Policy and Procedures

Doc. No.8Version No.1
Last Reviewed Approved By 
Next Review Responsibility 

Table of Contents

1. Policy. 1

1.1 Policy Statement 1

1.2 Purpose. 1

1.3 Scope. 1

1.4 Responsibilities. 2

2. Procedures. 2

3.1 Obtaining and Processing Data. 2

3.2 Data Access Requests. 3

3.3 Requests to Rectify, Erase, Restrict or Objections to Processing. 3

3.4   Confidentiality and Security. 4

3.5 Data Cleansing. 5

3.6 Managing a Data Breach. 6

3.7 Internal Audits. 7

3.8 Awareness Training and Support 8

3.9 Data Retention and Disposal 9

3.11 Data Retention Schedule. 10

3. Monitoring and Review.. 12

Appendix 1 Data Subject Access Request form …………………………………………………………………………..13

1. Policy   1.1 Policy StatementTwilight Community Group is committed to the protection of the rights and privacy of individuals and organisations, including staff, volunteers, Volunteer Involving Organisations (VIOs) and others whose data is held by the organisation. This commitment is underpinned by full compliance with the statutory measures that ensure these rights, namely the Data Protection Act 1988, the Data Protection (Amendment) Act 2003 and the General Data Protection Regulation 2016. To meet our responsibilities under the legislation and in accordance with the data protection principles, we will: Obtain and process information fairly. Keep it only for one or more specified, explicit and lawful purposes.Use and disclose data only in ways compatible with these purposes. Take appropriate measures to keep data safe and secure. Keep it accurate, complete and up-to-date. Ensure it is adequate, relevant and not excessive. Retain for no longer than is necessary for the purpose or purposes in was collected. Provide data to data subjects on request.
1.2 PurposeTo outline the rules on data protection and the legal conditions that must be satisfied in relation to the collecting, obtaining, handling, processing, storage, transportation and destruction of personal data. To provide good practice guidelines for staff and associated stakeholders.To protect Twilight Community Group from the consequences of a breach of its responsibilities.
1.3 ScopeAll staff, volunteers, contractors and representatives handling data for or on behalf of the organisation who have access to data in all formats i.e., paper, electronic or audio-visual.
1.4 ResponsibilitiesBoard/Steering Committee Ensuring resources are in place to meet the requirements of this policy.Ensuring the policy and procedures are adequate, up-to-date, in line with legislative requirements and systematically reviewed.Designating a Data Protection Officer (DPO).Ensuring the DPO has the autonomy and resources necessary to carry out their role effectively and efficient. Manager Assisting the Board/Steering Committee to develop, review and approve the policy and procedures. Ensuring the organisation is fully compliant with legislation in its day-to-day activities.Ensuring only authorised personnel engage in activities associated with providing the service. Monitoring the implementation of this policy and associated procedures.Dealing with concerns arising out of the implementation of this policy. Staff Complying with the requirements of the policy and associated procedures. Creating and maintaining full and accurate records of all activities.Handling data with care and respect so as not to compromise their integrity.Preventing unauthorised access.Bring any observations or concerns to the attention of the manager that may require updates to the policy and procedures.   Data Protection Coordinator Monitor compliance with the General Data Protection Regulation.Collect information to identify processing activities.Analyse and check the compliance of processing activities.Inform, advice and issue recommendations. Provide support, assistance and training.


2. Procedures

Doc. No.8.1Version No.1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title8.1 Obtaining and Processing Data
PurposeTo ensure that all data is obtained and processed in a transparent and effective manner.
Staff InvolvedAll Staff
ProcedureInformation may only be collected for the provision of volunteer associated activities which include the following:Gather statistics on the age, gender and nationality of volunteers.Provide a volunteer placement service.Provide a Garda Vetting Service.Provide services including, but not limited to, training and consultancy and volunteer programme management.Undertake marketing, promotion, direct recruitment and public relations exercises. (Related to volunteering).Carry out research into voluntary activities.Provide personnel, payroll and pension administration services.Update databases.Provide online services. The data subject must be made aware of the following prior to processing their data:Reason for collecting the data.How it will be used.Legal basis for processing the data (consent/explicit Consent).Disclosure to third parties.Retention period.Contact details for the DPO.Their rights:Right to be informed.Right of access.Right to rectification.Right to erasure.Right to restrict processing.Right to data portability.Right to object.Rights around automated decision making and profiling.  Right to withdraw consent at any time.Right to make a complaint.Personal data should only be processed for the specific purpose(s) notified to the data subject(s) and for which it was gathered in the first place. If it is requested to be used for any other purpose consent must be obtained from the data subject(s). (Any requests are subject to board/steering committee approval).Data should only be disclosed for the original purpose it was obtained.Data should not be disclosed to third parties without the consent/explicit consent of the data subject.Verbal consent may be obtained for the disclosure of non-sensitive dataWritten consent must be obtained for the disclosure of sensitive data.Sensitive personal data may be disclosed without the express written consent of the data subject in the following circumstances:Where the data subject has already been made aware of the person/organisation to whom the data may be disclosed.Where it is required by law.Where it is required for legal advice or legal proceedings, and the person making the disclosure is a party or a witness.Where it is required for the purposes of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing moneys due to the State.Where it is required urgently to prevent injury or damage to health, or serious loss of or damage to property. Personal information should not be disclosed to work colleagues unless they have a legitimate interest in the data to fulfil official employment duties.Personal data may be used for research purposes under the following conditions:Consent of the data subject.Personal data must be kept anonymous.Any concerns or queries relating to the obtaining and processing of data should be brought to the attention of the DPO and/or management.
RecordsI-Vol, Personnel Files, Retention Schedule, Emails, Written Correspondence
Doc. No.8.2Version No.1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title8.2 Data Access Requests
PurposeTo allow an individual access to their personal data
Staff InvolvedAll staff, DPO
ProcedureOnce a data request is received the following applies: Inform the individual that the request must be submitted in writing to the DPO using the organisation’s access request form (email a form on request).Once the written request is received the DPO will verify the identity of the individual using reasonable means – e.g., request a copy of recent photo I.D.Once verified the DPO will process the request or assign a person who will process it.The DPO will track/record results to ensure compliance. (In the event of a dispute a trail must be available to show compliance) Processing the request should be complete within one month of receiving the request in writing. This time period can be extended to two months where requests are complex or numerous.Inform the individual of the extended time period.Send the data to the individual in the agreed time electronically unless the individual requests that it be sent manually. 
RecordsAccess Request Form, Tracking Log, Emails, Written Correspondence
Doc. No.8.3Version No.1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title8.3 Requests to Rectify, Erase, Restrict or Objections to Processing  
PurposeTo ensure that individual requests are dealt with in a timely and effective manner.
Staff InvolvedAll Staff, DPO
ProcedureOnce a request is received the following applies: Inform the individual that the request must be submitted in writing to the DPO.Once the written request is received the DPO will verify the identity of the individual using reasonable means – e.g., request a copy of recent photo I.D.Once verified the DPO will process the request or assign a person to it.The DPO will track/record results to ensure compliance. (In the event of a dispute a trail must be available to show compliance) Processing the request should be complete within one month of receiving the request in writing. This time period can be extended to two months if where requests are complex or numerous.Inform the individual of the extended time period.Notify the individual in the agreed timeframe of the results of their request.   
RecordsEmails, Written Correspondence
Doc. No.8.4Version No.1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title8.4   Confidentiality and Security
PurposeTo ensure that information is managed in a consistent, secure and confidential manner.
Staff InvolvedAll Staff
ProcedureStandards of security include the following: Access to I-Vol is limited to authorised personnel who will have individual passwords for access.Access to IT servers is restricted in a secure location to a limited number of staff. Access to any staff personal data is restricted to authorised personnel for legitimate purposes only. Access to computer systems is password protected with other factors of authentication as appropriate to the sensitivity of the data. Non-disclosure of personal security passwords to any other individual including other personnel is encouraged. Information on computer screens and manual files to be kept out of sight from callers to our offices. Back-up procedures in operation for information held on computer servers, including off-site back-up.Data is backed up by the manager every quarter following data cleansing activities.Computers are protected by anti-virus software. Computers have automatic screen savers should the user fail to log out. Personal manual data is to be held securely in locked cabinets, locked rooms, or rooms with limited access.Staff are provided with data protection information and training relevant to role.
RecordsTraining Records, Staff CPD, Log in Details.
Doc. No.8.5Version No.1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title8.5 Data Cleansing
PurposeTo ensure accurate, up to date data is available to the organisation and that it is in line with data protection legislation and guidelines.
Staff InvolvedAll Staff
ProcedureI-Vol In order to ensure clean data all fields must be complete at time of initial entry on any systems – refer to the I-Vol manual for instructions. The automated system checks for any fields not complete on an ongoing basis.Quality checks are carried out quarterly on a random selection of:Volunteer RecordsVolunteer Involving Organisation (VIO) RecordsVolunteering OpportunitiesLog any issues identified.Create a clean-up plan with responsibility clearly assigned. Contact all VIOs annually to verify and update information.Maintain the database:Assign responsibility for systematic cleansing.Update policies and procedures.Seek external expertise, if required.Keep staff informed and upskilled.Carry out random spot checks.Discuss issues with relevant staff members.Ensure consistency of data entry among all staff.      Other Data All policies and procedures are reviewed annually, as per the document control matrix.Staff records are updated annually in line with performance reviews or sooner if required.Information on the website and/or social media is reviewed and updated weekly.All data is reviewed annually for relevance and updated or disposed of as required.
RecordsQuality Reports, Quality Improvement Plan, Record of Meetings, Document Control Matrix      
Doc. No.8.6Version No.1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title8.6 Managing a Data Breach
PurposeTo ensure a standardised management approach is implemented in the event of a data breach.
Staff InvolvedManager, DPO, Chairperson of the Board/Steering Committee
ProcedureA data breach may happen for a number of reasons, including: Loss or theft of equipment on which data is stored. Inappropriate access controls allowing unauthorised use. Equipment failure. Human error e.g., send an email to the wrong address. Unforeseen circumstances such as a flood or fire. Computer hacking. Access where information is obtained by deception. Should a breach occur it is to be managed in the following way: Details of the incident should be recorded, including.A description of the incident. The date and time of the incident. The date and time it was detected. Who reported the incident and to whom it was reported? The type of data involved and how sensitive it is. The number of individuals affected by the breach. Was the data encrypted? Details of any Information IT systems involved. Additional material. Notification of the breach and risk assessment. Internal Notification A data breach must be reported without delay the senior manager, who in turn will immediately notify the DPO and chairperson of the board/steering committee with the incident details. The DPO will immediately convene a meeting of relevant people to deal with the incident.The group will assess the incident details and the risks involved, including: What type of data is involved? How sensitive is the data involved? How many individuals’ personal data are affected by the breach? Were there protections in place e.g., encryption? What are the potential adverse consequences for individuals and how serious or substantial are they likely to be? How likely is it that adverse consequences will materialise? External Notification It is best practice to inform the office of the data commissioner immediately for advice on how best to deal with the aftermath of a data breach.The DPO will be responsible for contacting the office of the data commissioner. The management team in consultation with the office of the data commissioner will decide if it is appropriate to inform the persons whose data has been breached. (every incident will not warrant notification). When notifying individuals management will consider the most appropriate medium for doing so. It will bear in mind the security of the medium for notification and the urgency of the situation. Specific and clear advice will be given to individuals on the steps they can take to protect themselves and, what the organisation is willing to do to assist them. The DPO will be the contact person for further or ongoing information. The management team will also consider notifying third parties, such as A Garda Síochána who can assist in reducing the adverse consequences to the data subject(s). Other statutory agencies will be informed as required.Evaluation and ResponseSubsequent to any breach a review of the incident will be made by management. The purpose of this review will be to:Ensure that the steps taken during the incident were appropriate. Describe and record the measures being taken to prevent a repetition of the incident. Identify areas that may need to be improved. Document any recommended changes to policy and/or procedures which are to be implemented as soon as possible thereafter.
RecordsRecord of Meetings, Emails, Quality Improvement Plan
Doc. No.8.7Version No.1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title8.7 Internal Audits
PurposeTo ascertain if the systems in place are ensuring we are operating in accordance with the data protection acts and regulations and to identify any risks or possible non-compliance.
Staff InvolvedDPO
ProcedureInternal audits will be carried out annually by the DPO, who will. Complete the audit scheduleThe schedule specifies the areas and/or processes to be audited, the audit criteria and scope of the audit.Areas specified in the schedule are audited against relevant documentation and standards (audit criteria).Internal audits are carried out across selected activities annually, with greater frequency, if required.The frequency of audits can be adjusted depending on the results of previous audits, feedback, new procedures or the importance of an identified issue.The audits are carried out by:Reviewing manual and electronic procedures and compliance.Consultation with relevant staff. Reviewing previous audit reports and improvement plans.A summary internal audit report is completed by the DPO outlining any strengths and areas for improvement. Where an issue is discovered it is recorded on the QIP. (Issues will be prioritised for completion) The issue and corrective action should be agreed between the auditor and the person tasked with completing the corrective action.Where no issues are found a record is retained to signify that an audit has been carried out, i.e., an audit report must still be completed.Corrective actions are checked at the end of each month by the PO to verify completion.Reports are provided to the next board/steering committee meeting for review. Internal audit reports are to be maintained for a period of three years.
RecordsAudit reports, Quality Improvement plan, Corrective Action Log
Doc. No.8.8Version No.1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title8.8 Awareness Training and Support
PurposeTo ensure that staff have the necessary knowledge and skills to carry out their activities giving due care to the data they have access to,
Staff InvolvedSenior Management, DPO
ProcedureInitial data protection information will be provided at induction.All new staff members will receive beginner level I-Vol training provided by the super administrator.The DPO will provide periodic updates and awareness training as required.I-Vol upskilling workshops will be held annually.I-Vol manual will be reviewed and updated annually or sooner if required.Updates will be communicated to stakeholders electronically.A tricks and tips forum will be available to users on an ongoing basis.Salesforce regional champions will provide ongoing advice and support.    
RecordsTraining Attendance Sheets, Login Details, Induction Checklist, Staff CPD Records 
Doc. No.8.9Version No.1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title8.9 Data Retention and Disposal
PurposeTo provide assistance and guidance to staff in meeting their obligation in relation to the retention and disposal of data.
Staff InvolvedAll Staff
ProcedureManagement will: Ensure all staff are made aware of the records retention schedule so that they know which records the organisation has decided to keep and their personal responsibility to follow the retention schedules. Information users will: Review records in accordance with the retention schedule when they are no longer required for on-going business or specific legal or regulatory purposes. Review records at the end of their retention period and arrange for secure destruction, transfer to storage or given a further review date. (Documentation of the disposal or transfer of records will be completed and retained). Manage electronic records in accordance with the retention schedule. It is recommended that an intended disposal or review date is captured when creating electronic records.All data created and/or received by staff in the course of their duties are retained for as long as they are required to meet the legal, administrative, financial and operational requirements. The final disposal, either through transfer to archives or destruction, is carried out according to the retention schedules.Retention periods depend on different criteria, including compliance with legislation and best practice. The retention periods are the minimum time that records should be kept, and are calculated from the end of the calendar month, following the last entry on the record.A records retention schedule will apply to a series of records, and will indicate when eligible records must be destroyed or deleted, and when permanent records are to be archived.In conjunction with the retention periods included in this Policy, the following principles should also be observed:Be conservative and avoid inordinate degrees of risk. Consider the consensus of opinion of knowledgeable/experienced people. Retain a record if it is likely to be needed in the future, and if the potential consequences of not having it would be substantial and are foreseeable at the time. Apply common sense. Disposal of records must be authorised by a senior manager or the DPO. Where hard copy records are to be destroyed after the retention period has expired, they should be destroyed using a shredder, or where there is a large number of records to be destroyed, a professional contractor with expertise in this field should be employed on a confidential basis with the intention that such contractor will oversee the process and issue a certificate of destruction.A record in the form of a register is to be maintained of all records destroyed, providing verifiable authorised proof of destruction.The register should be kept in perpetuity and should provide details of all records destroyed, including identifying the name of the person to whom the record relates.The register should be signed and dated by the person who authorised the destruction of the records. This register should be held in a secure location.Electronic records should be disposed of as per the retention schedule.Third parties who have received records should be notified and requested to dispose of those records according to the retention schedule.
RecordsRetention Schedule, Disposal Log, Staff CPD Records, Emails
Doc. No.8.10Version No.1
Last Reviewed Approved By 
Next Review Responsibility 
8.10 Data Retention Schedule
Record TypeRetention PeriodDisposal
Volunteers Records – I-Vol6 yearsContact individuals for consent to retain. If no consent permanently deletes from the system.
Volunteer Involving Organisations Records – I-Vol6 years or until no longer in existence.Contact for consent to retain. If no consent permanently deletes from the system.
Other Stakeholder Records  
Quality Review RecordsIndefinitelyArchive
Human Resource Records  
Applications for a vacant position: NotificationCopy of advertisementsJob descriptionShort listing criteriaCandidates not shortlistedApplication formsCVsSelection CriteriaLetter of offerCorrespondence to unsuccessful candidates.1 yearShred and/or delete 
Job Description3 years after being supersededArchive
Interview Panel Marking SheetsInterviewers notesPanel Recommendations2 yearsShred and/or delete.
Personnel Files: Application and CVReferencesAcceptance of PositionContract of employmentJob descriptionPerformance AppraisalsSupport and supervision records.Attendance records – workTraining and qualification records.6 years after employment ends unless required for pension purposes.Shred and/or delete.
Leave Records: Annual leave applicationsSick leave including certificates.Career break application and correspondenceJury service.Compassionate leave.3 yearsShred and/or delete.
Discipline records and correspondence.6 years after employment finishes or if involving criminal activity until after the individual’s death,Shred and/or delete.
Insurance policies, Accident reports, Claims correspondence.IndefinitelyArchive
Financial Records  
Accounts Payable InvoicesVAT RecordsTax Clearance CertsCurrent year + 6 yearsShred and/or delete.
Accounts Receivable Debtors ledgersIncome listingsIncome control accountsReceipts reconciliationCurrent year + 6 yearsShred and/or delete.
Agreements – Rental, Lease, Use, OccupancyIndefinitelyArchive
Bank Records Bank StatementsReconciliationCurrent year + 6 yearsShred and/or delete.
Administration Records  
Governance Records  
Health and Safety Records  

3. Monitoring and Review

Monitoring and ReviewThe DPO will be responsible for monitoring compliance by carrying out random audits during the year and a scheduled audit annually. The procedures will be reviewed annually or sooner if required. Any issues will be raised at regularly scheduled staff meetings and actioned as required. The policy will be reviewed by the Board/Steering committee every three years, or sooner if required.  
RecordsRecord of Meetings, Audit reports, Document Control Matrix

APPENDIX 1 – Data Subject Access Request

Subject Access Request Form Under the General Data Protection Regulation (GDPR) it is your right to request a copy of any personal data that Twilight Community Group holds on you.   If you would like to submit a request, send the completed form along with a copy of photo identification to Twilight Community Group, 15A Hebron House, Hebron Business Centre, Kilkenny or email to [email protected].

APPENDIX 2   –   DATA BREACH REPORT

Please act promptly to report any data security breaches. If you discover a data security breach, please notify your Manager who will complete Section 1 of this form and notify the Data Protection Officer of Twilight Community Group

Section 1: Notification of Data Security BreachTo be completed by Centre Manager
Date incident was discovered: 
Date(s) of incident: 
Place of incident: 
Name of person reporting incident: 
Brief description of incident or details of the information breached: 
Details of the IT systems, equipment, devices, records involved in the security breach: 
Number of Data Subjects affected, if known: 
Has any personal data been placed at risk? If, so please provide details 
Brief description of any action taken at the time of discovery: 
Received by: 
On (date): 
Actions Taken:              
APPENDIX 3   –   DATA BREACH RISK ASSESSMENT  
Section 1: Assessment of SeverityTo be completed by Manager and DPO
Details of information loss: 
If laptop lost/stolen: how recently was the laptop backed up onto central IT systems? 
Is the information unique? Will its loss have adverse operational, research, financial legal, liability or reputational consequences for the VC or third parties? 
What is the nature of the sensitivity of the data? Please provide details of any types of information that fall into any of the following categories:   HIGH RISK personal data Special Categories of personal data relating to a living, identifiable individual’s:   racial or ethnic origin;political opinions;religious or philosophical beliefs;membership of a trade union;genetic or biometric data;data concerning health;data concerning a person’s sex life or sexual orientation;   Also consider data relating to criminal convictions/ offences as sensitive.   
o Information that could be used to commit identity fraud such as personal bank account and other financial information and national identifiers, such as Personal Public Service Numbers (PPSNs) and copies of passports   
o Personal information relating to vulnerable adults and children;   
o Detailed profiles of individuals including information about work performance, salaries or personal life that would cause significant damage or distress to that person if disclosed;   


Section 2: Action takenTo be completed by Information Compliance Manager
If notified to Data Protection Commission, provide details, incl. date: 
If notified to data subjects, provide details, incl. date: 
If notified to other external, regulator/stakeholder, provide details: 
If reported to Gardai, provide details, incl. dates: 
If notified to other internal stakeholders, provide details and dates: 
Follow up action required/recommended:     
Signed: 
Date: