Personal Data Protection Policy
Cocoon strives to comply with applicable laws and regulations related to Personal Data protection in Ireland. This policy document outlines the basic principles by which Cocoon handles personal data of parents, children, suppliers, employees and other individuals who are involved with the service.
This policy provides rules and procedures which apply to all individuals within Cocoon, aimed at ensuring all personal data is processed and protected properly. All employees, contractors, volunteers and students are responsible for reading and understanding this document, so they are familiar with the policy of Cocoon. This document is available to employees, parents and guardians.
There are certain legal documents that are relevant to this policy and we refer to these documents throughout. For your information these documents are listed below:
- EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
- Irish Data Protection Act, 1988 and Amended Act 2003
Key definitions of terms that are used in this document for your information are below. They are specifically drawn from Article 4 of the European Union’s General Data Protection Regulation:
Any information relating to an identified or identifiable natural person ("Data Subject") who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. That personal data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or sexual orientation.
The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.
A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
General Principles for Processing Personal Data
Cocoon is considered a Data Controller and is therefore responsible for the data it obtains. Cocoon is responsible for demonstrating compliance with the data protection principles listed below when handling personal data.
Lawfulness, fairness, and transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Data subjects must be told what processing will occur, the actual processing must match this description and the processing must match the purposes specified in the GDPR. Cocoon relies on the GDPR fundamentals of contract and consent for the majority of the data processing it undertakes.
Personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Cocoon are transparent about information collected and what it is used for. Cocoon ensure the personal data we hold is used for the intended purposes only. This is conducted through our privacy notice, our terms and conditions and our consent forms.
Any personal data that is being held needs to be accurate. Changes in your personal information should be advised to the branch manager. If a data subject believes any personal data held is incorrect, they can request to have the information rectified by following the Data Subject Access Request Procedure detailed in the Data Subject Access Request Policy.
Storage period limitation
Personal data will be processed and stored in the branch at which a child attends or an employee works and in head office. Data will be held for no longer than is necessary considering the purposes of the processing activities. After this period, personal data will be destroyed as per Cocoon’s Data Retention Policy.
Integrity and confidentiality
Only authorised persons have access to the personal data which Cocoon collects. Only those that require access should have it. The physical security of the filing cabinets and rooms is considered, and they are locked when not in use. Some data is required in the child’s classroom, such as dates of birth, medical and allergy information and legal guardian contact information. This information needs to be in the classroom as practitioners need it to hand for operational reasons, but they must take all reasonable measures to keep it safe (e.g. put the folder with information in a cupboard out of sight, put a cover page on the front of the allergy list in the classroom). Access to electronic devices that hold personal data is restricted to the staff who use them on a regular basis. Cocoon use appropriate technical, organisational and administrative security measures to protect all personal data we hold. Unfortunately, no organisation can guarantee complete security. Individuals have the right to access their personal data and supplementary information.
Cocoon is responsible for compliance with the principles outlined above. Branch managers are responsible for auditing how well individual rooms and areas of the branch implement this policy. Regular checks are carried out on the implementation of this policy. Any individual who breaches this policy may be subject to internal disciplinary action and may also face civil or criminal liability if their action violates the law. Third-party contractors who provide Cocoon with services should have a contract of services in place. The contract outlines that personal data processed by the third party is processed in compliance with GDPR and that adequate security measures to safeguard personal data are taken. Cocoon remain responsible for the personal data even if the third party are responsible for a data breach.
Building Data Protection into the Cocoon Services
In order to demonstrate compliance with the principles of data protection, Cocoon aims to build and engrain data protection into its day-to-day activities.
Notification to Data Subjects
For the purpose of transparency of all processing of personal data, all parents / legal guardians of a child and all employees are furnished with a privacy notice and consent form, which must be signed and returned to show they understand the data that is processed and the reasons for this.
Choice and Consent
Cocoon may process personal data for legitimate purposes as detailed in the privacy notice, and generally it may do so without obtaining the consent of the data subject to improve the efficiency of internal operations, such as for writing a letter to parents or employees, fees collection or for personnel management activities. Cocoon shall seek further consent if applicable. Data subjects have the right to withdraw consent at any time by contacting the Data Protection Officer, who can let the data subject know the consequence of this decision. For example, Cocoon must hold certain information on an employee such as Garda vetting to comply with legislation. Failure to do so would mean the employee could no longer work at Cocoon.
Collection of Data
Cocoon strives to collect the least amount of personal data possible. Personal data should be collected directly from the data subject, so consent can be given prior to the collection of data. Cocoon will furnish the data subject with a privacy statement letter and consent form to ensure they are familiar with what data is collected and for what purposes it is used.
Using the Data, Retaining the Data and Disposing of the Data
Cocoon maintains the accuracy, integrity, confidentiality and relevance of personal data based on the processing purpose. Adequate security mechanisms designed to protect personal data are used to prevent personal data from being stolen, misused, or abused, and to prevent personal data breaches.
Cocoon must provide reasonable means for data subjects to access their own personal data and allow data subjects to update, correct, erase, or transmit their personal data if appropriate or required by law as reflected in the Subject Request Procedure.
Data subjects have the right to request a copy of the data they provided to us in a structured format and to transmit this data to another controller. The Data Protection Officer is responsible for ensuring that such requests are processed within one month, are not excessive and do not affect the rights to personal data of other individuals.
Cross-border transfer of Personal Data
Before transferring personal data out of a country, the company and individuals must consider whether the cross-border transfer is necessary or legal. When transferring personal data out of the European Economic Area, the transferor and the transferee must have signed a data transfer agreement in compliance with EU regulations and the Cross Border Data Transfer Policy. The transfer must provide adequate protection for the data transferred in accordance with the data transfer agreement.
Right to be Forgotten
Upon request, data subjects have the right to request the erasure of their personal data. This must be done only in compliance with any legal or statutory obligations. For example, there may be a requirement for Cocoon to retain a child’s file until the child is aged 21 years as per the requirements of our insurance company. If a data subject requests the file to be erased, Cocoon have the right to retain that information and not erase it based on legal obligations.
Response to Personal Data Breach Incidents
The responsibility for ensuring appropriate personal data processing lies with everyone who works for or with Cocoon and has access to personal data processed by Cocoon. Cocoon strive to ensure confidentiality in all of our communications. When Cocoon learns of a suspected or actual personal data breach, an internal investigation will take place and appropriate remedial measures taken in a timely manner, in accordance with the Data Breach Policy.
Conflicts of Law
This policy is intended to comply with the laws and regulations of Ireland, where Cocoon operates. In the event of any conflict between this policy and applicable laws and regulations, the latter shall prevail.
This policy will be reviewed annually or as necessary to reflect changes in legislation.
Data Subject Access Request Procedure
Under GDPR, all individuals have a right to request access to their own personal information. This procedure outlines how Cocoon responds to and handles requests made by individuals for access to their personal data.
This ensures compliance with GDPR and transparency for all parties. All employees, contractors, volunteers and students are responsible for reading and understanding this document, so they are familiar with the policy of Cocoon. This document is available to employees, parents and guardians.
The Rights of a Data Subject
If personal information is being processed, a data subject (i.e. an individual) has the following rights:
- To know whether a data controller holds any personal data about them.
- To know the nature of the data held about them.
- To be informed of the reason(s) for which their data is being processed, and from where it was received.
- To be informed whether the information is being disclosed to anyone apart from the original recipient of the data; and if so, the identity of those recipients.
- The right to data portability. Data subjects can ask that their personal data be transferred to them or a third party in machine readable format (Word, PDF, etc.). However, such requests can only be fulfilled if the data in question: 1) was provided by the data subject to the service, 2) is processed automatically and 3) is processed based on consent or fulfilment of a contract.
- If the data is being used to make automated decisions about the data subject, to be told what logic the system uses to make those decisions and to be able to request human intervention.
- The right to rectify incorrect personal data that is held.
- The right to erase personal data. This is only applicable in certain circumstances and is not an absolute right. The data subject can request erasure of their personal data if:
  - the personal data is no longer necessary for the purpose for which you originally collected or processed it
  - you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent
Data Subject Access Request
A Data Subject Access Request is any request made by any individual (e.g. by a parent or by a parent on behalf of their child) for information held about them by Cocoon. A Data Subject Access Request form must be filled out by any individual wishing to access data. This form is available from the Data Protection Officer. All data subject request forms must be submitted to the Data Protection Officer in writing to Head Office or via email firstname.lastname@example.org. Verbal requests for information held about an individual will not be considered as valid requests.
Data Subject Access Request Process
Step 1: Request for information
To enable Cocoon to respond to Data Subject Access Requests in a timely manner, the data subject or parent / guardian should submit their request to the Data Protection Officer and fill out the Data Subject Access Request Form. They may also be required to submit valid identification. However, Cocoon may not provide data where the resources required to identify and retrieve the requested data would be excessively difficult or time-consuming. In this situation requests may need to be more specific or targeted. Factors that can assist in narrowing the scope of a search include identifying the likely holder of the information, the time period in which the information was processed and being specific about the nature of the data sought.
Step 2: Identity Verification
The Data Protection Officer must check the identity of anyone making a Data Subject Access Request to ensure information is only given to the person who is entitled to it. If the identity of the requestor has not already been provided, the Data Protection Officer will ask the requestor to provide two forms of identification, one of which must be a photo identity and the other confirmation of address. If the requestor is not the data subject, written confirmation that the requestor is authorised to act on behalf of the data subject is required. However, a parent can request this data on behalf of a child under 16 years of age.
Step 3: Information for the Data Subject Access Request
Where the Data Protection Officer is reasonably satisfied with the information provided, they will notify the requestor that his/her request will be responded to within 30 calendar days. The 30-day period begins from the date that all necessary documents are received by Cocoon from the requestor.
Step 4: Review of Information
The Data Protection Officer will gather all the information as requested in the Data Subject Access Request and will ensure the information is reviewed by the imposed deadline to ensure the 30-calendar day timeframe is not breached.
Step 5: Response to the Access Request
The Data Protection Officer will ensure a written response is sent back to the requestor via email, unless the requestor has specified another method by which they wish to receive the response (e.g. post). Cocoon will only provide information via channels that are secure.
Step 6: Archiving
After the response has been sent to the requestor, the Data Subject Access Request will be considered closed and archived by the Data Protection Officer.
An individual does not have the right to access information recorded about someone else, unless they are an authorised representative, or have parental responsibility. Cocoon is not required to respond to requests for information unless it is provided with sufficient details to enable the location of the information to be identified, and can be satisfied of the identity of the data subject making the request.
In principle, Cocoon will not normally disclose the following types of information in response to a Data Subject Access Request:
- Information about other people – A Data Subject Access Request may cover information which relates to an individual or individuals other than the data subject. Access to such data will not be granted, unless the individuals involved consent to the disclosure of their data. Information relating to other individuals will be redacted if necessary to ensure anonymity.
- Repeat requests – Where a similar or identical request in relation to the same data subject has previously been submitted and responded to within a reasonable time period, and where there is no significant change to the personal data held in relation to that data subject, any further request made within a 3-month period of the original request will be considered a repeat request, and the service will not normally provide a further copy of the same data.
- Publicly available information – The service is not required to provide copies of documents which are already in the public domain.
- Opinions given in confidence or protected by copyright law – The service does not have to disclose personal data held in relation to a data subject that is in the form of an opinion given in confidence or protected by copyright law.
Data Subject Access Request Refusals
There are situations where individuals do not have a right to see information relating to them. For instance:
- If the information is kept only for the purpose of statistics or research, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved.
- Requests made for other, non-data protection purposes can be rejected.
If Cocoon refuses a Data Subject Access Request the reasons for the rejection will be clearly set out in writing. Any individual dissatisfied with the outcome of his/her Data Subject Access Request is entitled to make a request for the outcome to be reviewed.
This policy will be reviewed annually or as necessary to reflect changes in legislation.