Data Protection and the General Data Protection Regulation (GDPR)

On the 25th of May 2018 the General Data Protection Regulation (GDPR) came into effect. In Ireland GDPR has been given legislative effect in the new Data Protection Act 2018.

Overview

This new legislation updates the current law in relation to data protection and seeks to strengthen and unify data protection for all individuals within the European Union including Ireland. It grants new and enhanced rights for all individuals in relation to their own personal information. It also restricts the ways in which organisations can use the information.  

Data Protection law applies to the “Processing of Personal Data”.

Article 2 (1) defines the Scope of the GDPR as follows: 

This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

This means that all information held on a computer or other electronic systems is within the scope of the GDPR, as is any information that is held in paper or other manual records as long as such information is within a ‘filing system’, or created with the intention that it will be placed into a filing system. 

A filing system is defined as ‘any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis’.

Definitions

‘processing’ means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

In essence, virtually anything that can be done with personal data amounts to processing. 

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; 

Dundalk Institute of Technology (DkIT) is a Data Controller. 

More Information

Data Protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights, which states:

  • Everyone has the right to the protection of personal data concerning him or her;
  • Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned, or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified;
  • Compliance with these rules shall be subject to control by an independent authority.

This means that every individual is entitled to:

  • The right to be informed - about how DkIT processes your data;
  • The right of access - to receive a copy of and/or access the personal data that DkIT holds about you;
  • The right to rectification - to request that any inaccurate or incomplete data that is held about you is corrected;
  • The right to erasure - erasure of personal data where there is no legitimate reason for DkIT to continue to process it;
  • The right to restrict processing - the restriction of processing of personal data in specific situations;
  • The right to data portability - to request that DkIT provides some elements of your personal data in a commonly used machine-readable format in order to provide it to other organisations;
  • The right to object - to the processing of your personal data by DkIT in certain circumstances, including direct marketing material;
  • Rights in relation to automated decision making and profiling - right to obtain human intervention;
  • The right to make a complaint in respect of our compliance with Data Protection Law to the Office of the Data Protection Commission (DPC).

These rights can be exercised at any time.

For more details on your Rights under the GDPR please refer to the Data Protection Commission website.

Individuals have the right to request a copy of any of their personal data which are being processed by controllers. These requests are often referred to as data subject access requests or access requests.

If you wish to make a request for access to your personal data, please contact the following:

  • Address: Data Protection Office, Dundalk Institute of Technology, Dublin Road, Dundalk, Co. Louth, A91 KK584
  • Email: [email protected]
  • Telephone: 042 9431390

Please be as specific as possible in relation to the personal data you wish to access. 

You may be asked to provide evidence of your identity. This is to make sure that personal information is not given to the wrong person.

Your request will be dealt with free of charge. However, per Article 12(5) GDPR, in certain very limited circumstances, where the initial request is ‘manifestly unfounded or excessive’, a controller can charge a ‘reasonable fee’ for the administrative costs of complying with the request.

We will respond to your request within one month of receipt of it.  The one-month period may be extended by two further months, where necessary, considering the complexity and number of requests.  If this is the case, we shall inform you of any extension within one month of receiving your request and explain the reasons for the delay.

Article 15 (4) states that you have the right to obtain a copy of your personal data; however, this right shall not adversely affect the rights and freedoms of others. This means that any identifiable personal data of other individuals (third parties) shall be removed prior to the release of records.

If you are not happy with our decision or we do not take action on foot of your request, you have the right to lodge a complaint with the supervisory authority – the Data Protection Commission. You can contact the DPC as follows.

For further guidance on how you can exercise your Right of Access, please read the DPC guidance on The Right of Access on their website at https://www.dataprotection.ie/en/individuals/know-your-rights/right-access-information.

All access requests from a member of An Garda Síochána should include the following:

  1. The request must be in writing on official Garda letterheaded paper;
  2. It must indicate that it is for the prevention, detection, investigation, or prosecution of a criminal offence;
  3. The request must state that it is made pursuant to section 41(b) of the Data Protection Act 2018;
  4. The request must be signed by a Garda of the rank of Superintendent, or above;
  5. It must include the requesting Garda’s name and badge number;
  6. It must include the investigation pulse number;
  7. Additional information to allow DkIT locate the data such as time periods, names, departments or areas of DkIT that are most likely to hold the relevant information. Please note we may have to get back to you to seek further clarification if we do not have enough detail to enable us to find the information you are seeking.

All access requests should be sent to the following address/email:

  • Postal Address: Data Protection Office, Whitaker Building, Dundalk Institute of Technology, Dublin Road, Dundalk, Co. Louth, A91 K584    
  • Email: [email protected]
  • Telephone: +353 (0)42 9431390

Right of Appeal

If Dundalk Institute of Technology fails to comply with a valid Subject Access Request or if you are not satisfied with our handling of your request, you can make a complaint to the Data Protection Commissioner:

Controllers have a range of obligations under data protection law, and in particular must comply with the Principles of Data Protection.

Compliance with these fundamental principles of data protection is the first step for controllers in ensuring that they fulfil their obligations under the GDPR.

Article 5 GDPR sets out these principles, which aim to ensure that personal data are:

  • processed lawfully, fairly and transparently; 
  • processed for specific purposes; 
  • limited to what is necessary; 
  • kept accurate and up to date;
  • stored for no longer than necessary; 
  • protected against unauthorised or unlawful processing, accidental loss, destruction, or damage. 

Controllers must also be able to demonstrate compliance with these principles, under the principle of accountability.

DkIT is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data.  To help comply with GDPR, DkIT have developed a range of policies and procedures which have been implemented throughout the organisation. 

Visit Data Protection Policies

Definition of a Personal Data Breach:

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Under the General Data Protection Regulation (GDPR) there is a requirement for organisations to report personal data breaches to the relevant supervisory authority, where the breach presents a risk to the affected individuals. Organisations must do this within 72 hours of becoming aware of the breach.

Where a breach is likely to result in a high risk to the affected individuals, organisations must also inform those individuals without undue delay.

If you discover a personal data breach or suspect a breach may have occurred, please notify our Data Protection Office immediately by emailing [email protected] or by telephoning 042 9431390.

The staff and student privacy notices explain how DkIT collects, uses and shares your personal data and your rights in relation to the personal data that we hold on you. These privacy notices concern our processing of personal data for staff and for past, current and prospective students of the Institute.

Visit the Privacy Statement for Staff and Students

DkIT has appointed a Data Protection Officer to act as the point of contact with the supervisory authority and to assist individuals regarding all issues related to processing of their personal data and to the exercise of their rights under the Regulation. Data Protection Officer contact details:

  • Address: Data Protection Office, Dundalk Institute of Technology, Dublin Road, Dundalk, Co. Louth, A91 KK584 
  • Email: [email protected] 
  • Telephone: 042 9431390

The Data Protection Statement for Student Registration details the information Dundalk Institute of Technology will store about its students and student apprentices, how it will be used and other information about data protection. This Data Protection Statement applies to all students registering for the academic year 2019/2020 and thereafter.

Visit the Data Protection Statement for Student Registration

Staff Records

Employment details; payroll and processing information; Provisioning access to DkIT services (ICT and physical services); Pension records, leave records.

Student Records

Visit the Privacy Notice for information on student data that we collect

Student Records Management

Academic record management including records pertaining to: registration; fees administration; examinations; awards management; access to services and facilities; access to online facilities; statistical reporting including government statutory returns. Sensitive data, for example medical information: students may provide personal and medical data to DkIT in their registration for student support services. This information is required to establish that the individual requires student support services additional to those normally provisioned to the general student population, to establish what those services might be, and to allow the Institute to deliver those additional supports. DkIT will never disclose any sensitive data to any third party without the individual's prior approval and consent.

The provision of other contact details (other than name and address) is necessary as this may be required for regulatory/communication purposes, e.g. grants or an Institute-wide communication, using email or SMS services to communicate with such a large body of users. Examples of communications to the student body might include notifications with regard to class cancellation, sports & societies groups and emergency information.

Retention of Records

DkIT will keep a student's results permanently after the student ceases to be a student, in order to retain the academic record of the student.

DkIT will keep staff employment records permanently after the staff member ceases to be a staff member. These records will be minimal in content and only that which will allow the Institute to fulfil its obligations pertaining to staff pay and pension entitlements following tenure at DkIT.

DkIT may share some data with authorised agents or third parties who act on behalf of DkIT in connection with the activities already referred to above; however, DkIT continues to be the Data Controller, and authorised agents or third party processors will be operating on our behalf and in line with data protection legislation and Institute guidelines for data protection and security. Further information on who the Institute may share data with is contained in the Privacy notices contained on this website.

From a legal perspective, DkIT may disclose student data if it is under a duty to do so in order to comply with any legal obligation, i.e. any applicable law, a summons, a search warrant, a court order or other valid legal process.

Visit Data Protection Policies

Marketing/Promotions

From time to time, DkIT and/or authorised agents acting on behalf of DkIT may wish to contact students about related services which may be of interest to students or to gain feedback to better enhance services offered to students. This could involve the taking of photos at Institute or related events; however, in both instances students have to give their explicit consent to be contacted in this manner, and their permission must be sought for a photo to be taken and subsequently used. To avoid any doubt, however, DkIT will never sell or provide personal data to third parties who do not provide services to DkIT and DkIT will never use personal data to market non-DkIT related products or services.

We are committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data. As such, DkIT has developed a number of Policies that must be adhered to in order to comply with GDPR and these are listed on this website under Policies and Procedures.

The HEA has a statutory responsibility for the effective governance and regulation of the higher education system pursuant to the Higher Education Authority Act 2022 and subsequent amending legislation which has extended its remit to encompass Institutes of Technology and more recently Technological Universities. In order to discharge its functions effectively, it must process certain categories of personal information.

Visit the HEA Student Data Collection Notice


 
