1.1 Lisavaird Co-operative Creamery Limited (‘the Company’) was founded in 1925. The first historical General Meeting was held on March 13, 1925. The Company purchases milk from its farmer/shareholders and all milk is processed for the manufacture of cheese at Carbery Milk Products in Ballineen.
1.2 This Code of Practice is to disclose in a transparent way how the Company obtains and processes Personal Data so that all those who provide us with Personal Data will clearly understand our practices and procedures. This Code also sets out our approach to dealing with Data Subject Access Requests under Section 4 of the DPA.
The Appendix contains a glossary of the key terms used in this Code of Practice.
3.1 The Company would typically retain and process the following types of personal data:
(a) Regarding customers: Name, address, date of birth and any further details given by the customer when completing an account application form with the Company or, in the alternative, when a customer does not use such an account, details of any non-cash purchases made by such customers from the Company.
(b) Regarding milk suppliers: Name, Address, Herd Number, Supplier Number, Certificates of Animal Health Requirements for Milk Yielding Animals, Total Bacteria Count Records (TBCs), Somatic Cell Count records (SCCs), Milk supply, Disposal Records, Geo Mean and Antibiotics, SDAS, Water Tests, ERAD, Butterfat, Protein, Lactose, Dates of Birth, Quota Transactions, Home & mobile Numbers, Bank Details, Cow Numbers, Bulk Tank Size, milking platform information, email address & VAT numbers.
(c) Regarding shareholders: Name, Address, Home & mobile Numbers, Share Transaction History, Bank Details, Grant of Probate, copies of wills, email address & Solicitor correspondence.
(d) Regarding professional support: details of (a) to (c) above shared with professional support services on the basis that such information will only be shared where adequate, necessary and relevant, and only for as long as is needed, subject to clause 4.1 below.
(e) Regarding employees: Name, address, gender, date of birth and details of contractual arrangements and payments to employees of the Company.
(f) Regarding Raffles/Competitions: Name, address, telephone numbers, all of which will be destroyed after the event(s).
4.1 The Company controls the contents and use of Personal Data. The Company will usually perform its functions itself. When the Company engages third parties to process personal data on its behalf it will ensure in its contracts that such third parties will also be subject to the data protection obligations set out in the DPA.
5.1 The Company controls and processes Personal Data provided to us only for the purpose of conducting business as a co-op.
The Company is obliged to comply with the data protection principles set out in Section 2 of the DPA. These obligations mean the Personal Data we hold must meet the following criteria:
(a) Must be obtained and processed fairly
As most Personal Data obtained by us is provided directly by customers, milk suppliers and shareholders, in the course of our business as a co-op and cheese manufacturer, the Company will regard such data as having been fairly obtained.
(b) Shall be accurate, complete and kept up to date
The Company controls the data provided to it on its centralised, secure IT system. The Company will also comply with any data rectification requests received under Section 4 of the DPA in accordance with Section 12 below. Accordingly, the Company ensures that Personal Data processed by it is accurate, complete and up to date. Data received from customers, milk suppliers and shareholders, and entered into the Company’s system is cross checked to ensure accuracy and completeness.
(c) Shall have been obtained only for one or more specified, explicit and lawful purposes
The Company processes Personal Data that it holds only for the purposes of conducting business on behalf of its shareholders.
(d) Shall have been obtained only for one or more specified, explicit and lawful purposes
(e) Shall be adequate, relevant and not excessive for those purposes
The Company only requires Personal Data which is relevant to the performance of its business. It does not seek, nor does it wish to receive, excessive levels of data which are not relevant to these duties.
(f) Shall be kept for no longer than is necessary
Personal Data is ordinarily archived for a period of seven years. This allows the Company to recall the information in the event of subsequent litigation. The Company will retain statistical factual information about cases indefinitely, but such data will not be “personal data” as defined in the DPA.
(g) Must be kept secure against unauthorised access, alteration or destruction
To ensure that only those who have a need to access Personal Data can do so, the Company’s manual data is stored in a secure site. The Company has established appropriate security provisions to ensure that:
1. Access to the Company’s computers is restricted to the Company’s authorised staff.
2. Access to the information is restricted to the Company’s IT authorised staff.
3. The Company’s systems are password protected.
4. The Company has comprehensive back up procedures in operation.
5. All waste papers, printouts, etc. are disposed of securely.
6. Back-up Data. Back-up data are data held specifically for the purpose of recreating a file in the event of the current data being destroyed. In accordance with our security obligations under the DPA, the Company’s electronic case management system is regularly backed-up so as to avoid the loss or compromise of data. Back-up data will not ordinarily be provided in response to a Data Subject Access Request.
7.1 Under Section 4 of the DPA, Data Subjects, such as customers, milk suppliers, shareholders and employees, are entitled to the following information from the Company:
a) confirmation as to whether we keep Personal Data relating to them;
b) a description of the categories of Personal Data processed;
c) a copy of such Personal Data in intelligible form;
d) a description of the purpose(s) behind the processing of the Personal Data;
e) the identity of those to whom we have disclosed (or currently disclose) the data;
f) the source of the Personal Data (unless this is contrary to the public interest).
7.2 Access requests under Section 4 apply to Personal Data held by the Company in both a computerised and manual form. However, where a document exists in duplicate, two copies of the same document will not be provided in response to a request.
8.1 Data Subject Access Requests must meet certain formalities:
(a) they must be in writing;
(b) the Company will make reasonable enquiries to satisfy itself about the identity of the person making the request to ensure we are not disclosing Personal Data to a party who is not entitled to it under the DPA;
(c) it must include a reasonable level of appropriate information to help us to locate the information required. (However, no reason for the request needs to be provided);
8.2 a) Where a Data Subject Access Request does not specify otherwise, it is to be assumed, subject to Parts 9 and 10 below, that a copy of all Personal Data held by the Company about the Data Subject is to be disclosed.
b) Data Subject Access Requests will be complied with within 40 days of receipt of the request. Where reasonable additional information is required to substantiate the request as described in paragraph 7.1(b) and (c), the time frame for responding runs from receipt of the additional information.
c) If we receive a very general Data Subject Access Request, e.g. “please give me everything you have on me”, the DPA allows us to seek more detailed information on the nature of the request. However, this will be assessed on a case-by-case basis.
9.1 The Company will not normally disclose the following types of information in response to a Data Subject Access Request:
(a) Information about other People
A Data Subject Access Request may cover information which relates to one or more people other than the Data Subject. The information about the other person may be Personal Data about that person, to which the usual data protection rules under the DPA, including the restrictions on disclosure, apply.
In such circumstances we will not grant access to the information in question unless either:
(i) the other person has consented to the disclosure of their data to the Data Subject; or
(ii) in all the circumstances it is reasonable to make the disclosure without that person’s consent.
If the person’s consent is not forthcoming and it is not reasonable to make the disclosure without consent, we will make available as much Personal Data as we can without revealing the identity of the other person (for example by excluding the person’s name and/or other identifying particulars).
(b) Repeat Requests
The DPA provides an exception for repeat requests where an identical or similar request has been complied with in relation to the same Data Subject within a reasonable prior period. The Company will consider that if a further request is made within a period of six months of the original request and where there has been no significant change in the personal data held in relation to the individual, it will be treated as a repeat request. Accordingly, where Personal Data has recently been provided to the Data Subject or his/her legal representative, the Company will not normally provide a further copy of the same data in response to a Data Subject Access Request. The Company will not consider that it is obliged to provide copies of documents that are in the public domain.
(c) Privileged Documents
Where a claim of privilege could be maintained in proceedings in a court in relation to communications between the Company and its professional legal advisers (or between those advisers), any privileged information which we hold need not be disclosed pursuant to a Data Subject Access Request.
9.2 Where the Company refuses a Data Subject Access Request, we will do so in writing and we will set out the reasons for our refusal.
10.1 Section 5 of the DPA provides that individuals do not have a right to see information relating to them where any of the following circumstances apply. While these circumstances would not ordinarily apply to the Company, they are set out below for the sake of completeness:
(a) If the information is kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing/collecting any taxes or duties; but only in cases where allowing the right of access would be likely to impede any such activities;
(b) If granting the right of access would be likely to impair the security or the maintenance of good order in a prison or other place of detention;
(c) If the information is kept for certain anti-fraud functions; but only in cases where allowing the right of access would be likely to impede any such functions;
(d) If granting the right of access would be likely to harm the international relations of the State;
(e) If the information concerns an estimate of damages or compensation in respect of a claim against the organisation, where granting the right of access would be likely to harm the interests of the organisation. This would only apply in respect of data relating to a claim against the Company.
(f) If the information would be subject to legal professional privilege in court;
(g) If the information is kept only for the purpose of statistics or carrying out research, but only where the information is not disclosed to anyone else, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved.
The DPA provides a right of access to a permanent copy of the Personal Data that is held about the Data Subject unless this is not possible or would involve disproportionate effort. The information must be communicated to the Data Subject in an intelligible form. Usually this will mean that a photocopy or printout of the Personal Data will be provided to the Data Subject. However, where a Data Subject agrees, information can be provided in electronic format e.g. by email or on disk.
If a Data Subject seeks to have any of his or her Personal Data rectified or erased, this will be done within 40 days of the request being made provided there is reasonable evidence in support of the need for rectification or erasure.
The Company will not ordinarily transfer Personal Data to countries outside the European Economic Area (EEA). In the event that this position changes, the Company will comply with its obligations under Section 11 of the DPA by adopting one of the appropriate measures approved by the Data Protection Commissioner and the European Commission to ensure such transfers are lawful.
Any material changes to this Code will be notified to the Data Subjects prior to adoption.
October 22, 2018
The Data Protection Acts 1998 to 2003
The DPA applies only to Personal Data as defined in Section 1 of the DPA:
The DPA applies to Personal Data held in a computerised or manual (paper) form.
A Data Subject is the individual who is the subject of the Personal Data. Only a Data Subject is entitled to make a Data Subject Access Request.
Data Subject Access Request:
A Data Subject Access Request is a request made in writing to the Company by a Data Subject pursuant to Section 4 of the DPA.
Processing is extremely broadly defined and includes practically all imaginable acts of collection, access, use, storage and deletion of data.
Data controller means a person who, either alone or with others, controls the contents and use of personal data.
Data processor means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his/her employment.