What is data protection?

It is the means by which the privacy rights of individuals are protected in relation to the use of their personal data. Data protection gives various rights to individuals (data subjects) about whom personal data is processed and puts various obligations on organisations which process that data.


What is the General Data Protection Regulation (GDPR)?

It is European Union (EU) legislation which came into effect on 25 May 2018, and governs the processing of personal data. The GDPR permits EU Member States to legislate in respect of data protection in some areas. Ireland’s Data Protection Acts 1988 to 2018 require to be read in conjunction with the GDPR.


What is personal data?

Personal data is any information by which an individual is identified or identifiable, for example, name, postal or email address, PPSN, student ID number or image.

The term ‘special categories of personal data’ refers to personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership, the processing of genetic or biometric data for the purpose of identifying an individual, data concerning health or data about an individual’s sex life or sexual orientation. Special categories of personal data are afforded extra protections within the GDPR, as is data relating to criminal convictions and offences.


What are my data protection rights?

Data subjects have the following rights with regard to the processing of their personal data:

  • Right to information: means that we have to be transparent about what data we hold and what it is used for. Information about our data processes are available in our Privacy Notices
  • Right to access: you can obtain a copy of the data we hold
  • Right to rectification: we will correct inaccurate data and complete incomplete data
  • Right to erasure: you can have your data deleted
  • Right to restrict processing: you can limit how we use your data
  • Right to object to processing: you can object to how we use your data
  • Right of data portability: you have can your data transferred to another organisation.
  • Right to information on automated decision-making: you have the right not to be subject to a decision with significant effects made solely by an automated system.

Data subject rights are not absolute in many cases and restrictions are set out in both the GDPR and the Data Protection Acts.


What are the responsibilities of organisations which process personal data?

Under the GDPR, personal data must be processed in compliance with a set of core principles. We will ensure that:

  • Data processing is lawful, fair and transparent
  • Data is collected for specified, explicit and legitimate purposes
  • Processing is adequate, relevant and limited to what is required
  • Data is accurate and kept up to date
  • Data is kept in a form which permits identification of data subjects for no longer than is necessary
  • Data will be kept safe and secure.


What is meant by ‘consent’?

Consent of the data subject means that an individual can give consent to an organisation to use his/her personal data for a particular purpose. There are various criteria for valid consent, including that: the data subject has a free choice in whether or not to give consent; it is specific to a particular purpose and is verifiable; and that consent may be withdrawn.

Organisations do not always require the consent of the data subject to process personal data. There are other possible legal bases that organisations can rely on, including that the organisation is under a legal obligation to process the personal data or that processing is required in connection with a contract.


What is a data breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Employees who discover an actual or suspected data breach, or are aware that data has been placed ‘at risk’ are to contact the Data Protection Officer immediately. Carlow College, St. Patrick’s will investigate reported breaches under its Personal Data Breach Response Plan.


Who do I contact if I have a query about data protection?

Our Data Protection Officer’s contact details are available here

How do I make a data protection request?

You can use this form to submit a data protection request.


Is there a charge for making a data protection request?

No. You are entitled to receive one free copy of personal data relating to you but if the request is ‘manifestly unfounded or excessive’ we may charge a reasonable fee.


How long does it take to obtain a reply to a data protection request?

We must normally reply within one month but would aim to respond within a much shorter timeframe. The one-month response period may be extended by two further months in limited circumstances. Where we require to extend the response period we will inform you during the first month.


How long is personal data kept for?

Personal data is kept for no longer than is necessary in order for us to fulfil our purpose in processing it. Retention periods vary. For example, many learner records are kept for the duration of a learner’s studies, but in some cases we retain data for longer periods, including to fulfil audit requirements. We retain a core educational record relating to learners indefinitely in order that we can certify their qualifications into the future. We are currently working on records retention schedules which will set out retention periods for personal as well as non-personal College records.