
What is Data Protection?
Data protection is the protection of individuals in relation to the processing of personal data relating to them. Data protection is a fundamental right of everyone within Ireland and the European Union.
Data protection is based on a legal framework, comprising EU and Irish legislation, and based on principles which are explored further below.
The primary purpose of data protection law is to safeguard the rights of individuals where an entity, such as a university, processes personal data.
There is therefore an obligation on all organisations to process personal data in a manner compliant with the law - including Dublin City University (DCU) and its wholly-owned campus companies.
In order to carry out its statutory, academic and administrative functions, the University collects and processes personal data relating to different categories of individuals, including students and staff of the University.
DCU takes protection of personal data seriously, and consequently takes all reasonable steps to comply with data protection legislation. The University is also committed to ensuring that all staff, registered students, agents, contractors and data processors comply with data protection law.
Some of the terms used above are explored in more detail below.
Personal data
Personal data includes any information relating to an identified or identifiable living individual who is, or can be, identified - directly or indirectly - from that information.
Information which may identify an individual includes: identifiers (such as a name, an identification number, location data, an online identifier), or one or more factors specific to the individual (such as the physical, physiological, genetic, mental, economic, cultural or social identity of that person).
Processing
Processing means performing any operation or set of operations on personal data or sets of personal data, whether or not by automated means.
In other words, it means doing anything with the personal data.
Processing can include collection, recording, storage, organisation, structuring, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, sharing or otherwise making available, combination, erasure, destruction, or deletion.
Data controller
A data controller is:
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Dublin City University is a data controller where it makes fundamental 'how and why' decisions about processing activities.
A controller is responsible for safeguarding personal data, and otherwise ensuring compliance with data protection law.
The GDPR sets out certain principles relating to the processing of personal data. These principles are mandatory requirements in data protection compliance, and must be adhered to when processing personal data.
These data protection principles are summarised below.
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the person to whom the personal data relates.
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Note: Certain derogations may apply in relation to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and you should contact the Data Protection Unit for assistance if you think these derogations may apply to your work or research.
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
In other words, only use personal data you require to achieve your purposes, and no more than that.
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Note: Certain derogations may apply in relation to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and you should contact the Data Protection Unit for assistance if you think these derogations may apply to your work or research.
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The controller shall be responsible for, and be able to demonstrate compliance with each of the above principles.
The data protection legal framework in Ireland is governed by both EU and national law. Some of the main laws relating to data protection which apply within Ireland are mentioned below.
Key laws of the EU:
- General Data Protection Regulation (the GDPR): The primary data protection legislation is the EU's General Data Protection Regulation (the GDPR). This law is directly binding on all EU member states, including Ireland. It also takes primacy over national laws in the EU: this means that if there is a conflict or contradiction between a national law and the GDPR, the GDPR prevails and the national law must be disregarded.
- ePrivacy Directive: This EU law concerns certain data protection matters in the context of electronic communications, including marketing. This law is binding on all EU member states, including Ireland, although some latitude is given to each country in how they implement it at national level. This law should be read in conjunction with the GDPR, which also applies to marketing matters.
Key laws of Ireland:
- Data Protection Act 2018: This primary legislation is an Act of the Oireachtas, and gives effect to certain aspects of the GDPR to reflect the particular context within Ireland.
- ePrivacy Regulations 2011: This secondary legislation is issued by the relevant Minister, and gives effect to the EU's ePrivacy Directive to implement it within Ireland's jurisdiction.
Some additional information on the data protection legal framework can be found on the Data Protection Commission website.
Full titles and links for the above-mentioned legislation can be found below.
- General Data Protection Regulation (the GDPR):
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Link: https://eur-lex.europa.eu/eli/reg/2016/679/2016-05-04
- ePrivacy Directive:
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
Link: https://eur-lex.europa.eu/eli/dir/2002/58/oj
- Data Protection Act 2018:
An Act to establish the Data Protection Commission and to give effect to the General Data Protection Regulation.
Link: https://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/print.html
- ePrivacy Regulations 2011:
S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011
Link: https://www.irishstatutebook.ie/eli/2011/si/336/