- Home
- Information Access
- Data Protection Statement
Data Protection Statement
Data Protection Statement
- 1. Executive Summary
1.1 The National Treasury Management Agency is a data controller of Personal Data for a wide range of statutory purposes, including when it is acting as the State Claims Agency (“SCA”) and providing various schemes, funds and services such as State Savings, Funding and Debt Management (“FDM”), Ireland Strategic Investment Fund (“ISIF”), NewERA and the National Development Finance Agency (“NDFA”). The NTMA also provides certain support services in its role as a data processor, acting on behalf of the National Asset Management Agency (“NAMA”), the Strategic Banking Corporation of Ireland (“SBCI”) and Home Building Finance Ireland (“HBFI”), (together the “Affiliate Agencies”).
The NTMA is committed to complying with our obligations in respect of the processing of personal data under data protection laws. The purpose of this Data Protection Statement (“Statement”) is to ensure that we meet our transparency obligations pursuant to the General Data Protection Regulation EU 2016/679 (“GDPR”) and the Data Protection Acts 1988 – 2018 (“DPA”), together “Data Protection Law”. The Statement sets out information about our duties and responsibilities regarding the protection of Personal Data.
1.2 This Statement has effect from 21 May 2024 and is reviewed from time to time1. The most up to date approved version is posted on the NTMA website. Previous versions are also available on the NTMA website.
- 2. About the NTMA
2.1 The National Treasury Management Agency (referred to in this Data Protection Statement as “NTMA”, “us” or “we) is a State body which operates with a commercial remit to provide asset and liability management services to Government. The NTMA manages a diverse range of businesses as further described below.
2.2 Funding and Debt Management: The NTMA is responsible for borrowing on behalf of the Government and managing the National Debt in order to ensure liquidity for the Exchequer and to optimise the interest burden on the State over the medium term. This includes borrowing through the sale of retail products under the brand name State Savings, which is used to describe the range of savings products offered by the NTMA through its agents, An Post and the Prize Bond Company.
2.3 Ireland Strategic Investment Fund: The NTMA controls and manages the Ireland Strategic Investment Fund, which has a statutory mandate to invest on a commercial basis in a manner designed to support economic activity and employment in the State.
2.4 National Development Finance Agency: Acting as the National Development Finance Agency, the NTMA provides financial advisory, procurement and project delivery services to State authorities in respect of public infrastructure projects
2.5 NewERA: Through NewERA, the NTMA provides a dedicated centre of corporate finance expertise to Government regarding their shareholdings in major commercial State bodies.
2.6 State Claims Agency: The State Claims Agency (“SCA”) manages personal injury and third-party property damage claims against the State and delegated State authorities (hereinafter referred to as “DSA’s”) and provides related risk management functions. It manages claims for legal costs against the State and DSAs, however so incurred. The SCA carries out audits to assess eligibility of claims of relevant insurers who seek to apply for payment from the Insurance Compensation Fund (‘ICF’) and manage applications to the High Court by relevant insurers in liquidation. The SCA also manages Garda compensation claim applications regarding claims made by members of An Garda Síochána pursuant to the Garda Compensation legislation. Certain health service providers are required to report notifiable incidents to the Health Information and Quality Authority (HIQA), the Chief Inspector of Social Services and the Mental Health Commission (MHC) following introduction of the Patient Safety (Notifiable Incidents and Open Disclosure) Act 2023 which notifications are made through the SCA-managed National Incident Management System (‘NIMS’).
2.7 In addition to the above functions, the NTMA assigns staff to NAMA, the SBCI and HBFI and also provides them with business and support services and systems. In this regard, the NTMA may act as a data processor.
1 The NTMA Data Protection Statement was originally drafted in May 2018 and was subsequently updated in September 2020, July 2022 and May 2024.
- 3. Purpose of this Data Protection Statement
3.1 The purpose of this Data Protection Statement is to explain what Personal Data we Process and how and why we Process it where you engage with any of the businesses managed by the NTMA, whether as a job candidate, customer, business partner or generally as a member of the public. In addition, this Data Protection Statement outlines our duties and responsibilities regarding the protection of such Personal Data and the rights of data subjects in that respect. NTMA Employees may find information about our Processing of Personal Data in our dedicated Employee Data Protection Statement. Information on our website-related Processing activities is available in our NTMA Website Privacy and Cookies Policy.
3.2 This Data Protection Statement is not an exhaustive statement of our data protection practices. The manner in which we Process data will evolve over time and we will update this Statement from time to time to reflect changing practices. In addition, we operate a number of internal workplace policies and procedures which inter-relate with this Data Protection Statement. For example, the NTMA has internal policies and procedures governing Personal Data Breaches, Data Subjects’ Rights, Information Security and Data Retention.
3.3 In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Data Protection Statement by reference into various points of data capture used by us such as application forms and website forms.
3.4 A glossary of some of the data protection terms used throughout this Statement may be accessed in Annex 2.
- 4. The NTMA as a Data Controller
4.1 The NTMA is a statutory body established by the National Treasury Management Agency Act 1990, as amended (“NTMA Acts”). The data Processing undertaken by the NTMA is undertaken in fulfilment of its statutory functions and duties.
4.2 When acting as a Data Controller, the NTMA relies on Art. 6(1)(e) of the GDPR, which permits Processing that is necessary for the performance of a task which is in the public interest, where such “public interest” is laid down in EU or Irish law, as the legal basis for most of its Processing. Where Processing activities are not supported by a statutory basis, the NTMA relies on alternative legal bases permitted by Data Protection Law. This may include reliance on Art 6(1)(c) where processing by the NTMA is necessary for compliance with a legal obligation to which the NTMA as a controller is subject.
- 5. The NTMA as a Data Processor
5.1 In some cases, the NTMA acts as a Data Processor, under the instructions of a Data Controller, for example, when it is providing business and support services and systems to the Affiliate Agencies. The NTMA, acting as the State Claims Agency, is also a Data Processor in some instances where Delegated State Authorities choose to store their information within the National Incident Management System (the “NIMS System”). The NIMS system is a national end to end tool operated by the NTMA and used by DSAs to record and manage their risks.
5.2 When acting as a Data Processor, the NTMA complies with the relevant obligations under Data Protection Law. These include ensuring that the data that is Processed by the NTMA on behalf of the relevant Data Controllers is subject to appropriate technical and organisational measures to ensure a level of security appropriate to the risk and ensuring that the Processing is underpinned by a contract which includes the data protection provisions prescribed in Data Protection Law.
- 6. Purposes of Processing
6.1 As mentioned in section 4.2 of this Data Protection Statement, the NTMA largely relies on the public interest provision provided for in Article 6(1)(e) of the GDPR as the legal basis for most of its Processing. In this regard we Process Personal Data for the purpose(s) of fulfilling our statutory functions and obligations under the NTMA Acts and other applicable legislation. Where the processing is ancillary to our statutory public functions (e.g., in connection with the employment of our staff), we rely on our legitimate interests under Article 6(1)(f). Examples of the types of Processing undertaken by the NTMA along with a description of the underlying legal basis may be accessed in Annex 1 of this Data Protection Statement.
6.2 The NTMA does not employ automated decision-making or carry out profiling of data subjects.
- 7. Special Categories of Data
7.1 The NTMA, when acting as the State Claims Agency, routinely processes Special Categories of Data (largely data concerning health, but it can also extend to other categories) in the discharge of its functions. In this regard, the State Claims Agency relies on the fact that the Processing of Special Categories of Data is permitted under several provisions of Data Protection Law, including the following:
(a) Where it is necessary for the establishment, exercise or defence of legal claims and where it is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
(b) For the purpose of the administration of justice and performance of functions;
(c) Public interest, where processing is necessary for reasons of public interest in the area of public health;
(d) Processing for reasons of substantial public interest;
(e) In relation to the management of medical risk and medical claims, e.g. where it is necessary for the purposes of preventative or occupational medicine, to assess the working capacity of an employee, for the management of health or social care systems and services or for ensuring high standards of quality and safety of health care;
(f) Consent is relied upon in limited circumstances.
7.2 The NTMA (excluding the State Claims Agency) processes Special Categories of Data in limited circumstances, typically related to the ordinary course of personnel administration. Please see Appendix 1 for further information in this regard.
- 8. Individual Data Subject Rights
8.1 Data Protection Law provides certain rights in favour of Data Subjects. The rights in question (“Data Subject Rights”) are as follows:
(a) The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Data Controller);
(b) The right of access to Personal Data including knowledge of whether or not the Data Subject’s Personal Data are being processed and, if so, having access to the Personal Data plus additional ancillary information. This includes information such as the purposes of the Processing, the categories of Personal Data concerned, the recipients or categories of recipient to whom the Personal Data have been or will be disclosed and retention periods;
(c) The right to rectify Personal Data;
(d) The right to erase Personal Data (right to be forgotten);
(e) The right to restrict Processing;
(f) The right of data portability, i.e. the right to receive Personal Data concerning the Data Subject in a structured, commonly used and machine-readable format and the right to have those data transmitted to another Data Controller. This right only applies to Personal Data which the Data Subject has provided to the NTMA (and not to data which is received from third parties).
(g) The right of objection;
(h) The right to object to automated decision making, including profiling; and.
(i) The right to withdraw consent (in the limited cases where we rely on your consent to process your personal data), without affecting the lawfulness of processing based on consent before its withdrawal.
8.2 Some rights will not apply in some cases, and exemptions may apply to the exercise of your rights. For example, Articles 17 and 20 of the GDPR state that the right to be forgotten and the right of data portability do not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
8.3 In certain limited circumstances, the NTMA may act as a joint controller, i.e. where the NTMA, in conjunction with another party, may jointly determine the purposes and means of processing of your personal data. For example, this is relevant in a public procurement context when the NTMA and the Office of Government Procurement (OGP) jointly process personal data as part of the conduct of public procurement competitions on the eTenders electronic tendering platform. Where any joint controller arrangement entered into by the NTMA is applicable to your Personal Data, you will be so informed, and the rights outlined above may be exercised against each of the controllers2.
8.4 Any Data Subject wishing to exercise their Data Subject Rights should write to the NTMA Data Protection Officer, Treasury Dock, 1 North Wall Quay Dublin 1, D01 A9T8 or email dpo@ntma.ie. Your request will be dealt with in accordance with the NTMA’s Data Subject Rights Requests Procedure.
[2] Art 26 GDPR
[3] Where information is shared with another public body and no other lawful basis exists, a data sharing agreement will be put in place, pursuant to the Data Sharing and Governance Act 2019
- 9. Data Security and Personal Data Breach
9.1 The NTMA has a suite of Information Security Policies and Procedures which are designed to ensure that appropriate technical and organisational measures are in place to protect information. They are overseen by an IT Security Committee and apply to all NTMA staff. These measures protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.
9.2 Articles 33 and 34 of the GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. The NTMA has implemented a Personal Data Breach Procedure and we will manage a Data Breach in accordance with this procedure.
- 10. Disclosing Personal Data
10.1 From time to time, we will disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process, for example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data.
10.2 We will also share Personal Data:
(a) with another statutory body3 where there is a lawful basis to do so (such as the Data Protection Commission in relation to complaint handling);
(b) with selected third parties including contractors and sub-contractors (as appropriate), such as records management service providers and banks;
(c) if we are under a legal obligation to disclose Personal Data; and
(d) where it is necessary to enable the fulfilment of statutory functions.
10.3 Where we enter into agreements with third parties to Process Personal Data on our behalf, we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data.
10.4 Examples of third parties to whom Personal Data have been or will be disclosed include:
- - In respect of the personnel function, advisors and recruiters who must have access to personal data to perform their services.
- - In respect of State Savings products, An Post and the Prize Bond Company act as Data Processors for the NTMA, which is the Data Controller. Data gathered and maintained by An Post and the Prize Bond Company in this capacity is used for the purpose of administering the State Savings products and for disclosure to the Revenue Commissioners as required by law.
- - In respect of the State Claims Agency, disclosures are made for example to solicitors, barristers, expert witnesses, witnesses as to fact, private investigators, legal cost accountants, the judiciary, the Courts Service, insurers and other third parties named in proceedings, in order to process the claims to which the personal data relates, and also to insurers and other third parties named in proceedings. Disclosures will also be made to Riskonnect, a US based company, which provides the NIMS system used by the State Claims Agency and Delegated State Authorities.
- - In respect of the establishment, exercise, or defence of a legal claim to which the NTMA or a person acting on behalf of the NTMA are a named party to proceedings (such as our nominee directors), disclosures are made to legal counsel in the EEA and outside the EEA in order to facilitate legal proceedings and to comply with court orders.
2 Art 26 GDPR
3 Where information is shared with another public body and no other lawful basis exists, a data sharing agreement will be put in place, pursuant to the Data Sharing and Governance Act 2019. This includes fulfilment by the SCA of its claims and risk management functions, functions relating to applications to the Insurance Compensation fund and role in managing Garda compensation claim applications. This also includes exchanging information with other organisations for the purposes of fraud prevention or investigation.
- 11. Data Retention
11.1 We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed and in accordance with our Records Management Policy.
11.2 The NTMA is required to keep records for prescribed periods of time, ranging up to 25 years (and in certain cases, permanently), for example:
(a) For the purposes of handling potential claims and for record-keeping purposes:
(i) Where an individual makes a complaint, we will hold records regarding the complaint for 3 years after the complaint is closed.
(ii) Information relating to third parties (e.g. customers, service providers) is kept for up to 7 years following the conclusion of the business relationship.
(iii) Personal data in relation to unsuccessful candidates and unsuccessful tenders is anonymised or deleted after 12 months.
(b) The SCA holds records:
(i) relating to claims, for 25 years (from the date a claim is finalised) to enable it to fulfil its statutory functions pursuant to the NTMA (Amendment) Act 2000 and the NTMA Amendment Act 2014 (“NTMA Acts”);
(ii) relating to claims involving a Ward of Court, or, mental incapacitation for 100 years from the plaintiff’s date of birth to enable it to fulfil its statutory functions pursuant to the NTMA Acts.
(iii) regarding SCA queries, for 15 years, to enable it to fulfil its statutory functions pursuant to the NTMA (Amendment) Act 2000 and the NTMA Amendment Act 2014.
(iv) relating to its statutory involvement in applications to the High Court for payment from the ICF by insurers in liquidation, for 7 years after the insurance company liquidation is completed, to enable it fulfil its functions pursuant to the Insurance Act 1964 as amended by the Insurance (Amendment) Act 2011 and Insurance (Amendment) Act 2018 (together the “Insurance Acts”).
(c) Accounting records are retained for 7 years before being archived, in accordance with the NTMA’s remit, in compliance with legal obligations and in line with the Government archiving practice.
(d) Records regarding valid claims under the Eligible Liabilities Guarantee scheme (“ELG”) are kept indefinitely to defend any future challenge in relation to claims paid, while records regarding rejected claims are kept for 2 years.
(e) In line with Government guidance and best practice, records relating to FOI requests, AIE requests and general queries are kept for 7 years after the complaint is closed (with records relating to general queries being anonymised thereafter), while responses to parliamentary queries are kept permanently.
(f) Records of calls are kept for up to 2 years for record-keeping and complaint management purposes.
(g) Records relating to non-employees who visit the NTMA and are entered into our Visitor Management System are kept for 28 days for security purposes.
11.3 We may need to keep personal data beyond the periods specified in our Records Management Policy where there is an outstanding claim or dispute, which requires the further retention of personal data in connection with that claim.
- 12. Data Transfers outside the EEA
12.1 From time to time, we will need to transfer Personal Data outside of the European Economic Area (“EEA”). This transfer will occur in accordance with applicable Data Protection Law. We take reasonable steps to ensure that the Personal Data is treated securely (typically through the use of EU-approved Standard Contractual Clauses and related Transfer Impact Assessments) and in accordance with this Data Protection Statement when transferred outside of the EEA.
12.2 Examples of data transfers outside of the EEA by the NTMA include:
- - The State Claims Agency, in carrying out its statutory duties, frequently provides medical records and other information to experts in the UK, within the EEA and outside the EEA, such as in the USA, Australia, New Zealand, Switzerland, Israel and Gibraltar, for the purpose of obtaining expert reports on liability and other issues pertinent to claims.
- - In addition, in carrying out its statutory duties, the State Claims Agency provides medical records and other information to clinical staff who have moved abroad, e.g. to the UK, USA, Canada, Australia and the Far East for the purpose of obtaining witness statements in respect of claims, where such clinical staff provided professional medical services. Clinical experts and witnesses may also be provided with a copy of legal proceedings.
- - Data will also be processed by Riskonnect, a US based company, which provides the NIMS system used by the State Claims Agency and Delegated State Authorities. Categories include name, address/contact details, date of birth, employee information, gender, description of adverse incident, medical information, injury, healthcare number, nationality, witness details.
- - Personal data (including names and contact details) will be processed by service providers and professional advisors outside the EEA such as in the UK, the USA and India on behalf of the NTMA and the NDFA.
- - Personal data in relation to candidates for employment will be processed by service providers in the UK on behalf of the NTMA.
(Note: although outside the EEA, the EU has provided an adequacy decision to the UK, i.e. it is deemed to provide the equivalent level of personal data protection as countries within the EEA).
- 13. Further Information/Complaints Procedure
13.1 You can ask a question or make a complaint about this Data Protection Statement and/or the Processing of your Personal Data by contacting the NTMA Data Protection Officer at dpo@ntma.ie. While you may make a complaint in respect of our compliance with Data Protection Law to the Data Protection Commission, we request that you contact the NTMA DPO in the first instance to give us the opportunity to address any concerns that you may have.
- Annex 1
Annex 1
Purposes of Processing
The following are non-exhaustive examples of the types of Processing undertaken by the NTMA along with a description of the underlying legal basis:
Example of Function / Activity
Description
GDPR Lawful Basis for associated data Processing activities
Funding and Debt Management
Section 5 of the National Treasury Management Agency Act 1990 (“NTMA Act”) states that the ‘Government may by order delegate to the Agency the functions of the Minister specified in the First Schedule and any other functions of the Minister in relation to the management of the national debt or the borrowing of monies for the Exchequer that the Minister considers appropriate and are specified in the order.’ The First Schedule to the NTMA Act contains the list of functions delegated to the Agency. This list has been extended since 1990, to incorporate additional functions.
The performance of the NTMA’s functions under the NTMA Act and the NTMA (Amendment) Acts requires personal data to be processed in a variety of ways, for example, recording of telephone calls with counterparties in respect of transaction and balance confirmations and query resolution.
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)
Compliance
The NTMA must process personal data to comply with a range of legal obligations.
For example:
The NTMA processes contact details and IDs for the purposes of fulfilling the NTMA’s mandate in accordance with the NTMA Act, and to comply with legal obligations, such as sanction checking.
Personal data may be shared in response to parliamentary questions and requests made in accordance with the Freedom of Information Act 2014, the European Communities (Access to Information on the Environment) Regulations 2007 to 2018, and Dáil Standing Orders.
In accordance with data protection law, the NTMA may be required to share personal data with the Data Protection Commission to assist in the investigation of individuals’ complaints. The NTMA may also be required to process personal data, including special category personal data, in the management of data subject rights requests.
Contact and bank details will be processed for the purpose of processing claims under the ELG Scheme in accordance with the Credit Institutions (Eligible Liabilities Guarantee) Scheme 2009.
The NTMA may be required to process personal data to comply with court orders and establish, exercise or defend legal claims relating to the performance of the NTMA’s functions.
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)€
Compliance with a legal obligation – Various sanction regime requirements
The NTMA’s legitimate interest in assisting with the establishment, exercise or defence of a legal claim arising from its functions and activities – Art 6(1)(f).
State Savings
State Savings products are offered by the Minister for Finance acting through the NTMA pursuant to the powers conferred on the NTMA by the NTMA Act and the National Treasury Management Agency Act 1990 (Delegation of and Declaration as to Functions) Order 1990 (S.I. No. 277 of 1990).
Personal data such as contact details and financial details will be processed in a variety of ways for the purposes of offering State Savings products,
e.g. in the course of handling complaints.
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)
Ireland Strategic Investment Fund
Under Sections 22 and 39 of the NTMA (Amendment) Act 2014, the NTMA is required to invest the assets under the management of ISIF in a manner “designed to support economic activity and employment in the State”.
This will involve a variety of processing activities, including processing CV details on investee principals, shareholders and directors for due diligence purposes, in accordance with the NTMA Act.
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)
State Claims Agency
The SCA has, pursuant to the NTMA (Amendment) Acts 2000, NTMA (Amendment) Act 2014, the Insurance (Amendment) Act 2018 and SI No. 191/2018 the National Treasury Management Agency (Delegation of Claims for Costs Management Functions) Order 2018, a wide statutory remit including:
- the management of claims and counter claims on behalf of delegated State Authorities (“DSAs”); the provision of risk management advice and assistance to DSAs on measures to be taken to mitigate the occurrence, or to reduce the incidence, of acts or omissions that may give rise to personal injury, property damage or clinical adverse events that could subsequently result in claims, with the aim of reducing future claims and litigation;
- the management of claims for costs against the State; and
- the provision of consultancy and advisory services to DSAs in respect of any matter to which the SCA’s functions relate.
The SCA has, pursuant to the Insurance Act 1964 as amended by the Insurance (Amendment) Act 2011 and the Insurance (Amendment) Act 2018 (together the “Insurance Acts”), a statutory remit including;
- The management of applications to the High Court for payment from the Insurance Compensation Fund (‘ICF’) by relevant insurers in liquidation. This includes the SCA carrying out audits to assess eligibility of claims, the preparation and making of applications to the High Court seeking approval for payment from the ICF and the payment of claimants and/or their legal representatives on receipt of the funds from the Central Bank of Ireland.
The SCA has, pursuant to Section 31 of the Garda Síochána (Compensation) Act 2022, a statutory mandate to manage claims against the Minister for Public Expenditure and Reform relating to applications for compensation under the Garda Síochána (Compensation) Acts 1941 to 2003.
Section 30 of the Patient Safety (Notifiable Incidents and Open Disclosure) Act 2023 provides that where certain health service providers are required to report notifiable incidents to the Health Information and Quality Authority (HIQA), the Chief Inspector of Social Services and the Mental Health Commission (MHC), such notifications are to be made through the National Treasury Management Agency incident management system (‘NIMS’).
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller - Art 6(1)(e)
Processing is necessary for compliance with a legal obligation to which the controller is subject and Section 49 Data Protection Act 2018Processing necessary for the defence of legal claims - Art 9 (2)(f) & Section 47 Data Protection Act 2018
Consent is sought in limited circumstances, at certain times when seeking consent to take up a claimant’s medical records, as per Art 9 (2)(a)
Public interest, where processing is necessary for reasons of public interest in the area of public health (see Section 7 in the text of the Statement above re Special Categories of Data) - Arts 9(2)(g),
(h) and (i) and Section 53 Data Protection Act 2018
Necessary for the performance of a contract (Art 6(1)(b))
NewERA
The National Treasury Management Agency (Amendment) Act 2014 established NewERA in statute and introduced new requirements in relation to the corporate governance of certain State bodies designated in that Act.
This will include processing CV information in relation to prospective directors of designated entities.
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)
NDFA
The NDFA was established on 1 January 2003 and its key functions are now mandated within the National Treasury Management Agency (Amendment) Act, 2014 and the Ministerial Guidelines issued by the Department of Public Expenditure and Reform, in consultation with the Department of Finance.
This will include processing names, contact details and financial details in relation to contracts, taking site photographs, evaluating CV information for tenders, and processing personal injury reports provided by third parties as a requirement of contractual agreements, all in accordance with the NDFA functions under the NTMA Act.
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e), including substantial public interest - Art 9(2)(g)
Processing necessary for the defence of legal claims - Art 9 (2)(f)
Necessary for the performance of a contract (Art 6(1)(b))
Annual Statements of Interest by Designated Directors and Certain NTMA Employees
Under the Ethics in Public Office Acts 1995 and 2001, certain “designated directors” and “holders of designated positions of employment” of public bodies are required to furnish an annual statement of interests to the Standards in Public Office Commission and/or the officer in the relevant body nominated by the Minister.
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)
Candidate Data
Name, contact details, CV information, psychometric data and interview notes will be processed to assess if a candidate is suitable for a role.
Necessary for the performance of a contract – Art 6(1)(b)
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)
The NTMA’s legitimate interest in managing its staff and its recruitment process and to assess the suitability of candidates for positions (Art 6(1)(f)).
Dormant Accounts
Consent is obtained from relevant individuals in the event their data is required to be shared externally with a bank/insurer to remit money pursuant to the Dormant Accounts Acts 2001- 2012 and the Unclaimed Life Assurance Policies Act 2003.
Consent – Art 6(1)(a)
Maintaining Records / Correspondence
Business contact information in relation to investors, primary dealers and other business contacts is collected for the purposes of corresponding with them and for the purposes of records management.
Visitor Information is gathered in relation to visitors to Treasury Dock for security and record management purposes.
The NTMA’s legitimate interest to ensure effective and appropriate management of its staff and its business (Art 6(1)(f));
Internal Audit
Internal audits of individual business could necessitate the processing of client personal data.
The NTMA’s legitimate interest to ensure effective and appropriate management of its staff and its business (Art 6(1)(f));
Support Services to NAMA
Pursuant to section 41 of the National Asset Management Agency Act 2009, the NTMA is required to provide NAMA with “such business and support services and systems as the Board determines, acting upon the recommendation of the Chief Executive Officer of NAMA and after consultation with the Chief Executive of the NTMA, to be necessary or expedient for NAMA to perform its functions under this Act.” In the context of the data processing undertaken by the NTMA on behalf of NAMA, the NTMA acts as a Data Processor in performing certain of these relevant business and support services.
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)
Support Services to the SBCI
Pursuant to section 10 of the Strategic Banking Corporation of Ireland Act 2014, the NTMA is required to provide “such business and support services and systems as the SBCI determines, after consultation with the Chief Executive of the NTMA, from time to time, to be necessary or
expedient for the SBCI to perform its functions.” In the context of the data processing undertaken by the NTMA, on behalf of the SBCI, the NTMA acts as a Data Processor in performing certain of these relevant business and support services.
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)
Support Services to HBFI
Pursuant to section 9 of the Home Building Finance Ireland Act 2018, the NTMA is required to provide “such business and support services and systems as HBFI determines, after consultation with the Chief Executive of the NTMA, from time to time, to be necessary or expedient for HBFI to perform its functions.” In the context of the data processing undertaken by the NTMA, on behalf of HBFI, the NTMA acts as a Data Processor in performing certain of these relevant business and support services.
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art 6(1)(e)
- Annex 2
ANNEX 2
Glossary
In this Data Protection Statement, the terms below have the following meaning:
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller (for example, a payroll service provider).
“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Acts 1988 to 2018 and any other laws which apply to the NTMA in relation to the Processing of Personal Data.
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway.
“Personal Data” is any information relating to an identified or identifiable living individual (“Data Subject”). Personal Data can include:
- a name, an identification number;
- details about an individual’s address or contact details;
- data related to the delivery of a service by the NTMA, e.g. details of transactions with State Savings or of claims or incidents which are managed by the State Claims Agency;
- any other information that is specific to that individual.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.
“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data for the purposes of uniquely identifying an individual (for example, fingerprints), health data, data concerning sex life or sexual orientation. Personal Data relating to criminal convictions or offences are also considered sensitive, and specific restrictions apply to the processing of such data.