Select your language

Data Protection

Welcome to the Data Protection Page for State Boards. Here you will find all of our policies relating to the processing and protection of your personal data along with a Frequently Asked Questions section that we hope will address any questions that you may have in relation to this area.

Data Protection Documentation:

Candidate Privacy Statement

Board Member/Assessor/Invigilator Privacy Statement

Code of Practice for the Protection of Personal Data

Cookies Policy

Records Retention Schedule

Data Security Policy

CCTV Policy

Subject Access Policy

Subject Access Request Form

Data Protection FAQs:

GDPR is the General Data Protection Regulation. It comes into effect from 25th May 2018. The objective of the regulation is to strengthen and standardise data protection laws for all EU citizens. These regulations will apply to any organisation that controls and/or processes data on behalf of an individual or group of individuals. Those responsible for adhering to these regulations include employees of the organisation, and either directly or indirectly, contractors, consultants, agents and third parties who have access to data.

We have always appreciated your trust in us to collect, process and protect your information. As a data controller and processor of your personal data, we will continue to:

  • develop our strong risk management culture by acting responsibly and putting the security of your data at the top of our priorities;
  • manage our controls, processes and systems to improve our level of customer service while providing you with the assurance that your information is safe and secure; and
  • conduct our business in a fair and transparent way and ensure we minimise the risk of unfair outcomes for our customers or any negative impact on their data rights and freedoms.

Code of Practice for the Protection of Personal Data and explains how we collect personal information about you, how we use it and how you can interact with us about it or how you can correct it.

When we talk about the Public Appointments Service “PAS” or “publicjobs” or “us” or “we” in our Code of Practice for the Protection of Personal Data in the Public Appointments Service and on this website, we are talking about the Public Appointments Service which is the independent centralised recruitment, assessment and selection body for the Civil Service, Health Service, Local Authorities, the Garda Síochána, Prison Service and other public service bodies.

Our Data Protection Officer oversees how we collect, use, share and protect your information to ensure your rights are fulfilled. You can contact our Data Protection Officer at This email address is being protected from spambots. You need JavaScript enabled to view it. or by writing to them at Data Protection Officer, Public Appointments Service, Chapter House, 26 – 30 Abbey Street Upper, Dublin 1, D01 C7W6.

We collect personal information from you, for example when you:

  • register on our website;
  • make an application directly or through executive search;
  • participate in the competition process which may include tests, interviews, clearance and assignments stage;

We also collect information through our voluntary customer surveys and our CCTV system. Further information on how and why we collect information is detailed in our Candidate Privacy Statement.

Our websites use ‘cookie’ technology. A cookie is a little piece of text that our server places on your device when you visit any of our websites or apps. They help us make the sites work better for you. Further information is available on our Cookies Policy.

This is some of the information we may collect and how you register on our website or apply for a recruitment competition or progress through the competition process:

Personal Data:

Username *

Highest Qualification

Password *

Current/Most Recent Industry Sector

Candidate ID

Career Level


Daytime Phone Number *

First Name *

Mobile Phone Number

Surname *

Communication Language Preference *

Address Line 1 *

Preference for Contact

Address Line 2

Employment Record

Address Line 3

Personal Statement

Postcode *

Curriculum Vitae

PPS Number

Covering Letter


On Line Personality Questinnaire Responses

Primary e-mail Address*

Assessment Accommodation Details if required

Country *

Description of relevant skills and experiences in specific areas


Results and information notes on your performance of all assessments processes

SMS Text Alerts


If you are successful in an assessment process and/or under consideration for assignment we may also collect: -

Health and Character Information

Garda Vetting/Security Clearance Information, Health Statement/Medical

Identification Documents *

Original Qualifications/Professional Membership

Employer/Other References

Workplace Accommodations if required

Mandatory Information *

Under GDPR, there are special categories that require additional safeguards for processing. In some instances, we will require this information for processing or it may be volunteered by you. These data types and the reason we collect them are:

Health data

Yes - We request health data from you before recommendation/assignment to a post.

Racial or ethnic origin

No - We do not require you to provide details of racial or ethnic origin to use our services.

Political opinions

No - We do not request you to provide political opinions to use our services.

Religious or philosophical beliefs

No - We do not request you to provide data on your religious or philosophical beliefs to use our services.

Trade union membership

No - We do not request you to provide trade union membership details to use our services.

Genetic data

No - We do not request you to provide genetic data to use our services.

Sexual orientation

No - We do not request you to provide sexual orientation information to use our services.

Disability related information

Yes - If you inform us that you require reasonable accommodations to be put in place during the assessment process.

When you register with or submit an application for a competition, we create a computer record in your name. Information submitted with a job application is used in processing your application. If you are successful in the recruitment and selection campaign, your application may be made available to the Human Resources section of the organisation to which you have been assigned.

The Data Protection Bill provides that the processing of personal data shall be lawful where such processing is necessary for the performance of a statutory function of a controller. PAS is mandated by statute to act as the centralised assessment and selection body for the civil service and to carry out all the procedures necessary to undertake the recruitment, assessment and selection of suitable candidates for appointment (Section 34 of the Public Service Management (Recruitment and Appointments Act 2004) (2004 Act) therefore, the processing of personal data necessary for this purpose is lawful as Article 6(1) (e) GDPR applies.

The Data Protection Bill also provides a legal basis for the processing of “special categories” of personal data for the performance of a function conferred by or under an enactment. The information collected from applicants that falls within the “special categories” of personal data set out in Article 9 GDPR will be subject to a “toolbox” of measures designed to safeguard the fundamental rights and freedoms of data subjects. The “toolbox” of measures includes encryption and pseudonymisation of data, obtaining the explicit consent of the data subject and includes strict time limits for the erasure of relevant personal data. The data processing must be necessary and proportionate and in accordance with the principles of data protection including data minimisation – i.e. that the data processing is limited to what is necessary for the purposes for which the data processed.

To meet our regulatory and legal obligations, we collect your personal information, retain it in a safe and secure structure and keep it and update it as the campaign progresses and delete it once we no longer have to keep it. We may also need to transfer information about you to a third party (e.g. test providers) and this will only take place via secure channels. Before data is transferred to an external third party a written agreement will be put in place in advance of any data transfer.

The onus is on the candidate to ensure that the personal information on their personal profile is regularly checked to ensure data is correct and to alert PAS to anything that needs to be updated if they cannot update it themselves.

Sometimes we need your consent to use your personal information. For example, when we use sensitive personal information (known as special category information under GDPR) about you, such as disability related data, we ask for your explicit consent. We have controls to ensure that you are informed when making your decision and that you are aware that you can remove your consent at any time by contacting us.

Our consent requests are built on the following principles:

  • Positive Action - Clear affirmative action is required. We will not use pre-ticked boxes, imply or assume consent in the event of no positive action from you.
  • Free will - Your consent must be freely given and not influenced by external factors.
  • Specific - We will be clear on what exactly we are asking your consent for.
  • Recorded - We will keep a record of your consent and how it was obtained.
  • Can be withdrawn at any time - We will stop data processing requiring your consent at any time you make valid request.

PAS has an obligation to keep information ‘safe and secure’ and have appropriate measures in place to prevent unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction in compliance with the GDPR. It is imperative, therefore, that we have security measures and policies in place to ensure that only those staff members with a business need to access a particular set of personal or sensitive data are allowed to access that data. This PAS Security Policy sets out who can access the various types of personal data in PAS, the procedures for handling personal data and for ensuring the security of personal data (both manual files and on IT systems). It also contains procedures for the transmission of data to other parties. For further information, please see the attached Data Security Policy.

The implementation of this Policy is subject to audit by a staff member nominated by the Data Protection Officer and may also be the subject of an internal audit investigation and report to the Audit Committee at any stage.

The Records Retention Schedule for PAS sets out the retention periods for all items of personal data kept and the procedures in place to implement these guidelines. Necessary approval has been sought from the Director of the National Archives to destroy electronic and physical records.

The National Archives require PAS to submit competition files to them after 30 years. The competition files contain certain personal data, depending on how far the candidate has progressed in the competition process. Certain information in relation to candidates scores and test results are also retained for as long as the campaign is active. Candidates who progress to shortlisting stage will be included on the list of candidates presented to the shortlisting board which includes all candidate names and their most recent roles; the board members’ assessment of their application will be retained. At Interview stage, the notes from each candidate’s interview are retained (this may not be the case for large volume recruitment) and a copy of the marks awarded under each area (if applicable). Should the candidate be considered for appointment a copy of the provisional recommendation issued to the employing organisations will be retained (this includes, the candidate’s name, address, date of birth, relevant qualifications and experience). All of this information will be retained indefinitely and ultimately sent to the National Archives.

Personal Information is only sent to external parties when absolutely necessary and in compliance with the General Data Protection Regulation. Information is encrypted and customers are informed they should not send in personal information by email. If there is a request for information from a subject, the relevant information is collected and we will consider our obligations to other data subjects. The person(s) preparing our response will consider the rights of third parties and any obligations of confidentiality which may apply, in addition to any relevant exemptions under GDPR. Where the identity of third parties would be disclosed in data relating to you, we may either redact (blank out) that data to protect the privacy and confidentiality of such third parties or may provide you with an extract from the data instead of the original sources material.

Contractors, consultants and external service providers (including on-line test and assessment providers) contracted by PAS will be subject to strict procedures with regard to accessing personal data by way of formal contract in line with the provisions of the General Data Protection Regulations. The terms of the contract and undertakings given are subject to review and audit to ensure compliance.

We require that these third parties provide sufficient guarantees that the necessary safeguards and controls have been implemented to ensure there is no impact on your data rights and freedoms.

You can exercise your rights by contacting us by email at This email address is being protected from spambots. You need JavaScript enabled to view it. and/or by telephoning +353 (0) 1 8587461.

Whenever you contact us to ask about your information, we may ask you to verify your identity. This is to help protect your information.

Your right to obtain information cannot adversely affect the rights and freedoms of others. Therefore, we cannot provide information on other people without consent. We generally do not charge you when you contact us to ask about your information. If requests are deemed excessive or manifestly unfounded, we may charge a reasonable fee to cover the additional administrative costs or choose to refuse the requests.

The following section details your information rights and how we can help ensure that you are aware of these rights, how you can exercise these rights and how we intend to deliver on your requests.

PAS is aware of its obligations as a data controller with primary responsibility for, and a duty of care towards, the personal data within its control. Our obligations are set out in the GDPR and associated implementing and supplementary legislation in Ireland.

Data subjects whose personal data is held by PAS are entitled to ask PAS and receive confirmation as to whether or not personal data concerning them is being processed. Where that is the case, data subjects are entitled to access the personal data as well as the following information in relation thereto:

  1. The purposes of processing
  2. The categories of personal data concerned
  3. The recipients, or categories of recipients, to whom personal data has been, or will be disclosed
  4. Where possible. the envisaged period for which personal data will be stored, or if not possible, the criteria used to determine that period
  5. The existence of the right to request from PAS rectification or erasure of personal data or restriction of processing personal data concerning the data subject or it object to such processing
  6. The right to lodge a complaint with the Data Protection Commissioner
  7. Where the personal data is not collected from the data subject, any available information regarding the sources
  8. The existence of automated decision-making (including profiling) being operated on the data subject’s data, where relevant, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
  9. Where personal data is transferred to a third party the appropriate safeguards pursuant to the GDPR relating to such transfer.

The subject access request should be made in writing, and should include sufficient information to identify the data subject to our reasonable satisfaction so we can verify that we are not releasing your data to someone who is impersonating you. When the criteria are satisfied, we will be in a position to commence the work involved in responding to your request. PAS will strive to respond as quickly as possible and in any event without undue delay, but if we have not been able to complete our work in that regard within one calendar month we will update you as to the progress of our response to your request. Attached is the Subject Access Request Form

PAS will provide the data subject with any relevant data in response to a subject access request in electronic format. If you do not wish to receive our response to your request by email, please let us know in advance. Once our response to your subject access request has been finalised, we will make a full copy of the material to be retained for our own reference. This record will be used as a reference should there be any dispute as to the content or timeliness of our response provided to you. It will be retained for 7 years.

You can update your own profile at any stage and should do so as your circumstances change.

To access your profile: -

  • log on to,
  • Enter your username and password
  • My personal details
  • Update your profile
  • Click on Save

You may have the right to restrict or object to us processing your personal information. We will require your consent to further process this information once restricted. You can request restriction of processing where:

  • The personal data is inaccurate and you request restriction while we verify the accuracy;
  • The processing of your personal data is unlawful;
  • You oppose the erasure of the data, requesting restriction of processing instead;
  • You require the data for the establishment, exercise or defence of legal claims but we no longer require the data for processing;
  • You disagree with the legal basis and processing is restricted until the legal basis is verified.

You may ask us to delete your personal information or we may delete your personal information under the following conditions:

  • the personal data are no longer necessary in relation to the purposes for which they were collected, or otherwise processed
  • you withdraw your consent where there is no other legal ground for the processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation.

This does not apply where PAS is complying with a legal obligation, or performing a task in the public interest, or in the exercise of official authority, or for archiving or research purposes, or for exercise of the defence of a legal claim.

If you no longer wish to maintain an active account, there is a facility on your profile page to allow you to delete your account and remove the associated personal information. The Public Appointments Service requires that participants in all competitions have an active account. By deleting your account, you will be indicating your intention to withdraw your candidature from any active competitions you may be involved in.

To delete your profile: -

  • log on to,
  • Enter your username and password
  • My personal details
  • Find the “Account Deletion” Section
  • Click on “Delete Account” button
  • Review the information on the confirmation screen and click “Confirm”

NOTE: Deleting your account is permanent and cannot be undone

Taking into account the purposes of the processing, you shall have the right to have incomplete or inaccurate personal data completed or corrected, including by means of providing a supplementary statement. You should contact This email address is being protected from spambots. You need JavaScript enabled to view it..

You have the right to receive your data in a structured, commonly used and machine readable format and the right to transmit it to another controller where processing is carried out by automated means and where it is technically feasible.

This does not apply to data processed in the exercise of official authority vested in PAS.

PAS will not take an evaluation decision by automated means unless you have officially consented. You have the right to obtain human intervention and express your point of view.

If you have a complaint about the use of your personal information, please let a member of staff in PAS know, giving them the opportunity to put things right as quickly as possible. If you wish to make a complaint you may do so in person, by phone, in writing and by email. We will fully investigate all the complaints we receive. You may complain through our Office, by phone, by email or in person. We ask that you supply as much information as possible to help us resolve your complaint quickly.You should contact This email address is being protected from spambots. You need JavaScript enabled to view it..

You can also contact the Office of the Data Protection Commissioner in Ireland using the contact details below:

  • Visit their website
  • Email This email address is being protected from spambots. You need JavaScript enabled to view it.
  • Phone on +353 (0)57 8684800 or +353 (0)761 104 800
  • Write to the Office of the Data Protection Commissioner, Fitzwilliam Square, Dublin 2, D02 RD28, or Data Protection Office, Canal House, Station Road, Portarlington, Co. Laois, Ireland R32 AP23

We will make changes to this notice from time to time, particularly when we change how we use your information, and change our technology and products. You can always find an up-to-date version of this notice on this website at, or you can ask us for a copy.