General Data Protection Regulation (GDPR)
St. Angela’s College needs to collect and use personal data (information) about its staff, students and other individuals who come into contact with the College. The purposes of processing data include the organisation and administration of courses, examinations, research activities, the recruitment and payment of staff, compliance with statutory obligations, etc.
Data Protection law safeguards the privacy rights of individuals in relation to the processing of their personal data. The EU General Data Protection Regulation (GDPR), effective May 2018, confers rights on individuals as well as responsibilities on those persons processing personal data.
Personal data, both automated and manual, are data relating to a living individual who is or can be identified, either from the data or from the data in conjunction with other information.
Purpose of this Policy
This policy is a statement of St. Angela’s College's commitment to protect the rights and privacy of individuals in accordance with the GDPR.
Scope of this Policy
This policy applies to all personal data created or received in the course of College business in all formats, of any age. It applies to all locations where personal data is held by St Angela’s College. Personal data may be held or transmitted in paper, physical and electronic formats or communicated verbally in conversation or over the telephone. All staff, students and third parties engaged with St Angela’s College and processing personal data are subject to the provisions of the Data Protection Policy.
Definition of Personal Data
Personal data is any information that can identify an individual person. This includes a name, an ID number, location data (for example, location data collected by a mobile phone) or a postal address, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
Special Categories of Data (previously known as sensitive personal data) can only be processed under specific circumstances as outlined in Article 9 of the regulations.
The special categories are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health
- Data concerning a person’s sex life or sexual orientation
- Genetic data
- Biometric data
Data Protection Principles
St. Angela’s College undertakes to perform its responsibilities under the legislation in accordance with Article 5 of the GDPR as follows:
- Obtain and process information lawfully, fairly and in a transparent manner: St Angela’s College obtains and processes personal data fairly and in accordance with its statutory and other legal obligations.
- Keep it only for one or more specified, explicit and lawful purposes: St Angela’s College keeps personal data for purposes that are specific, lawful and clearly stated. Personal data will only be processed in a manner compatible with these purposes.
- Use and disclose it only in ways compatible with these purposes: St Angela’s College only uses and discloses personal data in circumstances that are necessary for the purposes for which it collects and keeps the data.
- Keep it safe and secure: St Angela’s College takes appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of data and against accidental loss or destruction.
- Keep it accurate, complete and up-to-date: St Angela’s College operates procedures that ensure high levels of data accuracy, completeness and consistency.
- Ensure it is adequate, relevant and not excessive: Personal data held by St Angela’s College are adequate, relevant and not excessive in data retention terms.
- Retain for no longer than is necessary: St Angela’s College has a policy on retention periods for personal data.
Lawfulness of Processing
There are six available lawful bases for processing personal data. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
The lawful bases are:
- Consent: the individual has given clear consent for St Angela’s College to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract St Angela’s College has with the individual, or because they have asked St. Angela’s College to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for St Angela’s College to comply with the law (not including contractual obligations). St. Angela’s College will rely primarily on this lawful basis for processing personal data as necessary for and connected with the performance of its statutory objects and functions, under the Universities Act and related legislation.
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for St. Angela’s College to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for St. Angela’s College’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
St. Angela’s College will decide which lawful basis applies depending on the specific purposes and the context of the processing. It will consider which lawful basis best fits the circumstances. More than one basis may apply; however, no one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR.
Rights of Data Subjects
Individuals have the following rights over the way:
Right to erasure (right to be forgotten)
Individuals have the right to have their personal data deleted where St. Angela’s College no longer has any justification for retaining it, subject to exemptions such as the use of pseudonymised data for scientific research.
Right to restriction of processing
Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, St. Angela’s College is permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing and St. Angela’s College must respond within one calendar month.
Right to data portability
Where it is technically feasible, individuals have the right to have a readily accessible, machine-readable copy of their data transferred or moved to another data controller where St. Angela’s College is processing their data based on their consent and if that processing is carried out by automated means.
Right to object
Individuals have the right to object to processing or restrict the processing of their personal data if:
- The processing is based on public interest or in order to pursue a legitimate interest;
- The personal data was processed unlawfully;
- You need the personal data to be deleted in order to comply with a legal obligation.
Right not to be subject to automated individual decision-making, including profiling
In certain circumstances individuals can object to profiling and automated decision making.
Information Technology and Data Protection
The College has established IT policies and procedures to safeguard essential services, protect the privacy of students and staff, and comply with contractual requirements and legislation.
Personal Data Security Breaches
A personal data security breach is any event that has the potential to affect the confidentiality, integrity or availability of personal data held by the College in any format.
Under GDPR the College, through the Data Protection Officer (DPO), is required to report data breaches to the Data Protection Commissioner within 72 hours from the time of becoming aware of the Data Breach.
The College, as data controller, is expected to respond promptly and appropriately to data security breaches, including all relevant reporting obligations. It is vital to take prompt action in the event of any actual, potential or suspected breach of data security or confidentiality to avoid the risk of harm to individuals, damage to operational business or severe financial, legal and reputational costs to the College.
St. Angela’s College has developed a Personal Data Security Breach Report Form to deal with data breaches efficiently and effectively and to minimise the consequences of any breach for the rights and freedoms of the data subjects whose data are in the care of St. Angela’s College.
Responsibility
St. Angela’s College has overall responsibility for ensuring compliance with GDPR legislation when it is the Data Controller of personal data. However, all employees and students of St. Angela’s College who separately collect and/or control the content and use of personal data are individually responsible for compliance with the legislation.
The Data Protection unit provides support, assistance, advice, and training to all departments and offices to ensure that they are in a position to comply with GDPR.
Procedures and Guidelines
St. Angela’s College is firmly committed to ensuring personal privacy and compliance with GDPR, including the provision of best practice guidelines and procedures in relation to all aspects of Data Protection.
Review of Policy
This Policy will be reviewed regularly in light of any legislative or other relevant developments.
Contact
If you have any queries relating to the processing of your personal data for the purposes outlined above or you wish to make a request in relation to your rights, you can contact the Data Protection Unit by email firstname.lastname@example.org or telephone +353 719195502.