Introduction
University College Dublin (UCD) needs to collect and use personal data (information) about its staff, students and other individuals who come into contact with the University. The purposes of processing data include the organisation and administration of courses, examinations, research activities, the recruitment and payment of staff, compliance with statutory obligations, etc. Data Protection law safeguards the privacy rights of individuals in relation to the processing of their personal data. The EU General Data Protection Regulation (GDPR), effective May 2018, confers rights on individuals as well as responsibilities on those persons processing personal data. Personal data, both automated and manual, are data relating to a living individual who is or can be identified, either from the data or from the data in conjunction with other information.
Purpose of this policy
This policy is a statement of UCD's commitment to protect the rights and privacy of individuals in accordance with the GDPR.
Scope of this policy
This policy applies to all personal data created or received in the course of University business, in all formats and of any age. It applies to all locations where personal data is held by UCD. Personal data may be held or transmitted in paper, physical and electronic formats, or communicated verbally in conversation or over the telephone. All staff, students and third parties engaged with UCD who process personal data are subject to the provisions of the Data Protection Policy.
Definition of Personal Data
Personal data is any information that can identify an individual person. This includes a name, an ID number, location data (for example, location data collected by a mobile phone) or a postal address, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
Special Categories of Data (previously known as sensitive personal data) can only be processed under specific circumstances, as outlined in Article 9 of the Regulation. The special categories are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health
- Data concerning a person’s sex life or sexual orientation
- Genetic data
- Biometric data
Data Protection Principles
UCD undertakes to perform its responsibilities under the legislation in accordance with Article 5 of the GDPR as follows:
Obtain and process information lawfully, fairly and in a transparent manner
UCD obtains and processes personal data fairly and in accordance with its statutory and other legal obligations.
Keep it only for one or more specified, explicit and lawful purposes
UCD keeps personal data for purposes that are specific, lawful and clearly stated. Personal data will only be processed in a manner compatible with these purposes.
Use and disclose it only in ways compatible with these purposes
UCD only uses and discloses personal data in circumstances that are necessary for the purposes for which it collects and keeps the data.
Keep it safe and secure
UCD takes appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of, data and against accidental loss or destruction.
Keep it accurate, complete and up-to-date
UCD operates procedures that ensure high levels of data accuracy, completeness and consistency.
Ensure it is adequate, relevant and not excessive
Personal data held by UCD are adequate, relevant and not excessive in terms of data retention.
Retain it for no longer than is necessary
UCD has a policy on retention periods for personal data.
Lawfulness of Processing
There are six available lawful bases for processing personal data. No single basis is 'better' or more important than the others; which basis is most appropriate to use will depend on your purpose and relationship with the individual. The lawful bases are:
- Consent: the individual has given clear consent for UCD to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract UCD has with the individual, or because they have asked UCD to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for UCD to comply with the law (not including contractual obligations). UCD will rely primarily on this lawful basis for processing personal data as necessary for and connected with the performance of its statutory objects and functions under the Universities Act and related legislation.
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for UCD to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for UCD’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
UCD will decide which lawful basis applies depending on the specific purposes and the context of the processing. It will consider which lawful basis best fits the circumstances. More than one basis may apply; however, no one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR.
Rights of Data Subjects
Individuals have the following rights over the way UCD processes their personal data:
Right of access by the data subject
Individuals have the right to request a copy of the personal data UCD is processing about them and to exercise that right easily and at reasonable intervals. UCD has procedures in place to ensure that data subjects can exercise their rights under the GDPR; see www.ucd.ie/dataprotection
Right of rectification
Individuals have the right to have inaccuracies in personal data that UCD holds about them rectified.
Right to erasure (right to be forgotten)
Individuals have the right to have their personal data deleted where UCD no longer has any justification for retaining it, subject to exemptions such as the use of pseudonymised data for scientific research.
Right to restriction of processing
Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, UCD is permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing and UCD must respond within one calendar month.
Right to data portability
Where it is technically feasible, individuals have the right to have a readily accessible, machine-readable copy of their data transferred or moved to another data controller, where UCD is processing their data based on their consent and the processing is carried out by automated means.
Right to object
Individuals have the right to object to the processing, or to restrict the processing, of their personal data if:
- The processing is based on the public interest or is carried out in order to pursue a legitimate interest;
- The personal data was processed unlawfully;
- The personal data needs to be deleted in order to comply with a legal obligation.
Right not to be subject to automated individual decision-making, including profiling
In certain circumstances individuals can object to profiling and automated decision-making.
Information Technology and Data Protection
The University has established IT policies and procedures to safeguard essential services, protect the privacy of students and staff, and comply with contractual requirements and legislation.
Personal Data Security Breaches
A personal data security breach is any event that has the potential to affect the confidentiality, integrity or availability of personal data held by the University in any format. Under the GDPR the University, through the Data Protection Officer (DPO), is required to report data breaches to the Data Protection Commissioner within 72 hours of becoming aware of the data breach. The University, as data controller, is expected to respond promptly and appropriately to data security breaches, including all relevant reporting obligations. It is vital to take prompt action in the event of any actual, potential or suspected breach of data security or confidentiality, to avoid the risk of harm to individuals, damage to operational business, or severe financial, legal and reputational costs to the University.
UCD has developed a Personal Data Security Breach Report Form to deal with data breaches efficiently and effectively and to minimise the consequences of any breach for the rights and freedoms of those data subjects whose data are in the care of UCD.
Responsibility
UCD has overall responsibility for ensuring compliance with GDPR legislation when it is the Data Controller of personal data. However, all employees and students of UCD who separately collect and/or control the content and use of personal data are individually responsible for compliance with the legislation. The Data Protection unit provides support, assistance, advice, and training to all departments and offices to ensure that they are in a position to comply with GDPR.
Procedures and Guidelines
UCD is firmly committed to ensuring personal privacy and compliance with GDPR, including the provision of best practice guidelines and procedures in relation to all aspects of Data Protection.
Review of Policy
This Policy will be reviewed regularly in light of any legislative or other relevant developments.
Contact
If you have any queries relating to the processing of your personal data for the purposes outlined above, or you wish to make a request in relation to your rights, you can contact the Data Protection Unit by email at data.protection@ucd.ie or by telephone on +353 1 716 8786/8722.