The Houses of the Oireachtas Service respects the rights of all users of our services and we take your privacy seriously.
Whether visiting our website or the Leinster House campus, your data protection rights remain our priority. This is reflected in our data protection policy, which outlines clearly how we comply with our data protection duties.
Overview
Making an access request
To make an access request or to exercise any of your rights under the GDPR or Data Protection Act 2018 you can contact the Service's data protection officer in the following ways:
Phone: +353 (1) 618 4712
email: dataprotection@oireachtas.ie
Postal address: Houses of the Oireachtas Service, Leinster House, Kildare Street, Dublin 2, D02 XR20
Data breaches
A personal data breach includes a breach of security leading to unauthorised disclosure, alteration, loss or destruction of personal data in any form. The Service's full data breach management procedures are also available.
How to exercise your data protection rights
Data protection rights
The following is a list of data protection rights.
- Right to access and information
- Right to rectification
- Right to erasure ("to be forgotten")
- Right to restrict
- Right to data portability
- Right to object
- Right to complain
Data protection policy
1. Introduction
The Houses of the Oireachtas Commission is a corporate body established under the Houses of the Oireachtas Commission Act 2003 as amended. It is the governing body of the Houses of the Oireachtas Service. The Houses of the Oireachtas Service is the public service body that administers the National Parliament of Ireland (the Houses of the Oireachtas) on behalf of the Houses of the Oireachtas Commission. In this Policy, the two are generally referred to as the Service.
This Policy outlines how the Houses of the Oireachtas Service seeks to ensure that it complies with its data protection duties, especially under the General Data Protection Regulation (EU) 2016/679 (the GDPR) and the Data Protection Act 2018. The mission of the Service is to provide a high-performing Parliamentary Service that enables the Houses of the Oireachtas to discharge their constitutional functions; supports members as representatives of the people, and promotes an open and accessible Parliament.
The primary functions of the Service are to provide advice and support services to —
- the Houses of the Oireachtas Commission
- the Houses of the Oireachtas and their Committees
- Members of the Houses of the Oireachtas
This policy should be read in conjunction with the Service’s Records Management Policy, Personal Data Breach Management procedures, Disposal of Records Procedures, Information Security Policy, and CCTV Policy, and the Service’s Privacy Notices that apply to particular activities, for example its Website Privacy Notice.
A glossary of terms key to understanding data protection principles is set out in the Appendix to this Policy.
2. How the Service complies with its data protection duties
The Service is responsible for—
1) Data protection governance.
The Service takes its duty to comply with the GDPR and the Data Protection Act 2018 with the utmost seriousness. It has set in place governance procedures to oversee, monitor, and ensure compliance with data protection legislation. Data protection forms part of the overall governance framework of the Service and the relevant governance principles are set out in Office Notice X of 2019.
2) Data protection by design and by default. Technical and organisational measures.
Implementation of data protection by design and by default means that data protection principles (see section 5 below) will be embedded into ICT systems or other relevant processes at the earliest stage possible. The Service will ensure that data protection by design and default is built into existing ICT project management guidelines. This addresses matters such as setting up a system so that users cannot gain automatic access across the board to personal data in a database. The Service has established and implemented technical and organisational measures to secure data against unauthorised access, internal or external. These include, for example, an Acceptable Usage Policy and security policies. These measures are continuously reviewed and, where appropriate, upgraded.
3) Record of processing.
As noted under Accountability in section 5 “Data processing principles” below, the Service maintains a record of processing activities with the particulars prescribed by the GDPR. This will be comprehensively reviewed at least annually.
4) Third party relationships – joint controller/data sharing.
If the Service decides jointly with another data controller (including a Government Department or other public body) on processing personal data, the Service and the other data controller(s) will formally set out their arrangements for complying with their data protection responsibilities and duties except so far as the subject matter is governed by legislation. These arrangements will be transparent. The arrangements may take the form of contracts or memoranda of understanding or bilateral agreements with the relevant third parties with whom or which personal data is shared. The arrangements will specify why the data are shared, security requirements, and provide for how the arrangement is to come to an end, and what is then to happen to the data (usually return or deletion). The Service’s privacy notices will describe the effect of these arrangements. Where necessary, the essence of data sharing arrangements will be made available to the relevant data subjects. The arrangements will not restrict the data subject’s rights against the Service and the other controller(s).
5) Third party relationships – data processor.
The Service will only engage a third party data processor to process data on its behalf where the processor sufficiently guarantees that it will implement technical and organisational measures so as to ensure that the GDPR is complied with and the rights of data subjects are protected. A third party will not process data on behalf of the Service unless it does so pursuant to a contract or equivalent legally binding instrument in force between the third party and the Service. The contract will clearly set out the respective duties and liabilities of the Service and the processor, and the minimum terms it will include are those set out in the GDPR. In particular, the contract will limit processing by reference to the Service’s instructions. It will require the data processor to take technical and organisational measures to implement appropriate levels of security and it will expressly provide, subject to any independent legal obligation to which the processor is subject, for the verified return or deletion of data being processed when it ceases to have effect.
6) Data protection impact assessment (DPIA).
The Service will conduct DPIAs where required before commencing a data processing project, in particular where the project is likely to involve a high risk to privacy and other personal rights. The Service will seek the advice of the Data Protection Officer (“DPO”) about the conduct of the DPIA. If the DPIA shows that the high risks cannot be mitigated, the Service will contact the Data Protection Commission before any processing begins.
Members of staff are encouraged to contact the DPO if they are in doubt whether a DPIA is necessary, or where they think one may be appropriate although it is not necessary, or in any other instance where they believe that a particular class of personal data processing may significantly affect a data subject’s rights and freedoms.
7) Pseudonymisation and anonymisation.
Where personal data are not immediately required for consultation or use, information may be extracted from those data and stored separately so that the remainder is no longer attributable to a particular person. This is known as pseudonymisation. Alternatively the means of identification may be eliminated entirely, in which instance it is anonymised. Pseudonymisation will be considered by the Service where appropriate as means of ensuring data protection by design and by default, and as a general security measure. Data will be pseudonymised or anonymised where data are processed for archival, historical research or statistical purposes unless to do so would frustrate the purpose in question.
8) Transfer outside the EEA.
If it is necessary to transfer third party data out of the European Economic Area (currently the EU, Iceland, Liechtenstein, and Norway) then the Service will ensure that all the necessary protections and appropriate safeguards are in place.
9) Data breach procedures.
A personal data breach includes a breach of security leading to unauthorised disclosure, alteration, loss or destruction of personal data in any form. A specific set of procedures for Personal Data Breach Management and a reporting form are maintained by the Service. It is the duty of a member of staff to comply with these procedures when (s)he believes a breach or potential breach has occurred, principally by reporting the matter to the DPO in accordance with the procedures.
The DPO will comply with his or her duty to report a breach to the Data Protection Commission in accordance with the time limits specified by the GDPR, and will, having assessed the gravity of the breach and any mitigating circumstances in accordance with Article 34 of the GDPR, ensure that the Service informs affected data subjects of the breach as required by that Article.
10) Training.
The Service provides regular staff training with regard to data protection duties. Targeted training is provided where appropriate as a “suitable and specific measure” for dealing with special category data as contemplated by section 36 of the Data Protection Act 2018.
3. Scope
This policy applies to all personal data collected, processed and stored by the Service in respect of all individuals, (for example, Members, Members’ staff, Service employees, third party service providers, members of the public) by whatever means including paper and electronic records.
4. Service as data controller and data processor
The Service is most likely to process personal data as a data controller. The purpose of this Policy is to provide guidance about how the Service deals with personal data as controller.
The Service also processes personal data as data processor on behalf of Members in connection with their parliamentary duties. The Member is then the data controller. The personal data are processed by the Service only on the basis of the Member’s authorisation and instructions. The same high level of security is applied to the data as to the data the Service keeps or otherwise processes on its own behalf. The Service provides a data processing agreement for Members to sign to comply with their duties on retaining a data processor.
5. Data protection principles
Article 5 of the GDPR establishes 6 principles that all data controllers, including the Service, must observe. That is, personal data must be:
1. Processed lawfully, fairly, and transparently
Lawfulness
There must be a legal basis for every act of processing. Article 6 of the GDPR specifies six legal grounds for processing personal data. These are where it is necessary for:
— performing a contract or entry into one, the data subject being (an intended) party
— compliance with a legal obligation to which the Service is subject
— protecting a person’s vital interests
— performing a task in the public interest or exercising official authority
— advancing the Service’s legitimate interests, but only if the Service is not performing its public functions (e.g. is acting as employer), and if, on balance, the data subject’s rights should not take precedence (e.g. because of prejudice or surprise).
The other ground is that:
— the data subject has given consent.
Usually, the legal basis the Service relies on for processing personal data is the public interest or the exercise of official authority. The GDPR requires this to be defined in (in this instance) Irish law. Section 38 of the Data Protection Act 2018 permits the processing of data that is “necessary and proportionate for…the performance of a function of a controller conferred by or under an enactment [this is defined to include Regulations] or by the Constitution.”
Article 9 of the GDPR sets out 10 categories of additional justification, at least one of which is required for processing special category data (see the Appendix below). So, special category data may not be processed merely for performance of a contract, but may be processed where processing is necessary in the field of employment law, for example. Section 49 of the Data Protection Act 2018 permits the processing of special category data on grounds similar to section 38, but it requires a higher level of justification and additional safeguards. Another ground that applies from time to time to special category data processed in the political context is that the data have been manifestly made public by the data subject.
The Service acknowledges that processing of personal data relating to criminal convictions and offences (including allegations), and related security measures, is subject to special rules under Article 10 of the GDPR and section 55 of the Data Protection Act 2018 and complies with these rules.
Fairness and transparency
The duty to process data fairly and transparently means there should be no surprises about how personal data are processed. Under Articles 13 and 14 of the GDPR the Service:
- gives data subjects ready access to Privacy Notices in plain language describing how their personal data are processed;
- if it has obtained the personal data from someone else, must usually let the data subject know within a month at most;
- must also let him or her know from what source it obtained the personal data.
The Service’s Privacy Notices set out the legal basis for collecting and otherwise processing data for particular classes of data subjects.
6. Data subject rights
Before complying with any data rights request, the Service will take all necessary steps to confirm the identity of the individual making the request, whether on his or her own behalf or on another’s behalf, and, where applicable, the requester’s entitlement to act on behalf of the other person.
As with the six data protection principles, the following data rights are subject to any relevant qualifications or exemptions provided for by the GDPR or by Irish law (such as in section 60 of the Data Protection Act 2018) in conformity with it.
1) Right to access and information
A data subject has a right to information about his or her personal data that the Service processes, such as the purposes of the processing, any categories of recipients to whom the data have been or will be disclosed, particulars of his or her other rights in respect of the data, and the source of the data if it is not the data subject. Much of this information will already be available to the data subject from the Privacy Notices published by the Service.
Furthermore, a data subject has a right to obtain a copy of any personal data about him or her held by the Service.
The Service will respond to a data subject’s access request within one month of receiving it unless this interval may exceptionally be extended as provided in the GDPR.
2) Right to rectification
A data subject has the right to have data rectified where an inaccuracy has been identified and the right to have data completed where it is incomplete. This can include the right to provide a supplementary statement.
3) Right to erasure (“be forgotten”)
A data subject has a right to erasure of personal data, for example, where the processing is no longer necessary, where the data subject has withdrawn the consent that was the legal basis of the processing, where (s)he successfully exercises the right of objection (sub-heading 7 below), or the erasure is consistent with a legal duty (including where data are being unlawfully processed).
This right in particular is subject to a number of qualifications. It does not apply, for instance,
- where ongoing processing is required by a legal obligation,
- where such processing is justified by law in the public interest or in the exercise of official authority,
- where such processing is justified by legitimate objectives of public information or freedom of expression,
- where the processing relates to legal claims and litigation, or
- where the processing is being carried out for archiving, historical research, or statistical purposes.
7. Data protection officer
A Data Protection Officer (DPO) has, in accordance with the GDPR, been designated by the Service, and answers only to the highest level of management. The Service will ensure that the DPO is involved, properly and in a timely manner, in all issues that relate to the protection of personal data – for example with regard to DPIAs and other assessments of risk posed by current or intended processing to data subjects, and in responding to potential personal data breaches. The Service will support the DPO in his or her tasks as contemplated by the GDPR.
The DPO under the GDPR Article 39(1)(b) among other matters (without limiting duties specified elsewhere in this Policy):
- informs and advises the Service, and the employees of the Service who carry out processing, of their obligations under Irish and EU law that relates to the protection of personal data
- monitors the compliance of the Service with Irish and EU law that relates to the protection of personal data
- monitors the compliance of the Service with the Service’s policies in relation to the protection of personal data, including the assignment of responsibilities, the raising of awareness and the training of staff involved in processing operations, and any audit activity related to the protection of personal data
- provides advice, where requested to do so, in relation to the carrying out of a data protection impact assessment, and monitors any steps taken on foot of that assessment
- acts as the contact point for data subjects with regard to all issues related to the processing of their personal data and to the exercise of their rights
- co-operates with the Data Protection Commission and acts as a contact point for the Commission for issues related to processing carried out by the Service, including consultation by the Service with the Commission
- promotes a data protection risk based approach across the Service.
The Service’s Data Protection Officer can be contacted on +353 1 618 4712 or dataprotection@oireachtas.ie. The postal address of the Service is Houses of the Oireachtas Service, Leinster House, Kildare Street, Dublin 2, D02 XR20.
Glossary
- (data) controller: A “controller” or “data controller” is the person or body who determines the how and why of the processing of personal data (contrast “processor”)
- data subject: An identifiable natural person is the “data subject” of a particular piece of personal data about them
- GDPR: General Data Protection Regulation
- identifiable natural person: A living person who can be identified, directly or indirectly; in particular a person can be identified by reference to an identifier such as a name, an identification number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
- personal data: Any information relating to an identified or identifiable living person
- processing: Any act performed on personal data; examples include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Data controllers and processors
Who is issuing this notice and why
The Houses of the Oireachtas Commission is the statutory body that manages and supports the work and services that are necessary for the Houses of the Oireachtas to operate. The Houses of the Oireachtas Service is, broadly, the work and services that are performed on behalf of the Houses of the Oireachtas Commission and the people who perform them. In this page, the two are generally referred to as "the Service". The address of the Service is Leinster House, Dublin 2. The Service’s data protection officer will be your usual point of contact about the matters that this privacy notice relates to.
The Service is issuing this privacy notice because of its duties under the General Data Protection Regulation (GDPR) which came into force on 25 May 2018. This privacy notice applies from that date.
Controller and processor explained
To describe what will happen to your personal information when you use the website Oireachtas.ie, the Service needs to tell you about a couple of legal terms.
Usually the Service decides what happens to your personal information, and how it is dealt with. The Service is then known as the controller of the personal information. The Service is the controller of your personal information if, for example, you provide the personal information to book a tour of the Houses, make a query to the Press Office, make a query to the Library & Research Service, or subscribe to our email alerts.
But sometimes the Service deals with your personal information on someone else’s behalf. Then the Service is known as a processor. The Service is a processor for most of the personal information you provide when, for example, you click an email link to a Deputy, Senator or Committee to send them a message by email. To find out more about what the Deputy, Senator or Committee will do with your personal information, you need to consult the privacy notice of the person or Committee in question. For example, the Joint Committee on Public Petitions has a Privacy Notice about petitions submitted to it.
As you will see below, the Service also retains processors to deal with personal information on its behalf. Indeed, sometimes these sub-contract to so-called sub-processors. Each of these is bound by contract with the Service to safeguard your personal information, and your privacy and other rights associated with it.
Data protection officer
The Service’s Data Protection Officer is Jennifer McGrath. Her contact details are:
Jennifer McGrath
Houses of the Oireachtas Service
Kildare Street
Dublin 2
D02 XR20
+353 1 618 4712
dataprotection@oireachtas.ie
Privacy and data protection
Authority and permission to use personal information - relevant conditions
The Service is setting out in this privacy notice the grounds on which it will deal with personal information belonging to you and to other people, along with some common examples. The Service is also letting you know what conditions apply (often to protect your privacy) to how it can deal with personal information. If unusual circumstances arise not covered by this privacy notice, the Service will communicate with you specifically about these.
When you visit the Houses of the Oireachtas website
When you visit Oireachtas.ie some information is automatically retrieved about your visit to the website. The information that may be retrieved includes:
- your IP address (this is the identifying detail for your computer (or your internet company's computer), expressed in internet protocol (IP) code, for example 192.168.72.34). Every computer connected to the web has a unique IP address, although the address may not be the same every time a connection is made.
- the search terms you used
- the pages you accessed on the website and the links you clicked
- the date and time you visited the site
- the referring site (if any) through which you clicked through to this site
- your operating system (for example, Windows or Mac)
- the type of web browser you use (for example, Chrome, Internet Explorer, Mozilla Firefox)
- other information like your screen resolution and the language setting of your browser.
This statistical information will be viewable by Service staff, contractors or third parties who provide administration and/or support services for the website. The information is used to produce summary reports on usage and performance of the Service’s online services, and to help it to analyse and improve the website content and functionality. The Service does not use any of the information above to identify visitors personally. The information is used in aggregate form only.
When you provide email details to the Service
When you provide your email address to the Service in connection with something that the Service as controller can do for you (see the illustrations above), the Service will only use that personal information for the purpose described on the website. Stricter rules apply to some types of personal information which may be described as sensitive personal information, although the type of personal information you are likely to give the Service by using this website is unlikely to be sensitive.
Other grounds for dealing with personal information
There are other grounds on which the Service will deal with your personal information, although they are unlikely to arise in the context of using the website. For example, the Service will deal with your personal information where the law requires it to do so. The Service, as a public body, is subject to the Freedom of Information Act and, although the type of personal information you provide in using the website tends to be exempt from disclosure under that Act, exemption can’t be guaranteed. The Service will also need to deal with your personal information if you exercise rights under data protection law. The Service will deal with your personal information where this is necessary to establish (including investigate), exercise, or defend a legal claim, including by disclosing it to its legal advisers and in proceedings before any relevant court, tribunal, arbitrator, mediator, or similar entity. The Service is allowed to deal with a person’s personal information in order to protect the vital interests of the person or of some other person. The Service may deal with personal information in the public interest or in the exercise of official authority.
How the personal information will be dealt with
The type of personal information you give the Service as a controller is normally kept within the Service, but there are exceptions. For example, the Service uses a processor to deal with your personal information where this is needed to deliver to you email alerts to which you have subscribed. That processor currently retains MailChimp as a sub-processor. Rarely, your personal information may be disclosed to the Service’s legal advisers, or to other people or bodies connected with a legal dispute, or to the Garda Síochána.
Transfer of information to third countries
Personal information the Service deals with and to which this privacy notice applies will more often than not be kept within the EU, but the transfer to MailChimp, which is based in the United States, is an exception. There may be others from time to time. Special provision is made in any contract between the Service and a processor outside the EU, or a processor which uses a sub-processor outside the EU, to safeguard your personal information, and your privacy and other rights in respect of it.
Retention of information
The Service will keep personal information only as long as is necessary for the purposes set out in this privacy notice, in accordance with its retention schedule, or as required by law, whichever is the longest. So, for example, personal information you give the Service in connection with email alerts is kept so long as you are a subscriber, but is deleted once you unsubscribe. Media queries are kept for five years.
Further dealing with information
It would be rare for the Service to deal with personal information for a purpose other than the purpose for which it received the information. If the Service does need to deal with the information in any further way, it will let you know before the dealing takes place.
Your rights about your personal information
You may ask the Service for a copy of your personal information. You may ask the Service to supplement or correct your personal information if it is incomplete or incorrect (including out of date). You may be able to ask the Service to delete personal information, especially if you have withdrawn consent to the Service’s dealing with it or the Service no longer needs it, or not to deal with it for the time being, for example, if you think it is incorrect. If the Service is dealing with your personal information on the basis of your consent, you can normally require the Service to forward it on to some other person named by you. You may object at any time to the Service’s dealing with personal information it is dealing with in the exercise of official authority or in the public interest, although this entitlement is subject to many legal qualifications depending on the personal information and why the Service is dealing with it. You are entitled not to be subject to automated decision making, including profiling.
Redress
If you are not content with how the Service is dealing with your personal information, you may bring your dissatisfaction to the attention of the Data Protection Commission.
Social media
The Service maintains a presence on several social media platforms including Twitter and Facebook. Any information, communications, or materials you submit to the Service by way of a social media platform is done at your own risk without any expectation of privacy. The Service cannot control the actions of other users of these platforms or the actions of the platforms themselves. Your interactions with those features and platforms are governed by the privacy policies of the companies that provide them.
For further information on how the Service interacts with others on our social media platforms and the content we publish, please see our Social Media Policy (2021).
Third party websites
The website includes links to other websites. These third party websites have their own privacy policies, and are also likely to use cookies. The Service encourages you to carefully read the privacy policy of any website you visit.
Special category data
Sensitive personal information means personal information about a person’s
- race
- ethnic background
- political opinions
- religion
- philosophical beliefs
- membership of a trade union
- genes (biological inheritance)
- biometric data (such as fingerprints on a passport)
- health
- sex life
- sexual orientation
- alleged commission of criminal offences
- criminal convictions
- being subject to security measures related to criminal offences or convictions
Cookies
For information on, and options relating to, cookies please read our cookie notice.
The Service may change this privacy policy at any time and from time to time.