GDPR / Data Protection FAQs

This page is a summary guide to some of the most common Data Protection questions raised by UCC staff. For more detailed advice, please refer to the Information Compliance webpages (see www.ucc.ie/en/gdpr and www.ucc.ie/en/ocla/comp/data/ 

 

COVID-19 FAQs re Data Protection:

How do I work securely when working remotely?

 

Data Protection Officer:

Who is UCC's Data Protection Officer (DPO)?

 

About GDPR:

What are the key changes that GDPR has brought?

What are the principles of GDPR?

Does the GDPR apply to data the University already holds?

 

Personal Data:

What is personal data?

What’s different about Sensitive Personal Data/Special Categories of Personal Data?

Are email addresses considered to be “personal data”?

 

Data Controllers and Data Processors:

What does “processing” mean?

What is the difference between a Data Controller and a Data Processor?

 

Rights under GDPR:

Rights for the individual

Can data subjects request their own data under GDPR as they do currently?

What other rights do individuals have?

 

Photographs and Videos:

Are videos and photographs of people regarded as personal data?

Can I post photographs of my staff on the UCC website without their consent?

 

Data Security Breaches:

What is a Personal Data Security Breach?

What do I do if I discover a Personal Data Security Breach?

 

Disclosing personal data:

What if a parent or guardian of a student contacts me to request their son or daughter’s personal data (e.g. exam results, registration details, attendance at lectures)?

If a student is under 18 years of age, can I release information to a parent or guardian without the student’s permission?

In an emergency situation, can I disclose personal data without consent?

What if I want to email more than one student at a time?

Can I share personal data with colleagues in the course of performing University functions?

 

Records Management:

How long should I keep records?

How do I dispose of redundant personal data?

Is anonymous data subject to data protection legislation?

Why am I being asked to complete a spreadsheet for the Register of Personal Data?

 

Data Protection Notices:

What is a ‘Data Protection Notice’?

When do I need to give a Data Protection Notice?

What information do I need to provide in a Data Protection Notice?

 

Consent:

What are the new rules around consent?

Where we have acquired consent to process data in the past, do we need to seek consent again?

 

Data Protection Impact Assessments (DPIAs):

What is a Data Protection Impact Assessment (DPIA)?

Do I need to conduct a Data Protection Impact Assessment for existing systems?

What is UCC doing about DPIAs?

 

Contact:

Who do I contact if I have any queries about GDPR/Data Protection?

 

Who is UCC's Data Protection Officer? 

The Data Protection Officer for UCC is:

Catriona O'Sullivan
Information Compliance Manager
Office of Corporate & Legal Affairs
University College Cork 

Telephone: +353 (0)21 4903949

Email: gdpr@ucc.ie 

 

What is GDPR?

GDPR stands for General Data Protection Regulation. It came into force across the European Union on the 25^th May 2018.  It replaced the previous Data Protection Acts 1988 and 2013 and is supplemented by the Irish Data Protection Acts, 1988-2018.

While many of the main concepts and principles of GDPR are similar to those in the previous legislation, the GDPR introduces new elements and significant enhancements which UCC is required to accommodate. See UCC's GDPR website for further details: https://www.ucc.ie/en/gdpr

 

What are the key changes that GDPR has brought?

Details of the key changes are on UCC’s GDPR website: https://www.ucc.ie/en/gdpr/keygdprchanges/

 

What are the principles of GDPR?

The University is responsible for, and must be able to demonstrate, compliance (“accountability”) with the following Data Protection Principles: 

Personal data shall be:

• Processed lawfully, fairly and in a way that is transparent to the data subject (“lawfulness, fairness and transparency”);
• Collected, created or processed only for one or more specified, explicit and lawful purpose (“purpose limitation”);
• Adequate, relevant and limited to what is necessary for those purposes (“data minimisation”);
• Kept accurate and, where necessary, up-to-date (“accuracy”);
• Retained no longer than is necessary (“storage limitation”);
• Kept safe and secure (“integrity and confidentiality”)

 

Does the GDPR apply to data the University already holds?

Yes. All processing of personal data (including the ongoing storage of data) is covered by the GDPR. 

 

What is personal data?

The GDPR defines personal data as: "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity." Examples of personal data include, names, addresses, photographs, videos, ID numbers, DNA, examination results, CVs, etc.

See https://www.ucc.ie/en/gdpr/gdproverview/scopeofgdpr/

 

What is Sensitive Personal Data or Special Categories of Personal Data?

Certain types of sensitive personal data are subject to additional protection under GDPR. These are listed under Article 9 of the GDPR AS "special categories" of personal data. They were known as "sensitive personal data" under the old legislation. The special categories of personal data are:

• personal data revealing racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• genetic data and biometric data processed for the purpose of uniquely identifying a natural person;
• data concerning health;
• data concerning a natural person's sex lilfe or sexual orientation.

Processing of these special catagories is prohibited, except in limited circumstances set out in Article 9 of the GDPR.

Data relating to criminal convictions and offences, whilst not listed as a “special category”, has its own rules in the legislation.

 

Are email addresses considered to be “personal data”?

Yes – if an individual can be identified from the address then it is their personal data.

 

What does “processing” mean?

The term "processing" is very broad. It essentially means anything that is done to, or with, personal data (including simply collecting, storing or deleting the data).

The GDPR defines data processing as: "any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction."

 

What is the difference between a Data Controller and a Data Processor?

A data controller is a person or organisation who controls the contents and use of personal data (e.g. the University is a data controller for the personal data it processes in relation to its staff and students. i.e. it decides what it will do with the data).

A data processor is a third party who processes personal data on behalf of a data controller (e.g. companies which provide services to the University, such as storage of records or destruction of confidential records, are data processors as they are performing this task/processing the data on behalf of the University).

Note: employees of the data controller who process personal data in the course of their employment are NOT regarded as ‘Data Processors’.

 

Can data subjects request their own data under the GDPR as they can do currently?

Yes. Under GDPR, the time frame for providing the information has been reduced from 40 days to one calendar month.

 

What other rights do individuals have?

While many of the main concepts and principles of GDPR are much the same as those in our current Data Protection Acts, GDPR introduces new elements and significant enhancements to individuals’ rights: 

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

See: UCC's Data Subject Rights Procedure
Data Subject Rights Procedure

 

Are videos and photographs of people regarded as personal data?

Yes. If a video or photograph contains images of identifiable individuals, then it is regarded as personal data relating to those individuals. Sometimes images may contain sensitive / special categories of personal data (e.g. racial origin, sexual orientation, etc.) so extra rules apply to the processing of such data.

 

Can I post photographs of my staff on the UCC website without their consent?

A photograph of a person constitutes their personal data and therefore any use of that photograph must be in accordance with the Data Protection Acts. Staff should be informed of all such uses that will be made of their image and given an opportunity to object to such use.

 

What is a Personal Data Security Breach?

A personal data security breach is any event that has the potential to affect the confidentiality, integrity or availability of personal data held by the University in any format. Personal data security breaches can happen for a number of reasons, including:

• the disclosure of confidential data to unauthorised individuals
• loss or theft of data or equipment on which data is stored
• loss or theft of paper records
• inappropriate access controls allowing unauthorised use of information
• suspected breach of the University’s IT security and Acceptable Use policies
• attempts to gain unauthorised access to computer systems, e.g. hacking
• records altered or deleted without authorisation by the data “owner”
• viruses or other security attacks on IT equipment systems or networks
• breaches of physical security e.g. forcing of doors or windows into secure room or filing cabinet containing confidential information
• confidential information left unlocked in accessible areas
• leaving IT equipment unattended when logged-in to a user account without locking the screen to stop others accessing information
• emails containing personal or sensitive information sent in error to the wrong recipient.

 

What do I do if I discover a Personal Data Security Breach?

If you discover a data security breach (or a potential breach), inform your Head of Department/Unit straight away. The Head should contact the Information Compliance Manager by email at gdpr@ucc.ie without delay.  Heads should complete part 1 of the Data Breach Report Form and email it to gdpr@ucc.ie.  See Personal Data Breach Report Form

Note: GDPR introduces mandatory breach notifications. This means that all breaches must be reported by the Information Compliance Manager to the Data Protection Commission (DPC), typically within 72 hours, unless the data was anonymised or encrypted. In practice this means that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned. It is worth noting that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself. Therefore, it is vital to act quickly!

 

What if a parent or guardian of a student contacts me to request their son or daughter’s personal data (e.g. exam results, registration details, attendance at lectures)?

You should not release that data unless you have the written consent of the student to do so.

 

If a student is under 18 years of age, can I release information to a parent or guardian without the student’s permission?

Although those under 18 are regarded as minors under the law, they still have the right under the Data Protection Acts for information about them not to be disclosed without their consent or as otherwise permitted by the Data Protection Acts. This means that the University is not able to give information to parents or guardians regarding the student's progress, results or any other personal circumstances unless the student has given their specific consent or such disclosure would otherwise be in accordance with the Data Protection Acts.

 

In an emergency situation, can I disclose personal data without consent?

Personal data may be processed on the basis that it is necessary to protect the "vital interests" of the data subject (this essentially applies in "life‑or-death" scenarios). Under GDPR, the “vital interests” processing condition can extend to other individuals (e.g. children of the data subject).

 

What if I want to email more than one student at a time?

If you are emailing more than one student at a time, you should always use the “Bcc” option to avoid sharing students’ personal data (i.e. their email addresses) with other students.

 

Can I share personal data with colleagues in the course of performing University functions?

Yes – but make sure that you only share personal data with colleagues who need to know it.

 

How long should I keep records?

The Data Protection legislation does not specify timelines for records retention. However, UCC has a Records Management Policy and is presently updating records retention schedules for all areas. These set out retention periods and disposal actions for records held in each area. For further information, contact the University Archivist (archives@ucc.ie).

 

How do I dispose of redundant personal data?

Follow the Standard Operating Procedure (SOP) for the Disposal of Redundant Personal Data

Is anonymous data subject to data protection legislation?

Fully anonymised data is not personal data and therefore is not subject to the Data Protection Acts/GDPR. However, pseudonomised data (e.g. where a person’s name is replaced by a reference number or code) is personal data and the Data Protection Acts apply.

 

What is a ‘Data Protection Notice’?

Being fair and transparent and providing accessible information to individuals about how you will use their personal data is a key element of the Data Protection Acts and the GDPR. The most common way to provide this information is in a Data Protection Notice (also known as a ‘Privacy Notice’).  

The University has published data protection notices for Students, Staff and Alumni which cover most of the processing activities of the University:

• Student Data Protection Notice
• Staff Data Protection Notice
• Alumni & Supporters Data Protection Notice

Where your processing activities are NOT covered by these notices, you may have to develop your own notice (or inform the Information Compliance Manager about the processing you are carrying out so that it can be incorporated into the existing notices). Please contact the Information Compliance Manager before developing your own notice.

 

When do I need to give a Data Protection Notice?

A Data Protection Notice should be provided at the point at which the data is collected from a person (e.g. when they are completing a form).

If you get the data from another source (i.e. not from the person that the information relates to):

• you must provide a notice at least one month after obtaining the data
• if you use the data to communicate with the individual, you must give them a notice when you first contact them
• if you plan to disclose the data to another person/body, you must provide a data protection notice when the data is first disclosed.

 

What information do I need to provide in a Data Protection Notice?

Data Protection Notices must contain specific information (set out in the legislation) which informs data subjects of:

• who is collecting the data (e.g. Department of X, University College Cork)
• why it is being collected
• what legal basis is being relied upon to process the data
• how it will be processed
• how long it will be kept for
• who it will be disclosed to
• what rights people have in relation to their own data
• the right to lodge a complaint with the Data Protection Commission
• the existence of automated decision making, including

A Template Data Protection Notice is available on the GDPR website (www.ucc.ie/en/gdpr).

 

Why am I being asked to complete a spreadsheet for the Register of Personal Data?

Article 30 of the GDPR makes it a responsibility on organisations to maintain a record of all personal data processed by the organisation. We have to document our data processing activities in order to demonstrate that we comply with GDPR. In order for the University to create such a register it is vital that we’re able to determine what personal data is held across the University, and the legal basis that allows its processing.

 

What are the rules around consent?

The GDPR sets a high bar for consent and the GDPR has been designed to give data subjects more control over how their data is used. Some of the most important elements of consent under GDPR are:

• Consent requires a positive opt-in
• The notions of having to opt-out of pre-ticked boxes or any other method of consent by default are not allowed
• Consent needs to be explicit
• We need to be specific, clear and concise with regard to what people are consenting to
• We need to be granular, rather than asking for blanket consent to cover a number of different things.
• Consent should not be a pre-condition of accessing a service
• People should be able to withdraw their consent at any time easily
• We need to retain records of what people have consented to, and consent should be regularly refreshed.

 

Where we have acquired consent to process data in the past, do we need to seek consent again?

Where we already use consent under the Data Protection Acts, we do not need to obtain fresh consent, as long as it meets the standards required by the GDPR. Therefore, all current processing that uses consent should be reviewed to ensure it meets the GDPR requirements. Note: you cannot use the data for another purpose unless you seek the consent of the data subjects.

 

What is a Data Protection Impact Assessment (DPIA)?

Data Protection Impact Assessments (DPIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and reputational damage which might otherwise occur. DPIAs are an integral part of taking a ‘privacy by design’ approach, and are mandatory under the GDPR for processing that is likely to result in a high risk to the rights of data subjects.

 

Do I need to conduct a Data Protection Impact Assessment for existing systems?

It is not mandatory to conduct a DPIA for existing systems but it may help to do one to identify risks and demonstrate compliance with GDPR.

 

What is UCC doing about DPIAs?

UCC has developed a procedure and template, aligned with the University's Risk Management methodology in consultation with the University Risk Manager and the functional areas who are likely to need to perform DPIAs. For further information see https://www.ucc.ie/en/gdpr/procedures/dataprotectionimpactassessmentprocedure/ or contact Catriona O'Sullivan, Information Compliance Manager (Data Protection Officer) at gdpr@ucc.ie or phone +353 (0)21 4903949.