NMBI needs to gather and use certain information about individuals. In particular, it has a statutory duty to collect and process personal data as the regulator of the professions of nursing and midwifery, as set out in the Nurses and Midwives Act 2011. The data subjects NMBI needs to gather and use information about includes registrants, student nurses and midwives, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
National data protection law and the General Data Protection Regulation (GDPR) describes how organisations – including NMBI – must collect, process and store personal information.
Data Protection law
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The Data Protection Act 2018 was signed into law in Ireland on 24 May 2018.
The GDPR is underpinned by six important principles. These say that personal data must:
- Be processed lawfully, fairly and transparently (lawfulness, fairness and transparency);
- Be obtained only for specified, explicit and legitimate purposes (purpose limitation);
- Be adequate, relevant and limited to what is necessary (data minimisation);
- Be accurate and kept up to date (accuracy);
- Be kept only for as long is necessary (storage limitation); and
- Be processed with appropriate security (integrity and confidentiality).
How to access your data (Subject Access Request)
You may use data protection legislation to access your personal data, held by the NMBI. All individuals who are subject to personal data held by NMBI are entitled to:
- Ask what information NMBI holds and why;
- Ask how to gain access;
- Be informed about how to keep their personal data up to date; and
- Be informed about NMBI’s data protection policies.
To request your personal data, you must make a subject access request to NMBI’s Data Protection Officer. Subject access requests must be made in writing. They can be sent by postal address to: Dr. Aoibhín de Búrca, Data Protection Officer, 18/20 Carysfort Avenue, Blackrock, Co Dublin, A94 R299 or by email to email@example.com.
Please try to be as detailed as possible in your request, as it will ensure that you will receive the relevant records which you have requested. Once the request has been received, NMBI must respond to subject access requests within one month. NMBI will always verify the identity of anyone making a subject access request before handing over any information.
NMBI’s Subject Access Request Policy contains more detailed information on subject access requests.
For further information on how the NMBI uses your data please see our policies:
Making a complaint to the Data Protection Commissioner
Individuals have the right to lodge a complaint with the Data Protection Commission if they consider that the processing of personal data relating to him or her, by NMBI, infringes the national Data Protection Acts or the GDPR.
The complaint must be made in writing, and can be made:
By email to firstname.lastname@example.org
By post to the Office of the Data Protection Commission, Canal House, Station Road, Portarlington, Co Laois, R32 AP23, Ireland.
For more information, please see the Data Protection Commission website.