Opting Out Data Protection Policy

Introductory Statement

Opting Out’s Data Protection Policy applies to the personal data held by Arukas Limited, (the limited company that owns Optingout.ie), which is protected by the EU General Data Personal Regulation (GDPR).

The policy applies to all users of Opting Out insofar as the measures under the policy relate to them. No private information will be requested by Opting Out from schools. However, data will be stored securely, so that all information is protected in compliance with relevant legislation. This policy sets out the manner in which data will be protected by the site.

Data Protection Principles

The webmaster is the data controller of personal data relating to its past, present and future users of Opting Out. As such, the site is obliged to comply with the principles of data protection set out in the Data Protection Acts 1988 to 2018 and GDPR, which can be summarised as follows:

Obtain and process Personal Data fairly

Information on users is gathered through their interaction with the website. In relation to information the site holds on individuals, the information is generally furnished by individuals within schools themselves and/or families that send their children to these schools with full and informed consent and compiled during the course of their use or contact with the site. However, the site is open to any member of the public and, as such, any inaccurate information can be removed within 1 month of receiving notification. All such data is treated in accordance with the Data Protection legislation and the terms of this Data Protection Policy. The information will be obtained and processed fairly.

Consent

Any member of the public can register a school on Opting Out. However, consent for this information to be uploaded to this website can be withdrawn by schools at any time. 

Keep it only for one or more specified and explicit lawful purposes

Opting Out collects users’ data to: 

  • create statistical information about how schools accommodate children and teachers from minority and non-faith backgrounds
  • provide a searchable portal for users to find schools with opting out policies
  • publish blog posts and social media posts with information gained from data provided by schools

Process it only in ways compatible with the purposes for which it was given initially

Data relating to individuals will only be processed in a manner consistent with the purposes for which it was gathered. These reasons are outlined above.

Keep Personal Data safe and secure

Only those with a genuine reason for doing so may gain access to the information. All data is stored on Blacknight’s shared server.

Keep Personal Data accurate, complete and up-to-date

Users have full control over the data they provide to the school and can log into the site at any time to make changes. For any part of the website, schools can request any piece of information about their specific school to be removed from the website by contacting the website. Once informed, the site will make all necessary changes to the relevant records within 1 month. 

Ensure that it is adequate, relevant and not excessive

Only the necessary amount of information required to provide an adequate service will be gathered and stored.

Retain it no longer than is necessary for the specified purpose or purposes for which it was given

As a general rule, the information will be kept online unless the user specifically asks for all of their information to be removed from the site. Once data is deleted, it is irretrievable and a school will have to re-register on the site.

Provide a copy of their personal data to any individual on request

Individuals have a right to know and have access to a copy of personal data held about them, by whom, and the purpose for which it is held. 

Scope

The Data Protection legislation applies to the keeping and processing of any Data. The purpose of this policy is to assist the site to meet its statutory obligations, to explain those obligations to users how their data will be treated

The policy applies to all users of the website, Opting Out.ie.

Definition of Data Protection Terms

In order to properly understand the school’s obligations, there are some key terms, which should be understood by all users of Opting Out.ie:

Personal Data means any data relating to an identified or identifiable natural person i.e. a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller (BoM)

Data Controller is the webmaster of Opting Out.ie, Simon Lewis.

Data Subjectis an individual who is the subject of personal data

Data Processing – performing any operation or set of operations on data, including:

  • Obtaining, recording or keeping the data,
  • Collecting, organising, storing, altering or adapting the data
  • Retrieving, consulting or using the data
  • Disclosing the data by transmitting, disseminating or otherwise making it available
  • Aligning, combining, blocking, erasing or destroying the data

Data Processor – a person who processes personal information on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of their employment, for example, this might mean an employee of an organisation to which the data controller out-sources work. The Data Protection legislation places responsibilities on such entities in relation to their processing of the data.

Personal Data Breacha breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. This means any compromise or loss of personal data, no matter how or where it occurs

Rationale

In addition to its legal obligations under the broad remit of educational legislation, the company has a legal responsibility to comply with the Data Protection Acts 1988 to 2018 and the GDPR

This policy explains what sort of data is collected, why it is collected, for how long it will be stored and with whom it will be shared. The company takes its responsibilities under data protection law very seriously and wishes to put in place safe practices to safeguard individual’s personal data. It is also recognised that recording factual information accurately and storing it safely facilitates an evaluation of the information, enabling the directors to make decisions in respect of the efficient running of the site. The efficient handling of data is also essential to ensure that there is consistency and continuity where there are changes of personnel within the company.

Other Legal Obligations

Implementation of this policy takes into account the company’s other legal obligations and responsibilities.

Personal Data

The Personal Data records held by the company may include:

1. User records:

Categories of user data:

As well as existing users (and former users), these records may include:

  • Password and Email Address
  • Personal Information supplied by the school

Purposes:

User records are kept for the purposes of:

  • Being able to log into the site to make changes to the school’s profile

All other information should not fall under the category of “personal data” such as the school’s name, address, etc. This website does not ask for any other personal data and will only publish what is provided by the person registering on the website.

All data is used for statistical purposes which will be published.

Location and Security procedures of Aruskas Limited

  1. All records are digital. These records are stored on a password-protected cloud-based server (Blacknight).

Processing in line with a data subject’s rights

Data in this company will be processed in line with the data subject’s rights. Data subjects have a right to:

  • Know what personal data the company is keeping on them
  • Request access to any data held about them by a data controller
  • Prevent the processing of their data for direct-marketing purposes from companies not under the Arukas Limited umbrella of sites.
  • Ask to have inaccurate data amended
  • Ask to have data erased once it is no longer necessary or irrelevant.

Data Processors

The data processor is Simon Lewis.

Personal Data Breaches

All incidents in which personal data has been put at risk must be reported to the Office of the Data Protection Commissioner within 72 hours

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the company must communicate the personal data breach to the data subject without undue delay

If a data processor becomes aware of a personal data breach, it must bring this to the attention of the data controller without undue delay.

Dealing with a data access request

Individuals are entitled to a copy of their personal data on written request

The individual is entitled to a copy of their personal data

Request must be responded to within one month.

No fee may be charged except in exceptional circumstances where the requests are repetitive or manifestly unfounded or excessive

No personal data can be supplied relating to another individual apart from the data subject

Providing information over the phone

Arukas Limited will not provide information by phone to any users. All interactions will take place online.