Page 69 - EQA Employee Handbook
Where it is not possible to provide all relevant information at the time of initial notification, EQA
(Ireland) shall communicate the same to the Data Protection Commissioner and shall endeavour to
provide all necessary information in phases without undue further delay.
7.7.5. Where the data subject is to be notified, the communication shall be in clear and plain language
and shall, at least:
• Describe the nature of the personal data breach;
• Communicate the name and contact details of the contact point where more information can
be obtained;
• Describe the likely consequences of the personal data breach;
• Describe the measures taken or proposed to be taken by the controller to address the
personal data breach, including, where appropriate, measures to mitigate its possible adverse
effects.
7.7.6. While completing the ‘Data Breach Risk Assessment Form’, EQA (Ireland) senior management
shall determine if further investigation is required towards identifying opportunities for improvement
in its data protection management, including staff training and the adequacy of security measures.
7.7.7. Records of data breaches shall be retained at the following server location:
\\SERVER\Administration\Data Protection Act\Data Breaches
7.8 Data Protection Impact Assessments
7.8.1. Towards ensuring the appropriate management of the process of triggering and carrying out
Data Protection Impact Assessments, EQA (Ireland) refer to the relevant Guidelines on Data Protection
Impact Assessment as adopted by the Article 29 Data Protection Working Party.
7.8.2. When carrying out a Data Protection Impact Assessment, EQA (Ireland) shall make appropriate
reference to the ‘Data Protection Impact Assessment Form’, as well as Appendices 2 and 3 to this
policy.
7.8.3. Where data processing (existing or prospective) is likely to result in a high risk to the rights and
freedoms of natural persons, a Data Protection Impact Assessment shall be carried out. In evaluating
the likelihood of a high risk, the following criteria should be considered:
• Evaluation or scoring, including profiling and predicting, especially from aspects concerning
the data subject’s performance at work, economic situation, health, personal preferences or
interests, reliability or behaviour, location, or movements;
• Automated decision-making with legal or similar significant effect;
• System monitoring, such as the systematic monitoring of a publicly accessible area;
• Sensitive personal data or personal data of a highly personal nature, as well as personal data
relating to criminal convictions or offences;
• Personal data processed on a large scale, where a large scale is determined based on…
• Matching or combining datasets;
• Data concerning vulnerable data subjects, where the individual data subjects may be unable
to easily consent to or oppose the processing of their personal data, or otherwise exercise
their rights;
• Innovative use or applying new technological or organisational solutions;
• When the data processing in itself prevents data subjects from exercising a right or using a
service of a contract.
7.8.4. Where any of the above criteria are met, but EQA (Ireland) do not determine it likely to result
in a high risk, justification for this determination shall be documented in the relevant section of the
‘Data Protection Impact Assessment Form’.
7.8.5. Where a Data Protection Impact Assessment is to be carried out, a new subfolder shall be
created in the server location, \\SERVER\Administration\Data Protection Act\Data Protection Impact
Assessments\, uniquely identifying the nature of the assessment. The subfolder shall contain all
relevant documentation, including the associated ‘Data Protection Impact Assessment Form’.
Page 68 of 79