Data Protection Policy – Updated: November 2025
1.1 The purpose of this Data Protection Policy is to provide for the protection of the rights and privacy of individuals about whom Laois Sports Partnership processes personal data in accordance with The Data Protection Act 2018, which was signed into law on 24 May 2018.
1.2 Laois Sports Partnership (“LSP”) is committed to protecting the rights and privacy of individuals in accordance with the Data Protection Act and acknowledges the rights that this Act confer on individuals as well as the responsibilities the Act places on Laois Sports Partnership employees and auxiliary staff who process personal data in the course of their duties.
1.3 This Data Protection Policy is designed to:
(a) give practical guidance on LSP’s approach to data protection law.
(b) raise awareness amongst LSP staff and key stakeholders about data protection law, including rights and responsibilities.
(c) provide guidance on how to comply with those responsibilities.
2. LSP’S APPROACH TO DATA PROTECTION
2.1 LSP has taken the following steps to ensure its compliance with data protection law including:
(a) Identifying and appointing a Data Protection Liaison Officer (DPLO)
(b) Providing and attending data protection specific training.
(c) Engaging experts regarding compliance and planning accordingly.
(d) Drafting and reviewing relevant policies that are reviewed and signed off by the LSP board.
(e) Creating an inventory of personal data, mapping out what personal data we hold and process and the justifications for doing so.
(f) Continuously monitoring our policies and our compliance with data protection law including refresher trainings where required.
2.2 This policy should be read in conjunction with existing policies and rules, including but not limited to the following:
– Privacy policy
– Complaints Policy
– Employee handbook
– Safeguarding policy
– Garda Vetting
3. DATA PROTECTION LAWS & PRINCIPLES
3.1 The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (“DPA 2018”) (together “data protection laws”).
3.2 The data protection laws require that the personal data is processed in accordance with the Data Protection Principles (see 3.3) and gives individuals rights to access, correct and control how we use their personal data.
3.3 Laois Sports Partnership must handle personal data in accordance with the eight stated data protection principles outlined in the Act as follows:
(a) Obtain and process the personal data fairly.
(b) Keep only for one or more specified and lawful purpose(s).
(c) Use and disclose only in ways compatible with the purpose(s) for which it was initially provided.
(d) Keep safe and secure.
(e) Keep accurate, complete and up to date.
(f) Ensure that it is adequate, relevant and not excessive.
(g) Retain for no longer than is necessary for the specified purpose(s).
(h) Provide a copy of his/her personal data to an individual, on request.
4. DATA PROTECTION DEFINITIONS
4.1 The Data Protection Act provides for the collection, processing, retention and eventual destruction of personal data in a responsible and secure way thereby avoiding its misuse.
4.2 “Personal Data” is data that relates to a living individual who is identifiable either from the data itself or from the data in conjunction with other information held by Laois Sports Partnership. Personal data has a very broad-ranging definition and includes, but is not limited to, a person’s name, physiological, economic, cultural, social identity, pseudonyms, occupation, address etc. Personal data may be held in either electronic form (e.g. on a computer system, CCTV system) or in hard copy.
4.3 “Sensitive Personal Data” relates to a person’s racial or ethnic origin; political opinions; religious or philosophical beliefs; physical and mental health; sexual life; criminal convictions, the alleged commission of an offence and trade union membership.
4.4 Data Subject is the living individual to whom the relevant personal data relates.
4.5 Processing is widely defined under the data protection laws and can include for example collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction of personal data, including CCTV images.
4.6 Lawful Basis for Processing
4.6.1 For personal data to be processed lawfully, LSP must process it on one of the legal grounds set out in the data protection laws.
4.6.2 For the processing of ordinary personal data in LSP these may include, among other things:
4.6.2.1 the data subject has given their consent to the processing;
4.6.2.2 the processing is necessary for the performance of a contract with the data subject;
4.6.2.3 the processing is necessary for the compliance with at legal obligation to which the data controller is subject; or
4.6.2.4 the processing is necessary for legitimate interest reasons of the data controller or a third party i.e. you are processing someone’s personal data in ways they would reasonably expect it to be processed and which have a minimal privacy impact on the data subject or where there is a compelling justification for the processing.
4.7 Data Controller is the person who decides how personal data is used, for example we will always be a data controller in respect of personal data relating to our employees.
4.8 Data Processor is a person who processes personal data on behalf of a data controller and only processes that personal data in accordance with instructions from the data controller.
4.9 Data Users include employees or volunteers whose work involves using personal data. Data users have a duty to protect the information they handle by always following this data protection policy.
5. OTHER DEFINITIONS
5.1 Personal Data related to Deceased Persons best practice requires that where personal data relating to deceased persons is held, this data is retained and processed in the same manner as personal data relating to living individuals.
5.2 Anonymised Personal Data – Personal data collected anonymously or irrevocably anonymised to the extent that the individual cannot be identified from the data is not subject to the requirements of the Data Protection Act or this Policy.
6. USE OF PERSONAL DATA AT LAOIS SPORTS PARTNERSHIP
6.1 To fulfil its functions, Laois Sports Partnership (as ‘data controller’) must collect and process certain personal data about its employees, Directors, stakeholders, programme and event participants and other individuals who come in contact with the Company.
6.2 Such functions include but not limited to:
– the registration of new participants.
– ongoing renewals based on extended programmes.
– management of approved current database.
– registration of participants for attendance at education and training courses.
– the circulation of promotional and information materials.
– the recruitment, appointment and payment of employees and auxiliary staff.
– compliance with statutory obligations and other necessary administrative activities.
6.3 All personal data collected and processed by Laois Sports Partnership must be treated with the highest standards of security and confidentiality to comply with the Data Protection Acts.
6.4 Any provision for Laois Sports Partnership, as a ‘data controller’, to use a third party (‘data processor’) must be the subject of a written agreement. All proposed agreements between the Company and a third party must be developed in conjunction with the relevant legal advisors of Laois Sports Partnership.
7. RESPONSIBILITIES OF LAOIS SPORTS PARTNERSHIP EMPLOYEES
7.1 This Policy applies to all departments, offices, units and areas of work that form part of the Company structure and applies to all personal data processed by Laois Sports Partnership.
7.2 While Laois Sports Partnership has the overall responsibility for ensuring compliance with the Data Protection Act, responsibility for the implementation of this Policy rests with the Head of each area of activity to ensure good data handling practices are in place to uphold the privacy of personal data within their respective areas of responsibility. Consent must also be received for usage of photographs and video relating to service delivery activities.
7.3 Notwithstanding the foregoing, all employees of Laois Sports Partnership who collect or use personal data as part of their duties have a responsibility to ensure that they process personal data in accordance with the conditions set down in this Policy, the Laois Sports Partnership Data Protection Compliance Regulations, the Data Protection Act and any other relevant Company policies, regulations and procedures.
7.4 Laois Sports Partnership Data Protection Regulations
7.4.1 To assist employees in implementing this Policy, statements are available at www.laoissports.ie. These regulations set out key areas of work at Laois Sports Partnership where data protection issues may arise and outline best practice in dealing with them.
8. Procedure in the Event of a Personal Data Breach
8.1 A personal data breach may be defined as an incident where unauthorised disclosure, loss, destruction or alteration of personal data occurs through, for example, loss or theft of a portable device, accidental disclosure via email/other electronic system, loss of hard copy records etc.
8.2 In the event of a personal data breach;
– The DPLO of Laois Sports Partnership must be notified immediately by email info@laoissports.ie or phone.
– The DPLO will ensure, where appropriate and required, that the data subjects and the Data Protection Commissioner’s Office are notified within a maximum of two days of a breach occurring as required by the Data Protection Commissioner’s ‘Personal Data Security Breach Code of Practice’ (available at www.dataprotection.ie).
8.3 Breaches of the terms and conditions of this Policy could result in major reputational and financial damage to the Company and may result in employee disciplinary action and termination of employment being invoked.
8.4 Under the Data Protection Acts, data subjects are entitled to make a request for their personal data held by Laois Sports Partnership free of charge and any additional copies can be requested for a fee not more than €6.35.
8.5 Any such requests should be made in writing to: The Coordinator, Laois Sports Partnership, Portlaoise Leisure Centre, Moneyballytyrrell, Portlaoise, Co. Laois R32 YP11.
9. SHARING DATA WITH THIRD PARTIES
9.1 Data subject’s information will not be shared with third parties for marketing or fundraising purposes and will only be shared with third parties for the purposes set out below:
– Third Party Description Purpose for Sharing Data e.g. Programme Management, Certification.
– Sub-contractors to help the LSP to run our business in an effective manner under our terms and conditions of contract with data subjects.
– Cloud Service Providers to store information legitimately held by the LSP for business purposes.
– IT Back-up Providers to store information legitimately held by the LSP for business purposes.
– Email Service Providers to help the LSP to run our business in an effective manner for legitimate business purposes
– Internal Customer Databases to an effective manner under the LSP’s terms and conditions of contract with data subjects.
– Under this policy LSP Tutors are treated as third party.
10. DATA SUBJECTS RIGHTS
10.1 Data subjects have a number of rights under GDPR. These include:
– The right to request to access the data LSP holds on them through a Subject Access Rights Request (SAR) (Right of Access).
– The right to request to change or correct any inaccurate data (Right to Rectification).
– The right to request to delete data that LSP holds (Right to Erasure).
– The right to object to having their data processed (Right to Restriction of Processing).
– The right to object to receiving direct marketing materials.
– Data subjects can request to have their data moved outside of LSP if it is in an electronic format (Right to Data Portability)
– The right to not be subject to a decision made solely by automated data processing.
11.1 To ensure fair and transparent processing activities, LSP is required to provide data subjects with a privacy notice to let them know what we are doing with their personal data when directly collecting data. This Privacy Notice can be viewed on www.laoisports.ie and will be reviewed consistently in line with other policies and procedures.
12. RECORD OF PROCESSING ACTIVITIES
12.1 As a data controller the LSP is required under GDPR to maintain a record of processing activities under its responsibility (Data Processing Register). The record shall contain details of why the personal data is being processed, the types of individuals about which information is held, who the personal information is shared with and when personal information is transferred to countries outside the EU.
13. POLICY COMPLIANCE
13.1 Failure to comply with this policy may lead to disciplinary action, being taken in accordance with LSP disciplinary procedures. Non-compliance shall be reported to the DPC and Data Protection Officer for the purposes of GDPR only and should the need to instigate the disciplinary procedures arise, it should be dealt with by the appropriate manager. Failure of a third party contractor (or subcontractors) to comply with this policy may lead to termination of the contract and/or legal action.
14.1 This Policy will be reviewed on a biennially.