- Back to Data Protection
- GDPR Overview
- Key GDPR Changes
- Data Protection Notice
- UCC's GDPR Project
- Individual Rights
- Data Security Breaches
- Privacy by Design & Default
- Data Protection Impact Assessments (DPIA's)
- Frequently Asked Questions
- Training and Resources
- Data Protection Policy
Student Data Protection Notice
Student Data Protection Notice
- Who we are
- How we collect your personal data
- How we use your personal data
- Our legal basis for using your personal data
- Personal data provided by you about others
- Who we share your personal data with
- How long we will keep your data
- Keeping your data up-to-date
- Your rights
- Questions or complaints
- Revisions to this notice
At University College Cork, we treat your privacy seriously. Any personal data (i.e. information that can be used to identify you as an individual) which you provide to the University will be treated with the highest standards of security and confidentiality, in accordance with Irish and European Data Protection legislation and the University’s Data Protection Policy. This notice explains how the University collects, uses and shares personal data relating to prospective, current and former students of University College Cork (“you”). It also explains your rights under data protection law in relation to our processing of your data.
Throughout this Notice, “we”, “us”, “our” and “the University” refers to University College Cork.
The personal data that the University holds about you is generally collected directly from you but some information may also be received from third parties including:
- admissions bodies (for example, the Central Applications Office (CAO) and the Postgraduate Applications Centre (PAC);
- other third level institutions (e.g. where you are transferring from those bodies to UCC, where you are a visiting student, where you are applying for a postgraduate course or where you are participating in a joint programme (e.g. with Cork Institute of Technology));
- health and other professional bodies;
- linked education providers;
- agents and recruiters.
The University processes personal data relating to its students for administrative and other purposes necessary for the management and functioning of the University. Primarily, the University processes your personal data during the course of your application, admission and registration, for assessment/examinations, fee collection, IT administration and library administration, on your graduation and at the end of your studies for archival and alumni relations purposes (upon graduation, the Student Records & Examinations Office will automatically transfer your student record to the University’s Development and Alumni Office). This data may, in some cases, include “special categories of data” (as defined in the Data Protection Acts) where it is necessary for the University to collect and process such data.
The University also processes your personal data for the following purposes:
- SMS text messaging system: The University operates an SMS text messaging system which gives certain University offices the option to communicate with students quickly and comprehensively. As a registered student, you will be automatically added to the list to receive texts regarding University related information. This may include, for example, notification of cancelled lectures, reminders relating to your examination, details regarding your library loans, reminders about outstanding fees. If you do not wish to receive text alerts from us, you can opt out of this. Regardless of the foregoing, the University will send a text message in the event of an emergency;
- Publication and acknowledgement of awards: Unless you ask us not to, students and graduates’ names and awards are publicly acknowledged at University ceremonies and published in conferring booklets and other University publications;
- To administer the awarding of scholarships and prizes;
- To support grant applications;
- Photographs/video recordings of University events: The University may take photographs and video recordings of University events such as conferring ceremonies. Such images/recordings may include individual or group shots which may be published or included in video/broadcasts on the University’s website. The University will seek to give advance notice of this whenever possible by, for example, making announcements, placing visible notices in the relevant area or advertising on University notice boards so that those who do not want to participate can avoid being recorded and avoid the area(s) if they wish. In addition, where the University wishes to process images featuring students for promotional purposes, the consent of the students involved will be sought in advance;
- Lecture capture system: The University operates a campus-wide lecture capture system which enables lecturers to record video, audio and presentation material from their lectures as well as audio of questions from students/attendees. The University will seek to give lecture attendees advance notice of any such recording by placing visible notices in the relevant areas and making oral announcements at the start of the lecture;
- To manage insurance/personal accident claims;
- To monitor equal opportunities, to produce University reports using summarised statistics (e.g. Athena Swan) and to comply with other statutory reporting requirements;
- To ensure that the digital services provided by the University are performant, reliable, secure and to support appropriate IT incident resolution;
- The administration of examination appeals and the mitigation process;
- To administer appeals, complaints, grievances, disciplinary matters and matters relating to conduct and suspected breach of examination regulations/plagiarism;
- To communicate with you where necessary and to provide communications about University news and events;
- To provide wellbeing and support services, including disability support services (where you choose to access disability services, your consent will be sought before we process personal data relating to your disability);
- To meet health and safety obligations;
- To operate a CCTV system to protect the security of the University property and premises.
Under data protection law, we are required to ensure that there is an appropriate legal basis for the processing of your personal data, and to let you know what that basis is.
We process your personal data for the purposes outlined in this notice in pursuit of our legitimate interests in managing the University and providing you with the education and support services required during the course of your studies.
Whilst we rely on legitimate interest as the legal basis for processing where this is not overridden by the interests and rights or freedoms of the data subjects concerned, we recognise that it is not the only lawful ground for processing data. As such, where appropriate, we will sometimes process your data on an alternative legal basis – for example, because you have given us consent to do so.
You may provide us with personal data about other individuals, for example, next of kin/emergency contact details and information about your family circumstances and dependents. You should notify the relevant person that you are providing their contact details to us.
In addition to cases where the University is required or permitted by law to disclose your personal data to others, the University may disclose your personal data in connection with the purposes referred to above. These include, but are not limited to:
- Funding bodies, research sponsors, industry funders and other agencies that support, sponsor or otherwise have a valid interest in your education;
- Other institutions and agencies if you go on a placement or study with them;
- Where authorised by you, Officials of UCC’s clubs, societies and student union so that they can communicate with you about UCC related activities;
- The Higher Education Authority (HEA) (see the HEA’s Student Data Collection Notice http://hea.ie/about-us/data_protection/);
- Irish Survey of Student Engagement (ISSE);
- Providers of academic and other services to the University (who are obliged to keep your data safe and secure), which may also include, but is not limited to, wholly/majority owned subsidiaries of the University;
- Debt recovery agencies should you fall into arrears of payment to the University;
- National University of Ireland (NUI);
- Student Universal Support Ireland (SUSI) for grant eligibility purposes;
- Examination Boards and External Examiners;
- Government departments where required (e.g. Department of Education and Skills, Department of Employment Affairs and Social Protection, Revenue);
- Potential employers (where you have requested us to provide a reference);
- Mardyke Arena (for the purpose of membership verification);
- The University’s insurance brokers and providers where required for administering claims;
- Professional and regulatory bodies where programmes are accredited by such bodies;
- Pension administrators;
- External auditors;
- Other higher education institutions, partners or research organisations to or from which a student transfers or pursues an exchange programme or where a student’s programme is being run collaboratively;
- UCC Students’ Union to facilitate student elections;
- Plagiarism detection service providers (e.g. Turnitin) to ensure academic standards;
- Potential employers/recruitment companies for verification of qualifications.
Where we use third parties to process personal data on our behalf (acting as data processors), a written contract will be put in place to ensure that any personal data shared will be held in accordance with the requirements of data protection law and that such data processors have appropriate security measures in place in relation to your personal data.
The University sometimes needs to communicate and share personal data worldwide in the course of its business and transfers personal data to countries outside the European Economic area. The University will only do so on the understanding that we rely on legally approved mechanisms to lawfully transfer data across borders, including the Standard Contractual Clauses approved by the European Commission.
The University may share your personal data between different internal departments for operational reasons where necessary and proportionate for the purposes intended. Some of the personal data that the University holds, such as health details, is known as ‘special category data’ or ‘sensitive personal data’. In addition to the normal standards of confidentiality, we carefully control access to sensitive personal data within the University so that it is only available to those staff who require it to perform their duties.
As the University considers students, even if they are not yet 18 years of age, to have the maturity to give consent for the use of their data, in normal circumstances, the University will not disclose personal data to the parents, guardians or other representatives of a student without the student’s consent. The University’s preference is to receive written consent from the student where possible by way of email from from the student's Umail account. Without such consent the University will not release any details regarding students including details of their registration, attendance, fee payments etc. However, there may be exceptional circumstances, for example, in the case of potential danger to the health or well-being of a student or if a representative such as a solicitor has written to the University making it clear that they are acting on behalf of the student.
In keeping with the data protection principles we will only store your data for as long as is necessary. For the purposes described here we will store your data in accordance with the University’s Record Retention Schedules.
The Data Protection Acts require that personal data about individuals is accurate and kept up-to-date. It is important therefore that you update your personal details regularly (e.g. your postal address, mobile phone number). You can update your details via the student portal (https://www.ucc.ie/en/sit/) or by contacting the Student Records and Examinations Office by emailing firstname.lastname@example.org.
You have various rights under data protection law, subject to certain exemptions, in connection with our processing of your personal data, including the right:
- to find out if we use your personal data, to access your personal data and to receive copies of your personal data;
- to have inaccurate/incomplete information corrected and updated;
- in certain circumstances, to have your details deleted from systems that we use to process your personal data or have the use of your personal data restricted in certain ways;
- to object to certain processing of your data by UCC;
- to exercise your right to data portability where applicable (i.e. obtain a copy of your personal data in a commonly used electronic form);
- where we have relied upon consent as a lawful basis for processing, to withdraw your consent to the processing at any time;
- to not be subject to solely automated decision;
- to request that we stop sending you direct marketing communications.
If you wish to avail of any of these rights, please write to the Information Compliance Manager either by email (email@example.com) or by post (The Information Compliance Manager, University College Cork, 4 Carrigside, College Road, Cork).
If you have any queries or complaints in connection with our processing of your personal data, you can contact UCC’s Information Compliance Manager: Information Compliance Manager, Office of Corporate & Legal Affairs, University College Cork, Western Road, Cork E: firstname.lastname@example.org Tel: +353 (0)21 4903949.
You also have the right to lodge a complaint with the Data Protection Commission if you are unhappy with our processing of your personal data. Details of how to lodge a complaint can be found on the Data Protection Commission’s website (www.dataprotection.ie), or by telephoning 1890 252 231.
Please note the University may revise this data protection notice from time to time. Any changes will be posted on the following website https://www.ucc.ie/en/gdpr/dataprotectionnotice/ so you should periodically check this website to review the most recent notice.
Version 1.0 (Approved 25/07/2018. Last revised: 25/07/2018)