• Section 1 -  Introduction
• Purpose
• Scope
• Definitions 
• Section 2 - Context
• Legal or Regulatory Context
• Section 3 - Policy Statements
• Part A - Principles for Data Processing
• Collection and Processing of Data
• Storage
• Retention
• Disposal
• Support
• Criminal Offence Data 
• Special Category Data
• Exemptions for Research
• Maintaining Accurate Records
• Part B - Third-Party Disclosure
• Part C - Rights of the Data Subject
• Right of Access 
• Right of Rectification
• Restriction of Processing
• Right to Erasure
• Right to Portability
• Right to Object
• Part D - Principles for Managing Data Subject Access Requests (DSARs)
• Timeframe of Response
• Notification of Departments
• Delivery of Request
• Record of Request
• Exemptions
• Part E - Principles for Managing Data Security breaches
• Notification of the Data Protection Commission 
• Notification of Relevant Stakeholders and the Data Subject 
• Records and Evaluation

Section 1 -  Introduction

Purpose

(1) This policy sets out the principles and responsibilities of all members of the Hibernia College community in relation to the collection, storage, processing and retention of personal data. This policy relates to the use and processing of all personal data which identifies or is capable of identifying any living individual, and which therefore requires compliance with the European Union’s General Data Protection Regulation 2016 and the Data Protection Act, 1998-Data Protection Act 2018. This policy should be read in conjunct with the College’s Privacy Policy.

Scope

To whom does the policy apply?

(2) This is an overarching policy setting out how personal data is processed by the College and applies to the processing of personal data by all Staff, Faculty, Adjunct Faculty, students and third parties. 

In what situations does the policy apply?

(3) This policy relates to all situations in which personal data is used and processed by the College.  

Who is responsible for implementing the policy?

(4) The Records and Data Manager is responsible for managing the College’s implementation of the Personal Data and Records Policy and for managing and addressing breaches of this policy.

(5) The Director of IT is responsible for operational matters regarding the technical security and safety of personal data.

(6) All Staff, Faculty, Adjunct Faculty and students have individual responsibility for ensuring that this policy is adhered to where personal data is being collected, stored, processed or retained for any purpose, including research collection.

(7) Any third parties involved in collaboration or contracted to complete work with the College for any reason are responsible for adhering to this policy.

Definitions 

(8) Data Controller

(9) Data Processor

(10) Data Subject

(11) Personal Data

(12) Special Category Data 

(13) Criminal Offence Data

(14) Identifiable Natural Person

Section 2 - Context

Legal or Regulatory Context

(15) The College will comply with all requirements with regard to its data protection obligations, including the following:

1. GDPR

   1. This policy is intended to facilitate the College in fulfilling its obligations under General Data Protection Regulation 2016. The General Data Protection Regulation 2016 is a regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

2. Irish Data Protection Law

   1. This policy is also intended to ensure the College’s compliance with the Data Protection Act 2018.  

3. QA Guidelines

   1. The policy is designed to comply with both the European Standards and Guidelines and QQI’s Core Statutory Quality Assurance Guidelines, which both specify requirements in respect of the collection, processing, storage and disposal of data.

Section 3 - Policy Statements

Part A - Principles for Data Processing

Collection and Processing of Data

(16) The College only collects, uses and processes personal data in the following contexts: 

1. The data subject has provided consent to the processing of their personal data. 
2. Processing is necessary for the performance of a contract with the data subject or in order to take steps at the request of the data subject before entering into a contract.
3. Processing is necessary to protect the vital interests of a data subject or another natural person.
4. Processing is necessary to fulfil legal and accreditation obligations to which the College is subject. 
5. Processing is necessary for the purposes of the College’s legitimate interests except where such interests are overridden by the fundamental rights of the data subject. 

(17) The College endeavours to ensure that personal data is: 

1. Processed lawfully and fairly 
2. Collected for specified purposes
3. Relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained for no longer than necessary
6. Processed in a manner that ensures appropriate security of personal data

Storage

(18) The College stores personal data and records in a format that is suitable for the processing of the personal data and records.

(19) The College ensures that personal data and records are stored in a safe and secure manner.

Retention

(20) The College will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

(21) See the College Document Retention Schedule for further information on retention periods. 

Disposal

(22) Where the relevant retention period has expired, all personal data is destroyed promptly and securely and is permanently deleted from the College’s system. 

(23) A record is retained with regard to the disposal or destruction of personal data.

Support

(24) The College provides support, assistance, advice and training to all departments, offices and Staff to ensure that all parties are in a position to comply fully with this policy.

Criminal Offence Data 

(25) The College will only process criminal offence data in specific circumstances where it is required to do so in order to fulfil its obligations.

(26) Garda vetting information is collected as required under the National Vetting Bureau (Children and Vulnerable Persons) Acts 2012 to 2016 and the College’s Admissions Policy and Garda Vetting Procedure.

Special Category Data

(27) The College only processes special category data in specific circumstances as required to fulfil its legal obligations as a private unlimited company and as a higher education institution. This may include the following:

1. Data concerning health may be required to fulfil obligations and to provide evidence of personal circumstances as set out in College procedures, such as the Appeals Policy and the Extenuating Circumstances Policy.
2. Any other data as required for processing of students’ academic performance.

Exemptions for Research

(28) Subject to the existence of appropriate safeguards, Article 89 of the General Data Protection Regulation 2016 sets out certain exemptions to the principles of data processing for research purposes. These exemptions are set out below, and the College may apply these exemptions with regard to personal data collected for research purposes, where necessary:

1. Storage Limitation: Research data can be held for an indefinite period of time.  
2. Purpose Limitation: Research data can be used for a purpose other than that it was originally intended for, provided that purpose is still research.
3. Data Subject Rights: Certain exemptions as set out in Article 89 of the General Data Protection Regulation 2016 may apply with regard to data subject rights (see below).

Maintaining Accurate Records

(29) The College is required to maintain accurate and up-to-date records for any data subject for whom the College holds personal details, which includes both students and graduates.

(30) Changes to student and graduate personal details specifically are processed in line with the Change of Personal Details Procedure.

Part B - Third-Party Disclosure

(31) Personal data will only be disclosed as needed: 

1. To processors approved by and carrying out necessary functions for the College under criteria specified by the College
2. Where the College is required to do so by law or by professional bodies in connection with the performance of a contract in respect of the data subject
3. To any department or appointed authorised person within the company or any member company within this group, which means any subsidiary or holding company within the meaning of Sections 7 and 8 of the Companies Act 2014
4. To any governmental, financial or regulatory body, agency or department
5. To business partners, suppliers and sub-contractors for the performance of any contract entered into with them or the data subject in relation to the services, including insurers and Adjunct Faculty
6. To research partners including participating schools, healthcare providers and/or higher education institutions in Ireland and abroad in relation to any project or placement you undertake or agree to participate in
7. To selected third parties including the Garda Vetting Unit and educational partners, including but not limited to Quality & Qualifications Ireland, the Teaching Council and the Nursing and Midwifery Board of Ireland, as well as other professional, regulatory or statutory bodies in connection with the performance of any contract we may enter into with you

(32) We will disclose your personal information to third-party recipients:

1. If the College sells or buys any business or assets, personal data will be disclosed to the prospective seller or buyer of such business or assets
2. If the College, or substantially all of its assets, are acquired by or transferred to a third party whether in the event of a merger, reorganisation, transfer of undertakings, receivership, liquidation or other winding up or any other similar circumstances, in which case personal data held by the College will be one of the transferred assets
3. If the College is under a duty to disclose or share a data subject’s personal data in order to comply with any law, legal obligation or court order, or in order to enforce rights under the law, our Terms and Conditions of Website Use or any other agreements
4. To protect our rights, property or safety, our customers, or others
   1. This includes exchanging information with other companies and organisations for the purposes of maintaining the security of the websites and services

Part C - Rights of the Data Subject

Right of Access 

(33) Data subjects have the right to access a copy of their personal data under the Data Subject Access Request (DSAR) Management Procedure.

Right of Rectification

(34) Data subjects have a right to have their records amended in the case of inaccuracies in, or actual changes to, their personal details.

Restriction of Processing

(35) Data subjects have a right to restriction of processing of their personal data, except where processing is based on lawful grounds other than consent.

Right to Erasure

(36) Data subjects have a right to have their personal details deleted, except where processing is based on lawful grounds other than consent.

Right to Portability

(37) Where it is technically feasible, data subjects have the right to have an easily accessible copy of their personal data transferred or moved to another data controller, except where that processing is based on lawful grounds other than consent.

Right to Object

(38) Data subjects have the right to object to processing or restrict processing of their personal data if:

1. The personal data is processed unlawfully
2. Restriction is needed to comply with legal obligations
3. The data subject has withdrawn consent

Part D - Principles for Managing Data Subject Access Requests (DSARs)

Timeframe of Response

(39) All DSARs received by the College must be responded to within one month, irrespective of weekends and public holidays.

(40) The date of receipt of a DSAR is the date on which the DSAR was received by the College and this date is the beginning of the one-month period. 

(41) Where a request is complex, or multiple requests are received from the same individual, the College can extend this time by a maximum of two months. Where an extension is sought, the data subject is notified within a one-month period and an explanation for why the extension is necessary. 

Notification of Departments

(42) Where a DSAR is received by the College, all relevant departments must be notified. 

(43) Stakeholders will be notified about their responsibilities in assisting to identify categories of requested data.

Delivery of Request

(44) Information will be sent securely via the format requested by the data subject.

Record of Request

(45) A record of the DSAR will be retained for the purpose of auditing and evaluation.

Exemptions

(46) Emails sent by students using a College email account are outside the scope of a normal DSAR unless there is data specific, identifiable and retrievable contained within and the data subject has an explicit legitimate interest for pursuing it.

(47) Research data cannot be obtained as part of a DSAR, except where requesting such data does not impair or prevent the research project.

(48) Where a DSAR is considered manifestly unfounded or excessive by the College, having undertaken a detailed assessment, the College may refuse to act on the request in line with Article 12(5) of the GDPR. If this is the case, the College will inform the data subject of its decision. 

Part E - Principles for Managing Data Security breaches

Notification of the Data Protection Commission 

(49) The College as a data controller is obliged to respond promptly to an actual or potential data security breaches as outlined in the Personal Data Security Breach Management Procedure.  

(50) Where the breach presents a risk to the affected individuals, the College is required to notify the Data Protection Commission of such a breach within 72 hours of becoming aware of the breach. 

(51) The notification will be made through the ‘Breach Notification Form’ on the Data Protection Commission website and will include the nature of the personal data breach.

Notification of Relevant Stakeholders and the Data Subject 

(52) Where a breach is likely to result in a high risk to the affected individuals, the College must also inform those individuals without undue delay. 

(53) Any stakeholders deemed relevant to the data breach will be notified.

Records and Evaluation

(54) Records of all personal data breaches are maintained in line with the College Document Retention Schedule.

(55) Evaluation of practice is conducted regularly to ensure effective practice.