Dáil Éireann Debate, Wednesday - 27 June 2018
251. Deputy John Brady asked the Minister for Employment Affairs and Social Protection if JobPath providers (details supplied) have been trained on the new GDPR rules; and if she will make a statement on the matter. [28179/18]
View answerMy Department collects and holds large volumes of personal data on customers and is very aware of the need to have adequate data protection policies, procedures and structures in place in line with the GDPR. Preparations for the GDPR have been overseen by the Department’s Data Management Programme Board. The Department has a dedicated GDPR implementation team in place and has commissioned external expertise to assist it with achieving GDPR compliance. While my Department already has strict data protection guidelines, policies and procedures, all have been subject to review and updated to ensure that the processing of all personal data is GDPR compliant. All data sharing arrangements are also being reviewed to ensure compliance with the Regulation.
Contracted providers of Activation services act on behalf of the Department for the purpose of delivering these services and are subject to strict obligations imposed by the Department in terms of data protection.
JobPath providers are contractually required to register with the Office of the Data Protection Commissioner. Data protection legislation requires that personal data shall be kept only for one or more specified and lawful purposes and that personal data shall be used and disclosed only in ways compatible with these purposes. The legislation also requires that the data should be adequate, relevant and not excessive. Any suspected breach of the data protection legislation will be investigated by the Department and may also be a matter for the Office of the Data Protection Commissioner.
My Department has regular meetings with both JobPath providers to ensure that they are fully aware of and are fulfilling their contractual obligations, including those concerned with data protection regulations. Both companies have undertaken regular independent audits of their data processes and procedures as part of these contractual obligations. In addition, the Office of the Data Protection Commissioner has recently conducted audits of each company. Employees of both companies, and their subcontractors, are subject to the same data protection laws as Departmental staff.
I hope this clarifies the matter for the Deputy.
