Wednesday, 13 June 2018

Questions (202)

Catherine Murphy

Question:

202. Deputy Catherine Murphy asked the Minister for Employment Affairs and Social Protection the steps she took in the context of GDPR to ensure her Department's transfer of personal data of persons to Seetec and Turas Nua was compliant with GDPR rules; if she has had engagement with JobPath operators on the way in which they are compliant with GDPR rules in the context of processing and storing personal data of persons; and if she will make a statement on the matter. [25845/18]

View answer

Written answers (Question to Employment)

My Department collects and holds large volumes of personal data on customers and is very aware of the need to have adequate data protection policies, procedures and structures in place in line with the GDPR. Preparations for the GDPR have been overseen by the Department’s Data Management Programme Board. The Department has a dedicated GDPR implementation team in place and has commissioned external expertise to assist it with achieving GDPR compliance.

All contracted providers of Activation services act on behalf of the Department for the purpose of delivering these services and are subject to strict obligations imposed by the Department in terms of data protection.

The purpose of sharing information is to assist in the development of tailored plans for individual jobseekers in order to support them back into paid employment.

JobPath providers are contractually required to register with the Office of the Data Protection Commissioner. Data protection legislation requires that personal data shall be kept only for one or more specified and lawful purposes and that personal data shall be used and disclosed only in ways compatible with these purposes. The legislation also requires that the data should be adequate, relevant and not excessive. Any suspected breach of the data protection legislation will be investigated by the Department and may also be a matter for the Office of the Data Protection Commissioner. JobPath providers may use jobseekers’ data only for the purposes of delivering employment services for the Department.

My Department has regular meetings with both JobPath providers to ensure that they are fulfilling their contractual obligations including those concerned with data protection compliance. Both companies have undertaken regular independent audits of their data processes and procedures as part of these contractual obligations, in addition, the Office of the Data Protection Commissioner has recently conducted audits of each company. Employees of both companies, and their subcontractors, are subject to the same data protection laws as Departmental staff.

I hope this clarifies the matter for the Deputy.