Data Protection Policy

Document Location - Data Protection Officer, TU Dublin 

Revision History

Date of this revision: February 2020

Date of next review: February 2022

Version Number/Revision Number   Revision Date   Summary of Changes
1.0                              February 2020

Consultation History

Revision Number   Consultation Date   Names of Parties in Consultation   Summary of Changes

Approval

This document requires the following approvals:

Name   Title   Date

This Policy shall be reviewed and, as necessary, amended by the University at least every 2 years. All amendments shall be recorded on the revision history section above.

Table of Contents

SECTIONS

1. Policy
1.1 Overview
1.2 Purpose
1.3 Common Terms and Definitions
1.4 Scope
1.5 Compliance


2. Roles and Responsibilities
2.1 Compliance Organisational Chart


3. Principles of Data Protection
3.1 Personal Data Processing Principles
3.2 Lawful Processing and Consent
3.3 Transparency - Privacy Notices
3.4 Data Collection from Third Party Sources
3.5 Data Minimisation and Retention
3.6 Data Use Limitation
3.7 Data Accuracy
3.8 Data Storage Limitation
3.9 Security of Personal Data (Integrity and Confidentiality)
3.10 Data Encryption
3.11 Anonymisation and Pseudonymisation


4. Data Protection Practice / Accountability Requirements
4.1 Data Protection by Design and by Default
4.2 Data Protection Impact Assessment (DPIA)
4.3 Record of Processing Activity and Data Inventories
4.4 Transfer and Sharing of Data
4.5 Third Party Relationships and Data Sharing Agreements


5. Data Subject Rights
5.1 Subject Access Request (SAR) and Subject Rights Request (SRR)
5.2 Fees and Refusals of SARs under GDPR
5.3 Procedure for a SAR


6. Personal Data Protection Incident Response and Breach Notification 
6.1 Data Breach


7. CCTV


8. Training - Education and Awareness


9. Data Protection Officer (DPO)


10. Monitoring and Compliance / Demonstrate Accountability / Internal Control


11. Supervisory Authority (Data Protection Commission)


12. Changes to our Data Protection Statement

1. Policy


1.1 Overview

Technological University Dublin (TU Dublin, or the University) was formed by the Technological Universities Act 2018 from a merger of Dublin Institute of Technology (DIT), Institute of Technology Blanchardstown (ITB) and Institute of Technology Tallaght (ITT). This Data Protection Policy provides information about the ways in which TU Dublin collects, stores and uses personal data relating to individuals (data subjects). TU Dublin is the Data Controller of that personal data and is subject to the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation 2016/679.

This Data Protection Policy relates to personal data received by the University where data subjects contact or provide personal data to the University directly and also to personal data received by the University indirectly (via a third party).

This Policy shall not be interpreted or construed as giving any individual rights greater than those which such person would be entitled to under applicable law and other binding agreements.

The University is committed to complying with all applicable Data Protection, privacy and security laws and regulations. The suite of Data Protection policies adopted by the University creates a common core set of values, principles and procedures intended to achieve a standard set of universal compliance parameters based on the GDPR.

Technological University Dublin (TU Dublin) is responsible for the processing of a significant volume of personal information across each of its Schools and Functions. It is vital that everyone is aware of their responsibilities in relation to data protection as follows:

• It is the responsibility of each School and Function to ensure that personal information is processed in a manner compliant with the relevant data protection legislation and guidance.
• The Information and Compliance office on each campus is available to Schools and Functions to provide guidance and advice pertaining to this requirement.
• All Staff must appropriately protect and handle information in accordance with the information’s classification.
• Personal Data is considered confidential information and requires the greatest protection level.

1.2 Purpose

The University intends to meet all relevant Data Protection, privacy and security requirements, whether originating from legal, regulatory, or contractual obligations.

Technological University Dublin (the University), as a Data Controller, has established this Policy as an EU Data Protection Framework to comply with all relevant European Data Protection requirements and has aligned it with relevant internal policies, programmes and controls. In particular, this document sets out the University’s policy regarding Personal Data collection, processing and sharing for all Schools and Functions, staff and students.

The University also embraces Privacy by Design and Privacy by Default principles in all its services and functions both current and future. This ensures that the public can maintain a high level of trust in the University’s competence and confidentiality while handling data.

This policy should not be viewed in isolation. Rather, it should be considered as part of the TU Dublin suite of Data Protection policies and procedures (see Appendix A for the list of Policies and Procedures).

1.3 Common Terms and Definitions

For a Glossary of Terms used in this Policy and Common Terms and Definitions relating to Data Protection, see Appendix B.

1.4 Scope

All Data Protection Policies apply to:

• Any person who is employed by the University who receives, handles or processes personal data in the course of their employment.
• Any student of the University who receives, handles, or processes personal data in the course of their studies for administrative, research or any other purpose.
• Third party companies/individuals (data processors) that receive, handle, or process personal data on behalf of the University.

This applies whether you are on campus, travelling or working remotely.

1.5 Policy Compliance

Compliance

Compliance with our suite of Data Protection Policies will help protect the University against data breaches under data protection legislation, reputational damage to the University and/or an infringement of the rights of employees, students, or other relevant third parties.

Compliance Exceptions

Any exception to the policy shall be reported to the Data Protection Officer in advance.

Non-Compliance

Failure to comply with this policy may lead to disciplinary action being taken in accordance with the University’s disciplinary procedures. Failure of a third party contractor (or subcontractors) to comply with this policy may lead to termination of the contract and/or legal action.

2. Roles and Responsibilities

Governing Body

  • To review and approve the policy on a periodic basis.

University Executive Team (Senior Management)

The University Executive Team (Senior Management) is responsible for the internal controls of the University, an element of which is the retention of records used in the decision-making process for key decisions in order to demonstrate best practice and the assessment of risk. Responsible for:

  • Reviewing and approving all Data Protection Policies and any updates to them as recommended by the Data Protection Officer.
  • Ensuring ongoing compliance with the GDPR in their respective areas of responsibility.
  • As part of the University’s Annual Statement of Internal Control, signing a statement which provides assurance that their functional area is in compliance with the GDPR.
  • Ensuring oversight of data protection issues either through their own work or the Information Compliance Group or other governance arrangement.

Total Management Team (Heads of Departments and Heads of Functions)

  • To lead the Data Protection compliance for their Department/Function.
  • To provide guidance to their staff.
  • To ensure prompt reporting of data protection breaches originating from their Department/Function.

Data Protection Officer

  • To lead the Data Protection compliance and risk management function, with responsibility for advising how to comply with applicable privacy legislation and regulations, including the GDPR.
  • To advise on all aspects of Data Protection and Privacy obligations.
  • To monitor and review all aspects of compliance with Data Protection and Privacy obligations.
  • To act as a representative of Data Subjects in relation to the processing of their personal data.
  • To report directly on Data Protection risk and compliance to the Chief Operations Officer.

Staff/Students/External Parties

  • To adhere to the suite of Data Protection Policies.
  • To report suspected breaches of policy to their Head of Department and/or the Data Protection Officer.

Information Compliance Group (Senior Management Team)

Advisory Committee to support the Data Protection Officer, including:

  • Reviewing and recommending all Data Protection Policies and any updates to them.
  • Ensuring ongoing compliance with the GDPR in functions and areas of responsibility across the University.
  • As part of the University’s Annual Statement of Internal Control, recommending a draft statement which provides assurance that the functional areas are in compliance with the GDPR.
  • Ensuring oversight of data protection issues either through its own work or other governance arrangement.

Information & Compliance Officers

  • To support the Data Protection Officer in leading the Data Protection compliance and risk management function, with responsibility for advising how to comply with applicable privacy legislation and regulations, including the GDPR.

Chief Operations Officer

The Chief Operations Officer is the member of the University Executive Team (Senior Management) with overall responsibility for the delivery of the regulatory objectives of the University, including compliance with Data Protection and privacy obligations.

2.1 Compliance Organisational Chart

See Appendix V (in development, will be included at a later date) for information on the reporting structures for Compliance within TU Dublin.

3. Principles of Data Protection

3.1 Personal Data Processing Principles

The following Data Protection requirements apply to all instances where Personal Data is stored, transmitted, processed or otherwise handled, regardless of geographic location. 

The University has established the following high level principles relating to Data Protection in order to comply with relevant European requirements. 

  • Personal Data shall only be processed fairly, lawfully and in a transparent manner (Principles of Lawfulness, Fairness and Transparency)
  • Personal Data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes (Principle of Purpose Limitation)
  • Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Principle of Data Minimisation)
  • Personal Data shall be accurate, and where necessary kept up to date (Principle of Accuracy)
  • Personal Data shall not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which the Personal Data are processed (Principle of Data Storage Limitation)
  • Personal Data shall be processed in a secure manner, which includes having appropriate technical and organisational measures in place to:
    • prevent and / or identify unauthorised or unlawful access to, or processing of, Personal Data; and
    • prevent accidental loss or destruction of, or damage to, Personal Data (Principles of Integrity and Confidentiality)

The University, whether serving as a Data Controller or a Data Processor, shall be responsible for, and be able to demonstrate compliance with, these key principles (Principle of Accountability).

For further information on the Principles of Data Protection, please see the website of the Data Protection Commissioner:

https://www.dataprotection.ie/en/organisations/principles-data-protection

3.2 Lawful Processing and Consent

The University, as a Data Controller, shall be responsible for, and be able to demonstrate compliance with, these GDPR requirements:

  • To process Personal Data in accordance with the rights of Data Subjects and to communicate with Data Subjects in a concise, transparent, intelligible and easily accessible form, using clear language.
  • To only transfer Personal Data to another group or Third Parties outside of the European Economic Area (EEA) in accordance with this Policy.
  • To conduct all Personal Data processing in accordance with legitimate GDPR-based processing conditions, in particular:
    • Data Subject Consent for one or more specific purposes,
      and / or
    • Necessary processing for contract performance or contract entry,
      and / or
    • Legislative/statutory basis underpinning Processing.

In the absence of these conditions, only the Chief Operations Officer on the recommendation of the Data Protection Officer in consultation with the Information Compliance Group may allow Data Processing. 

Consent

For processing based on Consent, Schools and Functions must demonstrate that the Data Subject has provided appropriate consent for the specific processing. Further consent must be obtained for any new processing activity outside of initial Consent, including Data Aggregation activity either for use by the University or by Third Parties on behalf of the University.

In particular, Data Processing Consent cannot be implied and must be:

  • Freely given,
  • Specific,
  • Informed,
  • Unambiguous and
  • Provided by an affirmative action (Opt-in as opposed to Opt-out)

Appropriate Consent Request methods include: 

  • Clauses in contracts with students and vendors, and / or
  • Check boxes on replies to applications or forms, and / or
  • Click boxes on online forms where Personal Data is entered. 

Any written Consent Request must be: 

  • Clearly distinguishable from other matters and
  • Presented in clear and plain language 

All Schools and Functions shall establish collection and documentation processes for Data Subject Consent to the Processing, and / or transfer of Personal Data. These processes shall include: 

  • Provisions for determining what information must be provided in order to obtain a valid Consent,
  • Recording the communication of that information to the
  • Documentation of the date of Consent, and
  • Validity, scope and equity of the Consents given.

All Schools and Functions shall establish Consent Withdrawal processes and inform Data Subjects about: 

  • their right to withdraw consent at any time and
  • the process through which they can achieve this. 

Direct Marketing

Any form of direct marketing must follow the TU Dublin Direct Marketing Policy. For example, it must offer a way for people to ‘opt out’, and this preference should be recorded to ensure that they do not receive future communications.

TU Dublin will communicate with Alumni of the University who have consented to direct marketing within the last five years, or where the electronic contact details have been obtained in the course of a service (or event) within the last twelve months and the direct marketing material relates to a ‘similar product or service’, provided the individual was given an opportunity to refuse such contact at the time the data was collected, also known under electronic marketing rules as a ‘Soft Opt-in’.

See TU Dublin Direct Marketing Policy in Appendix O (in development, will be included at a later date) for further information. 

Processing of Special Categories of Personal Data 

The University will not process Special Categories of Personal Data unless:

  • The Data Subject expressly consents,
    and / or
  • It is necessary to carry out the Data Controller’s obligations or exercise the Data Subject’s specific rights in the field of employment and social security and social protection law,
    and / or
  • It is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity,
    and / or
  • It is in the Vital Interest of the Data Subject. The University may only process such data where it is necessary to protect a Data Subject’s vital interest in the event that this subject is physically or legally incapable of giving consent. For example, this may apply where the Data Subject requires emergency medical care. Only the Data Protection Officer may authorise this exemption and only in accordance with relevant national legislation.

Any exceptions to processing in the absence of one of these conditions requires the approval of the Data Protection Officer in consultation with the Information Compliance Group.

3.3 Transparency – Data Protection Notices (Fair Disclosure Notices) 

To ensure fair and transparent processing activities, Schools and Functions must provide Data Protection Notices to Data Subjects when directly collecting data. This Policy includes Data Protection Notices for Students, for Staff and for Recruitment Candidates. 

These notices must be: 

  • Provided at the first contact point with the Data Subject or as soon as reasonably practicable.
  • Provided in an easily accessible form.
  • Written in clear language.
  • Made in such a manner as to draw attention to them. 

If Schools and Functions use Consent as the Processing Personal Data condition, then this Consent should, where possible, be obtained at the data collection point.  

All Schools and Functions collecting Personal Data must establish technical or administrative means to: 

  • Deliver the Data Protection notices and
  • Document that the University has provided these notices to the Data Subject at the time of collection, or document they were previously provided and
  • Record all obtained Consents and ensure this information is up to date. 

See Appendix C, Appendix D and Appendix E for Data Protection Notices for Students, Staff and Recruitment Candidates respectively. 

If the School or Function intends to process Personal Data for an additional process outside of original consent, then they must get the Data Subject’s additional consent through an additional Data Protection notice or other suitable notification. 

Wherever possible, these Data Protection notices should be given at the first point of contact with the Data Subject or, if it is not possible on collection, as soon as reasonably practicable thereafter, unless otherwise agreed with the Data Protection Officer (in consultation with the Information Compliance Group). In the case of employees, the Data Protection notice should be referred to in the employment contract.  Appropriate Data Protection notices should also be referred to in any job application form, employee handbook or other internal employment document.  The disclosures should be made in a manner calculated to draw attention to them. 

The content and communication method of Data Protection notices require prior approval by the Data Protection Officer, in consultation with the Head of School or Function and the Information Compliance Group.

3.4 Data Collection from Third Party Sources

In addition to Section 3.3 above, when the University collects Personal Data from a Third Party (i.e. not directly from a Data Subject), the Data Controller must provide Data Protection notices to the Data Subject either at the time of collection or within a reasonable timeframe that is no more than 30 days post collection. 

In addition to the content of the notice outlined above in Section 3.3, Schools and Functions shall provide the Data Subject with the following information necessary to ensure fair and transparent processing of their Personal Data: 

  • The Personal Data collected
  • Whether this was from a public source.
  • The categories of Personal Data concerned. 

The following are the only exceptions: 

  • If the Data Subject has already received this information or
  • Notification would require disproportionate effort or
  • The law expressly provides for this Personal Data collection, processing or transfer. 

3.5 Data Minimisation and Retention 

Schools and Functions should limit Personal Data collection to:

  • What is directly relevant and
  • What is necessary to accomplish a specified purpose. 

Schools and Functions should identify the minimum amount of Personal Data needed for a particular purpose and then align collection volumes and associated retention periods to this purpose.

Please see Appendix W for the University’s Data Retention Policy and Schedule.

3.6 Data Use Limitation 

Schools and Functions must only collect Personal Data for specified, explicit and legitimate purposes. They are prohibited from further processing unless they have identified and documented additional legitimate processing conditions, or the Personal Data involved is appropriately Anonymised and / or Pseudonymised and used for statistical purposes only. Please see Section 3.11 below for further information.

3.7 Data Accuracy 

Each School and Function must ensure that any Personal Data collected is complete and accurate and maintained in an accurate, complete and up-to-date form as its purpose requires.

3.8 Data Storage Limitation

Schools and Functions must only keep Personal Data for the period necessary for permitted uses. They shall establish a destruction date and / or review schedule when defining a permitted use of Personal Data under the stated purpose. This shall be recorded and aligned to the University’s Data Retention Policy and Schedule. See Appendix W (in development, will be included at a later date) for the Policy and Schedule.

Schools and Functions should reasonably endeavour to erase any Personal Data whose retention violates:

  • Data Protection Law
  • Data Protection Regulations
  • Contractual Obligations
  • Requirements of this Policy

or where:

  • The University no longer requires the Data
  • The Personal Data no longer benefits the Data Subject in the relevant process

Schools and Functions should Anonymise and / or Pseudonymise Personal Data where possible rather than erase it if:

  • The law prohibits erasure
  • Erasure would impair the legitimate interests of the Data Subject
  • Erasure is not possible without disproportionate effort due to the specific type of storage or
  • Where the Data Subject has disputed the accuracy of the Personal Data, the University disagrees with that assertion and resolution has not been reached. 

3.9 Security of Personal Data (Integrity and Confidentiality)

Information Security

Each School and Function shall ensure Personal Data security through appropriate physical, technical and organisational measures. These security measures should be in keeping with standards appropriate to the University sector and prevent:

  • Alteration
  • Loss
  • Damage
  • Unauthorised processing
  • Unauthorised access 

When implementing Personal Data security measures each School and Function must consider:

  • Technological developments
  • Implementation Costs
  • Nature of relevant Personal Data
  • Inherent Risks posed by human action/physical/natural environment 

ICT Management must adequately address European Data Protection requirements within the relevant University IT Policies and Procedures.

European Data Protection requirements specifically refer to Personal Data collected and processed within Europe. However, the University is committed to protecting all collected, processed, stored and transferred Personal Data regardless of country of origin.

Data Breach (Unauthorised Disclosure)

No employee or agent shall disclose a Data Subject’s Personal Data (including Special Categories of Personal Data), except where this Policy allows such disclosures.

Staff must report all suspected incidents of unauthorised access to the Data Protection Officer. Incidents include disclosure, loss, destruction or alteration of personal data, regardless of whether it is in paper or electronic form. Schools and Functions must establish formal procedures and a point of contact to report all potential unauthorised disclosure incidents.

Please see the University’s Personal Data Incident Response and Breach Policy in Appendix S (in development, will be included at a later date), the Data Breach Notification Form in Appendix L and the Data Breach Notification Form in Appendix M for further information.

3.10 Data Encryption

The University has drafted guidelines for staff on the encryption of Personal Data contained, processed or transmitted within hardware and software resources that are owned and/or operated by the University. Please see Appendix P (in development, will be included at a later date) for these draft Guidelines on Data Encryption. 

Situations Requiring Encryption: Data at Rest (Servers, Desktop Computers, Laptops, Tablets, Mobile Phones and other Smart Devices, and Removable Storage Devices) and Data in Transmission.

3.11 Data Anonymisation / Pseudonymisation 

Anonymisation and Pseudonymisation are two methods of processing personal data, in such a manner that the Personal Data in question cannot be traced back to the individual (Data Subject) to whom it originally pertained. The key difference between these methods as defined under GDPR, is whether the original data subject can be re-identified.

Anonymisation renders the data subject unidentifiable, even to the party that carries out the anonymisation of data. If the data is truly anonymised and identifying the subject is impossible, then the data falls outside the remit of GDPR.

Pseudonymisation renders the data subject unidentifiable without the use of additional information. Once the “additional information” and the pseudonymised data are held separately, the data processor/controller can use the data more freely, as the rights of the data subject under GDPR remain intact.

The University has drafted Guidelines for staff regarding the treatment and use of Anonymisation and Pseudonymisation. Please see Appendix Q (in development, will be included at a later date) for these draft guidelines. 

4. Data Protection Practice / Accountability Requirements

4.1 Data Protection by Design and by Default

Privacy by Design is an essential requirement that involves minimising privacy risks to individuals. It is the consideration of data protection implications at the start or re-design of any product, service, system, IT application or process that involves the processing of personal data. It fosters a culture of embedding privacy by design into operations and ensuring proactivity instead of reactivity.

Privacy by Default promotes that, where possible, having regard to business implications and the rights of the data subject, the strictest data protection settings are applied automatically to any project.

The University has an obligation under GDPR to consider Data Privacy throughout all processing activities. This includes implementing appropriate technical and organisational measures to minimise the risk to Personal Data. This is of particular importance when considering new processing activities or setting up new procedures or systems that involve Personal Data. GDPR imposes a ‘privacy by design’ requirement emphasising the need to implement appropriate technical and organisational measures during the design stages of a process and throughout the lifecycle of the relevant data processing to ensure that privacy and protection of data is not an after-thought. Schools and Functions engaged in projects, new courses, services or systems development of any sort (including changes to existing practices) through the relevant local project and change management processes must comply with the terms of this Policy and any specific guidelines and requirements set by the Data Protection Officer or ICT Policies in furtherance of these principles.

4.2 Data Protection Impact Assessment (DPIA)

When a School or Functional Area undertakes a processing activity which would be likely to have a privacy impact upon students or staff, they should consider if a Data Protection Impact Assessment is required. A Data Protection Impact Assessment (DPIA) is a tool, required by GDPR, which can help the University to identify the most effective way to comply with its Data Protection obligations as well as meeting individuals’ expectation of privacy by facilitating the identification and remediation of risks in the early stages of a project. It should also identify measures which would help to reduce risks. Therefore, DPIAs are an integral part of taking a Privacy by Design approach to processing of Personal Data.

When the Processing of Personal Data may result in a high risk to the rights and freedoms of a Data Subject, Schools and Functions are required to conduct a DPIA and then consult with the Data Protection Officer. Where the requirement for a DPIA has not been established, or where there is any confusion as to the applicability of Data Protection requirements, a referral must be made to the DPO and the Privacy by Design principles, set out in the Systems Development Life Cycle Policy (SDLC), must be considered.

See Appendix R (in development, will be included at a later date) for the University’s Draft SDLC Policy.

Such assessment is also recommended for high-risk data processing, which was in place before May 2018 to ensure that the Privacy risks to individuals are still mitigated.

The University’s Data Protection Impact Assessment Template can be found in Appendix G (in development, will be included at a later date), Guidelines for the completion of a DPIA in Appendix U (in development, will be included at a later date) and Criteria to determine whether a DPIA is required in Appendix T (in development, will be included at a later date).

4.3 Record of Processing Activity and Data Inventories

The University as a Data Controller is required under GDPR to maintain a record of processing activities under its responsibility. That record contains details of why the Personal Data is being processed, the types of individuals about which information is held, who the Personal Data is shared with and when such Data is transferred to countries outside the EU. 

New activities involving the use of Personal Data that is not covered by one of the existing records of processing activities require consultation with the Data Protection Officer prior to the commencement of the activity. 

The Data Protection Officer will review records of processing periodically and will update them accordingly. The Data Protection Officer will provide the Record of Processing Activities (ROPA) to a Supervisory Authority on request.

See Appendix H for the University’s ROPA which is also published on the University Website. 

Data Inventories

The University has created a Data Inventory / Data Processing Register Template as part of the GDPR compliance program. This details all business activities that involve the processing of personal data, the basis for doing so, retention periods for this personal data, what the personal data is used for, and whether this personal data is transferred to a third party. Please see Appendix I for the Template.

Maintenance of Data Processing Inventories

Schools and Functions must maintain written records of processing activities under their responsibility on a system accessible to the Data Protection Officer. These are known as Data Inventories or Data Processing Registers, a template of which is available in Appendix I. The Data Protection Officer will review these records periodically and will update them accordingly. The Data Protection Officer will provide Processing Activity records to a Supervisory Authority (Office of the Data Protection Commissioner) on request.

4.4 Transfer and Sharing of Data

Sharing with a Third Party or External Processor

As a general rule, Personal Data should not be shared with or passed on to third parties, particularly if it involves Special Categories of Personal Data, but there are certain circumstances when it is permissible, for example:

  • The University may disclose students’ Personal Data and Sensitive Personal Data (Special Category Personal Data) to external agencies to which it has obligations or a legitimate reason. Such sharing should be noted in the relevant Data Protection Notices. Please see the Data Protection Notices in Appendix C, Appendix D and Appendix E for information on what third parties the University shares Personal Data with and for what purpose.
  • The Data Subject consents to the sharing.
  • The third party is operating as a Data Processor and meets the requirements of GDPR. Where a third party is engaged for processing activities there must be a written contract or equivalent in place which shall clearly set out the respective parties’ responsibilities and must ensure compliance with relevant European and local Member State Data Protection requirements/legislation. These are known as Data Sharing Agreements, an example of which is available in Appendix X (in development, will be included at a later date).

The Data Protection Officer should be consulted where a new contract that involves the sharing or processing of personal data is being considered.

Transfer of Personal Data outside the EEA

Transfers of Personal Data to third countries are prohibited without certain safeguards. This means the University must not transfer Personal Data to a third country unless there are adequate safeguards in place which will protect the rights and freedoms of the Data Subject. It is important to note that this covers Personal Data stored in the cloud, as the infrastructure may be in part located outside of the EU/EEA.

Schools and Functions must not transfer Personal Data to a third party outside of the EU/EEA, regardless of whether the University is acting as a Data Controller or Data Processor, unless certain conditions are met.

Prior to any Personal Data transfer outside the EU/EEA, the Chief Operations Officer (on the recommendation of the Data Protection Officer) must approve the transfer of such information, and the Data Protection Officer will record the determination in writing.

4.5 Third Party Relationships and Data Sharing Agreements

Where Schools and Functional Areas engage a third party for processing activities, the Data Processor must protect Personal Data through sufficient technical and organisational security measures and take all reasonable compliance steps. When engaging a third party for Personal Data processing, Schools and Functional Areas must enter into a written contract, or equivalent. This contract is known as a Data Sharing Agreement and must:

  • clearly set out the respective parties’ responsibilities
  • ensure compliance with relevant European and local Member State Data Protection requirements/legislation.

and must give due consideration to the following items:

  • Management of Data Processors
  • Selection of Data Processors
  • Contract Requirements
  • Sub-contracted Data Processors
  • Monitoring and Reporting
  • Data Transfers
      • Appropriate Safeguards
      • Derogations for specific situations
      • Once-off transfer of Personal Data
  • Data Sharing Agreements
  • Review of data sharing arrangements
  • Data transfer methods
      • Email
      • Cloud storage and cloud applications
      • Telephone / mobile phone
      • Sending the information by post
      • Hand delivery / collection
  • Data Breach Notification

Please see Appendix X (in development, will be included at a later date) for a sample Data Sharing Agreement.

5. Data Subject Rights

The Data Protection Officer, supported by the Heads of Schools and Functions, shall maintain appropriate processes and procedures to address Data Subjects’ rights under GDPR.

Data Subjects have the following rights under Data Protection Law, subject to certain exemptions, in relation to their personal data:

  • Information: The right to be informed about the data processing the University does.
  • Access: The right to receive a copy of and/or access the personal data that the University holds about you.
  • Portability: You have the right to request that the University provides some elements of your personal data in a commonly used, machine-readable format in order to provide it to other organisations.
  • Erasure: The right to erasure of personal data where there is no legitimate reason for the University to continue to process your personal data.
  • Rectification: The right to request that any inaccurate or incomplete data that is held about you is corrected.
  • Object to processing: You can object to the processing of your personal data by the University in certain circumstances, including direct marketing material.
  • Restriction of processing concerning the data subject: You can request the restriction of processing of personal data in specific situations where:
      1. You contest the accuracy of the personal data
      2. You oppose the erasure of the personal data and request restriction instead
      3. The University no longer needs the data but the data is required by you for the establishment, exercise or defence of legal claims
  • Withdraw consent: If you have provided consent for the processing of any of your data, you have the right (in certain circumstances) to withdraw that consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn. This can be done by contacting the department which obtained that consent or the University’s Data Protection Office (contact details below).
  • The right to complain to the Data Protection Commissioner: You have the right to make a complaint in respect of our compliance with Data Protection Law to the Office of the Data Protection Commissioner.

In order to exercise any of the above rights, please contact a representative of the Data Protection Officer using the contact details in Section 9 below.

5.1 Subject Access Requests (SARs) and Subject Rights Requests (SRRs)

Employees and students of the University can contact the Data Protection Officer to discuss their request requirements prior to making a formal request in order to maximise the likelihood that their request will be fulfilled in a timely, efficient and satisfactory manner. External requests for personal data should all be directed to the Data Protection Officer for response.

All Subject Access Requests should be made via the Request Forms that are available on the University website. All subject access requests shall be directed to the Data Protection Officer, and all requests shall have an open status until an action by the Data Protection Officer sets a closed status.

Any information provided to a Data Subject in response to a request must be: 

  • Concise
  • Transparent
  • Intelligible
  • In an easily accessible form, using clear and plain language
  • Free unless proven to be excessive (an administration fee is chargeable in this case), and
  • Provided in a timely manner.

Schools and Functions must notify the Data Protection Officer immediately when in receipt of a Data Subject Request and must provide the Data Protection Officer with all necessary support to allow a response in accordance with regulatory timelines. 

See Appendix J and Appendix K for the University’s Subject Access Request Form and Subject Rights Request Form along with information regarding both processes.

5.2 Fees and refusals of SARs under GDPR

There is no fee for Subject Access Requests. However, under GDPR, the University reserves the right where requests from a data subject are manifestly unfounded or excessive in nature to either: 

  • Charge a fee to cover the administrative costs of providing the personal data or
  • Refuse to act upon the request.

The University may also refuse to act upon a subject access request under GDPR in the following circumstances:

  • Where it would breach the rights of someone else.
  • Where it is the subject of an ongoing legal case.
  • It would be illegal to do so.
  • The identity of the requester cannot be determined.
  • Where existing processes exist to access personal data (a charge may be in place). 

6. Personal Data Protection Incident Response and Breach Notification 

6.1 Data Breach 

TU Dublin as a Data Controller is legally required to notify the Office of the Data Protection Commissioner where a personal data breach is likely to result in a risk to data subjects’ rights and freedoms.

In addition, Schools and Functional Areas are legally required to notify affected individuals (Data Subjects) where a Personal Data breach is likely to result in a high risk to their rights and freedoms. For further guidance on what constitutes a high risk, please see the TU Dublin Data Protection Incident Response and Breach Notification Policy in Appendix S (in development, will be included at a later date).

TU Dublin is required to notify the Data Protection Commissioner within 72 hours after having become aware of the Personal Data breach. Therefore, Schools and Functional Areas must have robust processes and procedures in place to identify and report suspected Personal Data breach incidents. These procedures should also cover errors and “near misses”, both as learning opportunities and in order to mitigate possible future risks.

Schools and Functional Areas also have to implement an internal reporting procedure. This should include documentation of any suspected Personal Data breach, comprising the facts relating to the breach, its effects and the remedial action taken. Failure to report a notifiable breach could result in enforcement action by the Data Protection Commissioner including the imposition of an administrative fine in addition to any fines imposed regarding the breach.

Please see Appendix L and Appendix M for the University’s Data Breach Notification Form and Data Breach Report Form.

7. CCTV

All usage of CCTV other than in a purely domestic context must be undertaken in compliance with the requirements of the Data Protection Acts. Extensive guidance on this issue is available on the Data Protection Commissioner’s website at:

https://dataprotection.ie/en/guidance-landing/guidance-use-cctv-data-controllers

In summary, all uses of CCTV must be proportionate and for a specific purpose. As CCTV infringes the privacy of the persons captured in the images, there must be a genuine reason for installing such a system and such purpose must be displayed in a prominent position. 

Please see Appendix Y (in development, will be included at a later date) for the University's CCTV Policy.

8. Training – Education and Awareness

The University is committed to the provision of Data Protection training to ensure all individuals are aware of their respective obligations under Data Protection regulation. This is especially important for staff who handle Personal Data and / or Sensitive Category Personal Data in the course of their everyday business. 

To achieve this, the University supports the development, rollout and communication of Data Protection training and an awareness programme across the University. This training programme ensures that staff are regularly reminded of policies throughout the year and refresher sessions, briefings and reminders occur at regular intervals. The University has also introduced an online GDPR Training Module for all staff. For online training and electronic communications, confirmation of reading and tracking of responses can be put in place to ensure staff follow through on a commitment to be aware of the policies.

All sections, offices and staff are expected to: 

  • Acquaint themselves with, and abide by, the rules of the full suite of Data Protection Policies;
  • Read and understand all Data Protection Policies;
  • Understand what is meant by ‘Personal Data’ and ‘Sensitive Category Personal Data’ and know how to handle such data;
  • Not jeopardise individuals’ rights or risk a contravention of the Act;
  • Contact their Head of School / Function or local Information and Compliance Office if in any

Schools and Functional Areas must ensure that all staff are trained on relevant Privacy, Data Protection and Information Security requirements. This training should be refreshed annually. In addition to General Data Protection Regulation training, staff may receive additional training when applicable to their duties or position. The University will maintain employee GDPR training completion records.

9. Data Protection Officer (DPO)

The University in meeting its data privacy commitments has appointed a Data Protection Officer (DPO) as the point of contact for all data privacy queries that employees and students may have including subject access requests. The contact details of the Data Protection Officer are available on the University website and have been notified to the Office of the Data Protection Commissioner.

Contact details for the Data Protection Office, TU Dublin –

  • By email: dataprotection@tudublin.ie
  • In writing: The Data Protection Office, TU Dublin, Park House Grangegorman, 191 North Circular Road, Dublin 7, D07 EWV4
  • Tel: Blanchardstown +353 1 8851503, City +353 1 2205264, Tallaght +353 1 4042530

10. Monitoring and Compliance / Demonstrate Accountability / Internal Control

The Data Protection Officer monitors compliance with Data Protection policies and procedures by way of an Annual Compliance Report, which reports Schools’ and Functional Areas’ compliance with GDPR principles and includes maintenance of the Data Inventory, compliance with the Data Retention Schedule, staff training records, and actions taken on recommendations following data breaches and near misses.

In order for TU Dublin to demonstrate compliance with the Data Protection Principles, the Schools and Functional Areas have to put in place comprehensive governance measures. In addition to the requirements set out above in Section 3.1 of this Policy, the GDPR requires:

  • The Schools and Functional Areas to maintain records of their processing activities, which must also be provided to the Data Protection Officer upon request.
  • Further information regarding maintaining these records can be found in the Record of Processing Activity in Section 4.3 above.
  • Schools and Functional Areas should ensure that they have implemented and documented procedures to comply with each of the minimum requirements outlined in this Policy. 

11. Supervisory Authority (Data Protection Commissioner) 

The Office of the Data Protection Commissioner (DPC) is the Irish Statutory Authority for GDPR. Please see https://www.dataprotection.ie/ for further information on the Office of the Data Protection Commissioner. 

12. Changes to the TU Dublin Data Protection Policy 

This Data Protection Policy will be subject to revision at least every 2 years. 

If you have any comments or queries in relation to this Data Protection Policy, please forward same to a representative of the Data Protection Officer at the contact details provided in Section 9 above.

APPENDICES

Please click on any of the links below to view / download documents

Appendix A         TU Dublin Suite of Compliance Policies

Appendix B         Common Terms and Definitions

Appendix C         Data Protection Notice for Students

Appendix D         Data Protection Notice for Staff

Appendix E         Data Protection Notice for Recruitment Candidates

Appendix F         Privacy Statement for Student Health Centres

Appendix G         Template Data Protection Impact Assessment (in development)

Appendix H         Record of Processing Activity

Appendix I         Template Data Inventory/Data Processing Register

Appendix J         Subject Access Request Form

Appendix K         Subject Rights Request Form

Appendix L         Data Breach Notification Form

Appendix M         Data Breach Report Form

Appendix N         Cookies & Website Privacy Policy

Appendix O         Draft Direct Marketing Policy

Appendix P         Draft Guidelines on Data Encryption  (in development)

Appendix Q         Draft Guidelines on Anonymisation and Pseudonymisation  (in development)

Appendix R         Draft SDLC Policy  (in development)

Appendix S         Personal Data Incident Response and Breach Policy (in development)

Appendix T         Draft DPIA Criteria (in development)

Appendix U         Draft DPIA Guidelines (in development)

Appendix V         Compliance Organisational Chart (in development)

Appendix W         Data Retention Policy and Schedule (in development)

Appendix X         Sample Data Sharing Agreements (in development)

Appendix Y         CCTV Policy (in development)