- About Us
- Funding Programmes
- Events and Training
Cavan County Childcare Committee, in conducting its business, needs to gather and use certain information about individuals.
This can include parents, childcare staff and committee members, clients, suppliers, business contacts, employees and other
people that we have a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet data protection standards and to
comply with GDPR.
This policy aims to ensure that Cavan County Childcare Committee:
Complies with data protection law and follows good practice
Protects the rights of staff, clients and partners
Is open about how it stores and processes individuals’ data
Protects itself from the risks of a data breach
This policy applies to:
All staff & Committee members of Cavan County Childcare Committee
All volunteers and students on work experience
All contractors, suppliers and other people working on behalf of Cavan County Childcare Committee
It applies to all data that the company holds and has access to relating to identifiable individuals and can include:
Names of individuals
Dates of Birth
Financial information including social welfare payments as part of CCSP eligibility
Plus any other information relating to individuals
Data protection risks
This policy helps to protect Cavan County Childcare Committee rom some very real data security risks including:
Breaches of confidentiality. For instance, information being given out inappropriately
Failing to offer choice. For instance, all individuals should be free to choose how their personal data is used
Reputational damage. In case of a data breach, data used for fraud or if hackers gained access to sensitive data
Everyone working for or with Cavan County Childcare Committee has some responsibility to ensure that data is collected, stored
and handled appropriately. Each staff member must ensure that they handle and process data in line with this policy and data
protection principles (see Appendix 1)
General Staff Guidelines
Only data needed for your work should be accessed
Data should not be shared informally and should not be disclosed to unauthorised people
Management will support staff to understand their responsibilities in regards to the implementation of this policy
All data should be kept secure by taking sensible precautions
Strong passwords should be used, passwords should never be shared, desktop computers should not be set to
Data should be regularly reviewed and updated if it is found to be out of date. If no longer required it should be deleted
and disposed of
Staff should request help from the manager or data protection officer if they are unsure about any aspect of data
The board of directors is ultimately responsible for ensuring that Cavan County Childcare Committee meets its legal obligations
Data Protection Officer
The Data Protection Officer, Treasa Quigley, is responsible for:
Informing and advising colleagues and the Committee of their data protection obligations and keeping them aware about
data protection responsibilities, risks and issues
Monitoring the organisation’s GDPR compliance and reviewing all data protection procedures and related policies in line
with an agreed schedule
Handling data protection questions from staff and anyone else covered by this policy
Working with other staff as necessary to ensure initiatives abide by data protection principles and approving any data
protection statements attached to communications such as emails and letters
Dealing with requests from individuals to see the data Cavan County Childcare Committee holds about them (also called
“subject access requests”)
Provide advice regarding privacy impact assessments
Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data and
evaluating third party services used to store or process data (e.g. cloud computing services)
Addressing any data protection queries from outside of the organisation
Acting as a point of contact and co-operate with the data protection authority as required
Responsibilities of IT services contracted by Cavan County Childcare Committee
Ensuring all systems, services and equipment used for storing data meet acceptable security standards
Providing CCCC with verification statements and information in regards to the computer systems provided
Performing regular checks and scans to ensure security hardware and software is functioning properly
We ensure that data is collected lawfully, fairly and transparent by considering that consent is freely given, that there are
opportunities offered to withdraw consent and to correct data held.
Staff of Cavan County Childcare Committee will carry out a data inventory on a regular basis to establish that all data is held in
accordance with GDPR
Data stored on paper should be kept in a secure place in locked filing cabinet where unauthorised people cannot see it. This also
applies to data usually stored electronically that has been printed:
When not required the paper or files should be kept in a locked drawer or filing cabinet
Staff must ensure that paper or printouts are not left where unauthorised people could see them, e.g. on the printer
Data printouts should be shredded and disposed of securely when no longer required
Data stored electronically must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
Data should be protected by strong passwords that are changed regularly and never shared only with Coordinator(in the
event of sickness or annual leave)
Data stored on removable media (CD, DVD, USB) should be kept locked away securely when not being used
Data should only be stored on or uploaded to designated drives and servers
Servers containing personal data should be sited in a secure location away from public office space
Data should be backed up frequently, backups should be tested regularly in line with backup procedures
Data should never be saved directly to laptops or mobile devices like tablets or smart phones
All servers and computers containing data should be protected by approved security software and a firewall
Physical Security of the premises:
alarm system on the premises
locked filing cabinets
online data management systems are password protected
files are stored in appropriate places
shredder used to dispose of documents and printed data
Access Control, data Security:
We are particularly aware that as part of our work we have access to children’s data
Accessing computers, accessing portals (PIP safe & secure platform), access needs of internal staff and is it clearly
linked to the job duties and requirements of the post.
Staff desktop cannot be used for processing provider applications or reports – providers must arrive with their own laptop
and if wifi is needed they need to do so via a hotspot on their mobile phone.
Downloading can only be work related materials and research.
Work related documents, facebook, twitter should only be downloaded or accessed from work related equipment
USB should not be used to download work related documents
It is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
When working with personal data staff should ensure that computers screens are always locked when left unattended or
set to password activated sleep mode after 5 minutes
Computers should be turned off at night or if working from home then have sleep mode activated on desktop screen
Personal data should not be shared informally. It should never be sent by email, as this form of communication is not
Precautions need to be put in place before transferring data electronically (i.e. encryption)
Staff should not save copies of personal data to their own computers or devices, always access the central copy of any
Personal data should never be transferred outside of the European Economic Area
Cavan County Childcare Committee will take reasonable and proportionate steps to ensure data is kept accurate and up to date.
This responsibility is shared by all staff.
Data will be held in as few places as necessary, staff should not create any unnecessary additional data sets.
Staff should take every opportunity to ensure data is updated (i.e. as soon as they become aware of a change or an
inaccuracy, checking details with clients routinely)
Cavan County Childcare Committee aims to make it easy for data subjects to update the information we hold about them,
this is facilitated by regular reviews and ongoing updates as requested by email or phone
Data access requests
All individuals who are the subject of personal data held by Cavan County Childcare Committee are entitled to ask what
information is held about them and why, find out how to gain access to it, be informed how to keep it up to date and have
information on how Cavan County Childcare Committee is meeting its data protection obligations. Any such request will be dealt
with in line with GDPR aiming for a response time of one month
Disclosing data for other reasons:
In certain circumstances (i.e. Child Protection and Welfare) the Data Protection Act allows personal data to be disclosed to
relevant agencies in an appropriate manner without the consent of the data subject.
Data Retention and Erasure
Please see appendix for our detailed DATA RETENTION POLICY
Data Breach Reporting:
Breaches must be reported to the relevant supervisory authority within 72 hours of discovering the breach, unless the breach is
unlikely to result in a risk to the rights of data subjects. Data subjects will be notified if the breach results in “high risk” to them.
Records of all breaches will be kept by data controllers and processors.
Cavan County Childcare Committee aims to ensure that individuals are aware that their data is being processed and that they
understand how the data is being used and how to exercise their rights
Privacy Impact Assessments
Type of Data collected in the course of the work at Cavan County Childcare Committee:
Provider/service contact information & details
Parent/child contact information & details
Interagency contacts & details
Training data & contact details of those attending training
Employee contact data and details / supervisory reports & appraisal
Recruitment & applicant data
Data Processing – Data Mapping throughout the organisation
Each CCCC staff member will process data relevant to their Job role using various systems
We respect your privacy and your rights to control your personal data. We will be clear about what data we collect and why we
collect it. This privacy statement explains the personal information we collect from you, why we collect it, how we will use it and
how we protect it.
Cavan County Childcare Committee collects personal data about you in order to deliver local programmes and actions on behalf
of DCYA. By agreeing to this statement CCCC will hold your personal data as described in this Statement.
Cavan County Childcare Committee is a Controller of the personal data you (the data subject) provide us. We may collect the
following types of personal data from you, about you depending on programme requirements:
Personal Data: date of birth, your address, email address, telephone number, PPS number, social welfare status, bank
account details, DCYA reference number, Tusla reference number, and any other relevant data required.
Why We Collect Your Personal Data?
We use the personal data you share with us so we can communicate with you and disseminate information on behalf of
the DCYA and Pobal and other relevant agencies and stakeholders.
Sharing & Disclosure
We strive to keep your personal data safe and only share it when necessary. We recognise that you have a right to know
that the information you share with CCCC is maintained confidentially. We only disclose your information as authorised in
this Statement. We do not rent or sell your Personal Information to anyone. We may share your personal information with
the third parties listed below.
Who We May Share Your Personal Information With:
Department of Children & Youth Affairs (DCYA)
Pobal PIP System & Pobal Compliance Officers
An Garda Síochána
Tusla Early Years Inspectorate
Health & Safety Authority
National Employment Rights Authority
The Revenue Commissioners
Tusla – Child and Family Agency
Protection of Named Service & others and Disclosures for Law Enforcement
Under certain circumstances CCCC may be required to disclose your Personal Information in response to valid requests by public
authorities to meet law enforcement requirements.
What we do with your data?
Your personal data is stored and processed in CCCC located at CCCC Address.
How long we keep your personal data?
Your records will be kept in line with our data retention policy.
What are your rights?
We use appropriate technical, organisational and administrative security measures to protect all personal data we hold in our
records and keep it secure. Unfortunately, no organisation can guarantee complete security.
Right of Access
Individuals have the right to access their personal data and supplementary information. Please use the Subject Access Request
Form and contact the Manager at email@example.com or in writing at Unit 5 Cavan Enterprise Centre, Killygarry, Dublin
Rd,Cavan. We will acknowledge your request and respond to you within 1 month
Right to Rectification
Please advise the service of any changes in your or your personal information, as soon as possible. Should you believe that any
personal data we hold on you is incomplete or incorrect complete, you have the ability to request to see this information and have
Right to Erasure
In certain circumstances, data subjects have the right to erasure of their data. Please contact the Manager at firstname.lastname@example.org
or in writing at Unit 5 Cavan Enterprise Centre, Killygarry, Dublin Rd, Cavan. We will acknowledge your request and respond to
you within 1 month. This is not an absolute right and only applies in certain circumstances.
Right to Restrict Processing
Individuals have the right to request the restriction or suppression of their personal data. Please contact the Manager at
email@example.com or in writing at Unit 5 Cavan Enterprise Centre, Killygarry, Dublin Rd, Cavan. We will acknowledge your
request and respond to you within 1 month. This is not an absolute right and only applies in certain circumstances.
Right to Object
You have the right to object and be removed from any direct marketing emails
Right to be informed
Right to Portability
Data subjects can ask that their personal data be transferred to them or a third party in machine readable format (Word, PDF,
etc.). However, such requests can only be fulfilled if the data in question is: 1) provided by the data subject to the service, 2) is
processed automatically and 3) is processed based on consent or fulfilment of a contract.
In the event, that you wish to complain about how we have handled your personal data, please contact the Manager of Cavan
County Childcare Committee at firstname.lastname@example.org or in writing at Unit 5 Cavan Enterprise Centre, Killygarry, Dublin Rd, Cavan.
The Manager will then investigate your complaint and work with you to resolve the matter.
If you still feel that your personal data has not been handled appropriately according to the law, you can contact Irish Data
Protection Authority and file a complaint with them.
While all reasonable care has been taken in the compilation and publication of the contents of this web site, Cavan County
Childcare Committee cannot guarantee the accuracy or suitability of the information or materials contained here.
Cavan County Childcare Committee shall not be liable, directly or indirectly, to the user or any other third party for any damage
resulting from the use of the information contained or implied Cavan County Childcare Committee Website.
Cavan County Childcare Committee does not assume legal or other liability for any inaccuracy, mistake, mis-statement or any
other error of whatsoever nature contained herein.
Cavan County Childcare Committee hereby formally disclaims liability in respect of such aforesaid matters.
The information contained within this site is of a condensed and general informational nature only and can change from time to
time. It should not, by itself, be relied upon in determining legal rights or other decisions.
Visitors to the site are advised to verify, by direct and live contact with Cavan County Childcare Committee, any information on
which they may wish to rely.
Cavan County Childcare Committee has endeavoured to attribute copyright or other intellectual rights to the rightful owners where
such course has been appropriate. Where any attribution has been missed or overlooked Cavan County Childcare Committee, on
being informed, will correct this omission.
Users of this website should be aware that where you link to another website Cavan County Childcare Committee has no control
over that other website. Cavan County Childcare Committee has no responsibility for the privacy practices of other websites.
By visiting Cavan County Childcare Committee Website you are accepting this disclaimer.
APPENDIX – DATA RENTENTION POLICY
[Cavan CCC] strives to comply with applicable laws and regulations related to the retention of personal data in Ireland.
This policy outlines the basic rules by which [Cavan CCC] manages the retention of the personal data of parents, children,
suppliers, employees, practitioners, and other individuals that is processed by [Cavan CCC]. The policy sets out the required
retention periods for different categories of data and sets out the minimum standards to be applied when destroying certain
2. Who is this policy for?
All employees either permanent or temporary, all contractors, all volunteers and students, regardless of their length of
employment/placement in the service, are required to read and understand this document, so they are fully aligned with the policy
of [Cavan CCC]. This document will be made available to parents or guardians on request.
This policy applies to all data used at [Cavan CCC]. Examples of data include:
• Hard copy documents
• Soft copy documents
• Video, audio and photographs
• Data generated by physical access control systems (Keypads, Fob systems etc.)
• Social Media
3. Retention Rules
The Co-ordinator/Manager defines the time period (Appendix 1) for which documents and electronic records should be retained
through the Data Retention Schedule. These retention periods are predominantly determined by statutory obligations.
As an exemption, retention periods within the Data Retention Schedule will be prolonged in cases such as:
• Ongoing investigations from Irish authorities, if there is a chance records of personal data are needed by [Cavan CCC] to
prove compliance with any legal requirements; or
• When exercising legal rights during legal cases or similar court proceedings recognised under Irish law.
Safeguarding of Data during Retention Period
If personal data is physically retained in hard copy format this personal data may become out of date quickly and this will be
considered by the Co-ordinator/ Manager. If personal data is retained on electronic storage media (hard drive, server) or in the
cloud, the Owner/ Manager will ensure that backup copies of the information also is available. The 3-2-1 backup strategy will be
used: 3 copies total, 2 local copies, 1 offsite. Responsibility for the storage of data falls to the Co-ordinator/Manager.
Destruction of Data
[Cavan CCC] and its employees will regularly review all data, whether held electronically or in hard copy format, to decide whether
to destroy or delete any data once the purpose for which those documents were created is fulfilled. See Appendix 1 which outlines
the Data Retention Schedule. Overall responsibility for the destruction of data falls to the Co-ordinator/Manager.
Once the decision is made to dispose of personal data according to the Data Retention Schedule, the data will be deleted,
shredded or otherwise destroyed appropriately.
The method of destruction varies and will be dependent upon the nature of the document. For example, any documents that
contain sensitive or confidential information (and particularly sensitive personal data) will be disposed of as confidential waste and
be subject to secure electronic deletion. The Document Disposal Schedule section below defines the method of disposal.
The specific deletion or destruction process may be carried out either by an employee or by an internal or external service
provider that the Owner/ Manager subcontracts for this purpose. Destruction of data is always approved by the Co
ordinator/Manager and the details recorded. Any applicable general provisions under relevant data protection laws and [Cavan
CCC]’s Personal Data Protection Policy shall be complied with.
Appropriate controls are in place to prevent the permanent loss of essential information of [Cavan CCC] as a result of malicious or
unintentional destruction of information. [These controls include restricting access to the filing cabinet to only those who are
permitted to access the data. These controls include password protected access to the IT equipment that stores the data.
The Co-ordinator/Manager shall fully document and approve the destruction process (Appendix 2 gives a sample data disposal
Breach, Enforcement and Compliance
The person appointed with responsibility for Data Protection, the Co-ordinator/Manager, ensures that each employee complies
with this policy. It is also the responsibility of the Owner/ Manager to assist any local office with enquiries from any local data
protection or governmental authority.
Any suspicion of a breach of this Policy must be reported immediately to the Co-ordinator/Manager. All instances of suspected
breaches of the Policy shall be investigated, documented and action taken as appropriate.
Failure to comply with this Policy may result in adverse consequences, including, but not limited to, loss of customer confidence
and possibly litigation, financial loss and damage to [Cavan CCC] reputation, personal injury, harm or loss. Non-compliance with
this Policy by employees, or any third parties, who have been granted access to [Cavan CCC] premises or data, may therefore
result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal
action against the parties involved in such activities.
4. Document Disposal
Routine Disposal Schedule
Records (only those containing personal data) which may be routinely destroyed unless subject to an on-going legal or regulatory
inquiry are as follows:
• Announcements and notices of day-to-day activities;
• Message slips;
• Outing reminder slips;
The Co-ordinator/Manager will determine what documents can be routinely destroyed.
If there is a current court case or legal proceedings, all documents will be retained. Advice will be sought before disposing of
documentation that may be subject to legal proceedings.
Documents that include any personal data shall be disposed of confidentially (cross-cut shredded and incinerated) and shall be
subject to secure electronic deletion if stored electronically. The Data Disposal Schedule will be completed in all cases of
disposing of documents containing personal data. Confirmation of destruction will be sought as needed.