Data Protection Statement
- Executive Summary
- The NTMA is a data controller of Personal Data for a wide range of statutory purposes, including when it is acting as the State Claims Agency and providing various schemes, funds and services such as State Savings, ISIF, NewERA and the NDFA. The NTMA also provides certain support services in its role as a data processor, acting on behalf of NAMA and the SBCI.
- The NTMA is committed to complying with our obligations in respect of the processing of personal data under data protection laws. The purpose of this Data Protection Statement (“Statement”) is to ensure that we meet our transparency obligations pursuant to the General Data Protection Regulation (“GDPR”). The Statement sets out information about our duties and responsibilities regarding the protection of Personal Data.
Statement has effect from 25 May 2018, which is the commencement date
for the GDPR, and will be reviewed from time to time. We will always
post the most up to date version on the NTMA website.
2. About the NTMA
- The National Treasury Management Agency (referred to in this Data Protection Statement as “NTMA”, “us” or “we) is a State body which operates with a commercial remit to provide asset and liability management services to Government. The NTMA manages a diverse range of businesses as further described below.
- Funding and Debt Management: The NTMA is responsible for borrowing on behalf of the Government and managing the National Debt in order to ensure liquidity for the Exchequer and to optimise the interest burden on the State over the medium term. This includes borrowing through the sale of retail products under the brand name State Savings, which is used to describe the range of savings products offered by the NTMA through its agents, An Post and the Prize Bond Company.
- Ireland Strategic Investment Fund: The NTMA controls and manages the Ireland Strategic Investment Fund, which was established in December 2014 with a statutory mandate to invest on a commercial basis in a manner designed to support economic activity and employment in the State. The ISIF is the successor to the National Pensions Reserve Fund.
- National Development Finance Agency: Acting as the National Development Finance Agency, the NTMA is the statutory financial advisor to State authorities in respect of all public investment projects with a capital value over €20m. It also has full responsibility for the procurement and delivery of Public Private Partnership (PPP) projects in sectors other than transport and local authorities and for the traditional procurement and construction of schools as instructed by the Department of Education and Skills.
- NewERA: Acting as NewERA, the NTMA provides a dedicated centre of corporate finance expertise to Government, in particular in relation to commercial oversight of certain State bodies. It provides financial and commercial advisory services to Government Ministers including in relation to financial performance, corporate strategy, capital and investment plans, proposed acquisitions or disposals, restructuring and board appointments. In addition, NewERA may, in consultation with the relevant Minister, develop proposals for investment in the energy, water, telecommunications and forestry sectors to support economic activity and employment.
- State Claims Agency: Acting as the State Claims Agency (“SCA”), the NTMA manages personal injury, property damage and clinical negligence claims brought against certain delegated State authorities (hereinafter referred to as “DSA’s”) including, Government Ministers, the Attorney General, the Health Service Executive, the Commissioner of an Garda Síochána, the Irish Prison Service, the Defence Forces and community and comprehensive schools. The SCA’s Risk Management function advises and assists DSA’s on measures to be taken to prevent the occurrence, or reduce the incidence, of acts or omissions which may give rise to personal injury, property damage or clinical negligence claims. The SCA also provides consultancy and advisory services to DSA’s and negotiates Tribunal legal costs and the costs of litigation against DSAs, including from the management of Claims as defined by the NTMA Acts.
- In addition to the above
functions, the NTMA assigns staff to the National Asset Management
Agency (“NAMA”) and the Strategic Banking Corporation of Ireland
(“SBCI”) and also provides them with business and support services and
3. Purpose of this Data Protection Statement
- The purpose of this Data Protection Statement is to explain what Personal Data we Process and how and why we Process it. In addition, this Data Protection Statement outlines our duties and responsibilities regarding the protection of such Personal Data and the rights of data subjects in that respect.
- This Data Protection Statement is not an exhaustive statement of our data protection practices. The manner in which we Process data will evolve over time and we will update this Statement from time to time to reflect changing practices. In addition, we operate a number of internal workplace policies and procedures which inter-relate with this Data Protection Statement. For example, the NTMA has internal policies and procedures governing Data Breach, Data Subjects’ Rights, Information Security and Data Retention.
- In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Data Protection Statement by reference into various points of data capture used by us such as application forms, website forms and staff notices.
- A glossary of some of the data protection terms used throughout this Statement may be accessed in Annex 2.
4. The NTMA as a Data Controller
- The NTMA is a statutory body established by the National Treasury Management Agency Act 1990, as amended (“NTMA Acts”). The data Processing undertaken by the NTMA is undertaken in fulfilment of its statutory functions and duties.
- When acting as a Data
Controller, the NTMA relies on Art. 6(1)(e) of the GDPR, which permits
Processing that is necessary for the performance of a task which is in
the public interest, where such “public interest” is laid down in EU or
Irish law, as the legal basis for most of its Processing. Where
Processing activities are not supported by a statutory basis, the NTMA
relies on alternative legal bases permitted by Data Protection Law.
5. The NTMA as a Data Processor
- In some cases, the NTMA acts as a Data Processor, under the instructions of a Data Controller. For example, when it is providing business and support services and systems to NAMA and the SBCI. The NTMA, acting as the State Claims Agency, is also a Data Processor in some instances where Delegated State Authorities choose to store their information within the National Incident Management System (the “NIMS System”). The NIMS system is a national end to end web-based tool operated by the NTMA and used by DSA’s to record and manage their risks.
acting as a Data Processor, the NTMA complies with the relevant
obligations under Data Protection Law. These include ensuring that the
data that is Processed by the NTMA on behalf of the relevant Data
Controllers is subject to appropriate technical and organisational
measures to ensure a level of security appropriate to the risk and
ensuring that the Processing is underpinned by a contract which includes
the data protection provisions prescribed in Data Protection Law.
6. Purposes of Processing
- As mentioned in section 4.2 of this Data Protection Statement, the NTMA largely relies on the public interest provision provided for in Article 6(1)(e) of the GDPR as the legal basis for most of its Processing. In this regard we Process Personal Data for the purpose(s) of fulfilling our statutory functions and obligations under the NTMA Acts and other applicable legislation. Examples of the types of public interest Processing undertaken by the NTMA along with a description of the underlying statutory basis may be accessed in Annex 1 of this Data Protection Statement.
7. Special Categories of Data
- The NTMA when acting as the State Claims Agency routinely processes Special Categories of Data (largely data concerning health but it can also extend to other categories) in the discharge of its functions. In this regard, the State Claims Agency relies on the fact that the Processing of Special Categories of Data is permitted under several provisions of the GDPR and the Data Protection Act 2018, including the following:
- Where it is necessary for the establishment, exercise or defence of legal claims and where it is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
- Processing for reasons of substantial public interest;
- In relation to the management of medical risk and medical claims, e.g. where it is necessary for the purposes of preventative or occupational medicine, to assess the working capacity of an employee, for the management of health or social care systems and services or for ensuring high standards of quality and safety of health care.
- The NTMA
(excluding the State Claims Agency) processes Special Categories of Data
in limited circumstances, typically related to the ordinary course of
8. Individual Data Subject Rights
- Data Protection Laws provide certain rights in favour of Data Subjects. The rights in question (“Data Subject Rights”) are as follows:
- The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Data Controller);
- The right of access to Personal Data including knowledge of whether or not the Data Subject’s Personal Data are being processed and, if so, having access to the Personal Data plus additional ancillary information. This includes information such as the purposes of the Processing, the categories of Personal Data concerned, the recipients or categories of recipient to whom the Personal Data have been or will be disclosed and retention periods;
- The right to rectify or erase Personal Data (right to be forgotten);
- The right to restrict Processing;
- The right of data portability. i.e. the right to receive Personal Data concerning the Data Subject in a structured, commonly used and machine readable format and have the right to transmit those data to another Data Controller. This right only applies to Personal Data which the Data Subject has provided to the NTMA (and not to data which is received from third parties).
- The right of objection; and
- The right to object to automated decision making, including profiling.
- Articles 17 and 20 of the GDPR state that the right to be forgotten and the right of data portability do not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller so these rights may not apply in some cases.
- Any Data Subject
wishing to exercise their Data Subject Rights should write to the NTMA
Data Protection Officer, Treasury Dock, North Wall Quay, Dublin 1,D01 A9T8
or email email@example.com. Your request will be dealt with in accordance
with the NTMA’s Data Subject Rights Procedure.
9. Data Security and Data Breach
- The NTMA has a suite of Information Security Policies and Procedures which are designed to ensure that appropriate technical and organisational measures are in place to protect information. They are overseen by an IT Security Committee and apply to all NTMA staff. These measures protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.
- Article 34 of the GDPR obliges Data Controllers to
notify the Data Protection Commission and affected data subjects in the
case of certain types of personal data security breaches. The NTMA has
implemented a Personal Data Breach Procedure and we will manage a Data
Breach in accordance with this procedure.
10. Disclosing Personal Data
- From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process. For example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data.
- We may also share Personal Data: (a) with another statutory body where there is a lawful basis to do so; (b) with selected third parties including contractors and sub-contractors (as appropriate); (c) if we are under a legal obligation to disclose Personal Data. This includes exchanging information with other organisations for the purposes of fraud prevention or investigation.
- Where we enter into agreements with third parties to Process Personal Data on our behalf we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data.
- Examples of third parties to whom Personal Data have been or will be disclosed include:
- In respect of the personnel function, payroll and pensions administrators, advisors and recruiters who must have access to personal data to perform their services.
- In respect of State Savings products, An Post and the Prize Bond Company act as Data Processors for the NTMA who are the Data Controller. Data gathered and maintained by An Post and the Prize Bond Company in this capacity is used for the purpose of administering the State Savings products and for disclosure to the Revenue Commissioners as required by law.
- In respect of the
State Claims Agency, disclosures are made for example to solicitors,
barristers, expert witnesses and private investigators in order to
process the claims to which the personal data relates. Disclosures may
also be made to Marsh Clearsight, a US based company, who provide the
NIMS system used by the State Claims Agency and Delegated State
11. Data Retention
- We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed and in accordance with our Records Management Policy.
12. Data Transfers outside the EEA
- From time to time we may need to transfer Personal Data outside of the European Economic Area (“EEA”). This transfer will occur in accordance with applicable Data Protection Law. We take reasonable steps to ensure that the Personal Data is treated securely (typically through the use of EU-approved Model Contract Clauses) and in accordance with this Data Protection Statement when transferred outside of the EEA.
- Examples of data transfers outside of the EEA by the NTMA include:
- The State Claims Agency in carrying out its statutory duties frequently provides medical records and other information to clinical experts in the UK, EEA and the USA for the purpose of obtaining expert reports on liability and other issues pertinent to claims.
- In addition, in carrying out its statutory duties, the State Claims Agency provides medical records and other information to clinical staff who have moved abroad, e.g. to the UK, USA, Canada, Australia and the Far East for the purpose of obtaining witness statements in respect of claims, where such clinical staff provided professional medical services. Clinical experts and witnesses may also be provided with a copy of legal proceedings.
may also be processed by Marsh Clearsight, a US based company, who
provide the NIMS system used by the State Claims Agency and Delegated
13. Further Information/Complaints Procedure
- You can ask a question or make a complaint about this Data Protection Statement and/or the Processing of your Personal Data by contacting the NTMA Data Protection Officer at firstname.lastname@example.org. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact the NTMA DPO in the first instance to give us the opportunity to address any concerns that you may have.
Purposes of Processing
The following are non-exhaustive examples of the types of public interest Processing undertaken by the NTMA along with a description of the underlying statutory basis:
|Example of Statutory Function||Legislative Support||GDPR Lawful Basis for associated data Processing activities|
|Funding and Debt Management||Section 5 of the NTMA Act states that the ‘Government may by order delegate to the Agency the functions of the Minister specified in the First Schedule and any other functions of the Minister in relation to the management of the national debt or the borrowing of monies for the Exchequer that the Minister considers appropriate and are specified in the order.’ The First Schedule to the NTMA Act contains the list of functions delegated to the Agency. This list has been extended since 1990, to incorporate additional functions.||Public interest|
|State Savings||State Savings products are offered by the Minister for Finance acting through the NTMA pursuant to the powers conferred on the NTMA by the National Treasury Management Agency Act 1990 and the National Treasury Management Agency Act 1990 (Delegation of and Declaration as to Functions) Order 1990 (S.I. No. 277 of 1990).||Public interest|
|Ireland Strategic Investment Fund||Under Sections 22 and 39 of the NTMA (Amendment) Act 2014, the NTMA is required to invest the assets under the management of ISIF in a manner “designed to support economic activity and employment in the State”.||Public interest|
|Annual Statements of Interest by Designated Directors and Certain NTMA Employees||Under the Ethics in Public Office Acts 1995 and 2001, certain “designated directors” and “holders of designated positions of employment” of public bodies are required to furnish an annual statement of interests to the Standards in Public Office Commission and the officer in the relevant body nominated by the Minister.||Public interest|
|State Claims Agency||The SCA has, pursuant to the NTMA (Amendment) Acts 2000 and 2014, a wide statutory remit including:||Processing for the performance of statutory functions|
Processing necessary for the defence of legal claims
Public interest (see below re Special Categories of Data)
|NewERA||The National Treasury Management Agency (Amendment) Act 2014 established NewERA in statute and introduced new requirements in relation to the corporate governance of certain State bodies designated in that Act.||Public interest|
|NDFA||The NDFA was established on 1 January 2003 and its key functions are now mandated within the National Treasury Management Agency (Amendment) Act, 2014 and the Ministerial Guidelines issued by the Department of Public Expenditure and Reform, in consultation with the Department of Finance.||Public interest|
|Employee Data||Common examples of the reasons for which we Process Personal Data include: payroll and benefit administration; HR, performance and talent management; internal audits or investigations; prevention and detection of unlawful behaviour; and/or fulfilling legal obligations.||Public interest, contract performance (Art 6(1)(b)), compliance with legal obligations (Art 6(1)(c)), protecting the vital interests of employees and other persons (Art 6(1)(d))|
|Support Services to NAMA||Pursuant to section 41 of the National Asset Management Agency Act 2009, the NTMA is required to provide NAMA with “such business and support services and systems as the Board determines, acting upon the recommendation of the Chief Executive Officer of NAMA and after consultation with the Chief Executive of the NTMA, to be necessary or expedient for NAMA to perform its functions under this Act.” In the context of the data processing undertaken by the NTMA on behalf of NAMA, the NTMA acts as a Data Processor in performing these relevant business and support services.||Public interest|
|Support Services to the SBCI||Pursuant to section 10 of the Strategic Banking Corporation of Ireland Act 2014, the NTMA is required to provide “such business and support services and systems as the SBCI determines, after consultation with the Chief Executive of the NTMA, from time to time, to be necessary or expedient for the SBCI to perform its functions.” In the context of the data processing undertaken by the NTMA, on behalf of the SBCI, the NTMA acts as a Data Processor in performing these relevant business and support services.||Public interest|
In this Data Protection Statement, the terms below have the following meaning:
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller (for example, a payroll service provider).
“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Act 2018 and any other laws which apply to the NTMA in relation to the Processing of Personal Data.
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.
“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include:
- a name, an identification number;
- details about an individual’s address or contact details;
- data related to the delivery a service by the NTMA, e.g. details of transactions with State Savings or of claims or incidents which are managed by the State Claims Agency;
- any other information that is specific to that individual.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.
“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.