The General Data Protection Regulation ("GDPR") came into force across the European Union on 25th May 2018 and, along with the Data Protection Act 2018, replaces the Data Protection Act 1998.
The purpose of the GDPR and DPA is to enhance and strengthen the protections afforded to individuals' rights and freedoms, especially their right to privacy with respect to the processing of personal data.
Due to the nature of its business, Ulster University is required to hold and process, both electronically and manually, large amounts of personal data.
The GDPR and DPA provide a framework to ensure that personal information processed and stored by the University, whether in hard copy or electronic format, is handled properly both on and off campus.
The University is committed to the six data protection principles contained within the GDPR. These principles represent best standards of practice with respect to the transmission, retention and disposal of Personal Data. All staff, students and others who process or use any personal data must comply with these principles.
- Lawfulness, fairness and transparency - Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes).
- Data minimisation - Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy - Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted.
- Retention - Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes).
- Integrity and confidentiality - Personal data must be processed securely, including being protected against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures.
Lawful Basis for Processing
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interests
Under Article 77 of the GDPR, an individual has the right to make a complaint if they feel their personal information has not been handled by the University in accordance with the GDPR. A complaint may be submitted in writing to the Data Protection Officer, Clare Jamison, or by email to firstname.lastname@example.org
Alternatively, a complaint may be made to the Office of the Information Commissioner.
Data Subject Rights
An individual has the following rights (all of which are qualified in different ways):
- Competitions Privacy Notice
- Corporate Events Privacy Notice
- Development and Alumni Relations Privacy Notice
- Student Privacy Notice
- CHERP Privacy Notice
Use of Personal Data by Processors and other Data Sharing Arrangements
Where a processor (for example, a consultant or contractor) is engaged by the University on work that requires the processing of personal data, the University remains the controller of that personal data. Such organisations will be required to provide sufficient guarantees to demonstrate that they have arrangements in place to comply with the requirements of the GDPR and DPA and of this policy, and that the rights of data subjects are protected.
Whenever the University uses a processor it must have a written contract in place.
In line with this policy, a Third Party Processing Agreement must be used when engaging such processors (or alternatively, duplicate provisions can be included within the corresponding "main contract" as appropriate).
A template Agreement and guidance in relation to its use are available; for further information please email email@example.com
- Template Third Party Processing Agreement (with guidance notes)
- Template Third Party Processing Agreement (clean version)
It should be noted that Processors must only act on the documented instructions of the University as the controller.
The processor will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they do not comply.
It should be noted that Personal Data Processing arrangements (as outlined above) form only one category of data sharing.
There are 3 broad categories, including the sharing of personal data with another data controller to be used for joint purposes and also the passing of personal data to a data controller for it to use for its own purposes. Further guidance and template documents as required for use in relation to such data sharing arrangements are available upon request from the Office of the University Secretary by emailing firstname.lastname@example.org
There are restrictions imposed on the University by the GDPR when transferring personal data outside the European Economic Area (EEA).
These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined. Personal data can only be transferred outside of the EEA in compliance with the conditions for transfer set out in Chapter 5 of the GDPR.
Transferring personal data outside of the EEA is a complex process which requires a strict procedure to be followed in order for such transfer to be lawful. For further guidance in this regard, please contact the Office of the University Secretary by emailing email@example.com