The purpose of this Policy is to explain what Personal Data we Process and how and why we Process it. In addition, this Policy outlines our duties and responsibilities regarding the protection of such Personal Data.
This Policy is not an exhaustive statement of our data protection practices. The manner in which we Process data will evolve over time and we will update this Policy from time to time to reflect changing practices. In addition, we operate a number of other workplace policies and procedures which inter-relate with this Policy, including the following:
(a) Staff Data Processing Notice – (Internal to DCU)
(b) Data Retention Policy – (Public Facing)
(c) Data Breach Reporting Procedure – (Public Facing)
(d) Data Breach Reporting Procedure – (Internal to DCU)
(e) Data Subject Rights Procedure – (Public Facing)
(f) Data Subject Rights Procedure – (Internal to DCU)
(g) Data Protection Impact Assessment – Staff Guide
(h) Data Protection Impact Assessment - Screening Questionnaire
(i) Data Protection Impact Assessment - Template
(j) Information & Communications Technology (ICT) Security Policy
(k) Website Privacy Statement – (Public Facing)
The above can be accessed at this link.
In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Policy by reference into notices used at various points of data capture when collecting personal data (e.g. research surveys & questionnaires, application forms, online forms etc.).
This Policy applies to all units of the University, both academic and support, including its research centres and its wholly owned campus companies. These are all hereinafter collectively referred to as either the ‘University’’, “DCU”, “us” or ”we”.
DCU adheres to the principles relating to the Processing of Personal Data set out in GDPR which requires Personal Data to be:
(a) Processed lawfully, fairly and in a transparent manner;
(b) collected only for specified, explicit and legitimate purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed;
(d) accurate and where necessary kept up to date;
(e) not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed;
(f) Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage;
(g) not transferred to another country without appropriate safeguards being in place; and
(h) made available to Data Subjects and allow Data Subjects to exercise certain rights in relation to their Personal Data.
DCU is responsible for, and must be able to demonstrate compliance with, the data protection principles listed above.
When DCU determines the purposes and means of the Processing of Personal Data it acts as a Data Controller. DCU is a statutory authority under the Universities Act, 1997 (“Universities Act”). The data Processing undertaken by DCU is generally undertaken in fulfilment of its statutory objects, functions and duties under sections 12 and 13 of the Universities Act, which in particular provide that the functions of a university are “to do all things necessary and expedient… to further the objects and development of the university”.
In relation to such processing, Art. 6(1)(e) of the GDPR provides an appropriate legal basis, which permits Processing that is necessary for the performance of a task which is in the public interest, where such “public interest” is laid down in EU or Irish law (such as in the Universities Act). Section 34(1) of the Data Protection Act 2018] further makes it clear that DCU can rely on this public interest basis as a lawful basis for Processing Personal Data where Processing is [necessary for the performance of a function of a Data Controller conferred by or under an enactment, or the administration by or on behalf of a Data Controller of any non-statutory scheme, programme or funds where the legal basis for such administration is a function of a controller conferred by or under an enactment.
Where Processing activities are not specifically supported by a particular statutory basis (such as under the Universities Act), DCU relies on other legal bases under Data Protection Law. These include: Art. 6(1)(a) of the GDPR which permits Processing where the data subject has given his or her consent; Art 6(1)(b) which permits Processing where necessary for the performance of a contract to which the data subject is a party; Art. 6(1) (c) which permits Processing that is necessary for compliance with a legal obligation to which the Data Controller is subject; and Art. 6(1) (d) which permits Processing that is necessary in order to protect the vital interests of the data subject or of another person.
In certain instances DCU will act as a joint controller of Personal Data (“Joint Controller”), whereby DCU together with other entities determines the means and purposes of the relevant Processing. In such circumstances the essence of the arrangement as between DCU and the other Joint Controllers will be made known to the relevant individuals in a transparent manner. Examples of such scenarios may include where DCU and other institutions engage in collaborative research projects.
In some cases, DCU may act as a Data Processor, under the instructions of a Data Controller.
When acting as a Data Processor, DCU complies with its relevant obligations under Data Protection Law. These include ensuring that the data that is Processed by DCU on behalf of the relevant Data Controllers is subject to appropriate technical and organisational measures to ensure a level of security appropriate to the risk and ensuring that the Processing is underpinned by a contract which includes the data protection provisions required by Data Protection Law.
Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes. DCU cannot use Personal Data for new, different, or incompatible purposes from that disclosed when it was first obtained unless the Data Subject has been informed of the new purpose and have consented where necessary.
Much of the data Processing undertaken by DCU is for the purpose(s) of fulfilling DCU’s statutory functions and objects under the Universities Act. The following are illustrative and non-exhaustive examples of the types of public interest Processing undertaken by DCU, which are specifically supported by the Universities Act:
i) Examinations and Academic Records
ii) Recording of Learning Activities
In addressing student’s learning needs (including students studying remotely and online) the University delivers part of its learning activities online via live sessions and recorded video along with other types of learning activities. This model of delivery necessitates the recording of some live learning activities.
The University utilises a range of digital tools and e-learning platforms to deliver learning activities (e.g. Loop with Moodle Virtual Learning Environment (VLE) at its core, Zoom for the live streaming and recording of lectures, Mahara (the open-source platform) for e-portfolios and Unicam to support video and rich media learning). Digital technologies such as these help students to participate more flexibly and to widen participation generally.
This range of learning activities delivers student-centric multi-modal learning experiences and provides students with a choice to attend either a traditional classroom environment or to participate online, via the VLE, according to their needs or preferences.
The recording of some live learning activities and the processing of personal data associated with such live learning activities, in both the traditional learning environment and the virtual learning environment, is necessary for the compliance by DCU with the legal obligations to which it is subject under the Universities Act 1997, specifically:
● Section 12 (a to k) of the Universities Act, 1997 (to advance knowledge through teaching, scholarly research and scientific investigation: to promote learning in its student body and in society generally)
● Section 13 (a to h) of the Universities Act, 1997 (shall provide courses of study, conduct examinations and award degrees and other qualifications: shall promote and facilitate research).
In administering the university in such a manner as to enable DCU to “provide courses of study” in an efficient manner it is necessary for DCU to Process Personal Data, including the full student record. Registry may also process personal data of a sensitive nature which is provided by the student to DCU, for example health data to support a deferral of an academic year or postponement of an assessment. This is clearly both necessary and expedient to further the objectives and development of the university as per the Universities Act.
iv) Research and Publications
v) Alumni Affairs
Among DCU’s statutory functions under the Universities Act is to “collaborate with graduates, convocations of graduates and with associations representing graduates both within and outside the State”. This function provides appropriate statutory support for Processing activities undertaken by DCU’s Alumni Office when liaising with and contacting DCU graduates in relation to University events, initiatives, HEA Surveys and external accreditation / ranking bodies (where applicable).
vi) DCU Educational Trust
The Universities Act specifically states that universities may accept gifts of money, land and other gifts on the trusts and conditions specified by the donor. Taken together with the statutory function of “collaborating with associations representing graduates both within and outside the State”, DCU has explicit statutory support to engage and collaborate with alumni organisations such as the DCU Educational Trust. Pursuant to this statutory function, DCU shares certain Personal Data of DCU alumni (limited to student number, title, DOB, first name, surname, gender, graduation date, qualification, faculty of study, postal address, home phone, student email, graduation year, description of course, graduation name) with the DCU Educational Trust, which is a registered charity established to advance the development of DCU. If for any reason you would prefer that your Personal Data is not shared with the DCU Educational Trust contact the DCU Data Protection Unit (email: email@example.com).
vii) DCU Student Union (“Student Union”)
While the Office of Student Life (i.e. OSL, being the umbrella name for the DCU Student Union and its Clubs & Societies) is a student entity distinct from DCU, one of DCU’s objects under the Universities Act is to “promote the cultural and social life of society” within the university. Pursuant to this object, DCU actively collaborates with the Student Union on various initiatives. This includes the sharing of certain DCU student data with the Student Union, such as email addresses to facilitate the Student Union to “promote the cultural and social life of society” and accordingly such disclosure of Personal Data is in accordance with DCU's public interest objectives under the Universities Act. The Student Union will act as a Data Controller in relation to any Personal Data provided to it by DCU. If for any reason you would prefer that your Personal Data is not shared with the Student Union contact the DCU Data Protection Unit (email: firstname.lastname@example.org).
viii) Other Universities / Institutions
In accordance with its statutory objects and functions under the University Acts to promote and facilitate “the highest standards in, and quality of, teaching and research” and to “disseminate the outcomes of its research in the general community”, to collaborate with educational, business and other institutions both within and outside the State, DCU will engage in certain collaboration with such organisations. Such collaborations may involve the sharing of certain personal data as between DCU and its partner institutions and other organisations for research purposes and for similar purposes including but not limited to student exchange programmes (such as the Erasmus programme) and staff sabbaticals. Personal Data of students and staff may be disclosed to such other institutions as necessary for these purposes and written agreements will be put in place.
ix) Student Support & Development (“SS&D”)
DCU students, employees and stakeholders provide information to SS&D for a variety of reasons when availing of its services and resources. Such information may include personal data. In addition, in the course of engagements with SS&D, new records containing personal data may be created (e.g. records relating to meetings, correspondence, letters of support, financial assistance provided, workshop and event attendance, and other engagement with the service).
Information of a sensitive nature (also known as ‘Special’ categories of personal data) may also be processed as part of an engagement with SS&D. Examples include records relating to disabilities, health, sex life and/or sexual orientation, ethnic background, counselling notes, criminal convictions and religious/philosophical beliefs. Such categories of special personal data may be collected and processed in accordance with data protection law, based on one or more of the following legal bases:
• explicit consent;
• for the provision of preventive medicine or for health or social/pastoral care;
• to protect the vital interests of an individual and/or third parties; &
• where it is necessary in order for DCU to comply with a legal obligation.
Personal Data and/or Special Categories of Personal Data may be disclosed to other departments in DCU in accordance with the law and the SS&D Confidentiality & Disclosure Policy.
Given the potentially sensitive nature of the personal data collected and processed by SS&D, special care is taken to maintain the security and confidentiality of such data. Such data will not be disclosed to third parties outside DCU without your consent or except in limited circumstances such as an emergency, a valid request from law enforcement, or to meet the terms and conditions of public funding bodies.
x) DCU Sport
DCU will share certain of your Personal Data with DCU Sport in accordance with its statutory functions and otherwise as collected by DCU Sport directly from students and staff from time to time based on your consent. Such data may include details of any health conditions and or you next-of-kin to enable DCU Sport to take appropriate measures in the case of an accident or emergency when making use of DCU’s sports facilities.
xi) Data Sharing & Governance Act 2019
DCU, as a ‘Public Body’ defined by the Act, is obliged to adhere to its provisions and may share Personal Data with other Public Bodies.
Special categories of data (“SCD”) are defined by the GDPR and include data such as racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, health data, sex life details and sexual orientation.
DCU processes SCD in certain circumstances, typically related to the ordinary course of employee and student administration, the provision of student support and development services and the processing of Garda vetting forms for students and employees, where required by law.
Section 41 of the Data Protection Act 2018 provides a general lawful basis for processing SCD where it is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law. As required by Data Protection Law, DCU applies suitable and specific measures in respect of such Processing of SCD.
DCU Processes Garda vetting forms for students and employees as authorised by the National Vetting Bureau (Children and Vulnerable Persons) Act 2012 (the “National Vetting Act”) in respect of DCU students and staff that undertake placements and studies which involves engagement with children and vulnerable persons. Garda vetting forms may contain Personal Data relating to criminal convictions/offences and because DCU is subject to a legal obligation to Process such data, Art, 6(1)(c) of the GDPR provides the lawful basis for such Processing.
As part of our record keeping obligations under Art. 30 of the GDPR, DCU retains a record of the processing activities under its responsibility. This comprises the following:
Art. 30 GDPR Requirement
Name and contact details of the controller
Dublin City University
Data Protection Unit, Office of the Chief Operations Officer, Albert College Extension, DCU Glasnevin Campus, Collins Avenue Extension, Dublin 9, D09 V209.
Name and contact details of the Data Protection Officer (DPO)
Phone: 01 7005118 / 7008257
The purposes of the processing
(see Policy Statement / Section D / Purposes of Processing and Annex II).
Description of categories of data subjects and personal data
See Annex II
The categories of recipients to whom the personal data have been or will be disclosed
See Policy Statement / Section K / Disclosing Personal Data
Transfers of personal data to a third country outside of the EEA
Envisaged time limits for erasure of the different categories of data
See Policy Statement / Section L / Data Retention
General description of the technical and organisational security measures referred to in Article 32(1)
See Policy Statement / Section J / Data Security & Data Breach
Arts. 17 and 20 of the GDPR state that the right to be forgotten and the right of data portability do not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
Any data subject wishing to exercise their Data Subject Rights should write to the DCU Data Protection Officer (“DPO”) by post to the Data Protection Officer, Office of the Chief Operations Officer, Albert College, DCU Glasnevin Campus, Collins Avenue Extension, Dublin 9, D09 V209 or by email at email@example.com. Please provide as much detail as possible in relation to your request to enable us to identify your personal data and facilitate your request. Your request will be dealt with in accordance with DCU’s Data Subject Rights Procedure (Internal to DCU). For further information on your Data Subject Rights please refer to the Data Subject Rights Procedure (External to DCU).
While DCU will take all appropriate and reasonable measures to respect and facilitate the protection rights of the individual whose Personal Data it processes, data protection is not an absolute right and must be balanced against certain other rights and principles. In particular, the Universities Act recognises the principle of academic freedom and similarly both the GDPR and the Data Protection Act 2018 recognise that in certain circumstances it may be necessary to limit data protection rights in the interests of freedom of expression and the freedom to receive information. In meeting its statutory and public interest obligations, it is the policy of DCU to endeavour to protect these freedoms in a manner that least impacts on the data protection rights of individuals.
DCU has closed circuit television cameras (“CCTV”) located throughout its campuses covering buildings, internal spaces, car parks, roads, pathways and grounds. CCTV cameras are also located at the University sports grounds. DCU’s CCTV system is implemented in a proportionate manner as necessary to protect DCU (and DCU Campus Company) property against theft or pilferage and for the safety and security of staff, students and visitors to the DCU campuses (to protect their vital interests).
Whilst CCTV footage is monitored by DCU security staff, access to recorded footage is strictly limited to authorised personnel. Footage is retained for 28 days, except where incidents or accidents have been identified in which case such footage is retained specifically in the context of an investigation of that issue. CCTV footage may be used in the context of disciplinary proceedings involving DCU staff or students (to protect the vital interests of DCU, staff, students and affected individuals). CCTV footage is not disclosed to third parties except where disclosure is required by law (such as for the purpose of preventing, detecting or investigating alleged offences) and in such instances disclosure is based on a valid request. Signage indicating that CCTV is in use is displayed prominently throughout the DCU campuses. For information on CCTV operations at DCU please contact the Director of Estates.
Body Worn Cameras are used by DCU Security Staff in a proportionate manner as necessary to protect DCU property against theft or pilferage and for the safety and security of staff, students and visitors to the DCU campuses (to protect their vital interests).
Video conferencing technology, including the recording of Learning Activities, is used in a university setting for the following purposes:
• Facilitating the delivery of learning activities in an off-campus, online virtual setting;
• Recording the attendance of students at certain of those classes / modules delivered online;
• Retaining the recordings of classes / modules delivered online; and
• Sharing those recordings with members of the class / module in question for the duration of the relevant academic year.
We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, and IT measures such as encryption and restricted access through approvals and passwords. For more information on security measures see our Information & Communications Technology (ICT) Security Policy.
The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. We will manage a Data Breach in accordance with the Data Breach Reporting Procedure. For further information on how to report a suspected Data Breach please refer to this document or contact the DCU DPO at the contact details at Section 9.1 above.
From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency submits a valid request for access to Personal Data).
We may also share Personal Data: (a) with another statutory body, a public body, or a government Department where there is a lawful basis to do so; (b) with selected third parties including sub-contractors or partner exchange universities; (c) if we are under a legal obligation to disclose Personal Data (e.g. to the Gardaí).
Where we enter into agreements with third parties to Process Personal Data on our behalf we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data. Examples of such third-party service providers that we engage, and to whom Personal Data may be disclosed, include but are not limited to external examiners, communications providers, payroll service providers, occupational health providers, marketing or recruitment agencies, international student recruitment agencies, operators of data centres used by us, security providers, catering services, and professional advisors such as external lawyers, accountants, tax and pensions advisors
Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed. DCU will ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires that data to be kept for a minimum time. DCU must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate purposes for which DCU originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements. DCU will take all reasonable steps to destroy or erase from its systems all Personal Data that it no longer requires. This includes requiring third parties to delete that data where applicable.
We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which the Personal Data are processed. Further details of the retention period for Personal Data are set out in our Data Retention Policy.
Staff will, in the course of their employment with Dublin City University, come into contact with and acquire access to Personal Data. DCU, as a Data Controller, is responsible for ensuring the security of the data and its compliance with the requirements of data protection legislation. Therefore, upon leaving employment with DCU all staff must:
- return any Personal Data in their possession to DCU; and
- not seek to remove, copy or transfer any records containing Personal Data.
Personal Data must be accurate and, where necessary, kept up to date. DCU will ensure that the Personal Data DCU uses, and holds is accurate, complete, kept up to date and relevant to the purpose for which it was collected. DCU will check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards and take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
It is the responsibility of all those engaged in the processing of personal data (e.g. DCU staff, students & researchers) to
- be aware of the policy;
- to implement its principles in all relevant areas of their work, studies or research; &
- to take and participate in the data protection training provided by the University.
Any queries regarding this policy can be directed to the Data Protection Unit.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller (for example, a payroll service provider).
“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the [Data Protection Act 2018] and any other laws which apply to DCU in relation to the Processing of Personal Data.
“DCU Campus Companies” means the following wholly owned subsidiary companies of DCU:
|Campus Company||Principal Activity|
|DCU Educational Support Services DAC||Holding company|
|Campus Property DAC||Property rental company|
|Campus Residences DAC||Provision of student accommodation|
|DCU Executive Education DAC||Dormant company|
|DCU Ryan Academy DAC||Dormant company|
|DCULS DAC||Provision of language courses|
|Dublin Business School Fund DAC||Support of campus developments|
|Dublin Software Park DAC||Property development|
|DCU Healthy Living Centre DAC||Dormant company|
|Invent DCU DAC||Office space and facilities rental|
|Trispace DAC||Catering services and sports facilities|
|UAC Management DAC||Operates the Helix|
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.
“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include a name, an identification number; details about an individual’s location; or any other information that is specific to that individual.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.
“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.
The following are indicative categories of Personal Data but DCU will process other categories of Personal Data from time to time
|Type of Personal Data||Purpose||GDPR Lawful Basis for Publishing|
Data is processed for:
|Other Student Data|
|Data Subject: Employees *|
|Suppliers, Contractors and Business Contacts|
|Research and Academic Purposes|