• Section 1 - Introduction
• Hibernia College and Student Personal Data
• Who are these guidelines for?
• Section 2 - What Is Data Protection?
• Data Protection Principles
• Definitions
• Examples of Students’ Personal, Special Category Data and Criminal Offence Data
• Section 3 - Accessing Personal Data
• Section 4 - How Can You Ensure You Are Handling Student Data Appropriately?
• Part A - Taking Care in Identifying Student Personal Details
• Verifying Student Identity
• Cause for Concern for Student Identity
• Change of Personal Details
• Part B - Taking Care in Student Data Handling 
• Drafting Documentation
• Unauthorised Use of Data
• Confidentiality
• Data Handling in Assessment
• Part C - Practising Good Data Security
• Keeping Your Access to Hibernia College Systems Secure
• Device Safety
• Email Correspondence with Students
• Part D - Data Breaches
• Discovering a Suspected Data Breach
• Breach Notifications
• Examples of Data Breaches
• Part E - Questions or Concerns

Section 1 - Introduction

Hibernia College and Student Personal Data

(1) Processing student data is an integral part of the day-to-day operation of Hibernia College. As a data controller, the College has an obligation to protect the data privacy, security and integrity of our data subjects, including our students, in line with the principles set out in the Personal Data and Records Policy. 

Who are these guidelines for?

(2) These guidelines are to support any Staff, Faculty or Adjunct Faculty member in the implementation of data protection principles in their role and in the day-to-day handling of student data.

Section 2 - What Is Data Protection?

Data Protection Principles

(3) The following seven principles underpinning data protection are dealt with in the Personal Data and Records Policy:

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

Definitions

(4) The following key data protection terms apply to this document:

1. Data Controller
2. Data Processor
3. Data Subject
4. Personal Data
5. Special Category Data 
6. Criminal Offence Data
7. Identifiable Natural Person

Examples of Students’ Personal, Special Category Data and Criminal Offence Data

(5) Examples of students’ personal data held by Hibernia College includes but is not limited to:

1. Biographical information such as name, address, date of birth, PPS number, phone number and email address
2. Data relating to studies such as student number, prior educational data (i.e. grades achieved at leaving cert, grades achieved at third level), grades achieved during study, admissions data, academic appraisal and feedback
3. Emergency contact/next of kin

(6) Examples of Special Category Data

1. Certificates pertaining to a student’s mental or physical health provided as evidence for absences, reasonable accommodation, assessment extensions and pause in studies

(7) Examples of Criminal Offence Data

1. Garda Vetting disclosures and associated information

Section 3 - Accessing Personal Data

(8) The GDPR gives individuals the right of access to their personal data. This includes the right to confirmation that personal data concerning them is being processed and the right to request a copy of any such data. These requests are often referred to as Data Subject Access Requests (DSARs).

(9) Data Subjects have the right to access data pertaining to them in any format, including documents where they are identified directly or indirectly by any identifier such as a PPS number or student number or any attributes distinguishing a person.

(10) The College’s process for dealing with a DSAR is set out in the Data Subject Access Request (DSAR) Management Procedure.

Section 4 - How Can You Ensure You Are Handling Student Data Appropriately?

Part A - Taking Care in Identifying Student Personal Details

Verifying Student Identity

(11) Hibernia College Staff, Faculty and Adjunct Faculty should take care to ensure they are responding to a student’s official College email address, or students’ email as registered with the College, in all written communications.

(12) When communicating with students on the phone, Staff, Faculty and Adjunct Faculty should ask two verification questions to verify the student’s identity before releasing any personal information. The first verification question should always be a request for their Student Number. Additional questions can include verification of registered address, telephone number and date of birth.

(13) In instances where special category data is being requested, it may be appropriate to request the student to produce a copy of photographic identification in consultation with the Data and Records office, e.g. students requesting records of data they submitted as evidence in a formal process, such as requests for extensions and applications related to reasonable accommodations. 

Cause for Concern for Student Identity

(14) Whenever there is uncertainty about a person’s identity, the Records and Data Manager must be contacted without delay.

(15) The Records and Data Manager will conduct an investigation and will notify all departments to hold all correspondence relating to the individual until their identity can be confirmed.

(16) In cases where there is any doubt as to whether a personal data security breach has occurred, the Records and Data Manager should be consulted immediately.

Change of Personal Details

(17) Students can submit a Change of Personal Details Application Form to the Data and Records Office to update or amend their personal details. 

(18) Any requests received by other College Staff, Faculty and Adjunct Faculty should be forwarded to the Data and Records Office for processing.

Part B - Taking Care in Student Data Handling 

Drafting Documentation

(19) Hibernia College Staff, Faculty and Adjunct Faculty should ensure that all documentation, records or correspondence which contain student data are drafted in consideration of the students’ right of access. 

Unauthorised Use of Data

(20) Accessing student data for usage outside of your contract with Hibernia College is strictly prohibited. Such prohibited usage includes but is not limited to personal interests or commercial interests.

Confidentiality

(21) Hibernia College Staff, Faculty and Adjunct Faculty should never discuss any aspect of a student’s grade or academic record with another person outside of the College. This includes the parent, spouse or friend of a student. Our contract is with the student alone.

(22) If a student provides any Staff member with special category data, the Staff member should ensure that the special category data is passed to the appropriate Hibernia College Staff or Faculty member. Once the data has been passed to the appropriate person, the Staff member should permanently delete the data from their records. 

Data Handling in Assessment

(23) When marking several assessments in a row, Hibernia College Staff, Faculty and Adjunct Faculty should ensure the file name matches the name and student number on the account to which the file is uploaded.

(24) Ensure that feedback files are not mixed up with personal files on your device.

(25) Do not save any assessment or feedback material to unsecure environments. This includes, desktops, unlicensed cloud services and USBs.

(26) Once you have concluded marking an assessment and you have received confirmation that the relevant data has been received by the College, delete all information pertaining to the assessment from your device. 

(27) Avoid paper records unless absolutely necessary.

Part C - Practising Good Data Security

Keeping Your Access to Hibernia College Systems Secure

(28) Ensure that your password to Hibernia College systems including, but not limited to, Outlook, Quercus, MyHELMS and Inplace is strong and secure. Use a mixture of lowercase, uppercase, letters, numbers and special characters. Do not use a password that is the same as a password you use in other contexts. Ensure that your password is regularly changed. 

(29) Never allow another person to access the College information systems using your account.

(30) If you suspect your account has been compromised, change your password immediately and contact the Hibernia College Information Technology department.

(31) If you are accessing Hibernia College systems from a shared device, do not save your passwords.

(32) Single Sign On (SSO) and Multi Factor Authentication (MFA) must be used where available.  

(33) Access to College Systems from outside Hibernia’s office network should be by a secure Virtual Private Network (VPN).   

(34) Never open unsolicited emails or click on any links within an email unless you are expecting the email and sure of the source.   

(35) Where possible, do not send files as attachments, but via a secure link.   

Device Safety

(36) Never leave your device unattended without ensuring it is password protected. Never leave your device unattended in an unsecure location for any reason.

(37) Ensure your device is encrypted or password protected.

(38) To safeguard against cyber-attacks, viruses and malwares, ensure your device is equipped with an adequate firewall and anti-virus software.

(39) If your device is lost or stolen, contact the Records and Data Manager and the Information Technology department immediately. 

Email Correspondence with Students

(40) When sending group emails, use MyHELMS wherever possible. 

(41) If, for a legitimate reason, you are required to use email for group correspondence, always send group emails via the ‘bcc’ field, not the ‘to’ field. If students can view the contact details of their classmates, this is a data breach.

(42) Be very mindful when forwarding email threads from students as the content may contain protected or sensitive information that the subsequent recipient does not need to view or is not entitled to view.

Part D - Data Breaches

Discovering a Suspected Data Breach

(43) If you discover, or even suspect a data breach, consult the Personal Data Security Breach Management Procedure and contact Data Protection Officer immediately at dpo@hiberniacollege.net  

Breach Notifications

(44) Where the College has determined that the data breach is likely to result in a risk to the rights and freedoms of data subjects, the data breach must be reported to the Data Protection Commission within 72 hours of first having become aware of the breach. 

(45) Data processors are also required to notify their customers, the controllers, ‘without undue delay’ after first becoming aware of a data breach.

Examples of Data Breaches

(46) Examples of data breaches include:

1. Disclosing information about a student to another student
2. Disclosing information about a student to a person not contracted by Hibernia College to serve students
3. Publishing of student information on websites and social media
4. Inadvertently sending emails via reply all to those who did not need to view that information
5. Data is stolen by physical or electronic means

Part E - Questions or Concerns

(47) If you have any questions or concerns, feel free to contact the Data Protection Officer at dpo@hiberniacollege.net.