Carlow College, St. Patrick’s needs to process the personal data of persons with whom the College comes into contact. The General Data Protection Regulation (GDPR) governs the processing of personal data. Carlow College, St. Patrick’s takes its responsibilities under data protection legislation very seriously and has in place a range of measures to ensure the lawful and secure processing of personal data.
Carlow College, St. Patrick’s processes the personal data of learners, employees and other stakeholders with whom it comes into contact. The purposes for which the College processes personal data include: the organisation, administration and assessment of programmes of study; the provision of health services and academic supports to learners; keeping in touch with former learners; promoting our programmes of study; the recruitment, management and remuneration of employees; event and accommodation provision and management; compliance with statutory, contractual and regulatory obligations; compliance with the conditions of funding schemes, including learner grants; and the safety and security of the College premises.
‘Personal data’ means any information relating to an identified or identifiable natural person (data subject). An identifiable person is one who can be identified, directly or indirectly. It includes a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Special categories of personal data’ means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health, sexual orientation or sex life.
‘Processing’ means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Principles
Under the GDPR, all personal data must be processed in compliance with a set of core principles. In compliance with these principles we will ensure that:
- Data processing is lawful, fair and transparent
- Data is collected for specified, explicit and legitimate purposes
- Processing is adequate, relevant and limited to what is required
- Data is accurate and kept up to date
- Data is kept in a form which permits identification of data subjects for no longer than is necessary
- Data will be kept safe and secure
Data subject rights
All data subjects have the following rights:
- Right to information: we will tell you what information we hold and what we do with it. Further information is available in our Privacy Notices.
- Right to access: you can obtain a copy of the data we hold
- Right to rectification: we will correct incorrect data
- Right to erasure: you can have your data deleted
- Right to restrict processing: you can limit how we use your data
- Right to object to processing: you can ask us to stop using your data
- Right of data portability: you can have your data transferred to another organisation
- Right to information on automated decision-making, including profiling: you have the right not to be subject to a decision with significant effects made solely by an automated system
Data subject rights are not absolute in some cases and restrictions are set out in the legislation.
Data subject requests
Informal procedures are in place in Carlow College, St. Patrick’s for learners to access their learner file as held by Academic Administration, and for employees to access their employee file as held by Human Resources. Learners and employees may also apply to the Data Protection Officer for access if they wish.
Responses to all other data subject requests will be coordinated by the Data Protection Officer.
Data subject requests must be in writing. This form can be used to submit a request to the Data Protection Officer.
We must verify the identity of requesters. Please include a form of identification with your request (e.g. student ID, passport, driver’s licence).
Requests are answered free of charge except where they are manifestly unfounded or excessive. In such cases we may charge a reasonable fee. If we hold a large amount of data, we may ask you to specify which data you are interested in. One copy of the data is provided free of charge. A reasonable fee may be charged for further copies.
Data subject requests will be answered as soon as possible, and within one month, unless we decide that an extension is needed, in accordance with the legislation.
Third party processing
Where we engage external companies to process data on our behalf we ensure that a written contract is in place to protect personal data.
International data transfers
Carlow College, St. Patrick’s needs to transfer personal data outside the EU on occasion. For example, transfers take place in connection with Study Abroad and Exchange Programmes offered in conjunction with US colleges. Where such transfers occur, we ensure that safeguards are in place.
We have in place a range of controls to enhance data security. For example, employees have been instructed to keep manual data in locked storage units, to share data only with authorised persons, and to dispose of data in a secure manner, and there is robust technical security in place for our IT systems.
Personal data breaches
We have a range of measures in place to minimise the risk of a personal data breach. We have prepared a Personal Data Breach Response Plan to permit us to act promptly in the case of any issue arising. We will notify the Office of the Data Protection Commissioner within 72 hours of any breach that presents a risk to data subjects. We will notify data subjects of any breach affecting them, where it is necessary.
Employee responsibilities and training
All employees who handle personal data as part of their duties have been made aware of College policies and their responsibilities.
Employees receive data protection training commensurate with their duties.
Data Protection Officer,
Carlow College, St. Patrick’s
Email: firstname.lastname@example.org; email@example.com