set to go to screen save mode after 90 seconds of inactivity and lock mode after 600 seconds of inactivity. This helps reduce the chances of casual observation
- Rooms, cabinets or drawers in which personal records are stored will be locked when unattended.
- A record tracing system will be maintained of files removed and/or returned.
- While appreciating the need for information to be accessible, staff must ensure that personal records and data are not left on desks or workstations at times when unauthorised access might take place.
- Staff must only access service user information on a need to know basis and should only view or share data that is relevant or necessary for them to carry out their duties.
- Staff must not leave laptops/portable electronic devices and/or files containing personal information unattended in cars or in any public place such as a restaurant, hotel etc where business might take place.
- In cases where staff removes files/records from offices to attend meetings, work at home, etc the records should always be contained in a suitable brief case/bag to avoid any inappropriate viewing and also to secure the records.
- All files and portable equipment must be stored securely. If files containing personal information must be transported in a car, they should be locked securely in the boot for the minimum period necessary.
Transmitting information by Fax or Post or Email
Staff must respect the privacy of others at all times and only access fax messages where they are the intended recipient or they have a valid work related reason. In so far as, possible First Western Training Ltd discourages the use of fax and instead promote the use of encrypted email or electronic file transfer
Where possible the information should be encrypted and transmitted via email. It is acceptable to transmit confidential and personal information by fax only when: 1. All persons identified in the fax message have fully understood the risks and agreed. 2. There are no other means available. 3. Before sending the fax message, contact the intended recipient to ensure he/she is available to receive the fax at an agreed time. ‐ Ensure that the correct number is dialled. ‐ Keep a copy of the transmission slip and confirm receipt of the fax message. ‐ Ensure that no copies of the fax message are left on the fax machine.
When using the postal system, mail containing sensitive personal information should be marked clearly with “Strictly Private and Confidential”. If proof of delivery is necessary, information of this nature should be sent by registered post. Also provide “return to sender” information in the event that the mail is undeliverable.
All Staff must adhere to the Password Standards Policy All passwords must be unique and must be a minimum of 8 characters. Passwords must contain a combination of letters (both upper & lower case), numbers (0‐9) and at least one special character (for example: “, £, $, %, ^, &, *, @, #, ?, !, €). Passwords must not be left blank. Users must ensure passwords assigned to them are kept confidential at all times and are not shared with others including co‐workers or third parties. In exceptional circumstances where a password has to be written down, the password must be stored in a secure locked place, which is not easily accessible to others. Passwords must be changed every 3 months and IT systems will remind you to change password when necessary.
Staff must adhere to the Encryption Policy. Information stored on the company shared server, whether based physically or cloud based will be protected by the use of strict access controls and encryption.
Company staff are only allowed to use approved external software and services for storage or transmission of data and information. These refers to services such as electronic file transfer (e.g. dropbox), data capture (e.g. online surveys), Zoom (video conferencing). First Western Training Ltd maintain an approve panel of external providers where the levels of data security, encryption and security match those of our data protection policy. Currently this list consists of:
• Survey Monkey
• We Transfer
• Ulster Bank Software
• Bank of Ireland Software
• Thesarus Payroll
This list will be revised from time to time and the data controller will make all staff and contractors aware. Use of any non authorised system for handling data or company information may result in disciplinary action being taken. Employees are not allowed to use non company owned computers for work purposes. Where working from home, a company supplied laptop will be provided and must be used.
All company laptop computer devices will have approved encryption software installed prior to their use within the company. In addition to encryption software the laptop will be password protected and have up to date anti‐virus software installed. Only company approved USB memory sticks may be used to store or transfer data. No personally owned memory sticks will be allowed for storage of data. Employees who have been issued with an approved USB memory stick must take all reasonable measures to ensure the memory stick is kept secure at all times and is protected against unauthorised access, damage, loss and theft. USB memory sticks must only be used on an exceptional basis where it is essential to store or temporarily transfer confidential or personal data. They must not be used for the long term storage of confidential and personal data, which must where possible be stored on a secure network server.
Staff must ensure their company mobile phone device is protected at all times. At a minimum all mobile phone devices must be protected by the use of a Personal Identification Number (PIN) of at least 6 characters. The phone will be set to auto lock after 15 seconds of inactivity and lock permanently after 3 incorrect pin attempts. Users must take all reasonable steps to prevent damage or loss to their mobile phone device. This includes not leaving it in view in an unattended vehicle and storing it securely when not in use. The user may be held responsible for any loss or damage to the mobile phone device, if it is found that reasonable precautions were not taken. Confidential and personal information must not be stored on a mobile phone device without the prior authorisation. Where confidential and personal information is stored on a mobile phone device, the information must be encrypted in accordance with the Encryption Policy. Mobile phone devices equipped with cameras must not be used inappropriately within the company. Confidential and/or personal information regarding the company, its employees or clients by text message or other SMS service. All email messages sent from mobile phone device will be encrypted. Users must report all lost or stolen mobile phone devices to their manager immediately.
Disposal of Data and Records
It is vital that the process of record disposal safeguards and maintains the confidentiality of the records. This will be done internally using a shredder located at the main office premises which shreds to confetti like particles. A register of records destroyed will be maintained as proof that the record no longer exist. The register should show: ‐ name of the file ‐ former location of file ‐ date of destruction ‐ who gave the authority to destroy the records. All electronic records will be permanently deleted from all locations when no longer needed. The same evidence base will be retained as with paper records. The duration that files are maintained for are set out in individual service contracts with clients or in the case of internal documents such as employment records, they shall be maintained for a period of 6 years after last contact.
Website cookies and tracking
You should be aware that each time you visit a website, general information about your visit is retained. Statistical and other analytical information is collected on an aggregate and non-individual specific basis of all browsers who visit the site. This statistical and analytical information provides us with general and not individually specific information about the number of people who visit this website; the number of people who return to this site; the pages that they visit; where they were before they came to this site and the page and site at which they exited.
However, you should realise that cookies may be necessary in order to provide you with certain features such as the customised delivery of certain information.
Updates to this policy
The company reserves the right in its sole discretion to amend this statement at any time (for example, to comply with changes in laws or regulations, our practices, procedures and organisational structures, or otherwise).
Contacting the Company
Any queries or complaints regarding our use of your personal data and / or the exercise of individual rights should be addressed to the:
First Western Training Ltd,
Co. Sligo F52 N226
Or by email to: firstname.lastname@example.org