Data Privacy Summary
Dundalk Institute of Technology take your privacy seriously. It is important that you know what we do with personal information that you and others provide to us, why we gather it and what that means to you. This information is being provided to you in line with our obligations under the General Data Protection Regulation (GDPR) which came into force on 25th May 2018. The GDPR together with the Irish legislative requirements – Data Protection Act 2018 – amend previous data protection law and place enhanced accountability and transparency obligations on all organisations using your personal information. Please take the time to read this notice carefully. If you have any questions about how we use your information please contact the Institute’s Data Protection Office - details listed below.
GDPR – what is it?
GDPR is the European Union General Data Protection Regulation. It came into effect on 25th May 2018. It sets out a series of new EU laws concerning how data can be processed and used by organisations. The objective of the Regulation is to strengthen and standardise data protection laws for all EU citizens. Further information on GDPR and the Data Protection Act 2018 can be found on the Data Protection Commission (DPC) web site www.dataprotection.ie
Section 1 – Who we are
1.1 The Data Controller
Dundalk Institute of Technology is the Data Controller for all personal data collected for the purpose of its business. The Institute decides what personal data it needs to collect from you to allow it to operate its services. Data processes are documented and issued to relevant staff.
There are approximately 500 staff directly employed by the Institute and we have in excess of 5,000 student population.
You can contact the Institute in any of the following ways:
1.2 The Data Protection Officer
If you have any queries relating to how we might use your personal data, contact our Data Protection Office in the following ways:
By email: email@example.com
By post: Data Protection Officer, Dundalk Institute of Technology, Dublin Road, Dundalk, Co Louth.
Section 2 – When we collect your information
We collect information about you for a range of reasons mainly from yourself but it also can come from other sources. The situations where we collect personal data are as follows:
2.1 When you apply to be considered for a course of study either through the CAO system or upon direct application to the Institute.
2.2 When you actually register as a full time or part-time student.
2.3 When you access any of the student services provided by the Institute you may give additional information – services such as Medical Centre, Counsellor, Clubs & Societies etc
2.4 When you transfer into the Institute from another third level organisation.
2.5 When you commence employment with the Institute.
2.6 When you attend events, functions.
2.7 When you provide services to the Institute such as a supplier or contractor.
Section 3 – What types of personal data do we collect?
3.1 It is the Institute’s policy to only collect the information that is required for the immediate purpose such as those outlined in section 5.
3.2 Personal data collected can include the following:
- Your name
- Your address
- Your date of birth
- Your phone number
- Your email address
- Your PPS number
- Your marital status
- Your family status
- Your next of kin
- Certain financial information
- Your educational qualifications
3.3 At times we also need to collect personal data such as health data and photographs. For example for health data - an employment medical you may undergo as a prospective new staff member or if you are a student availing of any of the health services such as registering with medical centre or Disability Service. Photographs are taken and used for the purpose of identification and security, for example students accessing Institute services will be required to produce their student ID card. Other data may include information concerning trade union membership – as a staff member you may wish to pay a subscription via your salary so Payroll will have a record of this. We acknowledge we can also collect, indirectly, data in relation to the religious beliefs and sexual orientation of students and staff.
Section 4 – The Legal Basis for Processing
The Institute has a number of Acts under which personal data may be legally processed. Our main legislation that we operate under is included in the Regional Technical Colleges Act, Institute of Technology Act and Technical Universities Act however we have a number of other pieces of primary and secondary legislation which allows us to process personal data.
The Institute is also entitled and indeed obliged to process personal data under other legislative provisions that provide the basis for all Government Departments to administer a range of services and supports as set out by successive Government decisions.
Please refer to the list of legislation noted as Appendix 1.
Section 5 – The Categories of processing undertaken by the Institute
We process personal data for the following purposes:
- The recruitment of students
- The Admission and Registration of students
- For Academic matters – teaching and learning provision, assessment, examinations, attendance, graduation, grievance and disciplinary matters.
- For the operation of work placement - will include the Vetting/approval of students undertaking placements as part of their programme of study under the Protection of Children & Vulnerable Adults legislation via the Garda Vetting Bureau. It will also include students signing a Health Declaration form prior to taking up placement in clinical settings (Covid-19 and infectious diseases related).
- For the provision of student cards for identification / security purposes.
- For provision of IT services
- For provision of Library services
- For provision of student services such as Access Office, Disability Office, Learning Support, Careers Office, Counselling Service, Health Centre, Clubs and Societies, Accommodation.
- To administer finance related issues such as fees, financial supports scholarships, prizes and bursaries.
- For research and statistical analysis purposes
- For the safety and wellbeing of all staff, students, visitors. The Institute operates a Contact Tracing Policy in line with HSE and Government Protocol (COVID-19 related) to manage contacts of those who have come in contact with a suspected or confirmed case. Any information collected for this reason will subsequently and immediately be deleted once appropriate period has elapsed as per Policy.
- To monitor and evaluate the student experience to enhance services further
- To enable us to effectively communicate with our students, staff and others.
- To provide data to organisations such as the HEA (Higher Education Authority) in line with legal and government requirements.
- To comply with statutory reporting requirements.
- To administer voluntary surveys of student opinion about experiences and the performance of the Institute. For example Stu Irish Survey of Student Engagement (StudentSurvey.ie)
- To create and publish printed and soft copy material such as prospectus, brochures, website for promotional and archive purposes.
- To assist with law enforcement or where required as authorised by law.
- To confirm the details of students’ academic achievements, and for statistical and historical purposes. (A core record of a student’s study history is retained indefinitely on the student information system, Banner).
- To enable the Institute to continue to contact you after you graduate for example to complete surveys of graduate work destinations, alumni news, marketing etc.
- To respond to requests for information made under data protection legislation.
- To assist sporting/society bodies who may require student data such as date of birth or confirmation of being in full time education as a pre-requisite to student representing the Institute in formal events or competitions.
- For the recruitment of staff which includes the Vetting/approval of new (and existing) staff under the Protection of Children & Vulnerable Adults legislation via the Garda Vetting Bureau.
- To Induct and further train staff
- For academic matters – provision of support in : teaching and learning skills, assessment, examinations, research.
- For the processing of grievance and disciplinary matters.
- For the provision of staff cards for identification / security and access purposes
- For the provision of staff services such as adequate access to buildings and car parks, Counselling and Advice service via the confidential Employee Assistance Programme.
- To administer finance related issues such as Staff Training Fees Assistance, payroll administration (salary payment including travel and part time teaching claims, Income Tax and other deductions), pension.
- To administer HR related issues such as contracts of employment, salary, maintenance of personnel details, sick and annual leave, pension administration, staff training, supplying confirmation of job title/employment to third parties, such as a new employer, as requested by individuals.
- To monitor and evaluate the staff experience to enhance services further
- To enable effective communication with our staff both current and past.
- To administer voluntary surveys of staff opinion about their experiences and the performance of the Institute as required from time to time.
- To confirm the details of staff academic achievements and employment (current and previous), and for statistical and historical purposes, (a core record of staffs employment is retained indefinitely on the Human Resources/Payroll information system, CORE HR).
- To enable the Institute to continue to contact you after you retire or leave employment for example for alumni news, marketing etc.
- To handle contracts with external service providers.
- To deal with service queries or complaints.
In certain situations we may share your data with other organisations in accordance with legislation and as outlined in Section 7 below. Data sharing arrangements or Statutory Instruments will be in place / operated under for any sharing that occurs.
Section 6 – Where do we store your personal data?
Electronic storage of personal data:
The bulk of personal data is stored by the Institute electronically on our internal IT systems. These systems are fully protected by anti-virus and anti-malware software. Electronic data includes student application, admission and academic record, recruitment data and for successful applicants subsequent staff employment records, evidence of identity, contact information, financial information, family details, evidence of educational and training achieved and pursuing, copies of electronic correspondence. The main electronic systems in use in the Institute are the student records system Banner; the personnel system CORE HR/Payroll; the Procurement/Creditors payment system Agresso. Additionally the Library operates a computerised automation system –Koha Interleaf / Discovery Service EBSCO and Outlook is the system used for email.
Access to personal data is restricted to those staff members who need the information to carry out their official duties. Access is controlled by every staff member having a unique login username and password. Minimum permissions are given to allow the staff member to work in a secure environment and to only access the personal data that they need for
Storage of hard copy (paper) files:
Where the Institute holds paper records containing personal data, these are stored on individual or category related files which are secured in the relevant staff office for current files or adjacent storage space for less current files. Only staff who need to work on these files will have access to them. Security is achieved by physical safe measures where access to a staff office or department office is by key access or swipe card and where visitors are screened so that unauthorised access to personal data is avoided. For example students are not allowed directly into an academic administration office, but their queries are dealt with via a student queries window.
Sometimes historical paper records will be stored off-campus in a secure location operated by a contracted services provider. This Processor is vetted to ensure it operates in line with good data protection practices which includes adhering to Institute instructions on the handling, acquisition and deletion of the data and a data processing /confidentiality agreement is in situ.
Section 7 – Sharing Personal Data
Categories of recipients with whom we may share your personal data:
The Institute is allowed to share your data with a range of organisations but only where legally enforceable data sharing agreements are in place or where there is a statutory report requirement. In general the types of organisations that the Institute would normally share information with are as follows:
- Government Departments and Regulators / supervisory authorities including Department of Education & Skills, Department of Public Expenditure & Reform, Revenue Commissioners, Department of Employment Affairs & Social Protection, Department of Finance, Higher Education Authority, An Garda Siochana, to provide for a range of shared services, supports and statistical information.
- Other public sector bodies such as SUSI, SOLAS, Education & Training Boards, Office of the Comptroller & Auditor General, An Bórd Altranais, HSE, other Third Level Education organisations, work placement sites.
- DkIT Students Union, DkIT Sport, IT consultants and general contractors hired by the Institute where they may be working on DkIT IT systems or delivering a service regarding a work process. Embassies or supporting/sponsoring bodies of International non-EU Students, partner EU Colleges and Universities.
Will your personal data be transferred out of the European Economic Area (EEA)?
No, your personal data will generally not be stored or transferred outside of the European Union or the EEA Area (EU states plus Iceland, Norway, and Liechtenstein). Where we do share information outside of the EEA or if there were to be exceptional arrangements for storage of your data outside the EEA, we will always take steps to ensure that any transfer of information outside of the EEA is carefully managed to protect your privacy rights under GDPR. This is provided for under EU Security Regulations. An example of when personal data may be shared or transferred: for non-EU International students who may be sponsored by their own country’s embassies or other supporting bodies, in this case they may require as part of the students placement on the programme and with their knowledge, an update of their attendance and progress.
Are there any other appropriate and suitable safeguards?
Personal data may only be transferred if appropriate safeguards are provided and on the condition that enforceable data subject rights and effective legal remedies are available. Safeguards may include:
- Legally binding and enforceable instruments between public authorities/bodies;
- Standard data protection clauses adopted by a Supervisory Authority and approved or adopted by the EU Commission;
- Standard contractual clauses between controller/processor and recipient in the third country or international organisation.
Section 8 - How long will we keep your personal data?
The Institute will keep information relating to you for only as long as required to provide you with access to services. There is some information that we need to retain on students and staff indefinitely. There are a number of reasons for this.
For example for staff we need to keep a record of name, position, PPS number and staff id, date of birth, salary and pension details – this is to be able to verify that a person was indeed a staff member should they require confirmation of same in the future or a transfer of service to another educational or public sector organisation and to administer retired staff pension payments and queries.
For students, we will keep their name, student ID, date of birth, programme of study and academic record indefinitely. Again this is to be able to verify that a student was registered on a programme of study and the level of qualification received and when awarded.
Information held on students / staff will be culled after they have completed their studies or left employment within the timeframe as set down in the Institutes records retention schedule for related records and thereafter the core details maintained indefinitely as noted above. For example finance related records (fees, claims etc) must be kept for a minimum of 7 years as per audit regulations.
The Institute must adhere to the rules of the National Archives’ Office for disposal and retention of records and various other administrative and legal requirements such as retention for audit purposes however the GDPR states that we cannot store any information for longer than it is required and therefore each domain of the Institute is responsible for the data that it collects for its own business reasons and what does not need to be retained indefinitely to be disposed of.
Where data is captured and required for specific reasons and does not need to be retained beyond a set timeframe then this data will be deleted as soon as its purpose has been served. An example of this would be where the Institute has generated an invitation list to an event – such as careers fair or open day – once the event has occurred then the list would be deleted as the purpose has concluded.
Section 9 - Will your personal data be used for any other purposes?
As mentioned earlier we are allowed by law to collect and process personal data for a range of reasons. We are also allowed to collect data for a specific reason and use it for another related purpose. This is because the Institute provides a wide range of services and it would be impractical for us to keep asking you for the same information over and over again. For example, when you register as a student during the Admissions process you give us a lot of information which allows us to enter you on a programme of academic study. However, we will use some of that information in our liaison with other Departments of the Institute to be able to provide further services to you such as Academic Schools, Student Services, Library, IT services and so on.
Section 10 - Your rights as a Data Subject
All our customers (Data Subjects) have rights under EU (GDPR) and Irish data protection legislation.
The right to access your personal data (information we hold on you)
You are entitled to ask us for copies of any of your personal data that we have collected and stored. Such requests can be submitted in writing or by email to the Data Protection Office, Dundalk Institute of Technology, Dublin Road, Dundalk, Co Louth. You will appreciate that we may need to verify your identity before we deal with any request for copies of your personal data. Under GDPR we have one month to process requests.
The right to correction of incorrect personal data held by the Institute and the right to object to the processing of data
The Institute will always try to make sure that the information that we hold on you is accurate and up to date. We may on occasion ask you to verify this information. If your information changes or you believe that we have information that is not up to date, please let us know. You are entitled to ask us to update any incorrect personal data that we may have in relation to you. Again we may ask for proof of identity before processing such a request. We cannot allow anyone else but you to update your personal data unless you have a fully authorised personal representative.
The right to erasure of personal data
As noted previously the Institute has a records retention schedule that states that some data may be retained indefinitely for various reasons. Where data is held or required for ongoing administration purposes then this data will not be subject to erasure even if requested by the data subject. However each business area of the Institute should only retain data for as long as is required for the specified purpose it was collected for. You have the right to request that business area to delete any information that you feel is not required for ongoing administration purposes.
The right to object to automated decision
The GDPR gives you the right to object to automated decision making by DkIT computer systems where there is a legal or significant impact on you as a customer. An automated decision is a decision which is made entirely by a computer without the intervention of an Officer of the Institute.
We do use a number of automated processes such as in Recruitment of new personnel using CORE HR/Payroll system or our Agresso creditors’ payment system. However, there is no situation where a customer (data subject) will receive a decision, communication or payment without the intervention of an Institute Officer. Automated systems used assist the manual work process already in place rather than replace it.
The right to data Portability – the right to receive your data from one controller to send it to another
Data subjects have the right to request their data from one controller so that it can be given to another controller. This right is most relevant to organisations such as utilities, financial institutions etc with which you have a contract and where you may wish to seek to change provider or to get a better deal.
This right says that you can get your personal data in a structured commonly used machine readable format to pass on to another organisation. Should you request this from the Institute, we may have to ask for what specific data is required but we will try to generate for you if doable and provide the information as quickly as possible.
The right to be notified of a data breach
As a customer – student (prospective, current, past) staff member (prospective, current, past) service and goods provider, etc, we are obliged to let you know when your personal data may have been lost, destroyed or given to a person or organisation who shouldn’t have received it. The Institute has a range of security measures in place to protect personal data and it would be very rare that one person’s personal data would be sent to another person who is not a trusted recipient or where it would be lost or stolen. However in the unlikely event that a serious data breach happens, the Institute will write to you to confirm what happened and what part of your data was affected. We will inform the Data Protection Commission Office of the breach also.
How to get in touch with us
If you have any queries with regard to this statement please contact the DPO at firstname.lastname@example.org
The Data Protection Commission
The Institute works hard to handle your data responsibly and we take our data protection responsibilities very seriously. If you are unhappy about the way we do this please contact the DPO who will attempt to address any concerns that you may have. However you also have the right to complain to the Data Protection Commission who can be contacted at:
How to exercise your rights under Data Protection
You can make a request under any of these rights by contacting the Data Protection Office – contact details at beginning of this statement.
We may need to confirm your identity first as we cannot give your personal data to others. Once we have verified your identity and location of your data we will endeavour to get the information requested to you as soon as possible. However we have to respond to you within one month from verification of your identity and request. You should give as much information about yourself in your request to assist the Institute in locating your information and fulfilling your request as quickly as possible. For example if you are a former student, you should supply your name, your student ID (if known) your date of birth and the programme of study that you attended and the date(s) you attended the Institute.
For complex requests or where there are a large number of requests, we can extend our time to respond to you by two months but we must tell you we are going to do this within the first month together with the reason for the delay. If we are not going to respond to your request at all we must tell you this within the first month. If you make an electronic request we must respond to you electronically unless you prefer otherwise.
Anything we do in response to your request and information we give you will not incur a charge. If you make excessive requests for example the same one repeatedly, or your requests have no basis in fact we may either charge you a fee or refuse to act on it. A fee will not be applied where you have made a mistake such as a wrong location or date but we will not act on your request.
List of Primary and Secondary Legislation under which DkIT have the authority to collect personal data:
Primary legislation (all as amended)
- Higher Education Act 1971
- Regional Technical Colleges Act 1992 / Amended 1994
- Institutes of Technology Act 2006
- Technical Universities Act 2018
- National Archives Act 1986
- Qualifications and Quality Assurance (Education & Training) Act 2012
- Disability Act 2005
- Student Support Act 2011
- Pensions Act 1990
- Payments of Wages Act 1991
- Social Welfare Act 2000 – Sect 32
- Terms of Employment Act 1994-2012
- Fixed Term Work Act 2003
- Employment Equality Act 1998 to 2015
- Equality Act 2004
- Equal Status Act 2000 to 2015
- Gender Recognition Act 2015
- Children’s Act 2015
- National Vetting Bureau Act 2016
- Single Pension Scheme 2012
- Parents Leave & Benefit Act 2019
- Data Sharing & Governance Act 2019
Secondary Legislation (all as amended)
- Ethics in Public Office 1995
- Education Act 2012
- Protection of Employees (Part-time) Act 2001
- Safety, Health and Welfare at Work Act 2005
- Organisation of Working Time Act 1997 (SI No 465 of1997)
- Ombudsman Act 1980
- Social Welfare Act 2000 (Sect 32)
- Maternity Leave Acts 1994-2004
- Adoptive Leave Act 1995
- Parental Leave Acts/Force Majeure Leave 1998-2019
- Carer’s Leave Act 2001
- Terms of Employment – Unfair Dismissals Acts 1977-2007
- Terms of Employment - Redundancy Act 1967 – 2007
- Industrial Relations Acts 1946 - 2012
- Public Service Management (Sick Leave) Regulations 2014 as amended by the Public Service Management (Sick Leave) Amendment 2015
- Education Section Superannuation Scheme 2015