Babywearing Ireland Data Retention Policy

Purpose of the policy

Babywearing Ireland (BWI) ("we", "us" or "our") is committed to protecting and respecting your privacy under Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)). This Data Retention Policy sets out our position in respect of the principle that data not be retained for longer than reasonably necessary as outlined under Article 5 of the GDPR:

Art 5(c) Data Minimisation: personal data shall be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed'.
Art 5(e) Storage Limitation: personal data shall be ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’.

This policy applies to all records, irrespective of format, held by, under the control of, or in the possession of BWI. It applies to all staff or volunteers working in all positions and locations in BWI. It applies to all aspects of record maintenance and disposal. It includes all applications used to create records including, without being limited to, e-mail, database applications, cloud storage applications and any third party websites used to store the data of BWI. All information, written and electronic (including email), created or received by volunteers or staff of BWI, preserved in the form of records, is covered by this policy.

This policy outlines how Babywearing Ireland collects, stores, and disposes of personal data relating to volunteers, attendees, and members in compliance with the GDPR and Irish data protection laws. The aim is to ensure data is kept only as long as necessary while protecting individuals’ rights and privacy.

Scope

This policy applies to:

Volunteers and BWI committee members
Event attendees, including parents and children
Members and other individuals whose data is processed

Principles of data retention

Babywearing Ireland commits to the following:

Lawful Processing: Data will be kept only for legitimate purposes.
Data Minimisation: Only necessary data will be collected and stored.
Storage Limitation: Data will not be kept longer than required.
Security: Personal data will be stored securely and deleted appropriately.

Retention periods

Retention periods depend on different criteria, including compliance with EU and Irish legislation, contractual obligations and best practice. These minimum legislative periods, where they exist, along with:

operational and/or contractual necessities, and
corporate, historic or educational value

influence the overall retention period for a record type. Where applicable to the record type, the age of a record is calculated from the end of the calendar month, following the last entry on the record. Most records are reviewed on an annual basis. Where this is the case, and a record is to be deleted or anonymised, the relevant age of the record must have already passed for a record to be deleted or anonymised.

  
    


  
    Data type
    Retention Period
    Reason
  

    Volunteer applications &
agreements
    3 years after
leaving
    To manage potential re-
engagement or disputes
  

    Contact details of active
volunteers
    While active
    Necessary for operational

purposes
  

    Garda vetting records
    7 years after
leaving
    For safeguarding, insurance,
and queries
  

    Volunteer role descriptions
    6 years after

leaving
    Potential legal queries
  

    Attendance records (meet-ups,
events)
    3-5 years
    For safeguarding, insurance,

and queries
  

    Incident/accident reports
    10 years (or longer
for minors)
    In line with legal
requirements
  

    Safeguarding/child protection
records
    Until child is 25 at
minimum
    Best practice for child
protection
  

    Financial records (expense
claims, reimbursements)
    6 years
    Compliance with tax and
audit requirements
  

    Emails & routine correspondence
    1 year
    Regular clean-up of
unnecessary data
  

  

Keeping personal data secure

BWI operates and uses appropriate technical and physical security measures to protect personal data.

We have in particular taken appropriate security measures to protect any personal data held by BWI from accidental or unlawful destruction, loss or alteration, and from unauthorised disclosure or access. Access to personal data is only granted on a need-to-know basis to those people within BWI whose roles require them to process personal data and, in certain circumstances, to third parties.

Secure storage and disposal

Personal data is stored securely in password-protected digital files and, where necessary, in locked physical storage.
If digitised, hard copies will be destroyed after verifying the digital copy is an exact replica.
Data will be reviewed annually to ensure outdated information is deleted.
When data reaches the end of its retention period, it will be securely shredded (physical) or permanently deleted (digital) to prevent unauthorised access.

Data breaches under GDPR

A GDPR breach regarding an internal document occurs if personal data is lost, altered, disclosed, or accessed without authorisation, even internally. This includes sending restricted data to unauthorised staff. It must be reported to the Data Protection Officer within 72 hours if it risks individuals' rights, according to Article 33 of the GDPR.

Documentation: All breaches, even minor ones, should be documented internally in a data breach register.
Risk Evaluation: In the event of a breach, if the breach involves sensitive data of vulnerable individual (e.g. minors), the risk is higher, requiring potential notification to the affected individuals.

Steps to take:
- Contain: Immediately stop the spread of the document (e.g., recall email).
- Assess: Determine what personal data was involved.
- Report: Notify the internal DPO or committee as required.
- Remediate: Take steps to prevent future occurrences, like updating permissions.

Rights of individuals and accessing information

Individuals have the right to:

Request access to their data
Ask for corrections or updates
Request deletion of their data where applicable
Withdraw consent for processing

An individual can make a request for your personal data by contacting our Data Protection Officer via email to [name and contact email of Babywearing Ireland’s Data Protection Officer] or alternatively by writing to: Data Protection Officer, registered address of Babywearing Ireland.

If they would like to request that we amend the accuracy or completeness of their personal data, restrict the processing of their personal data or seek erasure of their data they should contact our Data Protection Officer.

Exceptional cases

There may be times when Babywearing Ireland needs to retain personal data for a longer period than either the time set out in law or the retention period set out above. Where this is the case, there will always be an objectively justifiable reason for keeping the data outside the normal period. This justification will be documented and held with the data concerned. In accordance with the principle of ‘data minimisation’, only the records needed will be retained and any and all ancillary data will be disposed of in accordance with Babywearing Ireland’s Data Protection Guidelines and in taking all reasonable precautions in compliance with our GDPR obligations.

Review of policy

This policy will be reviewed annually or as required by changes in data protection laws.