Data Protection Guidelines
The objectives of this document are:
- to give an overview of the Data Protection legislation that applies in the Republic of Ireland
- to summarise the responsibilities of staff and students within DCU and
- to summarise the rights of individuals under the legislation.
Further information is available at: http://www.dataprotection.ie
Data protection addresses the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection Acts 1988 and 2003 confer rights on individuals as well as responsibilities on those persons processing personal data.
DCU, in common with many other organisations such as government bodies, finance houses and other universities etc gathers and stores data about individuals. This is necessary for the purposes of running the operations of the University. For the purpose of data protection, such organisations or individuals who control the contents and use of personal data are known as DATA CONTROLLERS. The Data Protection Acts 1988 and 2003 impose obligations on data controllers and give rights to individuals relating to their personal data.
All personal information relating to a living individual is included under the legislation. It covers data that is held on computers as well as data that is held in manual files.
It applies to all the data that is held - for example it applies to data in emails and copy letters as well as to data on Master Files etc.
Any member of the DCU community that is involved in the collection, storage or processing of such data has responsibilities under the legislation.
Examples would include people involved in the collection of data from people applying to do courses at DCU, those involved in the recruitment of staff, those involved in the processing of Alumni data etc.
- to obtain and process information fairly
- to keep it only for explicit and lawful purposes
- not to disclose it to others
- to keep it safe and secure
- to keep it accurate, complete and up-to-date
- to ensure that it is adequate, relevant and not excessive
- to retain it for no longer than is necessary for the explicit purpose
- to give a copy of the data to an individual, on request(such a request is known as an ACCESS REQUEST).
- to have your personal information obtained and processed fairly, kept securely and not illegitimately disclosed to others
- to be informed, to know the identity of the Data Controller and for what purpose they have the information
- to get a copy of the personal information
- to have your personal data corrected or deleted if inaccurate
- to prevent your personal information from being used for certain purposes, for example you might want your data blocked for research purposes where it is held for other purposes
- to have your name removed from a direct marketing list
- to stop some specific uses of your personal information
- to Employment Rights, not to be forced to disclose information to a prospective employer. No one can force you to make an access request, or reveal the results of an access request, as a condition of recruitment, employment or provision of a service. Where vetting for employment purposes is necessary, this can be facilitated where the individual gives consent to the data controller to release personal data to a third party
- to freedom from automated decision making, to have human input in the making of important decisions relating to you. Important decisions about you, for example, work performance, creditworthiness, reliability may not be made solely by automatic means e.g. by computer, unless you consent to this. In general there has to be a human input in such decisions
- to prevent your phone directory details from being used for direct marketing purposes.
- Within DCU the Risk and Compliance Officer (RCO) has responsibility for the co-ordination for data protection issues. The RCO can be contacted at extension 8706.
- more complete information is available at: http://www.dataprotection.ie