 

Privacy notice

Introduction

This Notice provides you with information regarding the personal data about you which is held by the Commission for Public Service Appointments. 

The Commission for Public Service Appointments fully respects your right to privacy.  Your personal data will be treated with the highest standards of security and confidentiality, in accordance with the General Data Protection Regulation (GDPR) and Data Protection legislation. 

This Notice uses certain words or terms which have a particular meaning under GDPR and Data Protection legislation.  See the Definitions section of this Notice for an explanation or definition of the words.

Who we are and who controls your data

Your personal data is held by the Commission for Public Service Appointments (or ‘the CPSA’ in this notice) which is the data controller for the purposes of GDPR and Data Protection legislation.  The Ombudsman is a member of the CPSA.  Certain ‘in house’ services or facilities of the CPSA are jointly shared with the Office of the Ombudsman – these services include, for example, corporate services, finance and IT.  The Office of the Ombudsman is therefore a joint controller in so far as data relating to such shared services is concerned.

We may be contacted at:

18 Lower Leeson Street, Dublin 2, DO2 HE97. 

Telephone: (01) 639 5750

Email:  info@cpsa.ie

Data Protection Officer

Our Data Protection Officer may be contacted at:

Email:  dataprotection@ombudsman.ie

Telephone: (01) 639 5760

Postal Address: 18 Lower Leeson Street, Dublin 2, DO2 HE97. 

The Data Protection Officer is designated for the Office of the Ombudsman, OIC, OCEI, SIPOC, CPSA and the Referendum Commission.

Your personal data and how we collect it

A very large amount of the personal data which we hold about you is provided by you in your phone calls, letters, emails or other communications with us. 

We also hold personal data which has been provided by someone else or by someone on your behalf.  Where this occurs, further details are provided below.

The personal data we hold and where it comes from will depend on the type of interaction you have with us. 

Persons making a complaint under Section 8 of the Code of Practice

We hold personal data about requesters under Section 8 of the Code of Practice.  The type of data we hold will depend on the particular case but can include your: contact details; application information; interview/assessment notes; employment history; qualifications; references; HR records (PMDS, cases brought under the Bully and Harassment Policy and/or grievance procedures); legal cases taken against employers; complaints pursued through the WRC.  It can also include such health data, data relating to religious or political beliefs and data relating to criminal convictions or offences as may be disclosed.

This data is provided by the data subject (the person to whom the information relates) or by the public body. 

Other persons involved in a selection process subject to a complaint under Section 8 of the Code of Practice

We hold personal data about other persons involved in a selection process which has been the subject of a complaint under Section 8 of the Code of Practice. This can include other applicants, selection board members and staff of the public body involved in the administration of the process.

The data we hold can include your: contact details; interview/ assessment notes; application information; employment history; qualifications; references.  It can also include such health data, data relating to religious or political beliefs and data relating to criminal convictions or offences as may be disclosed.

This data is provided by either the person who has made the complaint or the public body to which the complaint refers.

Persons involved in a selection process subject to audit under Section 3 of the Code of Practice

We hold personal data about persons involved in a selection process which has been subject to audit under Section 3 of the Code of Practice. This can include other applicants, selection board members and staff of the public body involved in the audit.

The data we hold can include your: contact details; interview/ assessment notes; application information; employment history; qualifications; references.  It can also include such health data, data relating to religious or political beliefs and data relating to criminal convictions or offences as may be disclosed.

This data is generally provided by the public body to which the audit refers. On occasion it may be provided by a third party that has disclosed information to the CPSA.

Persons subject to a request for an excluding order under Section 11 of the Public Service Management (Recruitment and Appointment) Act, 2004 (‘the Act’)

We hold personal data about persons who are subject to a request for an excluding order under Section 11 of the Act. The type of data will depend on the particular case but can include your: name, contact details, employment history; qualifications. 

This data is provided by the public body responsible for making the request.

Staff of public bodies 

We hold personal data about staff of public bodies in relation to their administration of matters relating to the CPSA. This includes the administration of matters relating to the CPSA’s:

  • Codes of Practice
  • Mechanisms for review under Section 7 and Section 8
  • Excluding order process
  • Recruitment Licence application process
  • Processes for dealing with statutory requests 

The personal data we hold includes the name, contact details, grade/role of the staff member and information relating to the performance of their functions. This personal data comes from the public body or the staff member who is in contact with the CPSA and includes personal data in the communications regarding the handling of the CPSA matter or other communications with us. 

Staff of recruitment agencies

We hold personal data about staff in recruitment agencies, which includes contact details, qualifications and employment histories.  It is provided to us by the recruitment agencies.

Persons making enquiries in relation to any of the CPSA’s functions under Section 13 of the Act

We hold personal data about people making enquiries in relation to the CPSA’s various functions under the Act. This can include queries in relation to the CPSA’s:

  • Codes of Practice
  • Mechanisms for review under Section 7 and Section 8
  • Excluding order process
  • Recruitment Licence application process
  • Application process for inclusion as a listed agency
  • Processes for dealing with statutory requests 

This data is provided by you, the person making the enquiry, or by your representative.

Requesters under the Protected Disclosure Act

We hold personal data about requesters under the Protected Disclosure Act. This data can include your: contact details; interview/ assessment notes; application information; employment history; qualifications; references; HR records (PMDS, claims under the Bully and Harassment Policy and/or grievance procedures); legal cases taken against employers and complaints pursued through the WRC.  It can also include such health data, data relating to religious or political beliefs and data relating to criminal convictions or offences as may be disclosed.

This data is provided by you or your representative.

Statutory requests to the CPSA

We hold personal data about people who make statutory requests to the CPSA, including for example people who make an FOI request or Data Protection access request looking for records or information from us.  The personal data includes your name and contact details and information relating to the statutory request. 

These statutory requests made to the CPSA could also include personal data about someone other than the person making the request.  Whether they contain personal data and, if so, the type of personal data will depend on the request.  This information comes from the person making the request.

Representatives

We hold personal data about representatives who make enquiries or who make requests on behalf of someone else.  This data includes the name, contact details and details relating to the representative capacity or relationship with the person on whose behalf the enquiry or application is made. It also includes any other personal data which the representative provides.

This data is provided by the data subject (the representative). 

Visitors to our website

When someone visits www.cpsa.ie  we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site.

We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. We will not associate any data gathered from this site with any personally identifying information from any source.

If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information through our website and will explain what we intend to do with it.

Emailing us

We are part of the Government Services network. Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used.

Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

Suppliers / service providers / other people in contact with the CPSA

We hold personal data about you where there has been contact between the CPSA and yourself in relation to various matters, including e.g. contact regarding the supply of goods or services or invitations to the CPSA to make presentations to seminars, attend conferences etc.  This personal data includes your name, contact details and information relating to the goods or services, the seminar, conference etc.  It comes from your interactions with us.

Others

We have described above all the main categories of people whose personal data we hold.  We can hold data about people who do not fall within these categories.  For example, from time to time we hold personal data about people attending meetings or events with the CPSA.  We confirm that all personal data is treated with the highest standards of security and confidentiality, in accordance with the General Data Protection Regulation (GDPR) and Data Protection legislation. 

 

What we use your data for and the legal basis

Functions under the Act

We use the information about you so that the CPSA can carry out its functions under the Act.  In other words, in order to carry out these functions, we will have to process your data.

In legal terms, our use of personal data is:

  • necessary for the performance by the CPSA of a task carried out in the public interest or in the exercise of official authority vested in the CPSA
  • necessary for reasons of substantial public interest, on the basis of the Data Protection legislation which is proportionate, respects the essence of the right to data protection and provides suitable and specific measures to safeguard your fundamental rights and interests.

General administration & compliance with legal obligations

We also hold information about you for the purpose of responding to statutory requests made to the CPSA (such as access requests under the FOI Act 2014, the Data Protection Act and the Access to Information on the Environment Regulations).  Doing this is necessary for compliance with our legal obligations. 

We also compile and publish statistics showing information like the number of reviews we receive, but not in a form which identifies anyone.

Who we share your information with

In examining a complaint under Section 8 of the Code of Practice we will need to share information with the public body to which the complaint relates. Such information sharing may similarly occur when carrying out an audit under Section 3 of the Code or any other function as prescribed in the Act.

Joint controller: As explained above, the Office of the Ombudsman is joint controller of certain data relating to such services as corporate services, finance and IT.  For data protection purposes your personal data is considered to be shared with the Office of the Ombudsman.

How long we keep your personal data

The length of time we hold your personal data for will depend on the type of document or record which contains the data.  Our Records Retention Policy sets out the time periods for different types of record.  Please see the attached Records Retention Policy.

Categories of data subjects and retention period:

Persons making a complaint under Section 8 of the Code of Practice

  • Final reports issued by the CPSA under Section 8 are retained for 3 years from date of issue
  • Supporting documentation is retained for 1 year from date of issue of report

(this is subject to extension on the basis of receipt of a request under formal review procedures)

Other persons involved in a selection process subject to a complaint under Section 8 of the Code of Practice

  • Supporting documentation is retained for 1 year from date of issue of report

(this is subject to extension on the basis of receipt of a request under formal review procedures)

Persons involved in a selection process subject to audit under Section 3 of the Code of Practice

  • Supporting documentation is retained for 1 year from date of issue of audit report

Persons subject to a request for an excluding order under Section 11 of the Act

  • Excluding orders are retained for 1 year from the expiry date of order
  • Supporting documentation is retained for 1 year from the expiry date of order

Staff of public bodies

In relation to the administration of matters relating to the CPSA’s:

  • Codes of Practice – Data is retained for the duration of the period the staff member remains a nominated/relevant contact person for the CPSA
  • Mechanisms for review under Section 7 and Section 8 – 1 year from the date of issue of a report under Section 8 or completion of enquiry (subject to extension on the basis of receipt of any requests under formal review procedures)
  • Excluding order process – 1 year from expiry date of order
  • Recruitment licence application process – Recruitment licences are retained indefinitely; supporting docs are retained for 1 year from the date of issue of a licence
  • Processes for dealing with statutory requests – Supporting docs – 1 year from date of issue of formal response (subject to extension on the basis of the receipt of any requests under formal review procedures, i.e. review of the decision)

Staff of recruitment agencies

  • 1 year from the date on which the agency was granted approval for inclusion in the CPSA’s list of approved agencies

Persons making enquiries in relation to any of the CPSA’s functions under Section 13 of the Act

  • 1 year from the date on which the enquiry was closed

Requesters under the Protected Disclosures Act

  • 1 year from date of issue of response to the request (subject to extension on the basis of the receipt of any requests under formal review procedures, i.e. review of the decision)

Statutory requests to the CPSA

  • 1 year from date of issue of response to the request (subject to extension on the basis of the receipt of any requests under formal review procedures, i.e. review of the CPSA’s decision)

Representatives

  • Retention policies for representatives correlate to those of the persons to whom the requests relate, under the provisions of the Act

Suppliers / service providers / other people in contact with the CPSA

  • 1 year from the date on which the contract for services/the service provided to the CPSA ended

 

Your data protection rights

Under the GDPR and Data Protection legislation you have certain rights.  These rights arise in certain circumstances and are subject to certain exemptions.  The rights are:

  • right to access the data – you have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data
  • right to rectification – you have the right to request that inaccurate personal data be corrected and that incomplete personal data be completed
  • right to erasure (or right to be forgotten) – you have the right to request that personal data be deleted
  • right to restriction of processing or objection to processing – you have the right to request that our use or processing of your data be restricted or to object to our processing of your data
  • right to data portability – you have the right to request that personal data be given to you or another person in a transferable or machine readable form.
  • If your personal data is held by us on the basis of your consent (or explicit consent), you have the right to withdraw that consent at any time.

If you would like to exercise any of your rights, please contact:

The Data Protection Officer

Email:  dataprotection@ombudsman.ie

 

Your right to complain

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.

You also have the right to lodge a complaint with the Data Protection Commission.  The Data Protection Commission may be contacted at:

Website: www.dataprotection.ie

Email:  info@dataprotection.ie

Telephone:  (0761) 104 800; Lo-Call 1890 25 22 31. 

Postal Address: Canal House, Station Road, Portarlington, Co Laois, R32 AP23. 

Requirements to provide personal data and possible consequences of failure to provide

Section 15(4) of the Act provides that any ‘authorised person’ may request, where required for the purposes of carrying out the functions of the CPSA under the Act, access to any records he/she considers appropriate from a Licence Holder (a public body to which a recruitment licence has been granted by the CPSA under Section 43 of the Act).

If you are making an enquiry, making a complaint under Section 8, making a request for an excluding order or making a statutory request, we may need certain information in order to respond to you or address your request. If you do not give us the information, we will not be able to respond or carry out the review.

Further information

This privacy notice was drafted with clarity in mind. It does not provide exhaustive detail of all aspects of the collection and use of personal data by CPSA. However, we are happy to provide any additional information or explanation needed. Please feel free to contact us. 

Use of cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

Our cookies

cpsa site cookie acceptance

  • Name: Accept_cookies
  • Purpose: This cookie is used to record if a user has accepted the use of cookies on the cpsa website.
  • More information: To withdraw your consent after accepting this cookie, delete the accept cookies cookie. Find out how at www.aboutcookies.org

Google Analytics

  • Name: _utma, _utmb, _utmc, _utmz
  • Purpose: These cookies are used to collect information about how visitors use our site.  The cookies collect information in an anonymous form that does not identify a visitor. They provide information regarding the number of visitors to the site, where visitors have come to the site from and the pages they visited.  We use this information to compile reports and to help us improve the way our website works, for example by making sure users are finding what they need easily.
  • More information: Click here for an overview of privacy at Google. To opt out of being tracked by Google Analytics across all websites visit the Google site.

Search Engine

  • Purpose: The search engine on our website is designed to be as powerful and easy to use as the popular search engine Google. The search is made possible by a piece of hardware (a search 'appliance') supplied by Google that is plugged into our server and continuously indexes the content on our site. All search requests are handled by the appliance and the information is not passed on to any third party, including Google.
  • More information: Click here for an overview of privacy at Google

Online notification form cookie

  • Name: ASP.NET_SessionId
  • Purpose: This cookie is essential for the online form, and is set only for those people using the form. This cookie is deleted when you close your browser.
  • More information: Visit the Microsoft website

Definitions

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Protection Act 2018  Amongst other things, this Act gives further effect to the GDPR (see below) in areas where Member State flexibility is permitted. 

Data Protection Officer  The GDPR requires some organisations to designate a Data Protection Officer (DPO).  Article 39 of the GDPR states that the data protection officer “shall have at least the following tasks:

  1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  4. to cooperate with the supervisory authority;
  5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.”

Data Subject means the identified or identifiable natural person to whom the personal data relates – see also the definition of personal data below.

The General Data Protection Regulation (GDPR) is an EU Regulation relating to data protection which came into force on 25 May 2018.

Joint Controller.  Where two or more controllers (see above) jointly determine the purposes and means of processing, they are joint controllers.

Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Special Categories of Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.