8.1. Data Subject Requests
8.1.1. Under Articles 13 and 15 of GDPR, on your request we will confirm if we are keeping your personal data and provide it to you in a transparent and easily accessible form (please see our ‘How to contact us’ section). Where the data will be used for a purpose other than that initially communicated, we will inform you of this other purpose in advance.
8.1.2. Access requests under Article 15 of GDPR apply to personal data held by the Council in both a computerised and manual form (where it is requested by electronic means, it will be provided in a commonly used electronic form). However, where a document exists in duplicate, e.g., where correspondence is scanned into the Council’s case management system, it is not necessary to provide two copies of the same document in response to a request. Usually, a photocopy or printout of the personal data will be provided. However, where the individual agrees, information can be provided in electronic format, e.g., by email or on a memory stick.
8.1.3. The Council will process data subject access requests that meet certain criteria:
a) they must be in writing;
b) the Council is entitled to make reasonable enquiries to satisfy itself about the identity of the person making the request to ensure that we are not disclosing personal data to a party who is not entitled to it under GDPR;
c) the requester must supply a reasonable level of appropriate information to help us to locate the information required (where it concerns a recorded image, they should also provide a passport-sized photo of themselves); however, no reason for the request needs to be provided; and
d) the Council will deal with a data subject access request free of charge, save where requests are either manifestly unfounded or excessive, in which case the Council may either charge a reasonable fee to take into account the administrative costs, or refuse the request.
8.1.4. Valid and (where required) paid-up data subject access requests will be complied with within one month of receipt of the request, although this period may be extended by two further months where necessary, taking into account the complexity and number of requests (Article 12 GDPR).
8.1.5. All data subject access requests should be directed to the Council’s Data Protection Officer, who will assess them in light of the provisions in GDPR. The Council will not normally disclose the following types of information in response to a data subject access request:
a) data that is not personal data;
b) personal data that includes information about other people, unless we gain the consent of that other person (as may be necessary). If we cannot gain consent, we may need to withhold that information or edit the data to remove the identity of that person, if possible.
• opinions given in confidence;
• open-ended requests;
• nuisance/repeat requests; and
• privileged documents.
8.1.6. Where the Council refuses a data subject access request, it will be in writing and will set out the reasons for our refusal.
8.1.7. Article 23 of GDPR provides that individuals may not have a right to see information relating to them where proportionate restrictions are taken for the following reasons (while most of these circumstances would not ordinarily apply to the Council, they are set out below for the sake of completeness):
a) national security;
b) defence;
c) public security;
d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
f) the protection of judicial independence and judicial proceedings;
g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
i) the protection of the data subject or the rights and freedoms of others; and
j) the enforcement of civil law claims.
8.1.8. Some documents may need to be “redacted” so as to remove data that is not required to be disclosed.
8.2. Right to Rectification
8.2.1. If a person who has made a data subject access request subsequently seeks to have any of his or her personal data rectified, this will be done within 40 days of the request being made, provided there is reasonable evidence in support of the need for rectification or erasure. You need to tell us what information is incorrect and what should replace it. We will inform recipients to whom that personal data has been disclosed (if any), unless this proves impossible or involves disproportionate effort.
8.2.2. It is your responsibility to ensure that all of the personal data provided to us is accurate and complete. If any information you have given us changes, please let us know as soon as possible. Section 36(3) of the Teaching Council Acts requires registered teachers to inform the Council, in writing, of:
(a) any errors in the register of which he or she is aware in relation to his or her registration; and,
(b) any change in the information entered in the register in relation to him or her.
The Council will update the Register on receipt of valid s.36 notifications.
8.3. Right to Restrict or Prevent Processing of Personal Data
8.3.1. In accordance with Data Processing Legislation, you may request that we stop processing your personal data temporarily if:
a) you do not think that your data is accurate (but we will start processing again once we have checked and confirmed that it is accurate);
b) the processing is unlawful but you do not want us to erase your data;
c) we no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
d) you have objected to processing because you believe that your interests should override the basis upon which we process your personal data.
8.3.2. If you exercise your right to restrict us from processing your personal data, we will continue to process the data if:
a) you consent to such processing;
b) a legal basis exists for such processing;
c) the processing is necessary for the exercise or defence of legal claims;
d) the processing is necessary for the protection of the rights of other individuals or legal persons; or
e) the processing is necessary for public interest reasons.
8.4. Right to Erasure
8.4.1. In accordance with Data Protection Legislation, you can ask us to erase your personal data where:
a) you do not believe that we need your personal data in order to process it for the purposes set out in this Policy;
b) if you had given us consent to process your personal data, you withdraw that consent and we cannot otherwise legally process your personal data;
c) you object to our processing and we do not have any legal basis for continuing to process your personal data;
d) your data has been processed unlawfully or has not been erased when it should have been; or
e) the personal data has to be erased to comply with law.
8.4.2. We may continue to process your personal data in certain circumstances in accordance with Data Protection Legislation.
8.4.3. Where you have requested the erasure of your personal data, we will inform recipients to whom that personal data has been disclosed, unless this proves impossible or involves disproportionate effort. We will also inform you about those recipients if you request it.
8.4.4. Your request for erasure of your data will be carried out within 40 days.
8.5. Rights in Relation to Automated Decision-Taking
8.5.1. If we are evaluating you, you may request that we do not base any decisions solely on an automated process and that we ensure any decision is reviewed by a member of staff.
8.5.2. These rights will not apply in all circumstances, for example where the decision is: i. authorised or required by law, ii. necessary for the performance of a contract between you and us, or iii. based on your explicit consent. In all cases, we will endeavour to ensure that steps have been taken to safeguard your interests.
8.6. Right to Data Portability
In accordance with Data Protection Legislation, you may ask for an electronic copy of your personal data that you have provided to us and which we hold electronically, or for us to provide this directly to another party. This right only applies to personal data that you have provided to us – it does not extend to data generated by us. The right to data portability also only applies where:
a) the processing is based on your consent or for the performance of a contract; and
b) the processing is carried out by automated means.
8.7. Right to Complain to the DPC
If you do not think that we have processed your personal data in accordance with this Policy, please contact us in the first instance (see Section 15). If you are not satisfied, you can complain to the DPC or exercise any of your other rights pursuant to Data Protection Legislation. Information about how to do this is available on the DPC website at www.dataprotection.ie