(1) This policy sets out the principles and responsibilities of all members of the Hibernia College community in relation to the collection, storage, processing and retention of personal data. This policy relates to the use and processing of all personal data which identifies or is capable of identifying any living individual, and which therefore requires compliance with the European Union’s General Data Protection Regulation 2016 and the Data Protection Act, 1998-Data Protection Act 2018. This policy should be read in conjunct with the College’s Privacy Policy. (2) This is an overarching policy setting out how personal data is processed by the College and applies to the processing of personal data by all Staff, Faculty, Adjunct Faculty, students and third parties. (3) This policy relates to all situations in which personal data is used and processed by the College. (4) The Records and Data Manager is responsible for managing the College’s implementation of the Personal Data and Records Policy and for managing and addressing breaches of this policy. (5) The Director of IT is responsible for operational matters regarding the technical security and safety of personal data. (6) All Staff, Faculty, Adjunct Faculty and students have individual responsibility for ensuring that this policy is adhered to where personal data is being collected, stored, processed or retained for any purpose, including research collection. (7) Any third parties involved in collaboration or contracted to complete work with the College for any reason are responsible for adhering to this policy. (8) (9) (10) (11) (12) (13) (14) (15) The College will comply with all requirements with regard to its data protection obligations, including the following: (16) The College only collects, uses and processes personal data in the following contexts: (17) The College endeavours to ensure that personal data is: (18) The College stores personal data and records in a format that is suitable for the processing of the personal data and records. (19) The College ensures that personal data and records are stored in a safe and secure manner. (20) The College will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. (21) See the College Document Retention Schedule for further information on retention periods. (22) Where the relevant retention period has expired, all personal data is destroyed promptly and securely and is permanently deleted from the College’s system. (23) A record is retained with regard to the disposal or destruction of personal data. (24) The College provides support, assistance, advice and training to all departments, offices and Staff to ensure that all parties are in a position to comply fully with this policy. (25) The College will only process criminal offence data in specific circumstances where it is required to do so in order to fulfil its obligations. (26) Garda vetting information is collected as required under the Children and Vulnerable Persons Act and the College’s Admissions Policy and Garda Vetting Procedure. (27) The College only processes special category data in specific circumstances as required to fulfil its legal obligations as a private unlimited company and as a higher education institution. This may include the following: (28) Subject to the existence of appropriate safeguards, Article 89 of the General Data Protection Regulation 2016 sets out certain exemptions to the principles of data processing for research purposes. These exemptions are set out below, and the College may apply these exemptions with regard to personal data collected for research purposes, where necessary: (29) The College is required to maintain accurate and up-to-date records for any data subject for whom the College holds personal details, which includes both students and graduates. (30) Changes to student and graduate personal details specifically are processed in line with the Change of Personal Details Procedure. (31) Personal data will only be disclosed as needed: (32) We will disclose your personal information to third-party recipients: (33) Data subjects have the right to access a copy of their personal data under the Data Subject Access Request (DSAR) Management Procedure. (34) Data subjects have a right to have their records amended in the case of inaccuracies in, or actual changes to, their personal details. (35) Data subjects have a right to restriction of processing of their personal data, except where processing is based on lawful grounds other than consent. (36) Data subjects have a right to have their personal details deleted, except where processing is based on lawful grounds other than consent. (37) Where it is technically feasible, data subjects have the right to have an easily accessible copy of their personal data transferred or moved to another data controller, except where that processing is based on lawful grounds other than consent. (38) Data subjects have the right to object to processing or restrict processing of their personal data if: (39) All DSARs received by the College must be responded to within one month, irrespective of weekends and public holidays. (40) The date of receipt of a DSAR is the date on which the DSAR was received by the College and this date is the beginning of the one-month period. (41) Where a request is complex, or multiple requests are received from the same individual, the College can extend this time by a maximum of two months. Where an extension is sought, the data subject is notified within a one-month period and an explanation for why the extension is necessary. (42) Where a DSAR is received by the College, all relevant departments must be notified. (43) Stakeholders will be notified about their responsibilities in assisting to identify categories of requested data. (44) Information will be sent securely via the format requested by the data subject. (45) A record of the DSAR will be retained for the purpose of auditing and evaluation. (46) Emails sent by students using a College email account are outside the scope of a normal DSAR unless there is data specific, identifiable and retrievable contained within and the data subject has an explicit legitimate interest for pursuing it. (47) Research data cannot be obtained as part of a DSAR, except where requesting such data does not impair or prevent the research project. (48) Where a DSAR is considered manifestly unfounded or excessive by the College, having undertaken a detailed assessment, the College may refuse to act on the request in line with Article 12(5) of the GDPR. If this is the case, the College will inform the data subject of its decision. (49) The College as a data controller is obliged to respond promptly to an actual or potential data security breaches as outlined in the Personal Data Security Breach Management Procedure. (50) Where the breach presents a risk to the affected individuals, the College is required to notify the Data Protection Commission of such a breach within 72 hours of becoming aware of the breach. (51) The notification will be made through the ‘Breach Notification Form’ on the Data Protection Commission website and will include the nature of the personal data breach. (52) Where a breach is likely to result in a high risk to the affected individuals, the College must also inform those individuals without undue delay. (53) Any stakeholders deemed relevant to the data breach will be notified. (54) Records of all personal data breaches are maintained in line with the College Document Retention Schedule. (55) Evaluation of practice is conducted regularly to ensure effective practice.Personal Data and Records Policy
Section 1 - Introduction
Purpose
Scope
To whom does the policy apply?
In what situations does the policy apply?
Who is responsible for implementing the policy?
Definitions
Section 2 - Context
Legal or Regulatory Context
Top of PageGDPR
Irish Data Protection Law
QA Guidelines
Section 3 - Policy Statements
Part A - Principles for Data Processing
Collection and Processing of Data
Storage
Retention
Disposal
Support
Criminal Offence Data
Special Category Data
Exemptions for Research
Maintaining Accurate Records
Part B - Third-Party Disclosure
Part C - Rights of the Data Subject
Right of Access
Right of Rectification
Restriction of Processing
Right to Erasure
Right to Portability
Right to Object
Part D - Principles for Managing Data Subject Access Requests (DSARs)
Timeframe of Response
Notification of Departments
Delivery of Request
Record of Request
Exemptions
Part E - Principles for Managing Data Security breaches
Notification of the Data Protection Commission
Notification of Relevant Stakeholders and the Data Subject
Records and Evaluation
View Current
This is not a current document. To view the current version, click the link in the document's navigation bar.
The above exemptions apply where not exercising these exemptions would prevent or seriously impair the research process or if the research process is unlikely to cause substantial damage or distress to an individual.