The full list of RSG Policies & Procedures can be found here

Commitment to Best Fundraising Policy

County Roscommon Disability Support Group’s Commitment to Best Fundraising Policy County Roscommon Disability Support Group, as a not for profit organisation and charity, is fully committed to achieving the standards contained within the Statement of Guiding Principles for Fundraising.

We commit to doing this by:

• Maintaining good fundraising practice.

• Providing high levels of accountability and transparency to our donors and prospective donors from the public.

• Provide clarity and assurances to you about how we spend your money. Background of The Statement of Guiding Principles For Fundraising This Statement of Guiding Principles for Fundraising has been drawn up in the context of the publication of The Charities Bill 2007, which proposes that the operational and administrative aspects of fundraising would be regulated by agreed Codes of Practice to be developed with the sector. It is a voluntary statement of intent that we have considered and will make every effort to follow. We are grateful for all funds donated to us at County Roscommon Disability Support Group and strive to ensure we have complete transparency and accountability to our donors. Below we have some information and welcome feedback at any time.

Donor Charter

Click here for the RSG Donor Charter

Public Compliance Statement

Click here for the RSG Public Compliance Statement

Data Protection Policy and Procedure

Policy Statement

County Roscommon Disability Support Group CLG (RSG)[1] is a data controller under the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 and therefore must adhere to the 8 data protection principles.  This policy and procedure is in place to ensure compliance with data protection law.


The purpose of this policy is to outline employees, service users, volunteers and employers rights and responsibilities under the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003. RSG is committed to complying with its legal obligations with regard to the Acts.


This policy applies to all employees, service users, volunteers of RSG

Legislation and Related Policies


  • Data Protection Act 1988
  • Data Protection (Amendment) Act 2003
  • I. 82 of 1989 (Health data)
  • European Communities Data Protection Regulations, (2001)
  • European Communities (Data Protection and Privacy in Telecommunications) Regulations (2002)
  • Data Protection EU Directive 95/46/EC
  • The General Data Protection Regulation (GDPR) (May 2018)

Related Policies and Procedures

  • CCTV Policy
  • Consent Policy
  • Information Technology Email and Internet Usage Policy
  • HR and Recruitment Policy and Procedure
  • Interview Policy
  • Vetting Policy

Glossary of Terms and Definitions

  • Organisation

            Refers to County Roscommon Disability Support Group CLG


A policy is a written statement that clearly indicates the position and values of the organisation on a given subject (HIQA 2006)


A procedure is a written set of instructions that describe the approved and recommended steps for a particular act or sequence of events.


This includes both the target users and target population (only refer to a target population if the policy and procedure is referring to specific groups) of the policy and procedure. It identifies to whom the policy and procedures applies to.


Means information in a form which can be processed. It includes both automated data and manual data.

Data Controller

Are those who, either alone or with others, control the contents and use of personal data. Data Controllers can be either legal entities such as companies, Government Departments or voluntary organisations, or they can be individuals such as G.P.s, pharmacists or sole traders.

Roles and Responsibilities

The IT Officer is the Data Protection Liaison for RSG.

The Board of Management has overall responsibility for ensuring compliance with data protection legislation.

All Board of Management Members and Employees must co-operate with the Data Protection Liaison when carrying out his/her duties.

The Data Protection Liaison is also available to answer queries or deal with Employees, service users and volunteers’ concerns about data protection.


The GDPR will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive. Under the Data Protection Acts and GDPR, employees, service users, volunteers of RSG have a right to obtain a copy of any information relating to them kept on a computer or in a structured manual filing system regardless of when the data was created.

Personnel records held by Employers come within the terms of the Acts.

Service user’s personal and personal health information come within the terms of the Acts and volunteer personal information come within the terms of the Acts.

Employees can make access requests for information held about them.

Data Protection Principles

RSG has the responsibility to protection all personal and sensitive data concerning staff and service users.  Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.  Both staff and service users have the right of access to data which has been collected concerning them, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority. GDPR is designed to give individuals more control over their personal data. Under the Data Protection Acts and GDPR, data must be:

  • Obtained and processed fairly.
  • Accurate, complete and kept up to date.
  • Obtained only for one or more specified, explicit and legitimate purpose.
  • Shall not be processed in a manner incompatible with these purposes.
  • Adequate, relevant and not excessive.
  • Shall not be kept longer than is necessary.
  • Should be controlled with appropriate security measures.
  • Give a copy of his/her personal data to an individual on request.
  • The key principles under the GDPR are:
  • Lawfulness, fairness and transparency;
  • Purpose Limitation;
  • Data minimisation;
  • Accuracy;
  • Storage Limitation;
  • Integrity and confidentiality and – Accountability.

Storage of Personal Data

Employee data kept by RSG shall normally be stored on the Employee’s personnel file / Employee’s training file or the Payroll System. Highly sensitive data such as medical reports will be stored in a separate file in order to ensure the highest levels of confidentiality. RSG will ensure that only authorised personnel have access to an Employee’s personnel file. It may be necessary to store certain other personal data e.g. salary details will be stored on the payroll system. The Employee’s Manager or supervisor may have access to certain personal data where necessary. Office Staff have access to certain Employee Details

Service User data is kept in individual files and retained by the service co-ordination team.

Volunteer information is kept individual files and retained by volunteer co-ordinator.

RSG has appropriate security measures in place to protect against unauthorised access.

Collection and Storage of Data

RSG processes certain data relevant to the nature of the Employment.

RSG will ensure that personal data will be processed in accordance with the principles of data protection, as described in the Data Protection Acts, 1988 and 2003.

Personal data is normally obtained directly from the Employee concerned. In certain circumstances, it will, however, be necessary to obtain data from third parties e.g. references from previous Employers.

Service user information including personal health information is normally obtained directly from service user and or their representative, health care professionals and the HSE.

Volunteer personal information is obtained directly from the volunteer.

Changes In Personal Details

Employees are responsible for ensuring that they inform the HR and Training Manager of any changes in their personal details e.g. change of address. RSG will endeavour to ensure personal data held is up to date and accurate.

Service users or representatives are responsible for ensuring that they inform the Services co-ordination team of any change in their personal details e.g. change of address.

Volunteers are responsible for ensuring that they inform the Volunteer Co-ordinator of any changes in their personal details.

RSG is under a legal obligation to keep certain data for a specified period of time.

In addition the organisation will need to keep personnel data for a period of time in order to protect its legitimate interests.

Accordingly, the personal health information of each service user will be maintained and retained in compliance with Data Protection law. Service user’s information will be maintained for a period of ten years. At the end of this period, records will be securely destroyed.

Security and Disclosure of Data

RSG shall take all reasonable steps to ensure that appropriate security measures are in place to protect the confidentiality of both electronic and manual data.

Security measures will be reviewed from time-to-time having regard to the technology available, the cost and the risk of unauthorised access. Employees must implement all company security policies and procedures e.g. use of computer passwords, locking filing cabinets etc.

HR data will only be processed for Employment-related purposes and in general will not be disclosed to third parties, except where required or authorised by law or with the agreement of the Employee. HR files are normally stored in the office of the HR & Training Manager and Employees who have access to these files must ensure that they treat them confidentially.

Personal and personal health information of service users will only be processed for the purpose of informing care, treatment or service provisions and should not be disclosed to a third party unless the service user has consented.

Service user files are normally stored in the Services Co-ordination team’s office and employees who have access to these files must ensure that they treat them confidentially.

Electronic data is security by means of encryption which is the process of encoding information stored on a device and can add a further useful layer of security.  It is considered an essential security measure where personal data is stored on a portable device or transmitted over a public network.  All staff are encouraged to use the automatic lock activation and/or manual locking of their workstation every time he/she leaves the computer unattended.

In the event of RSG ceasing to provide services, informed consent of the service user is required for the transfer of personal information and personal health information to another Service Provider and/or HSE.

In relation service users’ home care plans, plans must be maintained at the service users’ home and must be made available to the relevant Home Care Support Workers, all health care professional involved in the service users’ care and to the HSE.

Volunteer’s personal information will only be processed for volunteer-related purposes and in general will not be disclosed to third parties, except where required or authorized by law or with the agreement of the volunteer. Volunteer files are normally stored in the office of the Volunteer Co-ordinator.  Employees who have access to these files must ensure that they treat them confidentially

Employees must maintain the confidentiality of any data they have access to in the course of their Employment.

Employees must adhere to the data protection principles set out above.

To ensure compliance with the Data Protection policy and procedure all members of the workforce will receive appropriate data protection training in accordance with their specific need and their level of access to personal and personal health information.

If Employees are in any doubt regarding their obligations they should contact the Data Protection Liaison.

Any breach of the data protection principles is a serious matter and may lead to disciplinary action up to and including dismissal.

Employee Medical Data

The Organisation requests that prior to employment Employees visit their Doctor and get written confirmation of their fitness to work. This data will be retained by the Organisation.

Occasionally, it may be necessary to refer Employees to the company doctor for a medical opinion and all Employees are required by their contract of employment to attend in this case. The Organisation will receive a copy of the medical report, which will be stored in a secure manner with the utmost regard for the confidentiality of the document.

Employees are entitled to request access to their medical reports. Should an Employee wish to do so, please contact the HR & Training Manager who will consult with the doctor who examined you and request the data.

The final decision lies with the doctor to decide whether the data should be disclosed to you or not in accordance with Statutory Instrument No. 82 of 1989.

Employees are required to submit sick certificates in accordance with the sick pay policy. These will be stored by the Organisation having the utmost regard for their confidentiality.

Interview Records

The Organisation will retain records of interview notes, application forms etc. in order to ensure compliance with the Employment Equality Acts, 1998 and 2012 and with the Organisation’s Equal Opportunities Policy for a period of 12 months.

Email Monitoring

The Organisation provides email facilities and access to the internet. In order to protect against the dangers associated with email and internet use, screening software is in place to monitor email and web usage. Mailboxes are only opened upon specific authorisation by a Manager in cases where the screening software or a complaint indicates that a particular mailbox may contain material which is dangerous or offensive; where there is a legitimate work reason or in legitimate interest of the company.

Please see the Email and Internet Usage Policy for further details.

Close Circuit Monitoring

The Organisation has close circuit television cameras located at a number of locations around the DALE Centre and the Resource Centre. Please see CCTV Policy for further information in relation to specific locations of CCTVs.

CCTV is necessary in order to protect against theft or pilferage, for the security of staff and company property. Access to the recorded material will be strictly limited to authorised personnel.

Close circuit surveillance is not used to manage performance.

Access Requests

Employees, service users and volunteers are entitled to request data held about them on computer or in relevant filing sets. This includes personnel records held by RSG. The company will provide this data within 40 days. Employees, service users and volunteers should make a request in writing to the data protection liaison, stating the exact data required.

Persons are only entitled to data about themselves and will not be provided with data relating to others or third parties. It may be possible to block out the data relating to a third party or conceal his/her identity, and if this is possible the Organisation may do so.

Data that is classified as the opinion of another person will be provided unless it was given on the understanding that it will be treated confidentially. Employees who express opinions about other employees, services users and volunteers in the course of their employment should bear in mind that their opinion may be disclosed in an access request, e.g. performance appraisals.

An employee or volunteer who is dissatisfied with the outcome of an access request has the option of using the organisation’s grievance procedure.

A service user who is dissatisfied with the outcome of an access request has the option of using the organisation’s complaints policy and procedure.

Right to Object

Employees, service users and volunteers have the right to object to data processing which is causing them distress. Where such objection is justified, the Organisation will cease processing the data unless it has a legitimate interest that prevents this. The Organisation will make every effort to alleviate the distress caused to the individual.

An objection should be made in writing to the Data Protection Liaison, outlining the data in question and the harm being caused to the employee, service user or volunteer.

Contract with External Bodies

When RSG will need to engage the services of a sub-contractor or agent to process personal data on its behalf. Such an agent is termed a ‘data processor’ under the Data Protection Acts e.g. a payroll company.  Therefore, RSG as data controller must ensure that the all data protection standards are maintained.  A data controller can do business with a data processor only on the basis of a written contract which includes appropriate security and other data protection safeguards.

The key points for consideration are:

  • The Data Protection Acts place responsibility for the duty of care owed to personal data on RSG the Data Controller and accordingly when drawing up the contract RSG the Data Controller should be very specific in the instructions given as to what the Contractor/Data Processor can do with the personal data provided. In particular, the contract should specifically provide that the Contractor/Data Processor will process personal data only on the basis of the authorisation and instructions received from the Contractor/Data Processor. This provision ensures that personal data passed on to a data processor may not be retained or used by the Contractor/Data Processor for its own purposes.
  • The contract must commit the Contractor/Data Processor to apply appropriate security measures to the personal data to protect it from unauthorised access or disclosure. This provision ensures that the standard of security must be maintained when the personal data is passed from the data controller to its agent.
  • The deletion or return of the data upon termination or ending of the contract.
  • Any penalties in place should the terms of the contract be broken.
  • It would also be expected that RSG the Data Controller or their agents would have a right to inspect the premises of the Contractor/Data Processor as to ensure compliance with the provisions of the contract.
  • If RSG the Data Controller is required to register with the Office of the Data Protection Commissioner, the Contractor/Data Processor must also register with the Office of the Data Protection Commissioner for the duration of the contract.

Revision and Audit

The monitoring, audit and revision must take place on a consistent, planned ongoing basis, as referenced on the review date on the cover of the policy and procedure. This review and audit date must be agreed by the development committee.

The feedback from the audit must be communicated to the relevant people in order to ensure continuous improvement. This will facilitate the sharing of best practice and learning from experiences and knowledge of what works best in the organisation.

The feedback must also be used to address any barriers to implementation and influence future development of the policy and procedure.

A review will be carried out on a yearly basis unless for example, an audit, serious incident, organisational structural change, scope of practice change, advances in technology, significant changes in international best practice or legislation identifies the need to update the policy and procedure.



https://www.hiqa.ie/standards/health/safer-better-healthcare (accessed 27/4/18)

https://www.hse.ie/eng/services/yourhealthservice/info/DP/ (accessed 27/4/18)

www.dataprotection.ie (accessed 27/4/18)



[1] Herein after referred to as RSG.