Privacy Policy

The WellSchools Network Privacy & GDPR Policy

TABLE OF CONTENTS

1 Introduction
1.1 Purpose of the Document
1.2 Legislation
1.3 Scope of the Document
1.4 Overview of GDPR
1.5 Definitions and Terminology
1.6 Roles and Responsibilities
1.7 Lawful Bases for Processing
1.8 Data Subject Rights
1.9 International Data Transfers
1.10 Environmental changes that may affect the quality of data
2 Roles & Responsibilities
2.1 WSN as a Data Controller
2.2 Data Processor
2.3 Data Protection Officer (DPO)
2.4 Security Officer Responsibilities
2.5 Data Subjects
2.6 Third Parties and Subprocessors
2.7 The Data Protection Principles
2.8 Implementation
2.9 Data Storage & Archiving
2.10 Contingency Plan for Data Security Breach
2.11 Compliance with recognised data security standards
2.12 Data Privacy
3 Security Controls
3.1 Physical Access Controls
3.2 Network Infrastructure
3.3 Storage Infrastructure
3.4 Computer Accounts
3.5 Passwords
3.6 System Upgrading or Software Updating
3.7 Security Status Checking
3.8 Breach of Security
3.9 Outsourcing and Third-Party Access
4 Staff Training and Compliance
4.1 Overview
4.2 Training Type & Frequency
4.3 Data Protection Awareness
4.4 Ongoing Compliance
5 International Data Transfers Policy
5.1 Introduction
5.2 Transfer Mechanisms
5.3 Adequacy Decisions
5.4 Standard Contractual Clauses
5.5 Binding Corporate Rules
5.6 Exceptions for Specific Situations
5.7 Documentation and Record-Keeping
5.8 Review and Monitoring
6 Data Subject Rights
6.1 Introduction
6.2 Data Subject Rights
6.3 Exercising Data Subject Rights
7 Data Subject Access Request Policy
7.1 Introduction
7.2 Right to Establish Existence of Personal Data (Section 3 of Data Protection Act)
7.3 Making an Access Request (Section 4 of the Data Protection Act)
7.4 Responsibility and Review
8 Data Breach Policy & Management Procedure
8.1 Introduction
8.2 Identifying a Data Breach
8.3 Response and Containment
8.4 Notification to Supervisory Authority
8.5 Communication to Data Subjects
8.6 Documentation and Record Keeping
8.7 Post-incident Analysis and Follow-up
9 Data Collection Policy & Procedure
9.1 When should Customer Data be collected?
9.2 How should Customer Data be collected?
9.3 Restrictions on the use of Customer Data
9.4 Retention of Customer Data
9.5 Requests from Customers regarding Customer Data
9.6 General remarks regarding Customer Data outside of the office


1 Introduction
1.1 Purpose of the Document
This GDPR Policy Document provides an overview of how WSN complies with the General Data Protection Regulation (GDPR) concerning the processing of personal data.
Electronic and non-electronic communications of this nature by WSN are only to non-individual, business contacts and institutional subscribers. These come in the form of hard-copy mailings and e-mails. Hard-copy mailings go to business/company addresses, while business subscribers receive electronic mailings through their company email addresses.
In its role as an employer, WSN may keep information relating to a staff member’s physical, physiological or mental well-being, as well as their economic, cultural or social identity.

1.2 Legislation
To the extent that WSN’s use of personal data qualifies as ‘business to customer’ processing, including the organisation’s communications to its staff and volunteers, the organisation is mindful of its obligations under the relevant Irish legislation, namely:
• The Irish Data Protection Act (1988);
• The Irish Data Protection (Amendment) Act (2003);
• The EU Electronic Communications Regulations (2011); and
• The General Data Protection Regulation (GDPR) (EU) 2016/679 (25 May 2018).

1.3 Scope of the Document
This document applies to all personal data processing activities undertaken by WSN, including data processing on our website, customer transactions, and interactions with suppliers.

1.4 Overview of GDPR
The GDPR is a regulation that protects the privacy and personal data of individuals within the European Union (EU) and the European Economic Area (EEA). It establishes requirements for data processing and mandates certain rights for individuals whose data is processed.

1.5 Definitions and Terminology
• Personal Data: Information relating to an identifiable person.
• Data Subject: An individual whose personal data is processed.
• Data Controller: Entity that determines the purposes and means of processing personal data.
• Data Processor: Entity that processes personal data on behalf of the controller.

Data Protection Principles
WSN adheres to the following principles for data protection:
• Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner.
• Purpose Limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
• Data Minimisation: Personal data shall be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
• Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
• Storage Limitation: Personal data shall be kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.
• Integrity and Confidentiality: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
• Accountability: The data controller shall be responsible for and able to demonstrate compliance with the principles.

1.6 Roles and Responsibilities
• Data Controller - As a data controller, WSN determines the purposes and means of processing personal data.
• Data Processor - We use third-party data processors who adhere to GDPR for certain processing activities such as payment processing and email services.
• Data Protection Officer (DPO) - Our DPO ensures compliance with GDPR and serves as a point of contact for data subjects.
• Data Subjects - Data subjects have rights concerning their personal data, which are outlined in section 5.

1.7 Lawful Bases for Processing
WSN processes personal data based on obtaining explicit consent from data subjects for specific processing activities, such as marketing.

1.8 Data Subject Rights
Data subjects have the right to be informed about the collection and use of their personal data.

1.9 International Data Transfers
WSN uses standard contractual clauses for international data transfers.

1.10 Environmental changes that may affect the quality of data
The WSN policy is to be aware of environmental changes that affect the quality of data and to pre-empt the impact to our business and that of our clients. GDPR was the most recent change, one that we had spent two years preparing for. This meant that we had cleansed our databases and remodelled our business processes well ahead of the May 2018 deadline, enabling us to continue without any loss of continuity to our business.

 
2 Roles & Responsibilities

2.1 WSN as a Data Controller

In the course of its daily organisational activities, WSN acquires, processes and stores personal data in relation to living individuals. To that extent, WSN is a Data Controller, and has obligations under the Data Protection legislation, which are reflected in this document. Responsibilities of the Data Controller include:
• Determining why the data is being processed and ensuring that there is a lawful basis for processing.
• Ensuring that data subjects are informed of how their data is being used.
• Implementing and maintaining security measures to protect personal data.
• Ensuring that data processing is carried out in accordance with applicable data protection laws.
• Selecting Data Processors that are capable of ensuring compliance with data protection laws.
• Responding to data subject’s requests concerning their data.


As a Data Controller, WSN and its staff (hereafter referred to collectively as WSN) comply with the Data Protection principles set out in the relevant Irish legislation. A substantial proportion of the communications sent by WSN to its member organisations is considered ‘business to business’, and thereby exempt from obligations under the Data Protection legislation.
In accordance with Irish Data Protection legislation, this data must be acquired and managed fairly.
WSN is committed to ensuring that all staff have sufficient awareness of the legislation in order to be able to anticipate and identify a Data Protection issue, should one arise. In such circumstances, staff must ensure that the Data Protection Officer (DPO) is informed, in order that appropriate corrective action is taken.
Due to the nature of the services provided by WSN, there is a regular and active exchange of personal data between WSN and its Data Subjects. In addition, WSN exchanges personal data with Data Processors on the Data Subjects’ behalf. This is consistent with WSN’s obligations under the terms of its contracts with its Data Processors.
This policy provides the guidelines for this exchange of information, as well as the procedure to follow in the event that a staff member is unsure whether such data can be disclosed. In general terms, the staff member should consult with the Data Protection Officer to seek clarification.

2.2 Data Processor
The Data Processor is the entity that processes personal data on behalf of the Data Controller. Responsibilities of the Data Processor include:
• Processing data only as instructed by the Data Controller.
• Implementing and maintaining security measures to protect personal data.
• Assisting the Data Controller in ensuring compliance with data protection laws.
• Notifying the Data Controller of any data breaches without undue delay.
• Ensuring that any subprocessors or third parties employed in processing data comply with data protection laws.

2.3 Data Protection Officer (DPO)
The Data Protection Officer is the individual designated by WSN to oversee data protection strategy and implementation and to ensure compliance with GDPR requirements. The DPO for WSN is:
Name: David Cashman
Position: CEO
Email: [email protected]
Phone: 021 242 7237

Their responsibilities include:
• Informing and advising the Data Controller and its employees about their obligations to comply with the GDPR and other data protection laws.
• Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, and conducting internal audits.
• Serving as the first point of contact for supervisory authorities and for individuals whose data is processed.

2.4 Security Officer Responsibilities
The IT Security Officer is responsible for:
1. Advising the Management Board or appropriate persons on compliance with this policy and its associated supporting policies and procedures.
2. Reviewing and updating the Security policy and supporting policies and procedures.
3. The promotion of the policy throughout the Company.
4. Periodic assessments of security controls as outlined in the Security Policy.
5. Investigating Security Incidents as they arise.
6. Maintaining Records of Security Incidents. These records will be encrypted and stored securely for six months, after which time information pertaining to individuals will be removed. The records will then be held in this anonymous format for a further two years for statistical purposes.
7. Reporting to the Management Board on the status of security controls within the Company.

The Nominated Security Officer for WSN is:
Name: David Cashman
Position: CEO
Email: [email protected]
Phone: 021 242 7237

2.5 Data Subjects
Data Subjects are the individuals whose personal data is being processed. Responsibilities of Data Subjects include:
• Being aware of their rights under data protection laws.
• Providing accurate and up-to-date information to the Data Controller.
• Communicating their preferences regarding data processing to the Data Controller.
• Making informed decisions regarding the consent for data processing.
• Contacting the Data Controller or DPO to exercise their rights under data protection laws.

2.6 Third Parties and Subprocessors
Third Parties are entities other than the Data Subject, Data Controller, Data Processor, and persons under the direct authority of the Data Controller or Processor. Subprocessors are third parties employed by a Data Processor to carry out specific processing activities. Responsibilities include:
• Complying with the instructions from the Data Controller (via the Data Processor for subprocessors).
• Ensuring that appropriate security measures are in place to protect the data.
• Notifying the Data Processor or Data Controller of any security breaches.
• Ensuring that they are transparent with the Data Processor or Data Controller about how data is processed.
• Assisting the Data Controller or Data Processor in fulfilling their obligations under data protection laws.

2.7 The Data Protection Principles
The following key principles are enshrined in Irish legislation and are fundamental to WSN’s Data Protection policy. In its capacity as Data Controller, WSN ensures that all data shall:
• Be obtained and processed fairly and lawfully.
• Be obtained only for one or more specified, legitimate purposes.
• Not be further processed in a manner incompatible with the specified purpose(s).
• Be kept safe and secure.
• Be kept accurate, complete and up-to-date where necessary.
• Be adequate, relevant and not excessive in relation to the purpose(s) for which the data were collected and processed.
• Not be kept for longer than is necessary to satisfy the specified purpose(s).
• Be managed and stored in such a manner that, in the event a Data Subject submits a valid Subject Access Request seeking a copy of their Personal Data, this data can be readily retrieved and provided to them.

2.8 Implementation
As a Data Controller, WSN ensures that any entity which processes Personal Data on its behalf (a Data Processor) does so in a manner compliant with the Data Protection legislation through the Data Processor Agreement. Regular audit trail monitoring is done by the Data Protection Officer to ensure compliance with this Agreement by any third-party entity which processes Personal Data on behalf of WSN. Failure of a Data Processor to manage WSN’s data in a compliant manner will be viewed as a breach of contract, and will be pursued through the courts. Failure of WSN’s staff to process Personal Data in compliance with this policy may result in disciplinary proceedings.

2.9 Data Storage & Archiving

2.9.1 Security & Storage
The following policies apply to company computers, servers and databases:
• WSN only provides limited access to personal data on a “need to know” basis.
• Servers, including the database server for hosting web content, web services and personal or non-personal data, are within the WSN Computer Centre (CCC) with a specific IP address in Ireland.
• The CCC is managed by a trusted IT operator with an SLA.
• Any access to the computer systems is monitored and logged on a 24/7 basis. The log includes the username, access time and duration.
Data Protection & Security Policy for WSN
• Computing devices, including PCs, laptops and mobile phones, are located within the Company office (with a specific IP address). Each device is protected by a unique password and has one designated owner. On a shared device, each user has their own unique password for access.
• All computing/storage devices in the company and office are equipped with anti-virus software and protected with a firewall. Unattended devices are locked automatically with a screen saver.
• WSN maintains a list of restricted databases and applications along with a defined business owner for each listing. Only the account (contract) manager can authorise an individual to have any access to the restricted databases or applications.
• Unescorted access is restricted to authorised persons for valid and documented business purposes.
• Visitors to the company or to the area housing the above infrastructure must be escorted by authorised staff, and their access must be logged with the visitor identity, time in, time out and reason for entry. This information is maintained in a central record system for one year.
• Computing and storage devices should not be viewable by members of the public. Disposal papers are kept in the green box for collected paper.
• Email attachments from unexpected sources are not to be opened unless first screened by anti-virus software.

2.9.2 Network Access
• Staff can access the Company network inside the office. Remote access is only allowed via VPN.
• Modems must be locked in a case and the key removed and secured. They can only be accessed by the Security Officer.
• The Company WIFI network is protected by password.
• LANs shall be designed so as to limit the aggregation of data subject to unauthorised interception.
• Active ports are not allowed on network backbones unless the port is located in the Company Computer Centre.
• If a data port is located in the Company Public Space (e.g. reception), it must be supervised at all times while it is active.

2.9.3 Storage & Archive
• Contents, web services and database are hosted and stored on designated Company storage servers, not on any local devices.
• If downloading of personal data from above servers is necessary for data processing, such downloading can easily be blocked by technical means (disabling drives etc.). Also, the downloaded data must be deleted immediately after the data processing.
• Content, web services and database are backed up automatically on a daily basis.
• Content, web services and database are archived from backups and retained for 1 year.
• Storage backup media are stored in the Company Computer Centre at all times.
• All databases including backups are in encrypted format and protected by password.
• Records of data wiping are stored electronically in the central record system.
• Cloud based or file sharing systems are only used when agreed with all parties and data files should be password protected and removed once transfer is completed.

2.10 Contingency Plan for Data Security Breach
WSN communications strategies are predicated on establishing a comprehensive understanding of the relevant audience so as to produce an appropriate response to, and management of, a data security breach. To this end, WSN and our PR partners have extensive experience in the organisation and management of community consultation processes, including extensive engagement with local and regional media. We would envisage, as part of a communications strategy that would fall within client engagements, the design of a communications toolkit to underpin the process, in order to ensure best practice in engagement with key media, stakeholders and affected citizens.

2.11 Compliance with recognised data security standards
WSN’s IT Security management structure was built with influence from several industry security standards and frameworks, such as the National Institute of Standards and Technology (NIST) and the International Organisation for Standardisation (ISO). WSN is not ISO third-party certified; assessments are performed across various WSN business offerings and locations.
The International Organisation for Standardisation (ISO) is a worldwide federation of national standards bodies from some 140 countries. The vast majority of ISO standards are highly specific to a particular product, material, or process. WSN meets ISO certifications through normal WSN practices and processes.
WSN uses third party services providers to provide technology support services.
These organisations are certified as follows:
• ISO 9001 (quality management system)
• ISO 14001 & ISO 50001 (environmental system); and
• ISO 45001 (occupational health and safety) standards.

Business units within these organisations have the following certifications as appropriate:
• ISO 20000 (IT services management)
• ISO 22301 (business continuity), ISO 27001 (information security management system)
• ISO 27017 (information security for cloud services)
• ISO 27018 (PII in public clouds)
• ISO 27701 (privacy information management system); and
• ISO 31000 (risk management).

2.12 Data Privacy
WSN is committed to protecting the privacy and confidentiality of Personal Information about its Employees, Customers, Business Partners (including contacts within Customers and Business Partners) and other identifiable individuals. Uniform practices for collecting, using, disclosing, storing, accessing, transferring or otherwise processing such information assist WSN to process Personal Information fairly and appropriately, disclosing it and/or transferring it only under appropriate circumstances.

This Policy Letter sets forth the general principles that underlie WSN’s specific practices for collecting, using, disclosing, storing, accessing, transferring or otherwise processing Personal Information, including the general principle of Privacy by Design. These general principles apply to the processing of Personal Information by WSN.

Data Privacy Principles
• Fairness: WSN will collect and process Personal Information fairly, lawfully, and in a transparent manner.
• Purpose Limitation: WSN will only collect Personal Information that is relevant to and necessary for a particular purpose(s) and will only process Personal Information in a manner that is not incompatible with the purposes for which it is collected.
• Data Minimisation: WSN will only process Personal Information that is adequate, relevant and not excessive for the purpose for which it is processed.
• Accuracy: WSN will keep Personal Information as accurate, complete and up-to-date as is necessary for the purpose for which it is processed.
• Retention: WSN will keep Personal Information in a form that permits identification for no longer than necessary for the purpose for which such Personal Information was collected.
• Disclosure: WSN will only make Personal Information available inside or outside WSN in appropriate circumstances.
• Information Security: WSN will implement appropriate technical and organisational measures to safeguard Personal Information and will instruct third parties processing Personal Information on behalf of WSN, if any, to process it only in a manner that is consistent with processing it on WSN’s behalf, and to implement appropriate technical and organisational measures to safeguard the Personal Information.
• Individual Rights: WSN will provide individuals with appropriate rights, such as the right of access and correction relating to their Personal Information, as set out in the Binding Corporate Rules and in applicable law.
• Custodianship: WSN will have appropriate policies and practices for the safe handling of Personal Information that it processes on behalf of its customers.
• Accountability: WSN will have appropriate governance, including corporate instructions, guidelines, appropriately trained personnel and other measures, to be able to demonstrate that the processing of Personal Information is performed in compliance with this Policy Letter.

WSN Employees who come in contact with Personal Information must act consistently with the principles contained in this Policy Letter.
 
3 Security Controls

3.1 Physical Access Controls
The following policies apply to company computers, servers and databases:
1. WSN only provides limited access to personal data on a “need to know” basis.
2. Servers, including the database server for hosting web content, web services and personal or non-personal data, must be located within the Company Computer Centre (with a specific IP address) in Ireland.
3. The Company Computer Centre must be managed by a trusted IT operator with an SLA (Service Level Agreement attached).
4. The Company Computer Centre must be locked when not attended, and must also have a clearly defined area owner.
5. Any access to the Company Computer Centre must be monitored and logged on a 24/7 basis. The log must include the username, access time and duration.
6. Computing devices, including PCs, laptops and mobile phones, must be located within the Company office (with a specific IP address). Each device must be protected by a unique password and have one designated owner. On a shared device, each user should have their own unique password for access.
7. All computing/storage devices in the Company Computer Centre and office should be equipped with anti-virus software and protected with a firewall. Unattended devices should be locked automatically with a screen saver.
8. WSN shall maintain a list of restricted databases and applications along with a defined business owner for each listing. Only the business owner can authorise an individual to have any access to the restricted databases or applications. The IT operator shall have real-time access to this information. The Security Officer should send a list of those who have access to the restricted databases and applications to the business owner on a semi-annual basis.
9. Unescorted access is restricted to authorised persons for valid and documented business purposes.
10. Visitors to the company or to the area housing the above infrastructure must be escorted by authorised staff, and their access must be logged with the visitor identity, time in, time out and reason for entry. This information should be maintained in a central record system for one year.
11. Computing and storage devices should not be viewable by members of the public. Disposal papers should be kept in the green box for collected paper.
12. Email attachments from unexpected sources should not be opened unless first screened by anti-virus software.

3.2 Network Infrastructure
1. Staff can access the Company network inside the office. Remote access is only allowed via VPN.
2. Modems must be locked in a case and the key removed and secured. They can only be accessed by the Security Officer.
3. The Company WIFI network is protected by password.
4. LANs shall be designed so as to limit the aggregation of data subject to unauthorised interception.
5. Active ports are not allowed on network backbones unless the port is located in the Company Computer Centre
6. If a data port is located in the Company Public Space (e.g. reception), it must be supervised at all times while it is active.

3.3 Storage Infrastructure
1. Contents, web services and database must be hosted and stored on designated Company storage servers, not on any local devices.
2. If downloading of personal data from above servers is necessary for data processing, such downloading can easily be blocked by technical means (disabling drives etc). Also, the downloaded data must be deleted immediately after the data processing.
3. Content, web services and database should be backed up automatically on a daily basis.
4. Storage backup media must be stored in the Company Computer Centre at all times.
5. All databases including backups should be in encrypted format and protected by password.
6. Records of data wiping should be stored electronically in the central record system.
7. Cloud based or file sharing systems are only used when agreed with all parties and data files should be password protected and removed once transfer is completed.

3.4 Computer Accounts
1. Only active staff can have an IT account.
2. Each user ID shall be identified to an individual, except when technical limitations require the sharing of an administrative ID.
3. Temporary accounts may be created for the purpose of providing pre-determined access for the use of a temporary employee or outsourced partner. In that case, the following rules should be applied to temporary accounts:
a. This account must be authorised by the Security Officer.
b. The account record should include the individual/organisation name, account name, and list of read/write accesses granted for shared file systems, applications or databases, with access start and end dates.
c. Each account name should be unique.
4. Default access is made available to active company employees as follows:
a. an email account
b. an individual network with unique read/write access
c. read/write access to the shared network drive for their department.
5. On notification of the employment termination, the user account and access to the application and database should be revoked within one business day.
6. User account and access to the application and database shall be reviewed by the Security Officer on a semiannual basis to ensure the authorised account usage.

3.5 Passwords
1. When default passwords are shipped with system or applications, the default passwords shall be changed immediately on their initial use.
2. The following password syntax rules must be followed and apply to all systems:
a. at least 6 characters
b. contains at least one upper case letter, one lower case letter and one digit
3. Passwords should be changed every 186 days
4. Passwords should not be written down and left in convenient places
5. Passwords should not be shared amongst colleagues
6. Passwords can only be communicated via the following approaches:
a. in person
b. encrypted attachment in email

3.6 System Upgrading or Software Updating
It is essential to regularly upgrade the operating system on servers and computing devices and to update anti-virus software and applications to ensure up-to-date security protection. Before upgrading, the necessary backups should be run to avoid any content/data loss. A record of the upgrading/updating should be kept, including:
1. software name
2. update date and time
3. previous version and current version
4. the IT engineer who is responsible for the upgrading/updating

3.7 Security Status Checking
The IT operator shall be responsible for performing a Security Health Check process on all servers and hosts that they support according to SLA attached.

3.8 Breach of Security
1. The IT Operator shall monitor system and network usage on a 24/7 basis.
2. Any individual suspecting that there has been, or is likely to be, a breach of information systems security should inform the IT Security Officer immediately who will advise the company on what action should be taken.
3. The IT Security Officer has the authority to invoke the appropriate disciplinary procedures to protect the Company against breaches of security.
4. Clients will be notified of any data breach and appropriate further communication to be agreed by involved parties.

In the event of a suspected or actual breach of security, the IT Security Officer may, after consultation with the relevant Administrator, make inaccessible or remove from the network any unsafe user accounts, data and/or programmes on the system.
In the event of personal data damage, the IT Security Officer shall follow the Data Protection Policy to deal with the incident.

3.9 Outsourcing and Third-Party Access
Granting system access to a third-party provider is a risk that can introduce security threats and technical and business dangers into the company.
1. Contracts
A formal contract between WSN and the outsourcer/third party must exist to protect both parties.
2. Service Level Agreement
Following on from the contract, a clear and unambiguous service level agreement must be agreed which will be reviewed annually or as per agreement.
Performance against SLA should be reviewed annually/as agreed.
The service level agreement must indicate the frequency of service level review meetings.
The service level agreement must indicate the consequence of non-adherence to agreed service levels.
3. Nondisclosure Agreement (NDA)
A formal NDA between WSN and the outsourcer/third party must be in place to protect both parties. Upon termination of the main contract, the NDA must be revisited to determine whether confidentiality has to be extended beyond the tenure of the contract.
4. Responsibility and Policy Violation
The outsourcer and third party should be aware of this policy. It is the responsibility of all third parties to whom activities have been outsourced to ensure they are familiar with the contents of this policy, all contracts and agreements and all supporting documents.
It is the responsibility of the business data owners to ensure that appropriate contracts and agreements are in place and to schedule formal periodic reviews of third party compliance with this policy.
Contravention of the policy will lead to the removal of the third-party access and/or termination of contractual arrangements.
5. Access
When items 1 to 3 above are in place, the business owner will send a request to the IT Security Officer to create a unique account and grant only the necessary access to the system/network/database from a registered IP address.

At a minimum, security controls include but are not limited to:
a. Authorisation and granting of system access on a need-only basis
b. Appropriate and timely review and removal of user access
c. Encryption of sensitive data
d. Appropriate audit logging of third-party activity

4 Staff Training and Compliance
4.1 Overview
No matter what technical or physical controls are placed on a system, the most important security measure is to ensure that staff are aware of their responsibilities.
1. New staff will be notified of the relevant policy documents when they initially request access to the WSN network.
2. Existing staff, authorised third parties and contractors given access to the Company network will be advised of the existence of this policy.
3. Updates to policies and procedures will be made periodically and notified to staff and authorised third parties.

The objective of our staff training is to ensure that all employees of WSN are well-informed and trained on the principles and practices of GDPR.

4.2 Training Type & Frequency

We employ training as follows:
Training Type and Description:
Induction Training: All new employees shall undergo GDPR induction training as part of the onboarding process. This will include an overview of GDPR, the company’s data protection policies, and the employee's responsibilities concerning data protection.
Regular Training: Existing employees shall undergo regular training at least once a year to ensure they are up to date with any changes or updates in data protection regulations and company policies.
Targeted Training: Employees in roles that involve the processing of personal data shall receive additional targeted training addressing the specific data protection considerations relevant to their role.

4.3 Data Protection Awareness
To foster a data protection culture within WSN, where data protection is regarded as a fundamental responsibility by all employees, we:
• Conduct data protection awareness campaigns throughout the year to reinforce the importance of data protection.
• Disseminate educational resources and materials, such as posters, brochures, and online content, to employees that emphasise best practices in data protection.
• Establish and maintain communication channels (such as the monthly “town-hall” meeting) through which employees can ask questions, raise concerns, and provide feedback regarding data protection practices.

4.4 Ongoing Compliance
To ensure that data protection practices remain compliant with GDPR and that employees consistently observe these practices, WSN applies the following measures:
• Regular audits and assessments are conducted to evaluate compliance with data protection policies and GDPR.
• Feedback from employees, as well as findings from compliance monitoring, are used to continuously improve data protection practices.
• Employees must report any non-compliance they become aware of. Non-compliance with data protection policies may be subject to disciplinary action in accordance with company policy.
• Employees can report any issues or concerns about data protection through the established reporting mechanism. Reports can be made anonymously, and no employee shall be subject to retaliation for making a report in good faith.
5 International Data Transfers Policy
5.1 Introduction
WSN recognizes the importance of safeguarding personal data, especially when it is transferred across borders. This policy sets out the principles and procedures that WSN follows when transferring personal data internationally. This policy applies to all international transfers of personal data by WSN, whether as a data controller or processor. For the avoidance of doubt, this policy refers to a transfer of personal data to a country outside of the European Economic Area (EEA).

5.2 Transfer Mechanisms
When transferring personal data outside the EEA, WSN will use appropriate transfer mechanisms compliant with data protection laws, such as adequacy decisions, standard contractual clauses, binding corporate rules, or specific exceptions.

5.3 Adequacy Decisions
WSN may transfer personal data to countries that the European Commission has deemed to provide an adequate level of data protection. No additional safeguards are required for transfers to these countries.

5.4 Standard Contractual Clauses
For transfers to countries that have not received an adequacy decision, WSN may use Standard Contractual Clauses (SCCs) approved by the European Commission. These clauses provide contractual obligations on both the data exporter and importer, ensuring that the transfer complies with data protection standards.

5.5 Binding Corporate Rules
If WSN engages in intra-group international data transfers, Binding Corporate Rules (BCRs) may be used as a basis for transfers. BCRs are internal rules that define the global data protection policy with regard to international data transfers within the same corporate group or union.

5.6 Exceptions for Specific Situations
In the absence of an adequacy decision, SCCs, or BCRs, WSN may rely on specific derogations in exceptional cases, such as explicit consent, the performance of a contract, or the establishment, exercise, or defense of legal claims.

5.7 Documentation and Record-Keeping
WSN shall keep records of all international data transfers, including the type of data transferred, the countries involved, and the transfer mechanism used.

5.8 Review and Monitoring
This policy will be reviewed at least annually or more frequently if required by changes in data protection laws or business practices.


6 Data Subject Rights
6.1 Introduction
WSN is committed to protecting the privacy and rights of individuals whose personal data is processed by our organization. This policy outlines the rights of data subjects in accordance with the General Data Protection Regulation (GDPR) and how these rights can be exercised. This policy applies to all personal data processing activities undertaken by WSN and concerns all individuals whose personal data is processed (data subjects).

6.2 Data Subject Rights
Right and Description:
1. Right to Be Informed: Data subjects have the right to be informed about the collection and use of their personal data. WSN will provide clear and transparent information about why we are processing personal data, the categories of data processed, and the recipients or categories of recipients of the personal data.
2. Right of Access: Data subjects have the right to access their personal data and obtain a copy of it. Upon request, WSN will provide a copy of the personal data being processed, free of charge, within one month of the request.
3. Right to Rectification: Data subjects have the right to have inaccurate personal data rectified or completed if it is incomplete. WSN will rectify the data within one month of the request or inform the data subject if an extension is needed.
4. Right to Erasure (‘Right to Be Forgotten’): Data subjects have the right to have their personal data erased in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected. WSN will respond to the erasure request within one month.
5. Right to Restrict Processing: Data subjects have the right to request the restriction of processing of their personal data in specific circumstances, such as when the accuracy of the data is contested. During the period of restriction, WSN will only store the data and not process it further.
6. Right to Data Portability: Data subjects have the right to receive personal data they have provided in a structured, commonly used, and machine-readable format. They also have the right to request that WSN transmit this data directly to another controller.
7. Right to Object: Data subjects have the right to object to the processing of their personal data for direct marketing purposes, or when processing is based on legitimate interests or the performance of a task in the public interest/exercise of official authority.
8. Rights Related to Automated Decision Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or significantly affects them. WSN will inform data subjects if automated decision-making is used and provide information on the logic involved and the significance and consequences of the processing.

6.3 Exercising Data Subject Rights
Data subjects may exercise their rights by contacting WSN’s Data Protection Officer (DPO) through the contact details set out in section 2 of this document. WSN will acknowledge receipt of the request and will respond within one month. In complex cases or when there are multiple requests, this period may be extended by two further months, in which case the data subject will be informed of the extension.

7 Data Subject Access Request Policy

7.1 Introduction
As part of the day-to-day operation of the organisation, WSN’s staff engage in active and regular exchanges of information with Data Subjects. Where a valid, formal request is submitted by a Data Subject in relation to the personal data held by WSN which relates to them, such a request gives rise to access rights in favour of the Data Subject.
Data subjects' privacy and data protection rights are very important to us. The object of this Data Access Request Policy is to define the procedure that permits data subjects to access their personal data, and to have it amended if found to be incorrect, in accordance with the Data Protection Acts 1988 and 2003 (the Data Protection Acts).

7.2 Right to Establish Existence of Personal Data (Section 3 of Data Protection Act)
Under section 3 of the Data Protection Acts an individual may write to WSN asking whether we keep any personal data in relation to him or her. Where we hold such personal data for this individual, we shall respond within 21 days of receipt of the request, giving the individual a description of the data we hold on him/her and the purposes for which it is kept. The requestor does not have to pay a fee for making a request of this type under section 3 of the Data Protection Acts. The request shall be in writing to us at WSN, 4 The Fairways, Maryborough Hill, Douglas T12T9VK, Ireland, stating that the request is under section 3 of the Data Protection Acts. Please note that before responding to such a request, WSN may require the requestor to provide us with satisfactory evidence of his/her identity and address. We do not accept section 3 requests via telephone, email or text message.

7.3 Making an Access Request (Section 4 of the Data Protection Act)
Under section 4 of the Data Protection Acts, the requestor may receive a copy of his/her personal data held by WSN upon written request. In order to respond to a request made under section 4, WSN shall ask the data subject to:

• Complete, date and sign the Access Request Form and be as specific as possible about the information to access, attach a photocopy of your proof of identity and address to the Access Request Form and post the Access Request Form to: Data Protection Officer, WSN, 15-16 Leinster Street S, Dublin 2. Please note we reserve the right not to process and release data requested where you have not complied with the requirements of section 4 of the Data Protection Acts, including where the request is not made in writing; where the request is made via telephone, email or text message; or where the request is manifestly unfounded or excessive.
• On receiving the fully completed Access Request Form, the proof of identity and address and the prescribed fee, WSN shall respond within the statutory period of forty (40) days. If the requestor is not satisfied with the outcome of the access request, he/she is entitled to make a complaint to the Data Protection Commissioner, who may investigate the matter for the requestor. The process is as follows:
Step and Description:
1. Authentication of the Requestor’s Identity
Before processing the Data Access Request, WSN verifies the identity of the person making the request to ensure that they are the data subject or an authorised representative. This might involve asking for proof of identity, such as a copy of a government-issued ID.

2. Logging and Acknowledgement of the Request
Once the identity is verified, the request is logged, and an acknowledgment is sent to the data subject. The acknowledgment includes information on the expected timeline for the completion of the request, which must be within one month according to GDPR.

3. Evaluation of the Request
The Data Protection Officer (DPO) or designated person evaluates the request to determine what data is being sought and to ensure that providing such data does not infringe on the rights and freedoms of other individuals.

4. Data Retrieval
The relevant departments are notified to retrieve all the personal data pertaining to the data subject. This might include data stored in different formats, such as databases, email records, or paper files.

5. Review and Compilation of Data
The retrieved data is reviewed to ensure that only the personal data requested is included. It is then compiled into a format that is understandable and accessible to the data subject.

6. Provision of Data to the Requestor
The data is provided to the data subject, along with an explanation of the types of data processed, the purposes of processing, and information on their rights to rectification or erasure. This information is communicated in a concise, transparent, and easily accessible form.

7. Document the Process
WSN keeps a record of the Data Access Request, including the date it was received, the steps taken, and the date the information was provided to the data subject. This documentation is important for demonstrating compliance with GDPR.

8. Follow-up and Feedback
After providing the data, WSN informs the data subject that they can contact the DPO if they have any questions or need further clarification regarding their data. Additionally, WSN asks for feedback on how the process was handled in order to improve future Data Access Requests.

9. Closing the Request
Finally, the request can be closed once the data subject has been provided with the information they requested and all other necessary actions have been taken.


7.4 Responsibility and Review
• Overall responsibility for ensuring compliance with requests made under the Data Protection Acts rests with WSN; however, our responsibility varies depending upon whether we are acting as a data controller or a data processor. All employees and contractors of WSN who separately collect, control or process the content and use of personal data are individually responsible for compliance with the Data Protection Acts.
• This Access Request Policy will be reviewed regularly in light of any legislative or other relevant developments.

8 Data Breach Policy & Management Procedure

8.1 Introduction
This section outlines the policy and management procedures that should be followed by WSN in the event of a data breach. A data breach is defined as an incident where personal data is lost, disclosed, accessed, altered, or destroyed in an unauthorised manner.

8.2 Identifying a Data Breach
It is our policy to proactively identify data breaches and apply the following procedures:
• Systems are monitored regularly to detect unusual activity or unauthorised access to personal data.
• Clear channels are established for employees and third parties to report suspected data breaches.
• Once a data breach or a suspected data breach is identified, it is reported immediately to the Data Protection Officer (DPO) and the incident response team.

8.3 Response and Containment
Once a breach is identified, an Incident Response Team (IRT) is established, led by the DPO, which includes representatives from all relevant departments, including IT, legal and communications. The IRT will first assess the breach to determine its scale, the data involved, and the potential consequences.
Once these parameters have been established, the IRT will work to contain the breach by isolating the affected systems, revoking access, or taking other necessary steps to prevent further data loss or unauthorised access. All actions taken by the IRT are documented, including the nature of the breach, the data involved, and the steps taken to contain it.

8.4 Notification to Supervisory Authority
If a data breach is likely to result in a risk to the rights and freedoms of individuals, WSN must notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
The notification must include details of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach.
The DPO is responsible for contacting the supervisory authority.

8.5 Communication to Data Subjects
If the data breach is likely to result in a high risk to the rights and freedoms of individuals, those individuals must be informed without undue delay. The communication to the data subjects should describe the nature of the breach, the steps they can take to protect themselves, and what measures have been taken by WSN to mitigate the risks. Communication channels such as email, telephone, or postal mail are used depending on the nature of the data breach.

8.6 Documentation and Record Keeping
The following documentation and records are maintained:

Documentation and Description:
Incident Report: An incident report should be created by the IRT documenting the breach, the response, and the subsequent actions taken.
Records Management: All documentation related to the data breach should be securely stored and managed in accordance with GDPR requirements.
Lessons Learned: The IRT should conduct a review of the incident to determine any lessons learned and, if necessary, update policies and procedures accordingly.


8.7 Post-incident Analysis and Follow-up
After the data breach incident is resolved, a thorough review, led by the DPO, is conducted to assess how the breach occurred and how it was handled. Based on the post-incident analysis, data security policies and procedures may need to be updated to prevent future data breaches. The DPO will ensure that staff members are trained or re-trained in data security best practices, especially if the breach was due to human error.

9 Data Collection Policy & Procedure

9.1 When should Customer Data be collected?

When migrated, stored or processed within or to an environment managed by WSN, data ownership of this Customer Data will NOT transfer to WSN. The Customer will remain the ‘data controller’ while WSN functions as the ‘data processor’. Additional processor agreements will define the detailed role of WSN in processing and protecting this Customer Data.

It is WSN’s policy that collecting Customer Data, especially ‘live data’, should be a ‘last resort’. WSN should aim to collect and process Customer Data only when it is vital to resolving a support or technical issue, executing an agreement with the Customer, or required for product development, verification and/or validation.

It is WSN’s policy that the collection of ‘sensitive personal data’ (data that relates to an individual’s racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health condition, sexual life, the commission or alleged commission of any offence or proceedings for any actual or alleged offence, the disposal of such proceedings, or the sentence of any court in such proceedings) should be avoided. If the collection of this kind of personal data is unavoidable, the data should be clearly marked as ‘Sensitive’ and subjected to additional safeguards.

9.2 How should Customer Data be collected?

If it is necessary to collect Customer Data based on one or more of the reasons mentioned previously, the Customer Data must be directly collected from the Customer and not from a third party (unless you have the consent of the Customer). To comply with this requirement, the following points should be considered:

• Where possible you should request that the Customer submits ‘test data’ (i.e. not ‘live data’). The type of data that is supplied should always be clearly indicated as ‘Test Data’ or ‘Live Data’. You must gain email or an alternative form of written confirmation from the Customer that the Customer Data is ‘test data’. If you are unable to obtain written confirmation, you must assume that the Customer Data is ‘live data’. You should, where practically possible, never accept data containing live personal bank account or credit card details, and you should, where practically possible, request the Customer to scramble or remove such data before providing it to us.
• Customers must always be informed of:
o The purpose(s) for which WSN is collecting and processing their data;
o The identity of WSN as the ‘data processor’ for statutory purposes and how they may contact WSN;
o How their data will be stored by WSN;
o Their rights regarding the collection and processing of their data, including but not limited to, the right of access, the right to rectification, the right to erasure, the right to data portability, and the right to object.
• When Customer Data is provided electronically, the aim must be to ensure that appropriate security measures are in place to protect the Customer Data when it is being transferred from the Customer to WSN. Such security measures include, but are not limited to:
o Secure FTP (file transfer protocol) methods. Support desk and Technical Services have appropriate means of providing this when required;
o Removable media (e.g. CD/DVD/hard drive/tape media) sent by secure or registered post; and
o Encrypted e-mail when other methods are not available, or for urgency on behalf of the Customer.
• Prior to accepting ‘live data’, permission must be sought from either your local quality manager (where applicable), your company manager, or the Data Protection Officer.
• You should always consider whether Customer Data will need to be transferred to other companies within the WSN group or to other third parties (e.g. to fulfil a service request). If Customer Data needs to be transferred to another party, the Customer must always be notified and their consent obtained before the transfer takes place. Sensitive data (as described in section 9.1) must never be transferred outside of the European Economic Area (EEA). For every change in the data transfer process, consent must be obtained from the Customer.

It is important to keep in mind that once Customer Data has been collected, it should only be retained by WSN for as long as there is a business need to retain it or as required under any applicable data retention periods. For every data processing activity a retention schedule must be in place to ensure that data retention occurs in accordance with the GDPR and other applicable laws. If you have any questions regarding these data retention periods, please contact your local quality manager (where applicable) or the Global Data Protection Officer in Utrecht, the Netherlands.

9.3 Restrictions on the use of Customer Data

The use of Customer Data is bound to restrictions. Customer Data must:
• Only be accessed and used when there is a specific business purpose to do so;
• Not be:
o Used for electronic direct marketing (for example, by e-mail, fax, telephone and/or SMS) without having previously gained the Customer's consent to such use;
o Used for your own personal purposes; or
o Shared with third parties (unless approved by the Customer).

When you have a business need to access and use Customer Data, you must:
• Only use Customer Data for the purpose for which it was collected; and
• Obtain consent if you need to use the Customer Data for a new purpose.

9.4 Retention of Customer Data
All Customer Data is to be deleted or returned to the Customer immediately following completion of the purpose for which it was collected, unless WSN is:
• Expressly asked to keep it by the Customer; or
• Required to keep the Customer Data in accordance with any applicable data retention periods. If you have any questions relating to these data retention periods, please contact your local quality manager (where applicable) or the Global Data Protection Officer in Utrecht, the Netherlands.

Any Customer Data retained by WSN must only be stored in locked machine rooms (preferably in safes) and must not, where practically possible, be stored on WSN laptops or other mobile storage media.

9.5 Requests from Customers regarding Customer Data

When a Customer exercises their rights regarding the collection and processing of their data, you must escalate any such request immediately to your local quality manager (where applicable) or the Global Data Protection Officer.

9.6 General remarks regarding Customer Data outside of the office
It is WSN’s policy that Customer Data (whether ‘live data’ or ‘test data’) must not be taken out of the office/off-site on laptops, memory sticks, USB sticks, CDs or other storage media without the prior written permission of both the Customer and your manager.

Where you have gained consent, you must ensure that:
• The Customer Data and storage media on which it is held is not left in an unlocked car or unattended in a place where it could be viewed or removed by others; and
• Any and all security systems on the storage media on which the Customer Data is held (such as password protection and disk encryption) are activated.
