Data Protection - GDPR
This page is a summary guide to common Data Protection questions. For more detailed advice, please refer to the Information & Compliance webpages www.ul.ie/dataprotection and www.ul.ie/recordsmanagement
Please also refer to the ITD Policies & Regulations webpage, which provides further links relating to IT security, web and email usage, etc., and to the HR Code of Conduct for Employees, which sets out employee obligations relating to confidentiality and the use of information.
GDPR stands for General Data Protection Regulation. It is a new regulation which comes into force across the EU on 25 May 2018. It replaces the current EU data protection laws and will be supplemented by Irish Data Protection Acts. While many of the main concepts and principles of GDPR are similar to those in our current Data Protection Acts, GDPR introduces new elements and significant enhancements which UL is required to accommodate.
The University continues to be responsible for, and must be able to demonstrate, compliance (“accountability”) with the following Data Protection Principles:
Personal data shall be:
The GDPR introduces a number of changes to data protection practices and will require the University to review and revise its approach to data handling. Key changes include:
Yes. After 25 May 2018, all processing of personal data (including the ongoing storage of data) will be covered by the GDPR.
Personal data is any information relating to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify that person. The definition is technology neutral: it does not matter how the personal data are stored – on paper, on an IT system, on a CCTV system, etc. Common personal data include name and address, personal email address, civil status, identity, identification data, living habits, marital status, income, financial situation, IP addresses, web cookies, event logs, location data, GPS data and GSM data.
Examples of personal data include but are not limited to:
Name and Contact Details (incl. home address, home phone/mobile nos., email address)
Date of Birth/Age
Birthplace/citizenship/nationality
Gender
Marital Status
Photographs (ID etc.)
Student/Staff ID Nos.
Next of kin/dependent/family details
Bank account details
Credit card details
Proof of identity
Signatures (incl. electronic)
Family/lifestyle/social circumstances
References
Data relating to children
Car registration details
Passwords & PINs
Online identifiers (such as an IP address)
Cookies
Location data
CCTV images/footage
Sound/video recordings containing identifiable individuals, incl. those made using mobile phones
Voice recordings
Research student stipend documentation
Staff/student performance review documentation
Profiles of researchers/students/other individuals held in any format
Questionnaires obtained from research subjects (paper/online)
Research subject consent forms
Reports to funders with details of staff members’ qualifications, rates of pay, contract duration, etc.
Copy of Passport
PPS Numbers
Application records (CAO/PAC/Direct Entry, scholarship applications)
Qualifications/Education Details
References, letters of support
Garda Vetting data
Examination scripts/other assessment records/FYPs
Examination results, broadsheets, igrade records, recheck/appeal records
Student academic transcripts
Student attendance lists, absentee lists
Plagiarism notifications and related documentation
Contact lists or mailing lists for students, research subjects and research partners
Correspondence with students
Conferring records
Alumni details
Agent details (contact addresses, bank account details, etc.)
Bank details of suppliers who are individuals (i.e. not legal entities such as companies or trusts)
Expense claims
Grievance/Disciplinary Details
Employment and career history, contracts of employment, references
Applications/CVs/interview board records
Qualifications/Education Details
Recruitment and termination details
Probation reports
Garda Vetting documentation for students and members of staff
Health and safety records
Performance appraisals
Training and development records
Income/salary/salary increments
Payroll/taxation data
Membership of health care provider
Credit card or ATM card details
Details of gifts/donations made
Retirement/pension data
Supplier details (names, addresses, contact details, banking and taxation data, licences issued, agreements, contracts, etc.)
Sensitive Personal Data/Special Categories of Personal Data
The GDPR defines a subset of personal data as Special Categories of Personal Data (previously known as “sensitive personal data”), namely information concerning:
The rules regarding Special Category Data are stricter. Data relating to criminal convictions and offences, whilst not listed as a “special category”, has its own rules in the legislation.
Examples of Sensitive Personal Data include but are not limited to: physical/mental health data, including sick leave details/medical certs and clinical files relating to students; clinical files relating to research participants; disability data; genetic data; human tissue samples; human blood samples; fingerprints and other biometric data.
Yes – if an individual can be identified from the address then it is their personal data. If you are emailing more than one student at a time, you should always use the "Bcc" option to avoid sharing students' personal data (email address) with other students. Student email lists should not be shared with class reps or student societies. If a class rep wants to email all the students in their class, you could offer to forward the email on their behalf.
Yes. If a video or photograph contains images of identifiable individuals, then it is regarded as personal data relating to those individuals. Sometimes images may contain sensitive / special categories of personal data (e.g. racial origin, sexual orientation, etc.) so extra rules apply to the processing of such data.
A photograph of a person constitutes their personal data and therefore any use of that photograph must be in accordance with the Data Protection legislation. Individuals should be informed of all such uses that will be made of their image and given an opportunity to object to such use.
Yes. Under GDPR, the time frame for providing the information has been reduced from 40 days to one calendar month.
While many of the main concepts and principles of GDPR are much the same as those in our current Data Protection Acts 1988 and 2003, GDPR introduces new elements and significant enhancements to individuals’ rights:
A Data Breach is any event that has the potential to affect the confidentiality, integrity or availability of personal data held by the University in any format. Data Breaches can happen for a number of reasons. Please refer to Data Breaches for more details.
Data breaches can be caused by many factors, but some are more likely to occur than others, so taking measures to address those is an essential step in reducing risk. Handling personal information responsibly requires high standards of security.
Do
Don’t
You should not release that personal data unless you have the written consent of the student to do so.
Personal data may be processed on the basis that it is necessary to protect the "vital interests" of the data subject (this essentially applies in "life-or-death" scenarios). Under GDPR, the “vital interests” processing condition can extend to other individuals (e.g. children of the data subject).
If you are emailing more than one student at a time, you should always use the “Bcc” option to avoid sharing students’ personal data (i.e. their email addresses) with other students.
Yes – if you have to share personal data in the course of performing University functions, make sure you share only the minimum amount of personal data, and only with colleagues who need to know it.
The Data Protection legislation does not specify timelines for records retention. However, the University has a Records Management & Retention Policy which sets out retention periods and disposal actions for records held in each area. For further information please refer to Records Management.
Fully anonymised data is not personal data and therefore is not subject to the Data Protection Acts/GDPR. However, pseudonymised data (e.g. where a person’s name is replaced by a reference number or code) is still personal data, because the individual can be re-identified from the code, and Data Protection legislation applies to it.
Under current data protection legislation and the incoming GDPR, organisations must have a valid legal basis in order to process personal data. The University relies on legal and contractual obligations for the processing of student data for educational purposes and related administration, and for the processing of staff data. The University relies on consent for other types of processing, e.g. research participation and marketing.
The GDPR sets a high bar for consent and the GDPR has been designed to give data subjects more control over how their data is used. Some of the most important elements of consent under GDPR are:
Where we already use consent under the Data Protection Acts, we do not need to obtain fresh consent, as long as the existing consent meets the standards required by the GDPR. Therefore, all current processing that uses consent (e.g. marketing, subscriber lists) should be reviewed to ensure it meets the GDPR requirements.
To be accountable for all personal data held, an organisation first needs to know what that data is. This includes taking stock of the personal data it already holds. Insights gained from a data mapping exercise help an organisation to put risk management processes in place and to identify potential problems before they arise. Article 30 of the GDPR requires organisations to maintain a record of all personal data processing carried out by the organisation. The University must be able to document its data processing activities in order to demonstrate that we comply with GDPR. For the University to create such a register, it is vital that we are able to determine what personal data is held across the University and the legal basis that allows its processing.
Please familiarise yourself with the UL Data Protection Policy, Compliance Regulations and Records Management & Retention Policy, and read and apply the advice set out in these FAQs and the other guidance provided on these pages, e.g.:
Staff members must complete Data Protection Training (online and classroom options available).
The schedule of upcoming training programmes is available here.
The online Data Protection – GDPR training module for staff members is available here.
For guidance: UL Staff - Introduction to Data Protection and GDPR
1: Fair obtaining
At the time when you collect information about individuals, are they made aware of the uses for that information?
Are people made aware of any disclosures of their data to third parties?
Have you obtained people's consent for any secondary uses of their personal data which might not be obvious to them?
Can you describe your data-collection practices as open, transparent and up-front?
2: Purpose specification
Are you clear about the purpose(s) for which you keep personal information?
Are the individuals on your database also clear about this purpose?
Has responsibility been assigned for maintaining a list of all data sets and the purpose associated with each?
3: Use and disclosure of information
Are there defined rules about the use and disclosure of information?
Are all staff aware of these rules?
Are the individuals aware of the uses and disclosures of their personal data? Would they be surprised if they learned about them? Consider whether the consent of the individuals should be obtained for these uses and disclosures.
4: Security
Is there a list of security provisions in place for each data set?
Is someone responsible for the development and review of these provisions?
Are these provisions appropriate to the sensitivity of the personal data you keep?
Are your computers and databases password-protected, and encrypted if appropriate?
Are your computers, servers, and files securely locked away from unauthorised people?
5: Adequate, relevant and not excessive
Do you collect all the information you need to serve your purpose effectively, and to deal with individuals in a fair and comprehensive manner?
Have you checked to make sure that all the information you collect is relevant, and not excessive, for your specified purpose?
If an individual asked you to justify every piece of information you hold about him or her, could you do so?
6: Accurate and up-to-date
Do you check your data for accuracy?
Do you know how much of your personal data is time-sensitive, i.e. likely to become inaccurate over time unless it is updated?
Do you take steps to ensure your databases are kept up-to-date?
7: Retention time
Is there a clear statement on how long items of information are to be retained (www.ul.ie/recordsmanagement)?
Are you clear about any legal requirements on you to retain data for a certain period?
Do you regularly purge your filing cabinets/databases of data which you no longer need, such as data relating to former customers or staff members?
Does your area delete personal data as soon as the purpose for which you obtained the data has been completed?
8: The Right of Access
Is a named individual responsible for handling access requests within your area?
Are there clear procedures in place for dealing with such requests?
9: Training & Education
Do you know about the levels of awareness of data protection in your unit?
Are your staff aware of their data protection responsibilities, including the need for confidentiality?
Is data protection included as part of the training programme for your staff?
10: Co-ordination and Compliance
Are all staff aware of their role?
Are there mechanisms in place for formal review by the co-ordinator of data protection activities within your organisation?
Sourced from: https://dataprotection.ie/docs/Self-Assessment-Data-Protection-Checklist/y/22.html
Contact the Data Protection Officer by email at dataprotection@ul.ie