The IAA operates in compliance with General Data Protection Regulation (GDPR) legislation 2018, as well as the Data Protection Acts 1988 and 2003 in terms of the collection and use of personal data.
The IAA will not disclose personal information to any other party except in accordance with this Privacy Policy and in the circumstances detailed below:
- to comply with a legal obligation.
- to protect and defend the rights or property of the IAA.
- to prevent or investigate possible wrongdoing in connection with the IAA.
- to protect the personal safety of users of the IAA or the public.
- to protect against legal liability.
- if we have received authorisation from you to do so.
Data Protection Principles
The IAA undertakes to perform its responsibilities under the legislation in accordance with the eight stated Data Protection principles outlined in the Acts as follows:
Obtain and process information fairly
The IAA obtains and processes personal data fairly and in accordance with statutory and other legal obligations.
Keep it only for one or more specified, explicit and lawful purposes
The IAA keeps personal data for purposes that are specific, lawful and clearly stated. Personal data will only be processed in a manner compatible with these purposes.
Use and disclosure only in ways compatible with these purposes
The IAA only uses and discloses personal data in circumstances that are necessary for the purposes for which it collects and keeps the data.
Keep it safe and secure
The IAA takes appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of, data and against accidental loss or destruction.
Keep it accurate, complete and up-to-date
The IAA operates procedures that ensure high levels of data accuracy, completeness and consistency.
Ensure it is adequate, relevant and not excessive
Personal data held by the IAA are adequate, relevant and not excessive in data retention terms.
Retain for no longer than is necessary
The IAA has a policy not to retain personal data for longer than necessary.
Give a copy of his/her personal data to that individual, on request
The IAA has procedures in place to ensure that data subjects can exercise their rights under the Data Protection legislation.
Security Of Data
The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect Personal Data, we cannot guarantee its absolute security.
Rights
The IAA aims to take reasonable steps to allow individuals to correct, amend, delete, or limit the use of Personal Data. Anyone who wishes to be informed about what Personal Data the IAA holds about them, and anyone who wants it to be removed from the IAA’s systems, should contact the IAA CEO.
In certain circumstances, an individual has the right:
- To access and receive a copy of the Personal Data we hold about them
- To rectify any Personal Data held about them that is inaccurate
- To request the deletion of Personal Data held about them
An individual can request to obtain a copy of Personal Data in a commonly used electronic format so that they can manage and move it.
Review
This Policy will be reviewed regularly in light of any legislative or other relevant developments.
Personal Data held by the IAA
Readers Register
Purpose: To identify individuals availing of the reading room services of the IAA and to provide a record of material accessed.
Data Collected:
- Name
- Category (student, architect, planner, other professional or general public)
- Home address and/or
- Work address
- Telephone number, mobile number and email address
The original application forms are to be kept for 15 years and then securely disposed of. The data is entered into the Readers Register MS Access database which is stored internally on the IAA server and only accessible to IAA staff. The database also contains links to a record of documents accessed in the reading room by an individual reader and the date of access. A printout of an individual’s record can be provided from the database.
Register of Directors
Purpose: The IAA is obliged to maintain a Register of Directors.
Data Collected:
- Name
- Home address
- Nationality
- Date of birth
- Other directorships
The data is held in a database which is stored internally on a password-protected drive on the IAA server.
Names and email addresses are also held in the Contacts database (see below).
Register of Members
Purpose: The IAA is obliged to maintain a Register of Company Members.
Data Collected:
- Name
- Home and/or business address
- Email address
The data is held in a database which is stored internally on a password-protected drive on the IAA server.
Names and email addresses are also held in the Contacts database (see below).
Accession Register
Purpose: To identify archival material acquired by IAA and the provenance (donor, lender or vendor) of that material.
Data Collected:
- Name
- Home and/or business address
- Email address and/or contact phone number (land line or mobile).
The Accessions Register exists as a hardcopy file. Abstracted information from the Accession Register is also held in two separate databases. Aside from donor, lender or vendor names, which are included in the databases, personal information is held in the paper version of the Accession Register only. As the Accession Register is a vital record, it will be kept permanently. Access to the paper version of the Accessions Register is restricted to IAA staff.
Fundraising Data
The IAA maintains information on individuals who have financially supported the organisation. This can include names and addresses, email addresses, bank details (supplied on Standing Order forms) and PPSI numbers (supplied where relevant on Revenue CHY3 Cert forms for claiming back taxes).
The data is held in a spreadsheet which is stored internally on a password-protected drive on the IAA server.
All other donor information is held in paper form in the relevant donation file held in a secure filing cabinet. Bank details are kept for the duration of a standing order and for 7 years thereafter. The Revenue CHY3 forms are kept for the five years for which they endure.
Contacts database
Purpose: to record contact details of various individuals who interact with the IAA.
Data Collected:
- Name
- Home and/or business address
- Email address and/or contact phone number (land line and/or mobile).
This information is stored in the IAA’s password-protected email system (MS Outlook) and is accessible by IAA staff members.
IAA Staff
The IAA maintains files on individual staff members. Material in the files can include contracts/letters of appointment, salaries information, copies of correspondence, and other documents including doctors' certs, which may from time to time be generated over the course of employment.
Hardcopy files on current staff members are held in a secure filing cabinet. An electronic file is also held on a password-protected drive on the IAA server. Files on past employees are held in the IAA’s own archive, the index to which is an MS Access database held on a password-protected drive on the IAA server.
CCTV
Purpose: Security and invigilation
CCTV is in operation throughout the public spaces of the IAA. The recordings are stored digitally on a secure hard drive on the IAA premises and kept for 30 days.
Electronic Newsletter
The IAA’s Reader’s Registration form asks individuals to supply an email address if they wish to be added to the IAA’s e-newsletter circulation database. Individuals can also subscribe to the newsletter via the IAA’s website without becoming Registered Readers.
The e-newsletter is published on a monthly basis via MailChimp. Names and email addresses are held in the newsletter database which is maintained on the MailChimp platform. This information is held for the purposes of issuing the newsletter only and is not used for any other purpose. Unsubscribe/opt-out information is included on every newsletter issued.
Websites
The Facebook box on the main IAA website (www.iarc.ie) uses Facebook cookies to record certain information. These are covered by Facebook’s Cookie Policy – see https://www.facebook.com/policies/cookies/
The IAA websites (the main site, the catalogue site and the DIA site) use session cookies only and do not retain personal data.
The IAA does use Google Analytics on its websites. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the uses of IAA websites. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. An individual can opt out of having their activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about visit activity. For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: http://www.google.com/intl/en/policies/privacy/.
IAA Collections
Personal data may be found in archival collections held in the IAA.
In general a thirty-year rule applies to archival collections and it is the policy of the IAA that appropriate closure periods be applied during the listing and cataloguing process to any files or other information deemed to be of a personal nature.
The IAA will process personal information in archival collections for archival and research purposes, subject to the requirement that such processing shall be proportionate, shall respect the principle of data minimisation, shall facilitate anonymisation if possible, and shall be subject to appropriate safeguards for the rights and freedoms of data subjects.
IAA Catalogue
Information on individuals is included in the IAA catalogue – the names of authors of books or pamphlets for example, or the creators and individuals mentioned in archival material.
The information includes the following:
- Name – first name and surname; titles too may be included
- Date of Birth – year only, sourced from publicly available datasets, included for disambiguation purposes
- Floruit – indication of period during which an individual was active, included for disambiguation purposes
- Date of death – year only, included for disambiguation purposes
- Epithet – brief description of the individual (e.g. architect, historian etc.), included for disambiguation purposes
The catalogue is publicly accessible at http://iarc.cloudapp.net/