Data protection notice
From Department of Further and Higher Education, Research, Innovation and Science
Published on
Last updated on
When processing your data, the Department of Further and Higher Education, Research, Innovation and Science follows the General Data Protection Regulation (GDPR) principles of:
This department uses appropriate measures to make sure that our processing of your personal data meets the higher standards of the GDPR. These measures allow us to demonstrate that we meet these standards. We consider the nature, scope, context and purposes of our data processing. We also consider the risks that this processing might create to the rights and freedoms of individuals, and the likelihood and severity of these risks.
The department will:
The information provided will include information about personal data collected both directly from the data subject and from other sources.
The department follows best practice to protect the confidentiality, integrity and availability of its information processing systems and services.
Our data protection officer oversees how we collect, use, share and protect your information to make sure your rights are protected.
Find out how to request access to your data (subject access request).
Please note, since the establishment of the Department of Further and Higher Education, Research, Innovation and Science, we have had a shared-services arrangement with the Department of Education.
The GDPR came into effect on 25 May 2018. It gives individuals greater control over their data by setting out extra and more clearly defined rights for individuals whose personal data is collected and processed by organisations. The GDPR also imposes equivalent extra duties on organisations that collect this data.
The purpose of the Data Protection Act 2018 (‘the Act’) is to:
The GDPR has direct effect on EU citizens, meaning you can rely on the GDPR in court even where there is no national law in place. The GDPR allows national governments limited flexibility, which is provided for in Part 3 of the Act.
The Data Protection Commission's website explains the rights and responsibilities under the Data Protection Acts. Information is also available from the Data Protection Commissioner's office.
Personal data means any information about a living person who is identified or ‘identifiable’ (recognisable) in the data.
A data subject is an identified or identifiable living person.
A person is identifiable if they can be identified directly or indirectly using an identifier.
Examples of identifiers include:
A person may also be identifiable by factors specific to their identity, such as physical, genetic or cultural factors.
Specific types of sensitive personal data have extra protection under the GDPR. These are listed under Article 9 of the GDPR as ‘special categories’ of personal data. The first type of special category is personal data revealing:
The other types are:
Processing of these special categories is prohibited, except in limited circumstances set out in Article 9.
There are six legal bases on which personal data may be processed:
Many of the department’s processing activities are carried out as tasks in the public interest or in the exercise of official authority to the extent that such processing is necessary and proportionate for:
The policy of the department is to include a privacy statement on any forms which we may use to collect personal data as part of a processing activity. The statement will provide information on the main purposes for collecting the personal data and whether the data is being shared with any other organisations. The statement will include a link to a more detailed privacy notice, which will provide more details on the processing activity.
The department uses a privacy notice to provide details on each processing activity it undertakes that involves personal data. It will include:
The privacy notice will also include information on data subject rights and how they can be exercised.
Personal data should be retained for no longer than is necessary for the purposes or purpose for which it is being processed. As the department is subject to the National Archives Act, 1986, records with personal data may have to be retained for archiving where there is no disposal order from the National Archives in place with respect to that category or record.
A data controller refers to a person, company, or other body which determines the purposes and means of processing of personal data.
A data processor refers to a person, company, or other body which processes personal data on behalf of a data controller.
The term 'processing' refers to any operation or set of operations performed on personal data.
Processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data, and can involve automated or manual operations.
Data sharing is where personal data is shared between two data controllers. The sharing of data is required to have a legal basis and to be transparent.