Dundalk Institute of Technology take your privacy seriously. It is important that you know what we do with personal information that you and others provide to us, why we gather it and what that means to you. This information is being provided to you in line with our obligations under the General Data Protection Regulation (GDPR) which came into force on 25th May 2018. The GDPR together with the Irish legislative requirements – Data Protection Act 2018 – amend previous data protection law and place enhanced accountability and transparency obligations on all organisations using your personal information. Please take the time to read this notice carefully. If you have any questions about how we use your information please contact the Institute’s Data Protection Office - details listed below.
GDPR is the European Union General Data Protection Regulation. It came into effect on 25th May 2018. It sets out a series of new EU laws concerning how data can be processed and used by organisations. The objective of the Regulation is to strengthen and standardise data protection laws for all EU citizens. Further information on GDPR and the Data Protection Act 2018 can be found on the Data Protection Commission (DPC) web site www.dataprotection.ie
Dundalk Institute of Technology is the Data Controller for all personal data collected for the purpose of its business. The Institute decides what personal data it needs to collect from you to allow it to operate its services. Data processes are documented and issued to relevant staff.
There are approximately 500 staff directly employed by the Institute and we have in excess of 5,000 student population.
You can contact the Institute in any of the following ways:
If you have any queries relating to how we might use your personal data, contact our Data Protection Office in the following ways:
By email: firstname.lastname@example.org
By post: Data Protection Officer, Dundalk Institute of Technology, Dublin Road, Dundalk, Co Louth.
We collect information about you for a range of reasons mainly from yourself but it also can come from other sources. The situations where we collect personal data are as follows:
2.1 When you apply to be considered for a course of study either through the CAO system or upon direct application to the Institute.
2.2 When you actually register as a full time or part-time student.
2.3 When you access any of the student services provided by the Institute you may give additional information – services such as Medical Centre, Counsellor, Clubs & Societies etc
2.4. When you transfer into the Institute from another third level organisation.
2.5 When you commence employment with the Institute.
2.6 When you attend events, functions.
2.7 When you provide services to the Institute such as a supplier or contractor.
3.1 It is the Institute’s policy to only collect the information that is required for the immediate purpose such as those outlined in section 5.
3.2 Personal data collected can include the following:
3.3 At times we also need to collect personal data such as health data and photographs. For example for health data - an employment medical you may undergo as a prospective new staff member or if you are a student availing of any of the health services such as registering with medical centre or Disability Service. Photographs are taken and used for the purpose of identification and security, for example students accessing Institute services will be required to produce their student ID card. Other data may include information concerning trade union membership – as a staff member you may wish to pay a subscription via your salary so Payroll will have a record of this. We acknowledge we can also collect, indirectly, data in relation to the religious beliefs and sexual orientation of students and staff.
The Institute has a number of Acts under which personal data may be legally processed. Our main legislation that we operate under is included in the Regional Technical Colleges Act, Institute of Technology Act and Technical Universities Act however we have a number of other pieces of primary and secondary legislation which allows us to process personal data. The Institute is also entitled and indeed obliged to process personal data under other legislative provisions that provide the basis for all Government Departments to administer a range of services and supports as set out by successive Government decisions.
Please refer to the list of legislation noted as Appendix 1.
We process personal data for the following purposes:
In certain situations we may share your data with other organisations in accordance with legislation and as outlined in Section 7 below. Data sharing arrangements or Statutory Instruments will be in place / operated under for any sharing that occurs.
The bulk of personal data is stored by the Institute electronically on our internal IT systems. These systems are fully protected by anti-virus and anti-malware software. Electronic data includes student application, admission and academic record, recruitment data and for successful applicants subsequent staff employment records, evidence of identity, contact information, financial information, family details, evidence of educational and training achieved and pursuing, copies of electronic correspondence. The main electronic systems in use in the Institute are the student records system Banner; the personnel system CORE HR/Payroll; the Procurement/Creditors payment system Agresso. Additionally, the Library operates a computerised automation system –Koha Interleaf / Discovery Service EBSCO and Outlook is the system used for email.
Access to personal data is restricted to those staff members who need the information to carry out their official duties. Access is controlled by every staff member having a unique login username and password. Minimum permissions are given to allow the staff member to work in a secure environment and to only access the personal data that they need for their jobs.
Where the Institute holds paper records containing personal data, these are stored on individual or category related files which are secured in the relevant staff office for current files or adjacent storage space for less current files. Only staff who need to work on these files will have access to them. Security is achieved by physical safe measures where access to a staff office or department office is by key access or swipe card and where visitors are screened so that unauthorised access to personal data is avoided. For example students are not allowed directly into an academic administration office, but their queries are dealt with via a student queries window.
Sometimes historical paper records will be stored off campus in a secure location operated by a contracted services provider. This Processor is vetted to ensure it operates in line with good data protection practices which includes adhering to Institute instructions on the handling, acquisition and deletion of the data and a data processing /confidentiality agreement is in situ.
The Institute is allowed to share your data with a range of organisations but only where legally enforceable data sharing agreements are in place or where there is a statutory report requirement. In general the types of organisations that the Institute would normally share information with are as follows:
No, your personal data will generally not be stored or transferred outside of the European Union or the EEA Area (EU states plus Iceland, Norway, and Liechtenstein). Where we do share information outside of the EEA or if there were to be exceptional arrangements for storage of your data outside the EEA, we will always take steps to ensure that any transfer of information outside of the EEA is carefully managed to protect your privacy rights under GDPR. This is provided for under EU Security Regulations. An example of when personal data may be shared or transferred: for non-EU International students who may be sponsored by their own country’s embassies or other supporting bodies, in this case they may require as part of the students placement on the programme and with their knowledge, an update of their attendance and progress.
Personal data may only be transferred if appropriate safeguards are provided and on the condition that enforceable data subject rights and effective legal remedies are available. Safeguards may include:
The Institute will keep information relating to you for only as long as required to provide you with access to services. There is some information that we need to retain on students and staff indefinitely. There are a number of reasons for this.
For example for staff we need to keep a record of name, position, PPS number and staff id, date of birth, salary and pension details – this is to be able to verify that a person was indeed a staff member should they require confirmation of same in the future or a transfer of service to another educational or public sector organisation and to administer retired staff pension payments and queries.
For students, we will keep their name, student ID, date of birth, programme of study and academic record indefinitely. Again this is to be able to verify that a student was registered on a programme of study and the level of qualification received and when awarded.
Information held on students / staff will be culled after they have completed their studies or left employment within the timeframe as set down in the Institutes records retention schedule for related records and thereafter the core details maintained indefinitely as noted above. For example finance related records (fees, claims etc) must be kept for a minimum of 7 years as per audit regulations.
The Institute must adhere to the rules of the National Archives’ Office for disposal and retention of records and various other administrative and legal requirements such as retention for audit purposes however the GDPR states that we cannot store any information for longer than it is required and therefore each domain of the Institute is responsible for the data that it collects for its own business reasons and what does not need to be retained indefinitely to be disposed of. Anonymised or pseudonomised data may be kept indefinitely for reference purposes only.
Where data is captured and required for specific reasons and does not need to be retained beyond a set timeframe then this data will be deleted as soon as its purpose has been served. An example of this would be where the Institute has generated an invitation list to an event – such as careers fair or open day – once the event has occurred then the list would be deleted as the purpose has concluded.
As mentioned earlier we are allowed by law to collect and process personal data for a range of reasons. We are also allowed to collect data for a specific reason and use it for another related purpose. This is because the Institute provides a wide range of services and it would be impractical for us to keep asking you for the same information over and over again. For example when you register as a student during the Admissions process you give us a lot of information which allows us to enter you on a programme of academic study. However we will use some of that information in our liaison with other Departments of the Institute to be able to provide further services to you such as Academic Schools, Student Services, Library, IT services and so on.
All our customers (Data Subjects) have rights under EU (GDPR) and Irish data protection legislation.
You are entitled to ask us for copies of any of your personal data that we have collected and stored. Such requests can be submitted in writing or by email to the Data Protection Office, Dundalk Institute of Technology, Dublin Road, Dundalk, Co Louth. You will appreciate that we may need to verify your identity before we deal with any request for copies of your personal data. Under GDPR we have one month to process requests.
The Institute will always try to make sure that the information that we hold on you is accurate and up to date. We may on occasion ask you to verify this information. If your information changes or you believe that we have information that is not up to date, please let us know. You are entitled to ask us to update any incorrect personal data that we may have in relation to you. Again we may ask for proof of identity before processing such a request. We cannot allow anyone else but you to update your personal data unless you have a fully authorised personal representative.
As noted previously the Institute has a records retention schedule that states that some data may be retained indefinitely for various reasons. Where data is held or required for ongoing administration purposes then this data will not be subject to erasure even if requested by the data subject. However, each business area of the Institute should only retain data for as long as is required for the specified purpose it was collected for. You have the right to request that business area to delete any information that you feel is not required for ongoing administration purposes.
The GDPR gives you the right to object to automated decision making by DkIT computer systems where there is a legal or significant impact on you as a customer. An automated decision is a decision which is made entirely by a computer without the intervention of an Officer of the Institute.
We do use a number of automated processes such as in Recruitment of new personnel using CORE HR/Payroll system or our Agresso creditors’ payment system. However, there is no situation where a customer (data subject) will receive a decision, communication or payment without the intervention of an Institute Officer. Automated systems used assist the manual work process already in place rather than replace it.
Data subjects have the right to request their data from one controller so that it can be given to another controller. This right is most relevant to organisations such as utilities, financial institutions etc with which you have a contract and where you may wish to seek to change provider or to get a better deal.
This right says that you can get your personal data in a structured commonly used machine readable format to pass on to another organisation. Should you request this from the Institute, we may have to ask for what specific data is required but we will try to generate for you if doable and provide the information as quickly as possible.
As a customer – student (prospective, current, past) staff member (prospective, current, past) service and goods provider, etc, we are obliged to let you know when your personal data may have been lost, destroyed or given to a person or organisation who shouldn’t have received it. The Institute has a range of security measures in place to protect personal data and it would be very rare that one person’s personal data would be sent to another person who is not a trusted recipient or where it would be lost or stolen. However in the unlikely event that a serious data breach happens, the Institute will write to you to confirm what happened and what part of your data was affected. We will inform the Data Protection Commission Office of the breach also.
If you have any queries with regard to this statement please contact the DPO at email@example.com
The Institute works hard to handle your data responsibly and we take our data protection responsibilities very seriously. If you are unhappy about the way we do this please contact the DPO who will attempt to address any concerns that you may have. However you also have the right to complain to the Data Protection Commission who can be contacted at:
You can make a request under any of these rights by contacting the Data Protection Office – contact details at beginning of this statement.
We may need to confirm your identity first as we cannot give your personal data to others. Once we have verified your identity and location of your data we will endeavour to get the information requested to you as soon as possible. However we have to respond to you within one month from verification of your identity and request. You should give as much information about yourself in your request to assist the Institute in locating your information and fulfilling your request as quickly as possible. For example if you are a former student, you should supply your name, your student ID (if known) your date of birth and the programme of study that you attended and the date(s) you attended the Institute.
For complex requests or where there are a large number of requests, we can extend our time to respond to you by two months but we must tell you we are going to do this within the first month together with the reason for the delay. If we are not going to respond to your request at all we must tell you this within the first month. If you make an electronic request we must respond to you electronically unless you prefer otherwise.
Anything we do in response to your request and information we give you will not incur a charge. If you make excessive requests for example the same one repeatedly, or your requests have no basis in fact we may either charge you a fee or refuse to act on it. A fee will not be applied where you have made a mistake such as a wrong location or date but we will not act on your request.
List of Primary and Secondary Legislation under which DkIT have the authority to collect personal data: