Opting Out Data Protection Policy
Opting Out’s Data Protection Policy applies to the personal data held by Arukas Limited, (the limited company that owns Optingout.ie), which is protected by the EU General Data Personal Regulation (GDPR).
The policy applies to all users of Opting Out insofar as the measures under the policy relate to them. No private information will be requested by Opting Out from schools. However, data will be stored securely, so that all information is protected in compliance with relevant legislation. This policy sets out the manner in which data will be protected by the site.
Data Protection Principles
The webmaster is the data controller of personal data relating to its past, present and future users of Opting Out. As such, the site is obliged to comply with the principles of data protection set out in the Data Protection Acts 1988 to 2018 and GDPR, which can be summarised as follows:
Obtain and process Personal Data fairly
Information on users is gathered through their interaction with the website. In relation to information the site holds on individuals, the information is generally furnished by individuals within schools themselves and/or families that send their children to these schools with full and informed consent and compiled during the course of their use or contact with the site. However, the site is open to any member of the public and, as such, any inaccurate information can be removed within 1 month of receiving notification. All such data is treated in accordance with the Data Protection legislation and the terms of this Data Protection Policy. The information will be obtained and processed fairly.
Any member of the public can register a school on Opting Out. However, consent for this information to be uploaded to this website can be withdrawn by schools at any time.
Keep it only for one or more specified and explicit lawful purposes
Opting Out collects users’ data to:
- create statistical information about how schools accommodate children and teachers from minority and non-faith backgrounds
- provide a searchable portal for users to find schools with opting out policies
- publish blog posts and social media posts with information gained from data provided by schools
Process it only in ways compatible with the purposes for which it was given initially
Data relating to individuals will only be processed in a manner consistent with the purposes for which it was gathered. These reasons are outlined above.
Keep Personal Data safe and secure
Only those with a genuine reason for doing so may gain access to the information. All data is stored on Blacknight’s shared server.
Keep Personal Data accurate, complete and up-to-date
Users have full control over the data they provide to the school and can log into the site at any time to make changes. For any part of the website, schools can request any piece of information about their specific school to be removed from the website by contacting the website. Once informed, the site will make all necessary changes to the relevant records within 1 month.
Ensure that it is adequate, relevant and not excessive
Only the necessary amount of information required to provide an adequate service will be gathered and stored.
Retain it no longer than is necessary for the specified purpose or purposes for which it was given
As a general rule, the information will be kept online unless the user specifically asks for all of their information to be removed from the site. Once data is deleted, it is irretrievable and a school will have to re-register on the site.
Provide a copy of their personal data to any individual on request
Individuals have a right to know and have access to a copy of personal data held about them, by whom, and the purpose for which it is held.
The Data Protection legislation applies to the keeping and processing of any Data. The purpose of this policy is to assist the site to meet its statutory obligations, to explain those obligations to users how their data will be treated
The policy applies to all users of the website, Opting Out.ie.
Definition of Data Protection Terms
In order to properly understand the school’s obligations, there are some key terms, which should be understood by all users of Opting Out.ie:
Personal Data means any data relating to an identified or identifiable natural person i.e. a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller (BoM)
Data Controller is the webmaster of Opting Out.ie, Simon Lewis.
Data Subject – is an individual who is the subject of personal data
Data Processing – performing any operation or set of operations on data, including:
- Obtaining, recording or keeping the data,
- Collecting, organising, storing, altering or adapting the data
- Retrieving, consulting or using the data
- Disclosing the data by transmitting, disseminating or otherwise making it available
- Aligning, combining, blocking, erasing or destroying the data
Data Processor – a person who processes personal information on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of their employment, for example, this might mean an employee of an organisation to which the data controller out-sources work. The Data Protection legislation places responsibilities on such entities in relation to their processing of the data.
Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. This means any compromise or loss of personal data, no matter how or where it occurs
In addition to its legal obligations under the broad remit of educational legislation, the company has a legal responsibility to comply with the Data Protection Acts 1988 to 2018 and the GDPR
This policy explains what sort of data is collected, why it is collected, for how long it will be stored and with whom it will be shared. The company takes its responsibilities under data protection law very seriously and wishes to put in place safe practices to safeguard individual’s personal data. It is also recognised that recording factual information accurately and storing it safely facilitates an evaluation of the information, enabling the directors to make decisions in respect of the efficient running of the site. The efficient handling of data is also essential to ensure that there is consistency and continuity where there are changes of personnel within the company.
Other Legal Obligations
Implementation of this policy takes into account the company’s other legal obligations and responsibilities.
The Personal Data records held by the company may include:
1. User records:
Categories of user data:
As well as existing users (and former users), these records may include:
- Password and Email Address
- Personal Information supplied by the school
User records are kept for the purposes of:
- Being able to log into the site to make changes to the school’s profile
All other information should not fall under the category of “personal data” such as the school’s name, address, etc. This website does not ask for any other personal data and will only publish what is provided by the person registering on the website.
All data is used for statistical purposes which will be published.
Location and Security procedures of Aruskas Limited
- All records are digital. These records are stored on a password-protected cloud-based server (Blacknight).
Processing in line with a data subject’s rights
Data in this company will be processed in line with the data subject’s rights. Data subjects have a right to:
- Know what personal data the company is keeping on them
- Request access to any data held about them by a data controller
- Prevent the processing of their data for direct-marketing purposes from companies not under the Arukas Limited umbrella of sites.
- Ask to have inaccurate data amended
- Ask to have data erased once it is no longer necessary or irrelevant.
The data processor is Simon Lewis.
Personal Data Breaches
All incidents in which personal data has been put at risk must be reported to the Office of the Data Protection Commissioner within 72 hours
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the company must communicate the personal data breach to the data subject without undue delay
If a data processor becomes aware of a personal data breach, it must bring this to the attention of the data controller without undue delay.
Dealing with a data access request
Individuals are entitled to a copy of their personal data on written request
The individual is entitled to a copy of their personal data
Request must be responded to within one month.
No fee may be charged except in exceptional circumstances where the requests are repetitive or manifestly unfounded or excessive
No personal data can be supplied relating to another individual apart from the data subject
Providing information over the phone
Arukas Limited will not provide information by phone to any users. All interactions will take place online.