Data Protection: General Information
Welcome to the Data Protection: General Information page of the DCU's Data Protection Unit (DPU).
This page provides general information on data protection compliance within Dublin City University.
The DCU Data Protection Policy can be accessed at the link below.
The purpose of this policy is to explain at a high level what personal data is processed by DCU, and why and how we process it. In addition, the policy outlines our duties and responsibilities regarding the protection of personal data.
The Data Protection Policy is updated from time to time, as necessary, to reflect changes in the University's operations and/or changes in the law.
The DCU Personal Data Retention Policy can be accessed at the link below.
Personal Data Retention Policy
The purpose of the policy is to state the University’s position concerning the retention and destruction of personal data.
The DCU Data Classification Policy can be accessed at the link below.
The purpose of this policy is to support the classification of data to allow for the protection of Dublin City University data, or data held by Dublin City University, in terms of confidentiality, integrity, and availability.
The DCU Signing Authority Policy can be accessed at the link below.
The purpose of this policy is:
- To ensure only those Dublin City University employees with appropriate approval and accountability are authorised to sign documents on behalf of the University;
- To designate who may sign the documents listed in the Appendix to this policy, after their review and approval by the individuals or groups indicated in the Appendix;
- To assist in managing exposure to risk which may arise when a document is signed on behalf of the University; and
- To promote good governance by applying appropriate internal controls.
The information below is intended to provide an overview on the data protection rights of individuals under the GDPR. These rights may be invoked when dealing with the University, or with one of its Campus Companies.
Not all of these rights are absolute, and so in certain circumstances there may be limits which apply when a person invokes their rights with the University. For example, the right to erasure is limited by the statutory obligation on Universities to retain certain examination and academic records indefinitely.
Furthermore, the rights discussed here may be further restricted in accordance with the GDPR and Section 60 of the Data Protection Act 2018.
Exercising your data protection rights
If you wish to exercise your data protection rights, please contact DCU's Data Protection Officer, Mr Martin Ward, at data.protection@dcu.ie or via the DPU's Contact Us page.
To help us to respond to your request as efficiently as possible, please provide as much detail as possible in your request. (For example, if you wish to exercise your right of access, please specify which personal data you are seeking. Please also include any additional details that would help us to respond to your request - for instance, a staff or student ID number, names of any DCU Schools or Units that you were associated with, dates or time periods.)
In certain cases, we may also require proof of identity to ensure our response is provided to the correct person to whom the personal data relates. The form of identification may include passport, driver's licence, staff ID card, or student card.
Where required, copies of identification will acceptable in most cases; however, DCU reserves the right to ask to see original documents where necessary. Any copies identification provided to DCU in the course of making a request relating to your data protection rights will in general be destroyed following completion of our response to that request.
Finally, if you wish for a third party to submit a request on your behalf (such as a family member or a solicitor), you must provide written authorisation to allow us to disclose the
personal data to that third party.
Further information
This information provided here is non-exhaustive and does not constitute legal advice. Further information can be found on the website of the Data Protection Commission.
Any processing of personal data must be lawful, fair, and transparent.
It must be clear to individuals that personal data relating to them are collected, used, or otherwise processed, and to what extent.
Additionally, any information or communication relating to such processing is easily accessible and easy to understand, in concise, clear and plain language. Any such communication must be tailored appropriately to audiences, taking into account age and capacity, and may include visualisation or other appropriate modes of communication.
Everyone has the right to obtain from a data controller:
(a) confirmation of whether or not personal data relating to them is being processed;
(b) if so, a copy of that personal data; and
(c) certain additional information, such as:
- the purpose(s) of processing
- categories of personal data held by the controller
- any recipient(s) of the personal data outside of the controller
- retention period(s) and/or criteria
- their data protection rights
- the right to contact the data protection supervisory authority
- information relation to any automated decision-making.
If personal data relating to an individual is inaccurate, they have the right to have that data rectified, by the controller, without undue delay.
If personal data relating to an individual is incomplete, they have the right to have that data completed, including by means of providing supplementary information.
This right is not absolute. In certain circumstances, this right may be restricted under Section 60 of the Data Protection Act 2018.
Personal data relating to an individual must be erased, without undue delay, by the data controller, if one of a certain number of grounds applies.
These grounds include:
- Where the personal data are no longer necessary in relation to the purpose for which it was collected or processed.
- Where the individual withdraws their consent to the processing, and there is no other lawful basis for processing the data.
- Where the individual objects to the processing, and there is no overriding legitimate grounds for continuing the processing.
- Where the individual objects to the processing, and the personal data are being processed for direct marketing purposes.
- Where the personal data have been unlawfully processed.
- Where the personal data must be erased in order to comply with a legal obligation.
- Where the personal data have been collected in relation to the offer of information society services (e.g. social media) to a child.
This right is not absolute. In certain circumstances, this right may be restricted under Section 60 of the Data Protection Act 2018.
In addition, the right to erasure does not apply where processing is necessary for:
- Exercising the right of freedom of expression and information.
- Compliance with a legal obligation, the performance of a task carried out in the public interest or in the exercise of official authority.
- Reasons of public interest in the area of public health.
- Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
- Establishment, exercise or defence of legal claims.
In some circumstances, you may be entitled to obtain your personal data from a data controller in a format that makes it easier to reuse your information in another context, and to transmit this data to another data controller of your choosing without hindrance.
This right is not absolute.
This right only applies where processing of personal data (supplied by the data subject) is carried out by automated means, and where you have either consented to processing, or where processing is conducted on the basis of a contract between you and the data controller.
Additionally, this right only applies to the extent that it does not affect the rights and freedoms of others.
This right is not absolute. You have the right to object to certain types of processing of your personal data where this processing is carried out in connection with tasks:
- in the public interest,
- under official authority,or
- in the legitimate interests of others.
You have a stronger right to object to processing of your personal data where the processing relates to direct marketing. Where a data controller is using your personal data for the purpose of marketing something directly to you, or profiling you for direct marketing purposes, you can object at any time, and the data controller must stop processing as soon as they receive your objection.
You may also object to processing of your personal data for research purposes, unless the processing is necessary for the performance of a task carried out in the public interest.
Individuals have a limited right of restriction. This means applying a restriction (or pause) on processing of personal data by the data controller. Where processing of personal data is restricted, certain activities (such as deletion) will require permission from the individual to whom the personal data relates.
This right is not absolute. Some processing activities will not require permission, such as storage of the personal data.
Additionally, this right only applies where:
(a) the individual has objected to processing of the personal data (see above);
(b) the individual has contested the accuracy of the personal data;
(In these cases, the restriction of processing applies until the data controller has determined the accuracy of the data, or the outcome of your objection.)
(c) the processing is unlawful; and/or
(d) the individual requires the personal data in respect of a legal claim.
You have the right to not be subject to a decision based solely on automated processing.
Processing is “automated” where it is carried out without human intervention and where it produces legal effects or significantly affects you.
Automated processing includes profiling.
Automated processing is permitted only:
- with the express consent of the individual to whom the personal data relates;
- when necessary for the performance of a contract; or
- when authorised by Union or Member State law
One of the rights recognised under data protection legislation is the Right of Access. This provides individuals with the right to request a copy of any of their personal data which is held by DCU, as well as other relevant information. These requests are sometimes called Data Subject Access Requests.
Such requests can be made either in writing or verbally. While there is no required format for an Access Request to be made, the guide at the link below provides details on how these requests may be made to the University.
Data Subject Access Requests can be made in writing or verbally, ideally directly to the DCU Data Protection Unit.
Requests made in writing are not required to follow a particular format, but the below options may be useful to anyone considering making such a request in writing:
Access Request Application Form - Downloadable Word Version
Access Request Application Form - Online Version
A Personal Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Typical examples of a data breach are:
- Emails or post containing personal data being sent to an incorrect recipient.
- Lost or stolen devices that hold personal data (e.g. laptops, USB keys etc).
- Hard copy files being lost or disposed of incorrectly.
- Hacking (real or suspected) of an IT system or database.
- A power cut or system error, resulting in lack of access to systems containing personal data.
All potential and suspected data breaches must be notified immediately to the Data Protection Unit (DPU).
If you suspect a breach has taken place the first step is to inform the DPU (by phone or email). The DPU will then investigate and determine whether a data breach has occurred, and how it is to be managed and contained.
Thereafter, please complete the University's Data Incident/Breach Report Form, linked below, and return it to the DPU without delay.
Online training is available to DCU students to assist them in meeting their obligations to process personal data in compliance with data protection law.
The online DCU Data Protection course for students and post-graduates may be accessed via the student's Loop account at the link below. Once you login into Loop, select the Data Protection course from the Loop Dashboard.
Online Data Protection Course for Students
Dublin City University (DCU) occasionally receives requests from members of An Garda Síochána and other law enforcement agencies, seeking certain types of personal data (for example, CCTV, staff details, student details).
Any and all such requests received by DCU staff must be communicated to the DCU Data Protection Unit (DPU). The DPU will assist in determining whether and how any response the request is to be issued.
If you receive such a request please forward it to data.protection@dcu.ie
The guide below provides information to staff on how the University manages and assesses these types of requests for personal data.
DCU Guide to Requests from Law Enforcement
From time to time, the University may receive requests from An Garda Síochána for copies of CCTV recordings held by the University. DCU's Guide to Law Enforcement Requests applies in respect of such requests.
Additionally, the below Garda CCTV Request Form must be used by members of An Garda Síochána when requesting a copy of a CCTV recording(s) held by the University, in order to comply with best practice and Data Protection Commission guidelines. No other form of request will be entertained.
Completed forms must be emailed to data.protection@dcu.ie where it will be assessed by the DPU in accordance with the University's guidelines and protocols in this area.
The links below are to specific Data Protection Notices & Statements that the University is required to make public either under the legislation or as part of an agreement with external entities.
A University guide to the safe disposal of hardcopy personal data is provided below.
Guidance on how to unsubscribe from DCU email group can be accessed at the link below.
A separate suite of data protection resources for Dublin City University staff may be accessed at the link below.
Data Protection: Staff Resources
Note: The link referenced above can only be viewed by members of Staff. If you are a member of staff but cannot see or access the linked page, please access the page from a different device or browser and provide your DCU Multi-Factor Authentication details when prompted to do so.
The Data Protection Commissioner (DPC) provides a 'Frequently Asked Questions (FAQ)' resource on data protection matters, which may be accessed at the link below.
Data Protection Commission: Frequently Asked Questions (FAQs)