Frequently Asked Questions
GDPR / Data Protection FAQs
This page is a summary guide to some of the most common Data Protection questions raised by UCC staff. For more detailed advice, please refer to the Information Compliance webpages (see www.ucc.ie/en/gdpr and www.ucc.ie/en/ocla/comp/data/).
GDPR stands for General Data Protection Regulation. It is a new regulation which comes into force across the EU on 25th May 2018. It will replace the current EU data protection laws and be supplemented by the Irish Data Protection Acts 1988 and 2018.
While many of the main concepts and principles of GDPR are similar to those in our current Data Protection Acts, GDPR introduces new elements and significant enhancements which UCC is required to accommodate. See UCC’s GDPR website for further details: https://www.ucc.ie/en/gdpr
Details of the key changes are on UCC’s GDPR website: https://www.ucc.ie/en/gdpr/keygdprchanges/
The University is responsible for, and must be able to demonstrate, compliance (“accountability”) with the following Data Protection Principles:
Personal data shall be:
- Processed lawfully, fairly and in a way that is transparent to the data subject (“lawfulness, fairness and transparency”);
- Collected, created or processed only for one or more specified, explicit and lawful purpose (“purpose limitation”);
- Adequate, relevant and limited to what is necessary for those purposes (“data minimisation”);
- Kept accurate and, where necessary, up-to-date (“accuracy”);
- Retained no longer than is necessary (“storage limitation”);
- Kept safe and secure (“integrity and confidentiality”).
Does the GDPR apply to data the University already holds?
Yes. After 25 May 2018, all processing of personal data (including the ongoing storage of data) will be covered by the GDPR.
The GDPR defines personal data as: "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity." Examples of personal data include names, addresses, photos, video, ID numbers, DNA, IP addresses, job titles, etc.
The GDPR defines a subset of personal data as Special Categories of Personal Data (previously known as “sensitive personal data”), namely information concerning:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade Union membership
- Genetic or biometric data
- Physical or mental health
- Sexuality or sex life
The rules regarding Special Category Data are stricter.
Are email addresses considered to be “personal data”?
Yes – if an individual can be identified from the address then it is their personal data.
The term "processing" is very broad. It essentially means anything that is done to, or with, personal data (including simply collecting, storing or deleting the data).
The GDPR defines data processing as: "any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction."
A data controller is a person or organisation who controls the contents and use of personal data (e.g. the University is a data controller for the personal data it processes in relation to its staff and students, i.e. it decides what it will do with the data).
A data processor is a third party who processes personal data on behalf of a data controller (e.g. companies which provide services to the University, such as storage of records or destruction of confidential records, are data processors as they are performing this task/processing the data on behalf of the University).
Note: employees of the data controller who process personal data in the course of their employment are NOT regarded as ‘Data Processors’.
Yes. Under GDPR, the time frame for providing the information has been reduced from 40 days to one calendar month.
While many of the main concepts and principles of GDPR are much the same as those in our current Data Protection Acts, GDPR introduces new elements and significant enhancements to individuals’ rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
See: https://www.ucc.ie/en/gdpr/individualrights/ for further information.
Yes. If a video or photograph contains images of identifiable individuals, then it is regarded as personal data relating to those individuals. Sometimes images may contain sensitive / special categories of personal data (e.g. racial origin, sexual orientation, etc.) so extra rules apply to the processing of such data.
A photograph of a person constitutes their personal data and therefore any use of that photograph must be in accordance with the Data Protection Acts. Staff should be informed of all such uses that will be made of their image and given an opportunity to object to such use.
A personal data security breach is any event that has the potential to affect the confidentiality, integrity or availability of personal data held by the University in any format. Personal data security breaches can happen for a number of reasons, including:
- the disclosure of confidential data to unauthorised individuals
- loss or theft of data or equipment on which data is stored
- loss or theft of paper records
- inappropriate access controls allowing unauthorised use of information
- suspected breach of the University’s IT security and Acceptable Use policies
- attempts to gain unauthorised access to computer systems, e.g. hacking
- records altered or deleted without authorisation by the data “owner”
- viruses or other security attacks on IT equipment, systems or networks
- breaches of physical security, e.g. forcing of doors or windows into a secure room or filing cabinet containing confidential information
- confidential information left unlocked in accessible areas
- leaving IT equipment unattended when logged-in to a user account without locking the screen to stop others accessing information
- emails containing personal or sensitive information sent in error to the wrong recipient.
If you discover a data security breach (or a potential breach), inform your Head of Department/Unit straight away. The Head should contact the Information Compliance Manager without delay (email: firstname.lastname@example.org telephone: 021 4903949). Heads should complete part 1 of the Data Breach Report Form and email it to email@example.com (see data security breach procedures).
Note: GDPR introduces mandatory breach notifications. This means that all breaches must be reported by the Information Compliance Manager to the Data Protection Commission (DPC), typically within 72 hours, unless the data was anonymised or encrypted. In practice this means that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned. It is worth noting that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself. Therefore, it is vital to act quickly!
You should not release that data unless you have the written consent of the student to do so.
Although those under 18 are regarded as minors under the law, they still have the right under the Data Protection Acts for information about them not to be disclosed without their consent or as otherwise permitted by the Data Protection Acts. This means that the University is not able to give information to parents or guardians regarding the student's progress, results or any other personal circumstances unless the student has given their specific consent or such disclosure would otherwise be in accordance with the Data Protection Acts.
Personal data may be processed on the basis that it is necessary to protect the "vital interests" of the data subject (this essentially applies in "life‑or-death" scenarios). Under GDPR, the “vital interests” processing condition can extend to other individuals (e.g. children of the data subject).
If you are emailing more than one student at a time, you should always use the “Bcc” option to avoid sharing students’ personal data (i.e. their email addresses) with other students.
Yes – but make sure that you only share personal data with colleagues who need to know it.
The Data Protection legislation does not specify timelines for records retention. However, UCC has a Records Management Policy and is presently updating records retention schedules for all areas. These set out retention periods and disposal actions for records held in each area. For further information, contact the University Archivist (firstname.lastname@example.org).
Fully anonymised data is not personal data and therefore is not subject to the Data Protection Acts/GDPR. However, pseudonymised data (e.g. where a person’s name is replaced by a reference number or code) is personal data and the Data Protection Acts apply.
Being fair and transparent and providing accessible information to individuals about how you will use their personal data is a key element of the Data Protection Acts and the GDPR. The most common way to provide this information is in a Data Protection Notice (also known as a ‘Privacy Notice’).
A Data Protection Notice should be provided at the point at which the data is collected from a person (e.g. when they are completing a form).
If you get the data from another source (i.e. not from the person that the information relates to):
- you must provide a notice no later than one month after obtaining the data
- if you use the data to communicate with the individual, you must give them a notice when you first contact them
- if you plan to disclose the data to another person/body, you must provide a data protection notice when the data is first disclosed.
Data Protection Notices must contain specific information (set out in the legislation) which informs data subjects of:
- who is collecting the data (e.g. Department of X, University College Cork)
- why it is being collected
- what legal basis is being relied upon to process the data
- how it will be processed
- how long it will be kept for
- who it will be disclosed to
- what rights people have in relation to their own data
- the right to lodge a complaint with the Data Protection Commission
- the existence of automated decision making, including
Template Data Protection Notices will be made available on the GDPR website (www.ucc.ie/en/gdpr).
Article 30 of the GDPR places a responsibility on organisations to maintain a record of all personal data processed by the organisation. We have to document our data processing activities in order to demonstrate that we comply with GDPR. In order for the University to create such a register it is vital that we are able to determine what personal data is held across the University, and the legal basis that allows its processing.
The GDPR sets a high bar for consent and is designed to give data subjects more control over how their data is used. Some of the most important elements of consent under GDPR are:
- Consent requires a positive opt-in
- Pre-ticked boxes, opt-out mechanisms or any other method of consent by default are not allowed
- Consent needs to be explicit
- We need to be specific, clear and concise with regard to what people are consenting to
- We need to be granular, rather than asking for blanket consent to cover a number of different things.
- Consent should not be a pre-condition of accessing a service
- People should be able to withdraw their consent at any time easily
- We need to retain records of what people have consented to, and consent should be regularly refreshed.
Where we already use consent under the Data Protection Acts, we do not need to obtain fresh consent, as long as it meets the standards required by the GDPR. Therefore, all current processing that uses consent should be reviewed to ensure it meets the GDPR requirements. Note: you cannot use the data for another purpose unless you seek the consent of the data subjects.
Privacy by Design means that organisations need to consider privacy at the initial design stages and throughout the complete development process of new products, processes or services that involve processing personal data.
Privacy by Default means that when a system or service includes choices for the individual on how much personal data he/she shares with others, the default settings should be the most privacy friendly ones.
For further details, see UCC’s GDPR website: https://www.ucc.ie/en/gdpr/privacybydesigndefault/
Data Protection Impact Assessments (DPIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and reputational damage which might otherwise occur. DPIAs are an integral part of taking a ‘privacy by design’ approach, and are mandatory under the GDPR for processing that is likely to result in a high risk to the rights of data subjects.
It is not mandatory to conduct a DPIA for existing systems but it may help to do one to identify risks and demonstrate compliance with GDPR.
Contact the Information Compliance Manager by email at email@example.com