Data Protection Policy

1. Introduction
2. Scope & purpose
3. Responsibility for this policy
4. Data Protection Principles
5. Rights of Individuals whose data is collected
   1. Right of access
   2. Right to rectification
   3. Right to erasure (right to be forgotten)
   4. Right to restriction of processing
   5. Right to data portability
   6. Right to object
   7. Right not to be subject to automated decision making
   8. Right to complain
6. Responsibilities of MARA
   1. Ensuring appropriate technical and organisational measures
   2. Maintaining a record of data processing
   3. Implementing appropriate agreements with third parties
   4. Transfers of personal data outside of the European Economic Area
   5. Data protection by design and by default
   6. Data protection impact assessments
   7. Personal data breaches
   8. Freedom of Information
   9. Governance
7. The Data Protection Officer’s Responsibilities
8. Responsibilities of Staff
   1. Training and awareness
   2. Consequences of failing to comply
9. Queries about Data Protection

1. Introduction

The Maritime Area Regulatory Authority, or MARA, is an independent state agency. MARA’s functions are set out in the Maritime Area Planning Act 2021, as amended and it has a key role to play in the consenting system for the maritime area, including:

• Assessing Maritime Area Consent (MAC) applications
• Granting marine licencing for specified activities;
• Compliance and enforcement;
• Investigations and prosecutions;
• Administration of the existing Foreshore consent portfolio;
• Fostering & promoting co-operation between regulators of the maritime area.

MARA is a body under the aegis of the Department of Housing, Local Government and Heritage and is located in Wexford.

MARA, many of whose activities are carried out on a co-operative basis across multiple business areas, comprises the Board, the Office of the CEO, and a number of work units.  MARA works within a network of associated Agencies, local authorities, other Government Departments and public bodies to deliver on the objectives of Government. In order to carry out certain tasks required in the course of the performance of our functions, MARA needs to process certain personal data.

For MARA’s core activities, examples of processing personal data may include assessing applications for MACs and licences in our role as a consenting authority and investigating as an enforcement agency. Other examples of our processing activities relate to our wider activities such as our role as an employer or in relation to appointments to Boards; processing data in order to make payments or carry out audits; processing submissions from public consultations; processing contact details in the course of communicating with a wide range of  stakeholders; processing data in the course of Oireachtas business; processing FOI and AIE requests and general queries, requests for information or complaints from customers; processing connected to public procurement and contractual agreements with service providers, etc.

This Data Protection Policy sets out MARA’s commitment to protecting the rights and privacy of individuals and details how we will ensure compliance with the General Data Protection Regulation (GDPR) and Irish data protection legislation.

2. Scope & purpose

• Personal data means any information relating to an identified or identifiable natural person (‘data subject’).
• An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

This policy should be read in conjunction with other relevant MARA policies and documents. MARA may supplement or amend this policy by additional policies and guidelines from time to time.

3. Responsibility for this policy

The Board of MARA, the Chief Executive Officer and all staff are committed to compliance with relevant EU and Irish laws in respect of personal data, and to the protection of the rights and freedoms of individuals whose information MARA collects and processes.

Senior Managers are responsible for ensuring that this policy is implemented in their respective Business Units. Managers at all levels are responsible for being able to demonstrate that this policy is being implemented.

All members of staff have a responsibility to comply with MARA’s Data Protection Policy.

4. Data protection principles

All processing of personal data must be conducted in accordance with the data protection principles set out in relevant legislation.

MARA’s policies and procedures are designed to ensure that personal data shall be:

1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) of the Regulation, not be considered to be incompatible with the initial purposes (‘purpose limitation’)
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

5. Rights of Individuals whose data is collected

MARA implements appropriate policies and procedures, and facilitates training and provides advice to staff, to ensure that data subjects can exercise their rights as follows:

5.1 Right of access

MARA implements procedures to ensure that requests from data subjects for access to their personal data will be identified and fulfilled in accordance with relevant legislation.

5.2 Right to rectification

MARA is committed to holding accurate data about data subjects and will continue to implement processes and procedures to ensure that data subjects can rectify their data where inaccuracies have been identified.

5.3 Right to erasure (right to be forgotten)

Data subjects have a right to request the erasure of their personal data in specific circumstances. Where such an objection is received, MARA will assess each case on its merits.

5.4 Right to restriction of processing

MARA implements and maintains appropriate procedures to assess whether a data subject’s request to restrict the processing of their data can be implemented. Where the request for restriction of processing is carried out, MARA will write to the data subject to confirm the restriction has been implemented and when the restriction is lifted.

5.5 Right to data portability

Where MARA has collected personal data on data subjects by consent or by contract then the data subjects have a right to receive the data in electronic format to give to another data controller. It is expected that this right will apply only to a small number of data subjects.

5.6 Right to object

Data subjects have a right to object to the processing of their personal data in specific circumstances. Where such an objection is received, MARA will assess each case on its merits.

5.7 Right not to be subject to automated decision making

Data subjects have the right not to be subject to a decision based solely on automated processing, where such decisions would have a legal or significant effect concerning him or her. Data subjects will be informed when elements of processing include automated decision making or profiling.

5.8 Right to complain

MARA implements and maintains a complaints process whereby data subjects can contact the Data Protection Officer. The Data Protection Officer’s role includes working with the data subject to bring complaints to a satisfactory conclusion for both parties. Data subjects are also informed of their right to bring their complaint to the Data Protection Commission.

6. Responsibilities of MARA

6.1 Ensuring appropriate technical and organisational measures

MARA implements appropriate technical and organisational measures to ensure the security of personal data.

6.2 Maintaining a record of data processing

MARA will record its data processing activities (ROPA) in the manner prescribed by the Regulation. Senior Management will review and sign off on the record annually.

6.3 Implementing appropriate agreements with third parties

MARA will put in place appropriate agreements, memoranda of understanding, bilateral agreements or contracts (collectively “agreements”) with all third parties with whom it shares personal data.

6.4 Transfers of personal data outside of the European Economic Area

MARA does not transfer the personal data of its data subjects outside of the European Economic Area unless an adequate level of protection is ensured. Data subjects will be informed where transfers to a third country are in place.

6.5 Data protection by design and by default

MARA will implement technical and organisational measures, at the earliest stages of the design of processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’). By default, MARA will also ensure that personal data is processed with the highest privacy protection so that by default personal data is not made accessible to an indefinite number of persons (‘data protection by default’).

6.6 Data protection impact assessments

MARA will implement procedures and documentation whereby all new types of processing, in particular using new technologies, that result in a high risk to the rights and freedoms of its data subjects shall carry out a data protection impact assessment. As part of this process, a copy of the impact assessment shall be shared with MARA’s Data Protection Officer.

Where MARA is unable to identify measures that mitigate the high risks identified, MARA will consult with the Data Protection Commission prior to the commencement of processing.

6.7 Personal data breaches

MARA defines a ‘personal data breach’ as meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed (e.g. the most common breach incidents that can occur are correspondence issuing to an unauthorised third party).

MARA deems any loss of personal data in paper or digital format to be a personal data breach.

MARA maintains a protocol for dealing with personal data breaches. This protocol establishes the methodology for handling a personal data breach and for notification of the breach to the Data Protection Commission and to data subjects where this is deemed necessary.

6.8 Freedom of Information

The Freedom of Information Act 2014 (FOI) obliges MARA to publish information on its activities and to make the information that it holds, including personal information, available to citizens. MARA will maintain a separate policy to ensure compliance with FOI. MARA’s procedures will ensure that requests for personal data are correctly dealt with under either Data Protection or FOI legislation.

6.9 Governance

MARA monitors compliance with relevant data protection legislation via its Senior Management structure. The CEO will:

• Receive regular reports from the Data Protection Officer, including in relation to breaches of personal data;
• Review data protection impact assessments and approve or not the design of data protection elements of projects;
• Instigate investigations of data protection matters of interest where appropriate.

7. The Data Protection Officer’s Responsibilities

MARA has designated a Data Protection Officer who reports to the Chief Executive Officer is respect of all data protection matters. The responsibilities of the Data Protection Officer include the following:

1. Keeping the Chief Executive Officer updated about data protection responsibilities, risks and issues;
2. Acting as an advocate for data protection within MARA, including informing and advising staff of their obligations pursuant to GDPR and other data protection legislation;
3. Monitoring compliance with data protection legislation;
4. Ensuring all data protection policies and policies are reviewed and updated on a regular basis;
5. Ensuring that appropriate data protection training and advice is made available to all staff members;
6. Providing advice where requested in relation to data protection impact assessments and monitoring such assessments to ensure they are completed to an appropriate standard;
7. Responding to individuals such as customers and employees who wish to exercise their data subject rights;
8. Ensuring that the Record of Processing Activity is updated regularly;
9. Acting as a contact point for, and cooperating with, the Data Protection Commissioner;
10. Monitoring the process of putting in place appropriate data processing agreements with third parties;
11. Carrying out any reviews or data protection audits as are required or necessary.

8. Responsibilities of Staff

All staff processing personal data on behalf of MARA have a responsibility to comply with this Data Protection Policy. Detailed advice in relation to data protection procedures is made available to staff by email.

8.1 Training and awareness

All staff will receive training on this policy.  In addition, staff are continuously reminded of data protection obligations through emails to staff.

8.2 Consequences of failing to comply

MARA takes compliance with this policy very seriously. If a staff member knowingly or willfully fails to comply with any requirement, MARA may consider action under the Civil Service Disciplinary Code.

9. Queries about Data Protection

MARA’s Data Protection Officer is available to provide information and advice to staff on all matters related to personal data processing, breaches, and compliance with relevant data protection legislation.

Members of the public who wish to request more information about data protection in MARA should contact:

Data Protection Officer,
MARA – Governance and Communications Unit
Maritime Area Regulatory Authority (MARA)
2nd Floor, Menapia House,
Drinagh Business Park,
Drinagh,
Wexford,
Y35RF29.