Waterways Ireland is committed to protecting your personal information and to being transparent about what we use it for. This Privacy Notice tells you what to expect when Waterways Ireland collects your personal information. It has been written in accordance with the EU General Data Protection Regulation (GDPR) which came into effect on 25 May 2018, and associated Data Protection Act 2018 (UK), Data Protection Act 2018 (Ireland). It further takes account of the UK’s decision to leave the EU on 31 January 2020 and associated legislation (Section 3 of the EU Withdrawal Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019).
This Privacy Notice explains the following:
1. Who we are
2. What is
Personal Data / information
3. Why we
collect your personal information
4. Where we get
your personal information from
categories of Personal Data we collect
6. How we keep
your information safe and where it is stored
7. How long we
hold your personal information
8. Who we share
your personal information with
9. Transfer of
your personal information to other countries
10. Your personal
information rights as the 'Data Subject'
responsibilities as the 'Data Subject'
details for our Data Protection Officer
13. How to make a
Data Protection Complaint
14. Role of the
Information Commissioner's Office UK and the Data
- Protection Commission in Ireland
15. Updates to
this Privacy Notice
16. Links to other
1. Who we are
Waterways Ireland is the Data Controller in relation to the processing activities described in Sections 3, 4 and 5. This means that Waterways Ireland decides why and how your personal information is processed. Where this Privacy Notice refers to 'we', 'our' or 'us', unless it mentions otherwise, it is referring to Waterways Ireland.
Waterways Ireland is a cross-border body established under the British-Irish Agreement of 10 April
1998. The Agreement was given domestic effect by means of the North / South Cooperation (Implementation Bodies) (Northern Ireland) Order, 1999 and the British-Irish Agreement Act, 1999 respectively.
Our statutory function is to manage, maintain, develop and restore specified inland navigable waterways, principally for recreational purposes. We are the navigation authority for approximately 1,000 km of navigable waterways comprising:-
- the Barrow Navigation
- the Lower Bann Navigation
- the Royal Canal
- the Grand Canal
- the Erne System
- the Shannon-Erne Waterway
- the Shannon Navigation
In July 2007, our remit was extended by the North South Ministerial Council (NSMC) to include responsibility for the reconstruction of the Ulster Canal from Upper Lough Erne to Clones, and following restoration, for its management, maintenance and development, principally for recreational purposes.
2. What is Personal Data
Personal data is data that relates to an identifiable living person i.e. the 'Data Subject'. For example, this could include your:-
| ||Name|| ||Date of Birth|
| ||Address|| ||Bank Details|
| ||Phone number|| ||Email Address|
Special Categories of Personal Data: GDPR refers to sensitive personal data as 'Special Categories of Personal Data'. This relates to an identifiable living person but reveals any of the following:-
- Race or ethnicity
- Political opinions
- Religious or similar beliefs or other beliefs
- Physical or mental health
- Genetic data
- Sexual orientation
- Trade union membership
- Biometrics (where used for ID purposes)
3. Why we collect your personal information
We collect and process a broad range of personal data in order to deliver our services as a public body, and support you either as a member of the public or as our employee. For example,
- To provide a member of the public with the services, products or information they have asked for.
- To keep a record of the public's relationship with us (when and how they have contacted us).
- To ensure we know how our customers prefer to be contacted.
- To assist us in identifying and understanding how we can deliver and improve our services, products or information.
- To fulfil our legal and regulatory obligations both to our employees and the public.
As a public body we are required to disclose the remuneration and pension interests of our senior management staff within our published Annual Report.
To collect and use your personal information lawfully, we rely on one or more of the following legal basis:-
- Your consent
- Performance of a contract
- Compliance with a legal obligation
- To protect the vital interests of the data subject
- Performance of a public task in the public interest
- Our legitimate interests
If you choose to withhold requested information, we may not be able to provide you with certain services.
4. Where we get your personal information from?
We collect personal information from various sources both directly from you and indirectly from third parties. For example,
- When you provide it directly to us by telephone, at meetings, conferences, events, exhibitions, through our education programmes, or written correspondence we may receive from you.
- When you request to register a vessel with us, buy navigation permits, smart cards, publications, maps, winter moorings, book our dry dock facilities, or enter into a licence, lease or other legal agreement with us regarding your use of our property.
- When you apply for a job with us and thereafter during the course of your employment, or if you take up a position as a member of our Audit Committee.
- Drone recordings taken to enable the effective management and maintenance of our assets.
- We sometimes receive personal data indirectly from other organisations, for example.
- When you provide permission to other organisations to share it with us (e.g. social media platforms such as Facebook and Twitter).
- Details of landowners from Land & Property Service Northern Ireland, Property Registration Authority in Ireland or local authorities, where such details are relevant to the protection, development and implementation of our property interests.
- From representatives acting on your behalf, for example solicitors, doctors, medical insurance companies or trade unions.
- From photographic and video images taken at public events.
- Where we intend to use your personal data received indirectly (with the exception of social media) and contact details are available to us, we will always contact you to let you know that we are holding your personal information and the purpose of our intended use.
- When we capture personal data through the use of Closed-circuit television (CCTV) installed for maintaining the security of our properties and for preventing and investigating crime.
We keep a record of Internet Protocol (IP) and traffic data which is logged automatically by our servers, such as your IP address and device information. We also collect some site, application and service statistics such as access rates, page hits and page views. We are not able to identify any individual from traffic data or site statistics.
Through the collection of cookies which are small text files which are transferred from our websites, applications or services and stored on your device. These help us provide you with a personalised service, and help make our websites, applications and services work better for you. Strictly necessary cookies are needed for our websites, applications or services to function properly for example, these cookies allow you to access secure areas of a website. Performance cookies and analytics technologies collect information about how visitors and users use our websites, applications and services, for instance which functionality visitors use most often and if they get error messages from areas of the websites, applications or services. These cookies do not collect information that identifies
a visitor or user. All information collected through cookies is aggregated and therefore
5. What categories of Personal Data we collect
Each division within Waterways Ireland collects and processes personal data for a number of purposes. We only collect, hold and process certain categories of personal information where it is necessary and proportionate to do so in order to deliver our services or meet a legal or regulatory requirement.
If we do not need certain categories of your personal information we will not ask for it. If we already hold categories of your personal information and do not consider it likely that we will continue to require all of it for the same purpose for which it was originally collected, we will destroy it in accordance with our Retention and Disposal Schedule. Where we plan to use personal information for research and analysis purposes, your details will be anonymised unless you provide written consent that we can disclose them for such specific purposes.
We may ask you to consider providing your personal details to endorse our products or services for marketing purposes, and it is only with your written consent will we do so.
6. How we keep your information safe and where it is stored
We protect your personal information by implementing appropriate and up to date technological and organisational control measures and in accordance with our internal policies and external regulatory requirements; these keep our computers, files and buildings secure.
Staff access to personal information is restricted to only relevant staff members in each work area who have a requirement to maintain a relationship with you, or update your personal data. Staff that have access to sensitive personal information operate with an additional level of security restriction. Only authorised Waterways Ireland staff can have access to the various types of personal information that we collect and process.
Hard copy personal data files are held in secure filing systems. Personal information held on electronic data storage systems is stored on secure servers at our offices and disaster recovery sites. All laptops are encrypted for increased security to allow the temporary storage of personal data where this is necessary for business purposes. Encryption means that information is hidden so that it cannot be read without special knowledge, such as a Password; this is done with a secret code.
As a cross-border body, Waterways Ireland operates from offices in both Ireland and Northern Ireland. This gives rise to the storage and transfer of personal data in and between both jurisdictions. Following the UK's formal departure from the EU on 1 January 2021, personal data transfers made by Waterways Ireland from its offices in Ireland to Northern Ireland will continue to be in accordance with GDPR compliance requirements, and also the corresponding UK Data
Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations, 2019.
Some external services utilised by Waterways Ireland are hosted by organisations within and outside the European Union, and in each of these circumstances GDPR compliance requirements are agreed in writing by individual contractors/agents (Processors or Controllers), using EU Standard Contract Clauses (SCCs) (see Section 9).
If we are planning to store or process your personal data in new ways, we will consider the risks
and decide whether or not a Data Impact Assessment is required. Where the plan for new storage or processing is considered to be high risk, we will carry out a Data Impact Assessment.
If we decide that a Data Impact Assessment is not required we will document the reasons for this
Reinforcing our Data Protection standards
Waterways Ireland staff are obliged to treat any personal data collected in full compliance with
the requirements of the General Data Protection Regulation 2018 and the Waterways Ireland Data Protection Policy. Compliance with the Waterways Ireland Data Protection Policy and monitoring of same is regularly reviewed and addressed with staff through audits, and training and awareness briefings. When you contact us to ask about your personal information, we will ask you to identify yourself with certain ID to enable us respond to any 'Subject Access Request' you may make for disclosure of your personal information, or to exercise other Data Subject rights detailed in
Section 10. Verification of your identity is important in enabling us to protect your information.
7. How long we hold your personal information
We will only use and store your information for as long as it is required for the purpose for which it was originally collected. How long it will be stored for depends on the nature of the personal information, what it is being used for and sometimes, statutory legal requirements which obligate us to hold certain personal information for specified periods. Waterways Ireland has published a Records Retention and Disposal Schedule which outlines the timeframes after which personal data will be deleted and / or destroyed. You can access our Records Retention and Disposal Schedule by contacting our Data Protection Officer as explained in Section 12.
8. Who we share your information with
We only share information with others where there is a legal requirement to do so, to fulfil our public task responsibilities, to meet employment contractual obligations, or in response to employee requests.
We do not sell or share your personal information for other organisations to use.
We have a legal obligation to disclose your personal information in relation to the following:-
- Court orders
- As required by the Police Service of Northern Ireland, An Garda Siochána and other crime agencies for the prevention or detection of crime
- To Her Majesty's Revenue and Customs (HMRC) or the Revenue Commissioner's Ireland regarding tax deductions and queries
- Northern Ireland Audit Office and the Office of the Comptrollers and Auditor's General in Ireland to demonstrate effective use of our funding
- States Claims Agency in Ireland regarding liability claims
- Health and Safety Authority Ireland and Health and Safety Executive Northern Ireland regarding accidents
- Health and Safety Executive (HSE) Ireland and National Health Service (NHS) Northern Ireland regarding pandemic track and tracing procedures
- As required by emergency services where there is an emergency situation such as illness or serious injury, where disclosure of personal details is in someone's vital interest
- Our government sponsoring departments and Departments of Finance in Northern Ireland and Ireland, Waterways Ireland Audit Committee and the North South Ministerial Council as required by our enabling legislation. The governance of personal data disclosures to these bodies will be managed through separate Data Sharing Agreements with Waterways Ireland.
When we engage third party suppliers and service providers to operate on our behalf
We use third party suppliers and service providers that store or process personal information on our behalf, help deliver our services to you, or enable us to fulfil our public task responsibilities in exercise of our official authority. It is also in our legitimate interests to use third party suppliers to maintain cost effective and efficient operations.
We will always have complete control over what our third party suppliers and service providers see, how long they see it for and what they are allowed to do with it. We only disclose to them any personal information that is necessary for them to provide their service. We ensure this by having a written contract in place that requires them to keep your information secure and not to use it other than in accordance with our specified instructions.
Third Party Suppliers and Service Providers with whom we share personal information in relation to our operations
- Publication storage and distribution companies
- Information and Communications Technology (ICT) service support
- Provision of Solicitor Case Management systems
- Engineering Design and Environmental consultants in relation to landowners relevant to certain development projects / plans
Valuers to facilitate us enter into property lease and licence agreements
- Property Management Systems
- Waterways Ireland's solicitor and associated legal counsel
- Banking and Payment service providers
- Fuel Card companies
- External Auditing, Financial and Taxation service providers
Third Party Suppliers, Service Providers and individuals with whom we share personal information in relation to employment contractual obligations
- Payroll system providers
- Pension Administrator
- Past or prospective employers
- Trainers, educators, examination and accrediting organisations
- Financial organisations
- Credit reference agencies
- Medical professionals
- Social welfare departments
- HR consultants
- Trade union and medical insurance companies
When an employee requests that we share their personal data with other organisations and individuals
- Trade unions
- Credit unions
- Pension companies
- Child care providers
- Health care companies
- Recreational clubs
- Family and other nominated representatives of employees whose personal data we are processing
9. Transfer of your personal information to other countries
As previously stated in Section 6, Waterways Ireland as a cross-border navigational authority operates from offices in both Ireland and Northern Ireland, and this gives rise to the storage and transfer of personal data in and between both jurisdictions, and by data processors/controllers/ agents acting on our behalf, who may operate outside the EU.
The UK (including Northern Ireland) formally left the EU on 31 January 2020 and therefore, as from the 1 January 2021, the UK becomes a "third country" within the meaning of the EU GDPR. The effect of such change of status means that transfers of personal data will no longer be considered as intra-EU transmissions of data and automatically protected by EU GDPR. Therefore, additional data protection safeguards have been put in place by Waterways Ireland to provide assurances of GDPR compliance. Internal personal data transfers within Waterways Ireland will be unaffected by the UK's formal departure from the EU.
Transfer of personal data between EU countries is unrestricted (i.e. without need for additional data protection safeguards) because data controllers and data processors located in all EU countries are obliged to comply with the obligations imposed on them by the EU General Data Protection Regulation (EU GDPR).
Transfers of personal data from the UK to the EU (including Ireland) will not be affected by the change in status of the UK because data controllers and data processors in the Ireland will be obliged to comply with EU GDPR.
The UK has passed its own version of GDPR into UK law known as the UK GDPR, by virtue of the Data Protection Act, 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations, 2019 which changes and shapes the
EU GDPR into domestic UK law, as well as revising the UK Data Protection Act, 2018. The UK GDPR maintains the core data protection principles, rights and obligations found in the EU GDPR, subject to certain changes to accommodate domestic areas of UK law. However, the EU GDPR no longer applies to the UK, and the UK is independent to keep its own data protection framework under review in the future.
Certain "third countries" such as New Zealand have received what is known as an "Adequacy Decision" from the European Commission, which allows cross-border personal data transfer from the EU to the "third country", almost as if the "third country" in question was a member of the EU and subject to EU GDPR. The EU Commission grants such an Adequacy Decision when it determines that a "third country" has an adequate level of data protection safeguards in force compared to the EU.
It is possible that the EU Commission may make an "Adequacy Decision" in respect of the UK at a future date. In the absence of such an "Adequacy Decision", Waterways Ireland has included Standard Contractual Clauses (the wording of which has been approved by the EU) into contracts and data sharing agreements between Waterways Ireland and external data controllers or data processors located in the UK.
The Standard Contractual Clauses consist of template sets of contractual terms and conditions issued by the EU Commission that Waterways Ireland and the UK recipient of the data sign up to, whereby each party gives contractually binding commitments to protect personal data in the context of the transfer. In addition, the data subject is also given certain specific rights under the Standard Contractual Clauses, even though they are not party to the relevant contract.
Waterways Ireland confirms its commitment to adhere to the requirements of the EU GDPR and the corresponding UK GDPR, in respect of all internal and external personal data transfers, either within or outside the EU, and we provide assurance that the data subject has the entitlement to exercise his/her rights directly against Waterways Ireland.
10. Your personal information rights as the 'Data Subject'
The General Data Protection Regulation offers Data Subjects specific rights in relation to the collection and processing of their personal data.
The EU GDPR has been adopted into UK law by Section 3 of the EU Withdrawal Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. This means that, post Brexit, under the new UK GDPR, there will be no immediate change to the UK's data protection standards. Waterways Ireland will continue to comply with both UK GDPR and the Data Protection Act, 2018 in Ireland and UK GDPR and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations, 2019.
In order to exercise any of these rights, please contact our Data Protection Officer as explained in
Section 12 of this document. We can assist you with the following:-
Being informed about what information we process (Right to be Informed)
We will inform you about what personal information we collect and process through Privacy
Notices and other direct communication with you.
Accessing your personal information (Right of Access)
You may ask us for a copy of the personal information we hold relating to you, and how we collect,
share and use your personal information. This will be provided free of charge unless the request is considered to cause an excessive administrative burden. A request to obtain a copy of the personal information we hold regarding you, known as a 'Subject Access Request', can include both hard copy and electronic records. Your request will be processed and the information provided to you within 1 calendar month from the date of receiving the request. We will require proof of identify and address before we can release this information.
Updating and correcting your personal information (Right to Rectification)
You may ask us to update / correct personal information we hold about you that is inaccurate or
incomplete. It is your responsibility to ensure that all personal data provided to us is accurate and complete, and if it changes you must let us know as soon as possible.
Deleting your personal information (Right to Erasure also known as the Right to be
You may ask us to delete or destroy your personal information. In some cases we will retain your
information where it is required for legal purposes.
Restricting your personal information (Right to Restriction)
You may request us to restrict the processing of your personal information if for example you consider the data is inaccurate or that the processing is unlawful, but you do not want us to erase your data. We may continue to process your personal data where you provide consent to such processing, it is necessary for legal purposes or in the public interest.
Removing your consent (Right to Object)
You can change your mind whenever you give us your consent, for example to receive direct communications or marketing, or to enable us use your sensitive information, such as medical data in the case of employment. We will provide you with information on the actions we have
taken if you remove your consent or object to us continuing to process your personal information.
Moving your information (Right to Portability)
You have the right to ask for your personal information to be given back to you or another service
provider of your choice in a commonly used format. Where possible, we will share a digital copy of your personal information directly with you or another organisation.
Right not to be subject to automated decision-making including profiling
We do not currently use automated decision-making in relation to any personal data you may
provide. Should Waterways Ireland decide to do so in the future, it will not be used without human intervention to enable the expression and consideration of individual views. This will ensure that no decision is taken regarding you based solely on an automated process.
11. Your responsibilities as the 'Data Subject'
To enable us effectively deliver our services to you, we need you to do the following:-
Firstly ensure that you provide us with accurate information.
- Inform us in writing as soon as possible if there are any changes required regarding the personal information you have previously provided.
- Inform us in writing as soon as possible if you notice mistakes or inaccuracies in the information we hold regarding you.
These actions on your part will enable us ensure that your personal information is accurate and kept up to date.
12. Contact details for our Data Protection Officer
If you wish to obtain a copy of your personal information, i.e. submit a Subject Access Request or require any other information / assistance in relation to this Privacy Notice and your rights, please contact the Waterways Ireland Data Protection Officer as follows:-
Data Protection Officer Email: email@example.com
Waterways Ireland Tel: +44 (0)28 6632 3004
2 Sligo Road
13. How to make a Data Protection Complaint
Waterways Ireland endeavours to meet the highest standards when collecting and using your personal information and in doing so, encourages people to bring to our attention if they think
that the collection or use of their personal information is considered to be unfair or inappropriate.
If you wish to make a complaint regarding the way we have collected or processed your personal information, please contact our Data Protection Officer by telephone, written or email correspondence, see Section 12 above.
Please be assured that all complaints received will be fully investigated. To enable us address your complaint quickly and effectively resolve it, we ask that you provide us with as much information as possible.
14. Role of the Information Commissioner's Office UK and the Data Protection Commission in Ireland
If you are dissatisfied with the Data Protection Officer's findings in relation to your complaint, you have the right to complain to either the Data Protection Commission in Ireland or the Information Commissioner's Office in the UK.
Information Commissioner 's Office , UK contact details:-
Information Commissioner's Office Email: firstname.lastname@example.org
Wycliffe House Tel: +44 (0)303 123 1113
Water Lane www.ico.org.uk
England SK9 5AF
Data Protection Commission, Ireland contact details
Data Protection Commission Email: email@example.com
Canal House Tel: +353 (0) 104 800
Station Road www.dataprotection.ie
Dublin office Data Protection Commission
21 Fitzwilliam Square
15. Updates to this Privacy Notice
We will amend this Privacy Notice from time to time to ensure it continues to reflect how and why Waterways Ireland as an organisation collects and uses personal data. The current version will always be posted on our website at https://www.waterwaysireland.org/privacy-notice
Note: This Waterways Ireland GDPR Privacy Notice was last updated on 18 December 2020.
16. Links to other websites
Waterways Ireland's website may contain links to other websites ("Third-Party Websites") which are outside of our control and therefore not covered by this Privacy Notice. If you access Third- Party Websites using the links provided, the operators of such sites may collect information from you which will be used by them in accordance with their own Privacy Notices / Policies. We encourage you to review the Privacy Notices / Policies of those Third-Party Websites so that you understand if / how they collect and / or use information from you or your computer.