
Frequently Asked Questions (FAQs)

Data Protection - GDPR

This page is a summary guide to common Data Protection questions. For more detailed advice, please refer to the Information & Compliance webpages www.ul.ie/dataprotection and www.ul.ie/recordsmanagement.

Please also refer to the ITD Policies & Regulations webpage, which provides further links relating to IT security, web and email usage etc., and the HR Code of Conduct for Employees, which sets out employee obligations relating to confidentiality and use of information.

GDPR stands for General Data Protection Regulation. It is a new regulation which comes into force across the EU on 25 May 2018.  It replaces the current EU data protection laws and will be supplemented by Irish Data Protection Acts. While many of the main concepts and principles of GDPR are similar to those in our current Data Protection Acts, GDPR introduces new elements and significant enhancements which UL is required to accommodate. 

The University continues to be responsible for, and must be able to demonstrate, compliance (“accountability”) with the following Data Protection Principles: 

Personal data shall be:

  • Processed lawfully, fairly and in a way that is transparent to the data subject (“lawfulness, fairness and transparency”);
  • Collected, created or processed only for one or more specified, explicit and lawful purpose (“purpose limitation”);
  • Adequate, relevant and limited to what is necessary for those purposes (“data minimisation”);
  • Kept accurate and, where necessary, up-to-date (“accuracy”);
  • Kept safe and secure (“integrity and confidentiality”);
  • Retained no longer than is necessary (“storage limitation”).

The GDPR introduces a number of changes to data protection practices and will require the University to review and revise its approach to data handling. Key changes include: 

  1. A broader definition of personal data: now includes ID numbers, IP addresses and reversibly anonymised (‘pseudonymised’) data
  2. Sensitive personal data: now includes genetic and biometric data
  3. Privacy Statements: more detailed privacy statements are required, which explain the purpose and legal basis behind processing activities
  4. Accountability: stronger requirements to demonstrate compliance; record-keeping regarding all data processing activities
  5. Consent: must be ‘opt-in’ (rather than being assumed from lack of action), freely given, informed and specific to named processing activities; data subjects will be able to withdraw consent at any time
  6. Subject Access Requests: individuals still have a right to request access to their personal data held by an organisation; this can no longer be charged for; the response time limit is reduced from 40 days to one month
  7. Breach notification: must notify the Data Protection Commissioner within 72 hours of becoming aware of a data protection breach
  8. Right to be forgotten: data subjects can request that their data is deleted in some circumstances
  9. Right to data portability: data subjects can request their data in a portable format, in order to move it to another data controller
  10. Privacy by Design and Default should be the norm
  11. More restrictive rules around the use of child data: restricts the age at which individuals can lawfully give consent, introduces rules for the language used in consent requests targeted at children and regulates the way online services obtain children’s consent
  12. International transfers: new rules for transfers outside the European Economic Area (EEA)
  13. Data Protection Impact Assessments (DPIAs): required for new processing activities where privacy risks are high
  14. Fines: tougher financial penalties (fines of up to 4% of annual global turnover or €20 million, whichever is greater)

Yes. After 25 May 2018, all processing of personal data (including the ongoing storage of data) will be covered by the GDPR. 

Personal data is any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. The definition is technology neutral: it does not matter how the personal data are stored – on paper, on an IT system, on a CCTV system etc. Common personal data include name and address, personal email address, civil status, identity, identification data, living habits, marital status, income, financial situation, IP addresses, web cookies, event logs, location data, GPS data and GSM data.

Examples of personal data include but are not limited to:

  • Name and contact details (incl. home address, home phone/mobile nos., email address)
  • Date of birth/age
  • Birthplace/citizenship/nationality
  • Gender
  • Marital status
  • Photographs (ID etc.)
  • Student/staff ID nos.
  • Next of kin/dependent/family details
  • Bank account details
  • Credit card details
  • Proof of identity
  • Signatures (incl. electronic)
  • Family/lifestyle/social circumstances
  • References
  • Data relating to children
  • Car registration details
  • Passwords and PINs
  • Online identifiers (such as an IP address)
  • Cookies
  • Location data
  • CCTV images/footage
  • Sound/video recordings containing identifiable individuals, incl. those made using mobile phones
  • Voice recordings
  • Research student stipend documentation
  • Staff/student performance review documentation
  • Profiles of researchers/students/other individuals held in any format
  • Questionnaires obtained from research subjects (paper/online)
  • Research subject consent forms
  • Reports to funders with details of staff members’ qualifications, rates of pay, contract duration etc.
  • Copy of passport
  • PPS numbers
  • Application records (CAO/PAC/Direct Entry, scholarship applications)
  • Qualifications/education details
  • References, letters of support
  • Garda Vetting data
  • Examination scripts/other assessment records/FYPs
  • Examination results, broadsheets, igrade records, recheck/appeal records
  • Student academic transcripts
  • Student attendance lists, absentee lists
  • Plagiarism notifications and related documentation
  • Contact lists or mailing lists for students, research subjects and research partners
  • Correspondence with students
  • Conferring records
  • Alumni details
  • Agent details (contact addresses, bank account details etc.)
  • Bank details of suppliers who are individuals (i.e. not legal entities such as companies or trusts)
  • Expense claims
  • Grievance/disciplinary details
  • Employment and career history, contracts of employment, references
  • Applications/CVs/interview board records
  • Qualifications/education details
  • Recruitment and termination details
  • Probation reports
  • Garda Vetting documentation for students and members of staff
  • Health and safety records
  • Performance appraisals
  • Training and development records
  • Income/salary/salary increments
  • Payroll/taxation data
  • Membership of health care provider
  • Credit card or ATM card details
  • Details of gifts/donations made
  • Retirement/pension data
  • Supplier details (names, addresses, contact details, banking and taxation data, licences issued, agreements, contracts etc.)

Sensitive Personal Data/Special Categories of Personal Data

The GDPR defines a subset of personal data as Special Categories of Personal Data (previously known as “sensitive personal data”), namely information concerning:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade Union membership
  • Genetic or biometric data
  • Physical or mental health
  • Sexuality or sex life

The rules regarding Special Category Data are stricter.  Data relating to criminal convictions and offences, whilst not listed as a “special category”, has its own rules in the legislation.

Examples of Sensitive Personal Data include but are not limited to: physical/mental health data, including sick leave details/medical certs and clinical files relating to students; clinical files relating to research participants; disability data; genetic data; human tissue samples; human blood samples; fingerprints/other biometric data etc.

Yes – if an individual can be identified from the address then it is their personal data. If you are emailing more than one student at a time, you should always use the "Bcc" option to avoid sharing students' personal data (email address) with other students. Student email lists should not be shared with class reps or student societies. If a class rep wants to email all the students in their class, you could offer to forward the email on their behalf.

Yes. If a video or photograph contains images of identifiable individuals, then it is regarded as personal data relating to those individuals. Sometimes images may contain sensitive / special categories of personal data (e.g. racial origin, sexual orientation, etc.) so extra rules apply to the processing of such data.

A photograph of a person constitutes their personal data and therefore any use of that photograph must be in accordance with the Data Protection legislation. Individuals should be informed of all such uses that will be made of their image and given an opportunity to object to such use.

Yes. Under GDPR, the time frame for providing the information has been reduced from 40 days to one calendar month.

While many of the main concepts and principles of GDPR are much the same as those in our current Data Protection Acts 1988 and 2003, GDPR introduces new elements and significant enhancements to individuals’ rights: 

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

A Data Breach is any event that has the potential to affect the confidentiality, integrity or availability of personal data held by the University in any format. Data Breaches can happen for a number of reasons. Please refer to Data Breaches for more details.

Data breaches can be caused by many factors, however some are more likely to occur than others. Therefore, taking measures to address these is an essential step in reducing risk. High standards of security are essential when dealing with all personal information responsibly.

Do

  • Keep personal data only on electronic devices that are:
    • Password protected (and never use your UL password for any other account)
    • Regularly scanned with security software
    • Encrypted, if they are portable
  • Keep paper documents containing personal data:
    • Locked away when not in use
    • Never lying around or left behind
    • Out of sight of unauthorised people (e.g. when reading a CV in a public place, on a train or in an airplane)
  • After the original purpose you got permission for has come to an end, dispose of personal data, both electronic and paper, only in a manner that does not allow the deletion/destruction to be undone. This means confidential shredding for paper documents, and an appropriate deletion programme for electronic data. The ‘Recycling Bin’ of your electronic device is not an appropriate place for deleted personal information.

Don’t

  • Never put personal information on any device that can be lost or stolen easily. This includes USB sticks, external hard disks you carry around, laptops left in cars, mobile phones and tablets.
  • Storage solutions like Dropbox, Google Drive etc. must not be used for personal data and are not ITD-supported.
  • Don’t log on to public Wi-Fi (e.g. at airports, cafes etc.) because it can easily be compromised.
  • Don’t use your UL password for anything else.
  • For paper documents containing personal information:
    • Never keep them on an open shelf in a general office
    • Never throw them in the general bin
    • Never leave them behind after you are finished with them
  • For both electronic and paper formats of personal information, if you share it with other people, be sure you have the right to do so.

Personal data may be processed on the basis that it is necessary to protect the "vital interests" of the data subject (this essentially applies in "life‑or-death" scenarios). Under GDPR, the “vital interests” processing condition can extend to other individuals (e.g. children of the data subject).

If you are emailing more than one student at a time, you should always use the “Bcc” option to avoid sharing students’ personal data (i.e. their email addresses) with other students.

Yes – if you have to share personal data in the course of performing University functions, make sure you share only the minimum amount of personal data, and only with colleagues who need to know it.

The Data Protection legislation does not specify timelines for records retention. However, the University has a Records Management & Retention Policy which sets out retention periods and disposal actions for records held in each area. For further information please refer to Records Management.

Fully anonymised data is not personal data and therefore is not subject to the Data Protection Acts/GDPR. However, pseudonymised data (e.g. where a person’s name is replaced by a reference number or code) is personal data and Data Protection legislation applies to it.

Under current data protection legislation and the incoming GDPR, organisations must have a valid legal basis in order to process personal data. The University relies on legal and contractual obligations for the processing of student data for educational purposes and related administration, and for the processing of staff data. The University relies on consent for other types of processing, e.g. research participation and marketing.

The GDPR sets a high bar for consent and the GDPR has been designed to give data subjects more control over how their data is used. Some of the most important elements of consent under GDPR are:

  • Consent requires a positive opt-in
  • The notions of having to opt-out of pre-ticked boxes or any other method of consent by default are not allowed
  • Consent needs to be explicit
  • We need to be specific, clear and concise with regard to what people are consenting to
  • We need to be granular, rather than asking for blanket consent to cover a number of different things.
  • Consent should not be a pre-condition of accessing a service
  • People should be able to withdraw their consent at any time easily
  • We must retain records of consent provided.

Where we already use consent under the Data Protection Acts, we do not need to obtain fresh consent, as long as it meets the standards required by the GDPR. Therefore, all current processing that uses consent (e.g. marketing, subscriber lists) should be reviewed to ensure it meets the GDPR requirements.

To become accountable for all personal data held, an organisation first needs to know what personal data it holds. This includes taking stock of the personal data held already. Insights gained from a data mapping exercise consequently help an organisation to put risk management processes in place and to identify potential problems before they arise. Article 30 of the GDPR makes it a responsibility for organisations to maintain a record of all personal data processed by the organisation. The University must be able to document its data processing activities in order to demonstrate that we comply with GDPR. In order for the University to create such a register, it is vital that we are able to determine what personal data is held across the University, and the legal basis that allows its processing.

Please familiarise yourself with the UL Data Protection Policy, Compliance Regulations and Records Management & Retention Policy, and read and apply the advice set out in these FAQs and the other guidance provided on these pages, e.g.:

Staff members must complete Data Protection Training (online and classroom options available).

Upcoming training programmes schedule available HERE.

Online Data Protection – GDPR training module for staff members HERE.

For guidance: UL Staff - Introduction to Data Protection and GDPR

1: Fair obtaining

At the time when you collect information about individuals, are they made aware of the uses for that information?

Are people made aware of any disclosures of their data to third parties?

Have you obtained people's consent for any secondary uses of their personal data which might not be obvious to them?

Can you describe your data-collection practices as open, transparent and up-front?

2: Purpose specification

Are you clear about the purpose(s) for which you keep personal information?

Are the individuals on your database also clear about this purpose?

Has responsibility been assigned for maintaining a list of all data sets and the purpose associated with each?

3: Use and disclosure of information

Are there defined rules about the use and disclosure of information?

Are all staff aware of these rules?

Are the individuals aware of the uses and disclosures of their personal data? Would they be surprised if they learned about them? Consider whether the consent of the individuals should be obtained for these uses and disclosures.

4: Security

Is there a list of security provisions in place for each data set?

Is someone responsible for the development and review of these provisions?

Are these provisions appropriate to the sensitivity of the personal data you keep?

Are your computers and databases password-protected, and encrypted if appropriate?

Are your computers, servers, and files securely locked away from unauthorised people?

5: Adequate, relevant and not excessive

Do you collect all the information you need to serve your purpose effectively, and to deal with individuals in a fair and comprehensive manner?

Have you checked to make sure that all the information you collect is relevant, and not excessive, for your specified purpose?

If an individual asked you to justify every piece of information you hold about him or her, could you do so?

6: Accurate and up-to-date

Do you check your data for accuracy?

Do you know how much of your personal data is time-sensitive, i.e. likely to become inaccurate over time unless it is updated?

Do you take steps to ensure your databases are kept up-to-date?

7: Retention time

Is there a clear statement on how long items of information are to be retained (www.ul.ie/recordsmanagement)?

Are you clear about any legal requirements on you to retain data for a certain period?

Do you regularly purge your filing cabinets/ databases of data which you no longer need, such as data relating to former customers or staff members?

Does your area delete personal data as soon as the purpose for which you obtained the data has been completed?

8: The Right of Access

Is a named individual responsible for handling access requests within your area?

Are there clear procedures in place for dealing with such requests?

9: Training & Education

Do you know about the levels of awareness of data protection in your unit?

Are your staff aware of their data protection responsibilities, including the need for confidentiality?

Is data protection included as part of the training programme for your staff?

10: Co-ordination and Compliance

Are all staff aware of their role?

Are there mechanisms in place for formal review by the co-ordinator of data protection activities within your organisation?

sourced from: https://dataprotection.ie/docs/Self-Assessment-Data-Protection-Checklist/y/22.html

  • Data - information in a form that can be processed
  • Personal Data - data relating to a living individual who can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the University
  • Sensitive Personal Data - personal data of a particularly sensitive or private nature, e.g. health data
  • Data Processing - performing any operation on personal data. Examples of data processing include, but are not limited to: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasure or destruction of data.
  • Data Subject - the person who is the subject of the data, i.e. the data is about that person
  • Data Controller - a body that processes and controls personal data
  • Data Processor - a body that processes personal data on behalf of a data controller
  • Data Protection Commissioner - the Commissioner, independent of the Government, who oversees compliance with the terms of the Data Protection Acts
  • Personal Data Protection Breach (Data Breach) - when personal data is made available to one or more third parties without the consent of the data subject
  • Personal Data Access Request (Access Request) - Under Data Protection legislation a data subject may receive a copy of personal data about them that is held by the University of Limerick by making a Personal Data Access Request.
