V 0.1 November 2023
V 0.2 April 2024
- Introduction
The Heritage Council will, through its actions and policies, demonstrate that it cares for the personal data of people it interacts transparently, accountably, securely and in their interest in the first instance, and in the public interest thereafter, and that it will manage and monitor on an on-going basis its responsibilities as a ‘data controller’ in relation to the GDPR.
The Heritage Council undertakes to process all personal data with care for its ownership and integrity, and in accordance with the principles of GDPR. It will ensure that appropriate security measures are in place to protect confidentiality and will review these from time to time with due regard to the technology available, the cost and the risk of unauthorised access.
The Heritage Council is based at Áras na hOidhreachta, Church Lane, Kilkenny. Our Data Protection Officer can be contacted by email at dpo@heritagecouncil.ie.
- Data Privacy Notice
This document outlines the approach of the Heritage Council to Data Privacy to fulfil our obligations under the General Data Protection Regulation 2018 and the Data Protection Acts 1998-2018.
The Heritage Council collects personal data to facilitate the provision of programmes and projects, the payment of grants and for other administration activities in accordance with our remit under the Heritage Act 1995. We administer personal data from third parties such as public bodies, community groups, voluntary organisations, NGOs, etc. as part of our work in supporting the heritage sector. This information is only retained for as long as is necessary to facilitate processing. For details of our data retention schedule, please refer to our Data Protection Policy.
If you sign up for our email newsletters, you will be asked to provide your name and email address, which we will use to send you the newsletters. Subscribers to our newsletter will receive an ezine from us every month. You can unsubscribe from our newsletter at any time via the ‘unsubscribe’ link in the newsletter itself or by emailing us at mail@heritagecouncil.ie and requesting to be removed from the mailing list.
We may also collect names, telephone numbers and email addresses for one off events which are hosted by the Heritage Council, such as National Heritage Week events and Culture Night events. This information is only retained for the duration of the event.
No information provided will be divulged to any third party save pursuant to clause 8 hereof, unless we receive your prior consent and/or we are compelled to do so by law.
We will only use data provided by you for the purpose for which it was collected.
- What is personal data?
Personal data means information relating to a living individual who is, or can be, identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, your possession.
The definition of personal data is both technology neutral and format neutral. It includes data stored on a hosted or cloud service, computer network, hard drive, USB stick, internet, phone system, mobile devices (smartphone or tablet), camera, SD card, hardcopy paper file, electronic file, CCTV system, voice recording, etc.
The definition of personal data is deliberately broad. Examples of personal data include your name, address, phone number, email address, date of birth, bank details, signature, PPSN, photograph, video footage, employment records, salary records, medical records, your computer’s IP address, voicemail, biometric data, etc.
- Data Protection Principles
All personal data must be processed in accordance with the data protection principles as set out in the Data Protection Acts and the General Data Protection Regulations 2018.
Personal data must always be processed lawfully, fairly, and transparently.
Lawful |
Fairly |
Transparently |
The Heritage Act 1995 outlines the Heritage Council’s core functions. We support the heritage sector through our grant schemes and funding avenues. We educate and raise awareness through our projects and programmes. Your information will be requested where it is required to administer a scheme or programme. Your rights regarding processing of your information and your right to withdraw consent is outlined below |
We will provide you with information regarding processing your information at the time that we collect it. |
Where we have to collect, use or process your personal data, we will inform you to what extent your personal data will be processed. |
Purpose Limitation |
Data Minimisation |
Data Accuracy |
The Heritage Council will only collect personal data for specified, explicit, and legitimate purposes and not further process it in a manner that is incompatible with those purposes. |
Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Heritage Council will only process personal data if it is not possible to administer our activities without personal data. The Heritage Council will ensure that the period for which personal data is stored is limited to a strict minimum. |
The Heritage Council will take every reasonable step to ensure that any personal data that we hold is accurate, up to date and limited to the use for which it was collected. |
Storage Limitation |
Integrity and Confidentiality |
Accountability |
Personal data should only be kept for as long as is necessary for the purposes for which the personal data are processed. The Heritage Council will take every reasonable step to ensure that personal data will be reviewed periodically for erasure. |
Processes are in place to ensure that personal data is processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage. |
The Heritage Council is responsible for compliance with all of the Principles of Data Protection. We take our role as data controllers seriously and take adequate steps in the processing of personal data and how we comply with the GDPR. |
- Your Rights Under GDPR
As a data subject, you have the following rights:
- Right to have your personal data used in accordance with GDPR. Your personal information must be obtained and used fairly, kept securely and only for as long as is absolutely necessary, and not illegitimately disclosed to others.
- Right to be informed about the type and extent of personal data collected or obtained from you and held by commercial companies and other organisations.
- Right of access to your personal data. You are entitled to get a copy of your personal information.
- Right to rectification. You have the right to have your personal information corrected where it is inaccurate or completed where it is incomplete.
- Right to be forgotten. You have the right to have your personal data erased if it is being unlawfully processed, held for longer than necessary, or used for direct marketing purposes.
- Right to data portability allows data subjects to get back personal data they provided to a company in a structured, commonly-used and machine-readable format and transmit that data to another company of their choosing e.g. emails held by an email service provider or data held by a music streaming service.
- Right to object to processing of your personal data, particularly where it relates to direct marketing or profiling.
- Right to restrict processing of your personal data. Where processing of your data is restricted, it can be stored by the data controller, but most other processing actions - for example deletion - will require your permission. A typical example is where you have contested the accuracy of your data and request a restriction until the data controller has determined the accuracy of your data, or the outcome of your objection.
- Right to freedom from automated decision-making. You have the right not to be subject to a decision based solely on automated processing e.g. creditworthiness, work performance, etc.
- Personal Data Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The Heritage Council has taken action to ensure that any personal data is held in the most secure manner possible. In the event of a data breach, the Data Protection Commission will be notified immediately, and steps taken to mediate the impact of the breach.
The Heritage Council’s servers are hosted and managed by a third-party service provider with ISO 27001 certification.
The Heritage Council’s Staff Handbook contains its code of practice for employees in relation to Confidentiality (Section 5.9), E-mail and internet use (5.7) and Telephones (5.8).
Council’s ICT operating platform and hardware have been hardened and encrypted to 2021 good practice standards and will be continuously reviewed and upgraded on a monthly and quarterly basis. Hardware and software ‘Firewalls’ are in place, to protect end-user devices and the overall network. Devices, databases and files are encrypted at rest and in transit, and Transport Layer Security protocols have been added to e-mail systems
Council has put in place a suite of employee policies for Information and Communication Technology usage, and associated risk management processes to measure, manage and remediate cyber risks.
All computer systems are password protected. The ICT system is set to lock computers if they are not accessed or used upon expiration of a predefined period of time and a password is required to unlock them.
- Use of cookies
Cookies are small pieces of text stored on your computer to help your browser keep track of your movements on our websites, remember preferences you may have selected, keep you logged in until you log out, etc. They are also used to anonymously collect marketing data, mostly through Google Analytics.
They help us to improve our website and deliver may of the functions that make your browser experience more user friendly. By using the Heritage Council website, you are agreeing to the use of cookies as described.
No information is collected that could be used by us to identify website visitors.
Cookies may be disabled in your browser settings.
Our website may contain links to external websites run by other organisations. This privacy notice only applies to the Heritage Council’s systems and websites. We are not responsible for the policies and practices of third-party websites, and we recommend that you are aware of the cookies policies of external websites.
- What we do with your data
For details of data processing please refer to our Data Protection Policy and Data Retention Schedule which can be found here
- What we will not do with your data
Automated decision making The Heritage Council does not use automated decision making in any of its processes.
Direct marketing The Heritage Council will never use personal data provided by you to undertake direct marketing as defined in law.
- How long we keep your personal data
Detailed information on our retention schedules can be found in our Data Protection Policy here
- International Transfer
Some of the websites that are used by the Heritage Council for data processing are located in third countries, such as Mail Chimp. Where this occurs, we will inform you at the time of collection of the data.
- Complaints
You have the right to lodge a complaint about how we handle your personal data to the competent supervisory authority, which is the Data Protection Commission.
The Data Protection Commissioner is located at 21 Fitzwilliam Square South, Dublin 2, D02 RD28.
- Changes to this notice
We will update this notice from time to time. The notice will be available on our website. This version dates from April 2024.
- Contact details
For more information about this notice or data protection matters, please contact the Heritage Council’s Data Protection Officer at dpo@heritagecouncil.ie.