Data Protection: General Information
Welcome to the Data Protection: General Information page of the DCU's Data Protection Unit (DPU).
This page provides general information on data protection compliance within Dublin City University.
The DCU Data Protection Policy can be accessed at the link below.
The purpose of this policy is to explain at a high level what personal data is processed by DCU, and why and how we process it. In addition, the policy outlines our duties and responsibilities regarding the protection of personal data.
The Data Protection Policy is updated from time to time, as necessary, to reflect changes in the University's operations and/or changes in the law.
The DCU Personal Data Retention Policy can be accessed at the link below.
Personal Data Retention Policy
The purpose of the policy is to state the University’s position concerning the retention and destruction of personal data.
The DCU Data Classification Policy can be accessed at the link below.
The purpose of this policy is to support the classification of data to allow for the protection of Dublin City University data, or data held by Dublin City University, in terms of confidentiality, integrity, and availability.
The DCU Signing Authority Policy can be accessed at the link below.
The purpose of this policy is:
- To ensure only those Dublin City University employees with appropriate approval and accountability are authorised to sign documents on behalf of the University;
- To designate who may sign the documents listed in the Appendix to this policy, after their review and approval by the individuals or groups indicated in the Appendix;
- To assist in managing exposure to risk which may arise when a document is signed on behalf of the University; and
- To promote good governance by applying appropriate internal controls.
The guidance below is intended to inform members of the public, staff and students on their data protection rights under GDPR. These rights include:
- The Right to be Informed
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restriction of Processing
- The Right to Object to Processing
- Rights in relation to Automated Decision-Making
The above rights may be invoked when dealing with the University, or with one of its Campus Companies.
Not all of these rights are absolute, and so in certain circumstances there may be limits which apply when a person invokes their rights with the University. For example, the right to erasure is limited by the statutory obligation on Universities to retain certain examination and academic records indefinitely.
Further information can be found in the Data Subject Rights Procedure document linked below.
One of the rights recognised under data protection legislation is the Right of Access. This provides individuals with the right to request a copy of any of their personal data which is held by DCU, as well as other relevant information. These requests are sometimes called Data Subject Access Requests.
Such requests can be made either in writing or verbally. While there is no required format for an Access Request to be made, the guide at the link below provides details on how these requests may be made to the University.
Data Subject Access Requests can be made in writing or verbally, ideally directly to the DCU Data Protection Unit.
Requests made in writing are not required to follow a particular format, but the below options may be useful to anyone considering making such a request in writing:
Access Request Application Form - Downloadable Word Version
Access Request Application Form - Online Version
A Personal Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Typical examples of a data breach are:
- Emails or post containing personal data being sent to an incorrect recipient.
- Lost or stolen devices that hold personal data (e.g. laptops, USB keys etc).
- Hard copy files being lost or disposed of incorrectly.
- Hacking (real or suspected) of an IT system or database.
- A power cut or system error, resulting in lack of access to systems containing personal data.
All potential and suspected data breaches must be notified immediately to the Data Protection Unit (DPU).
If you suspect a breach has taken place the first step is to inform the DPU (by phone or email). The DPU will then investigate and determine whether a data breach has occurred, and how it is to be managed and contained.
Thereafter, please complete the University's Data Incident/Breach Report Form, linked below, and return it to the DPU without delay.
Online training is available to DCU students to assist them in meeting their obligations to process personal data in compliance with data protection law.
The online DCU Data Protection course for students and post-graduates may be accessed via the student's Loop account at the link below. Once you login into Loop, select the Data Protection course from the Loop Dashboard.
Online Data Protection Course for Students
Dublin City University (DCU) occasionally receives requests from members of An Garda Síochána and other law enforcement agencies, seeking certain types of personal data (for example, CCTV, staff details, student details).
Any and all such requests received by DCU staff must be communicated to the DCU Data Protection Unit (DPU). The DPU will assist in determining whether and how any response the request is to be issued.
If you receive such a request please forward it to data.protection@dcu.ie
The guide below provides information to staff on how the University manages and assesses these types of requests for personal data.
DCU Guide to Requests from Law Enforcement
From time to time, the University may receive requests from An Garda Síochána for copies of CCTV recordings held by the University. DCU's Guide to Law Enforcement Requests applies in respect of such requests.
Additionally, the below Garda CCTV Request Form must be used by members of An Garda Síochána when requesting a copy of a CCTV recording(s) held by the University, in order to comply with best practice and Data Protection Commission guidelines. No other form of request will be entertained.
Completed forms must be emailed to data.protection@dcu.ie where it will be assessed by the DPU in accordance with the University's guidelines and protocols in this area.
The links below are to specific Data Protection Notices & Statements that the University is required to make public either under the legislation or as part of an agreement with external entities.
A University guide to the safe disposal of hardcopy personal data is provided below.
Guidance on how to unsubscribe from DCU email group can be accessed at the link below.
A separate suite of data protection resources for Dublin City University staff may be accessed at the link below.
Data Protection: Staff Resources
Note: The link referenced above can only be viewed by members of Staff. If you are a member of staff but cannot see or access the linked page, please access the page from a different device or browser and provide your DCU Multi-Factor Authentication details when prompted to do so.
The Data Protection Commissioner (DPC) provides a 'Frequently Asked Questions (FAQ)' resource on data protection matters, which may be accessed at the link below.
Data Protection Commission: Frequently Asked Questions (FAQs)