Data Protection Notice Procedure

Introduction

This document outlines the procedure to be followed by UCC Staff when providing a Data Protection Notice in order to meet the data protection principles of fairness and transparency.

What is a data protection notice?

When the University collects personal data, it has to make certain information available to the person to whom the data relates. This information must be provided via what is known as a Data Protection Notice, which is a statement by the University which describes how it will process people’s personal data. The University has general data protection notices in place for staff and students as well as a privacy statement on its website which covers much of the processing of personal data that takes place in the University. However, from time to time, you may need to collect personal data which is not covered by these central notices and you must then consider whether a separate notice is required.

Why do I need a data protection notice?

In order to process personal data about an individual, you must do so in a way that is fair and that meets the principles set out in the EU General Data Protection Regulation (GDPR). The principles require that personal data is processed in a transparent manner which means that individuals should be provided with specific information about how we use their personal data.  The principle of transparency is directly linked to the right to be informed in the GDPR.  This means that individuals have a right to be informed about the processing of their personal data including the purpose and the lawful basis for processing their data.

When should a data protection notice be provided?

If data is collected directly from an individual, we must provide individuals with a data protection notice at the point at which we collect their personal data from them.

If we obtain personal data from a source other than the individual it relates to, we must provide them with a data protection notice:

  • within a reasonable period of obtaining the personal data and no later than one month;
  • if we plan to communicate with the individual, at the latest, when the first communication takes place; or
  • if we plan to disclose the data to someone else, at the latest, when the data is disclosed.

 

How should a data protection notice be provided?

We must provide the information in a way that is: 

  • concise
  • transparent
  • intelligible
  • easily accessible and
  • uses clear and plain language.

 

The manner in which a data protection notice should be provided depends on the way in which the data will be collected. It is important to ensure that the information is accessible by individuals and that it is easy for them to understand how their data will be used. If you are collecting personal data via a form on a website, you could consider a layered approach whereby you include some bullet points with the important information alongside the web form and include a link to a more detailed privacy notice that individuals can access separately. You could also use a pop-up box that includes the same information and link to the detailed data protection notice.

If you are collecting data on a written form, then you could provide the individual with information either on a separate leaflet or embedded within the form, e.g. researchers generally provide information in a patient information leaflet which can be amended to incorporate the relevant privacy information.

If you are collecting information via an app or mobile device, then the use of icons, just-in-time notices/pop-ups may be helpful in providing the information in an easily visible, intelligible and clearly legible manner.

What information must a data protection notice include?

The following is a list of the information that must be provided to the data subjects when the data is collected directly from them:

The name and contact details of our organisation (the data controller)

Be specific, e.g. School of X, University College Cork.

The contact details of our data protection officer

 

Catriona O’Sullivan, Information Compliance Manager, University College Cork, CORK. T: +353 21 4903949 E: foi@ucc.ie.

The purpose(s) of the processing

Why you are collecting/using the data

The lawful basis for the processing (see UCC’s Data Protection Policy – section 5.1).

  • If ‘legitimate interests’ is the lawful basis for the processing, you must specify the legitimate interests pursued by UCC as the data controller or by a third party.
  • If ‘consent’ is the lawful basis for the processing, you must highlight the right to withdraw consent.

The recipients or categories of recipients of the personal data (if any).

Who you will disclose the data to

The details of transfers of the personal data to any third countries or international organisations outside of the European Economic Area (if applicable) and details of the safeguards in place.

The retention periods for the personal data

How long you will keep the data

The rights available to individuals in respect of the processing.

You must outline their rights to:

  • access their own personal data
  • rectification of their data
  • erasure
  • object to or restrict processing
  • data portability

The right to lodge a complaint with the Data Protection Commission and how to do it.

Refer to the Data Protection Commission’s website: www.dataprotection.ie

The details of whether individuals are under a statutory or contractual obligation to provide their personal data and the consequences of failure to supply it.

If applicable and if the personal data is collected from the individual it relates to.

The details of the existence of automated decision-making, including profiling, the logic and consequences it may have for the individual.

If applicable

 

If you obtain the data indirectly, e.g. from a third party, then you must provide the following information to the data subjects about whom the data has been collected, in addition to the information listed above:

Categories of personal data obtained

  • e.g. name and contact details, qualifications, etc.

The source of the personal data including data obtained from a public source

  • e.g. the name of an organisation who provided you with the data

 

Children

If you are developing a data protection notice for children, it will need to take into account the level of comprehension of the age groups concerned and tailor the notice accordingly.

 

Office of Corporate and Legal Affairs

1st Floor, East Wing, Main Quadrangle,
