Data protection notice

When processing your data, the Department of Further and Higher Education, Research, Innovation and Science follows the General Data Protection Regulation (GDPR) principles of:

• transparency
• accountability
• security

This department uses appropriate measures to make sure that our processing of your personal data meets the higher standards of the GDPR. These measures allow us to demonstrate that we meet these standards. We consider the nature, scope, context and purposes of our data processing. We also consider the risks that this processing might create to the rights and freedoms of individuals, and the likelihood and severity of these risks.

The department will:

• provide notices of the required information to you at the time that your personal data is collected
• make sure that the information provided is detailed and specific
• make sure that these notices are understandable and accessible.

The information provided will include information about personal data collected both directly from the data subject and from other sources.

The department follows best practice to protect the confidentiality, integrity and availability of its information processing systems and services.

Our data protection officer oversees how we collect, use, share and protect your information to make sure your rights are protected.

Request your data

Find out how to request access to your data (subject access request).

Please note, since the establishment of the Department of Further and Higher Education, Research, Innovation and Science, we have had a shared-services arrangement with the Department of Education.

The GDPR came into effect on 25 May 2018. This gives individuals greater control over their data by setting out extra and more clearly-defined rights for individuals whose personal data is collected and processed by organisations. The GDPR also imposes equivalent extra duties on organisations that collect this data.

The purpose of the Data Protection Act 2018 (‘the Act’) is to:

• create the Data Protection Commission, to supervise and enforce improved data protection standards efficiently
• give further effect to the GDPR
• 'transpose' (integrate) the separate Law Enforcement Directive into national law

The GDPR has direct effect on EU citizens, meaning you can rely on GDPR in court even where there is no national law in place. The GDPR allows national governments limited flexibility which is provided for in Part 3 of the Act.

The Data Protection Commission's website explains the rights and responsibilities under the Data Protection Acts. Information is also available from the Data Protection Commissioner's office.

Personal data

Personal data means any information about a living person who is identified or ‘identifiable’ (recognisable) in the data.

Data subject

A data subject is an identified or identifiable living person.

Identifiers

A person is identifiable if they can be identified directly or indirectly using an identifier.

Examples of identifiers include:

• names
• identification numbers
• location data

A person may also be identifiable by factors specific to their identity, such as physical, genetic or cultural factors.

Special categories

Specific types of sensitive personal data have extra protection under the GDPR. These are listed under Article 9 of the GDPR as ‘special categories’ of personal data. The first type of special category is personal data revealing:

• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership

The other types are:

• genetic data
• biometric data processed to uniquely identify a natural person
• data about health
• data about a natural person’s sex life or sexual orientation

Processing of these special categories is prohibited, except in limited circumstances set out in Article 9.

There are six legal bases on which personal data may be processed:

• Consent
• Contract
• Legal obligation
• To protect the vital interests of the data subject or another
• Task done in the public interest or in the exercise of official authority given to the data controller
• Legitimate interest (this doesn’t apply to the performance of public tasks but may apply to organisational specific tasks such as operation of CCTV for security or for the safety of our staff)

Many of the department’s processing activities are carried out as tasks in the public interest or in the exercise of official authority to the extent that such processing is necessary and proportionate for:

• the performance of a function of the minister conferred by or under an enactment of the constitution
• an administration by or on behalf of the minister of any non-statutory scheme, programme or funds where the legal basis for such administration is a function of the minister conferred by or under an enactment or by the constitution

The policy of the department is to include a privacy statement on any forms which we may use to collect personal data as part of a processing activity. The statement will provide information on the main purposes for collecting the personal data and whether the data is being shared with any other organisations. The statement will include a link to a more detailed privacy notice, which will provide more details on the processing activity.

A privacy notice is used by the department to provide details on each processing activity undertaken, which involves personal data. It will include:

• purpose
• legal basis
• source of the personal data where is has not been obtained from the data subject directly (often the department as part of its functions will have received the data via a school or other educational organisation)
• storage period
• persons or organisation to whom the data or part of the data may be disclosed to and why

The privacy notice will also include information on data subject rights and how they can be exercised.

Personal data should be retained for no longer than is necessary for the purposes or purpose for which it is being processed. As the department is subject to the National Archives Act, 1986 records with personal data may have to be retained for archiving where there is no disposal order from the National Archives in place with respect to that category or record.

A data controller refers to a person, company, or other body which determines the purposes and means of processing of personal data.

A data processor refers to a person, company, or other body which processes personal data on behalf of a data controller.

The term 'processing' refers to any operation or set of operations performed on personal data.

Processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data, and can involve automated or manual operations.

Data sharing is where personal data is shared between two data controllers. The sharing of data is required to have a legal basis and to be transparent.