The Department of Education when processing your data or that of your child adheres to the principles of transparency, accountability and security of the General Data Protection Regulation. This department has put in place appropriate technical and organisational measures in order to ensure – and to be able to demonstrate – that our processing of your personal data is in compliance with the higher standards of the General Data Protection Regulation (GDPR), having regard to the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity that might arise therefrom for the rights and freedoms of individuals.
The department’s Data Protection Policy sets out the steps to be taken by the Department of Education when processing personal data.
The GDPR provides the following rights for individuals:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure/right to be forgotten
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
The Data Protection Commissioner has prepared a Guide to the Rights of Individuals under the General Data Protection Regulation (GDPR)
The department will provide the required information to you at the time personal data is collected. The department will ensure that the information provided is detailed and specific, and that such notices are understandable and accessible. In order to balance the requirements above, the department may implement appropriate policies to make information available on its website or from schools and other educational organisations. The information provided will include information about personal data collected both directly from the data subject and from other sources.
The department has taken steps to ensure it provides greater transparency in how it processes your personal data for specific processing activities. Please see a high level summary privacy notice for the processing activities which take place within the department. More specific privacy notices for the various processing activities undertaken by this department can be found here.
The department follows best practice in order to protect the confidentiality, integrity and availability of its information processing systems and services.
Our Data Protection Officer oversees how we collect, use, share and protect your information to ensure your rights are fulfilled. You can contact our Data Protection Officer at
The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. This gives individuals greater control over their data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations. The GDPR also imposes corresponding and greatly increased obligations on organisations that collect this data.
The purpose of the Data Protection Act, 2018 is to give further effect to the GDPR, to transpose the separate Law Enforce Directive into national law and to establish the Data Protection Commission with the means to supervise and enforce enhanced data protection standards in an efficient manner. The GDPR which as an EU Regulation has direct effect does allow national governments a limited margin of flexibility which are provided for in Part 3 of the Act.
The Data Protection Commission's Website offers an explanation of the rights and responsibilities under the Data Protection Acts and information is also available from
The term “personal data” means any information relating to a living person who is identified or identifiable (such a person is referred to as a “data subject”).
A person is identifiable if they can be identified directly or indirectly using an “identifier”. The GDPR gives examples of identifiers, including names, identification numbers, and location data. A person may also be identifiable by reference to factors which are specific to their identity, such as physical, genetic or cultural factors.
Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The special categories are: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation. Processing of these special categories is prohibited, except in limited circumstances set out in Article 9.
There are six different legal bases on which personal data may be processed:
Many of the Department’s processing activities are carried out as tasks in the public interest or in the exercise of official authority to the extent that such processing is necessary and proportionate for:
The policy of the Department is to include a privacy statement on any forms which we may use to collect personal data as part of a processing activity. The statement will provide information on the main purposes for collecting the personal data and whether the data is being shared with any other organisations. The statement will include a link to a more detailed privacy notice, which will provide more details on the processing activity.
A Privacy Notice is used by the Department to provide details on each processing activity undertaken, which involves personal data. It will include the following information:
The Privacy Notice will also include information on Data Subject rights and how they can be exercised.
Personal data should be retained for no longer than is necessary for the purposes or purpose for which it is being processed. As the Department is subject to the National Archives Act, 1986 records with personal data may have to be retained for archiving where there is no disposal order from the National Archives in place with respect to that category or record.
A data controller refers to a person, company, or other body which determines the purposes and means of processing of personal data.
A data processor refers to a person, company, or other body which processes personal data on behalf of a data controller
The term “processing” refers to any operation or set of operations performed on personal data. Processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data, and can involve automated or manual operations.
Data sharing is where personal data is shared between two data controllers. The sharing of data is required to have a legal basis and to be transparent.