GDPR at Ulster University
The General Data Protection Regulation ("GDPR") came into force across the European Union on 25th May 2018 and along with the Data Protection Act 2018, replaces the Data Protection Act 1998.
The purpose of the GDPR and DPA is to enhance and strengthen the protections afforded to individuals' rights and freedoms, especially their right to privacy with respect to the processing of personal data.
Due to the nature of business at Ulster University it is required to hold and process, both electronically and manually, large amounts of personal data.
The GDPR and DPA provide a framework to ensure that personal information processed and stored by the University, whether in hard copy or electronic format, is handled properly both on and off campus.
The University is committed to protecting the rights of individuals in accordance with the provisions of the General Data Protection Regulation (GDPR) and Data Protection Act (DPA).
The aims of this Policy are to set out the University’s strategy for ensuring compliance with the GDPR and DPA, to ensure that all staff, students or third party Processors engaged by the University, are aware of their rights and responsibilities under the GDPR and DPA and to minimize the risk to the University of any potential breach of the GDPR or DPA. A breach of the GDPR or DPA could result in damaging valued relationships with stakeholders as well as causing reputational damage to the University and the individual.
This Policy relates to all Personal Data as defined by the GDPR held by the University and applies equally to information held in paper and electronic format stored in hard files, on PCs, laptops and other fixed or portable data storage devices. The Policy also applies to photographic material and CCTV footage.
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the Processing of personal data. The University is a data Controller.
"Data Subject" means an identified or identifiable natural person about whom Personal Data is held. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, ID number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the University, Data Subjects include current, past and present students and staff (including affiliated and visiting staff), and other third parties such as suppliers, contractors, consultants or referees.
"Personal Data" means any information relating to a Data Subject. It includes, by way of example only, name, date of birth, images and photographs.
"Processing" means any operation which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
"Special Categories of Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning physical or mental health or data concerning a person’s sex life or sexual orientation.
The University Secretary, Mr Eamon Mullan, is the University's designated Data Protection Officer. The Data Protection Officer has the primary responsibility for coordinating Data Protection compliance across the University, including reporting, and is the ultimate arbitrator within the University in respect of Data Protection matters.
The Data Protection Officer is supported by the Policy Coordinator and they are the first point of contact for queries and advice on responsibilities and compliance under the GDPR and DPA; for requests and objections by Data Subjects, including Subject Access Requests; and for liaising with the ICO and other agencies where appropriate. Contact details are provided below.
In addition, the Vice-Chancellor, Deputy Vice-Chancellors, Chief Operating Officer, Deans, Provosts, Heads of School, Research Institute Directors and Directors/Heads of Professional Services Departments all play a key role in assisting the University's Data Protection Office and are responsible for having in place appropriate procedures to ensure compliance with the GDPR and DPA within their areas of responsibility across the University. These officers have nominated suitable representatives (Data Protection Nominees) who have undertaken specialist data protection training and work with the Data Protection Officer and Policy Coordinator to respond to requests and objections by Data Subjects including Subject Access Requests and in relation to implementation and dissemination of good practice. Contact details are provided below.
GDPR Contacts Department Staff Member Data Protection Officer Eamon Mullan Legal Services Manager Alison Kerr Policy Coordinator Elinor Byrden
The University is committed to the six data protection principles contained within the GDPR. These principles represent best standards of practice with respect to the transmission, retention and disposal of Personal Data. All staff, students and others who process or use any personal data must comply with these principles.
- Lawfulness, fairness and transparency - Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes).
- Data minimisation - Personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
- Accuracy - Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted.
- Retention - Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes).
- Integrity and confidentiality - Personal data must be processed securely, including being protected against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures.
Lawful Basis for Processing
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interests
Under Article 77 of the GDPR, an individual has the right to make a complaint if they feel their personal information has not been handled by the University in accordance with the GDPR. A complaint may be submitted in writing to the Data Protection Officer, Mr Eamon Mullan, or by email to firstname.lastname@example.org
Alternatively, a complaint may be made to the Office of the Information Commissioner
Data Subject Rights
An individual has the following rights (all of which are qualified in different ways):
Use of Personal Data by Processors and other Data Sharing Arrangements
Where a processor, including for example, consultants or contractors are engaged by the University on work that requires the processing of personal data, the University remains the controller of that personal data and these organisations will be required to provide sufficient guarantees to demonstrate that they have arrangements in place to comply with the requirements of the GDPR and DPA, this policy and that the rights of data subjects are protected. Whenever the University uses a processor it must have a written contract in place.
In line with this policy, a Third Party Processing Agreement must be used when engaging such processors (or alternatively, duplicate provisions can be included within the corresponding "main contract" as appropriate. A template Agreement and guidance in relation to its use is available and for further information please email email@example.com
- Template Third Party Processing Agreement (with guidance notes)
- Template Third Party Processing Agreement (clean version)
It should be noted that Processors must only act on the documented instructions of the University as the controller. The processor will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they do not comply.
It should be noted that Personal Data Processing arrangements (as outlined above) form only one category of data sharing. There are 3 broad categories, including the sharing of personal data with another data controller to be used for joint purposes and also the passing of personal data to a data controller for it to use for its own purposes. Further guidance and template documents as required for use in relation to such data sharing arrangements are available upon request from the Office of the University Secretary by emailing firstname.lastname@example.org
There are restrictions imposed on the University by the GDPR when transferring personal data outside the European Economic Area (EEA). These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined. Personal data can only be transferred outside of the EEA in compliance with the conditions for transfer set out in Chapter 5 of the GDPR.
Transferring personal data outside of the EEA is a complex process which requires a strict procedure to be followed in order for such transfer to be lawful. For further guidance in this regard, please contact the Office of the University Secretary by emailing email@example.com