About WIT Headers

Documents And PoliciesData Protection

Data Protection

General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) came into effect on May 25th 2018 and replaces the Data Protection Directive 95/46/EC. From this date, GDPR, in conjunction with specific Irish law, will give more rights to the individual and will place more obligations on Waterford Institute of Technology (WIT), in terms of accountability and transparency, when using and storing personal data.

In undertaking the business of WIT, staff create, gather, store and process large amounts of data on a variety of data subjects including students (potential, current and former), staff, third parties and members of the public. Our use of personal data ranges from CCTV footage, financial transactions with commercial customers through to the processing a student’s details throughout their journey, from application through to graduation.

Policies Relevant to Data Protection

WIT is in the process of reviewing and updating policies inline with GDPR. Please find some relevant documents below. This list is not exhaustive and additional policies will be added in due course.

 

 

 

GDPR What is GDPR?

The EU General Data Protection Regulation (GDPR) is here and requires Waterford Institute of Technology to comply with all regulations. It replaces the Data Protection Directive 95/46/EC. It has been designed to standardise data protection laws within the EU and to give greater power to data subjects.

The GDPR rules & regulations apply to all individuals the Institute proceses data on.

 

What it Means for WIT?

An enhancement of regulations around the current practice of data protection (see Processing Principles tab).

What are The Main Areas of Change?

  • Changes to consent requirements
  • Increased rights for data subjects
  • Increased obligations on organisations with regard to accountability and transparency 
  • Mandatory breach reporting to the Data Protection Commission within 72 hours
  • Ensuring any new projects where data is being processed are designed with data privacy in mind 
  • Administrative fines 

 

What is WIT Doing to Comply?

  • Raising Awareness through training & communications
  • Engaging in a review of policies, processes & privacy statements 
  • Updating website privacy & cookies
  • Employee Training

 

Where Can I Get Further Information About GDPR?

The Irish Data Protection Commission has created a specific website containing information on GDPR visit http://www.gdprandyou.ie or you can also visit http://www.dataprotection.ie 

Waterford Institute of Technology has established the following high level principles relating to Data Protection in order to comply with GDPR requirements.

  • Personal Data shall only be Processed fairly, lawfully and in a transparent manner (Principles of Lawfulness, Fairness and Transparency);
  • Personal Data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further Processed in any manner incompatible with those purposes (Principle of Purpose Limitation);
  • Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed (Principle of Data Minimisation);
  • Personal Data shall be accurate, and where necessary kept up to date (Principle of Accuracy);
  • Personal Data shall not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which the Personal Data are Processed  (Principle of Data Storage Limitation);
  • Personal Data shall be processed in a secure manner, which includes having appropriate technical and organisational measures in place to:
    • prevent and / or identify unauthorised or unlawful access to, or processing of, Personal Data; and
    • prevent accidental loss or destruction of, or damage to, Personal Data (Principles of Integrity and Confidentiality)

 

Under Article 15 of the GDPR regulation you have a right to access information held by WIT about you. In order to receive this information you must send a request in writing either via email to [email protected] or to The Data Protection Officer, Room TL2.54 Tourism & Leisure Building, Waterford Institute of Technology, Waterford.

You should provide any and all details which would help in progressing the request which might include Student/Staff ID, Company name or any other details relevant. You should be as precise as possible as to the the data you wish to access in order to ensure material is returned within the time limits as per the new legislation (20 days). There are some limited instances where there may be an extention of the timeframe as per GDPR regulations. See here for further details.

See below details of the Data Protection Officer

cp
 
Corina Power,
Data Protection Co-ordinator,
Room TL2.54 Tourism & Leisure Building,
Waterford Institute of Technology,
Waterford
[email protected], +353 51 302608

   pdf  Data Protection Act 2018 Full Text

   pdf  EU General Data Protection Regulation Full Text 

   pdf  Compendium of Data Protection Acts 1998 & 2003

Photo Consent

We take and use photos and videos at the institute all the time. They are an important part of our activity but we also need to ensure that when we use someone’s image (where they are the subject of or central to the photo or video being taken), we have permission to do so. Below you will find some advice and consent forms for adults and under 18s.

pdf Advice when taking photos or video

wordWIT Photo & Video consent form

wordWIT Photo & Video consent form for under 18s

Practical Tips & Resoruces

Things to Help With GDPR Compliance

Advising Data Subjects About How You Will Use Thier Data

Approved Data Protection Impact Assessment Template

How GDPR Changes The Rules For Research IAPP Article

Health Research Decision Tree - Consent

If you cannot find an answer to your question below please contact us [email protected] or call 051 302608

What is Personal Data?

According to GDPR personal data means any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, using one or more pieces of information.

What types of data are covered?

Any type of record created by an employee or a person acting on behalf of the organisation which contains personal data including but not limited to email, video, handwritten material(including entries in a diary), audio recordings, social media posts, class lists etc.

Relevant Definitions in GDPR

Personal Data

Information which relates to a living individual who is identifiable either directly from the data itself or from the data in conjunction with other information.

Examples of personal data include, but are not limited to:

Name, email, address, phone number
The contents of an individual student file or HR file
A staff appraisal assessment
Details about lecture attendance or course work marks
Notes of personal supervision, including matters of behaviour and discipline
Results of an interview panel 
Specific details about a student/staff illness
Bank/Payroll details of a staff member
 
Sensitive Personal Data

Sensitive Personal Data (or Special Categories of Personal Data) relates to specific categories of data which are defined as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life, criminal convictions or the alleged commission of an offence; trade union membership.

Data Controller

A data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Data Processor

A data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Processing Data

Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms ‘Process’ and ‘Processed’ should be construed accordingly.

Consent

Means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her. In this context, “signifies” means that there must be some active communication between the parties. Thus, a mere non-response to a communication from the Institute cannot constitute Consent.

Personal Data Breach

GDPR defines a “personal data breach” in Article 4(12) as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”  Examples of personal data breaches include:

Loss or theft of data or equipment
Inappropriate access controls allowing unauthorised use
Equipment failure
Unauthorised disclosure (e.g. email sent to the incorrect recipient)
Human error
Hacking attack

The Data Protection Commissioner must be notified without undue delay and not later than 72 hours after becoming aware of the breach.

Data Retention

Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. Once information is no longer needed it should be disposed of securely. Retention periods are set based on good practice guidance and on a legal basis.

What are my rights under GDPR?

The GDPR gives data subjects the right to access personal information held about them by the Institute. The purpose of a subject access request is to allow individuals to confirm the accuracy of personal data and check the lawfulness of processing to allow them to exercise rights of correction or objection if necessary. However, individuals can request to see any information that Waterford Institute of Technology holds about them which includes copies of email correspondence referring to them or opinions expressed about them.

Data subjects have a number of rights under GDPR. These include:

Right of Access;
Right to Rectification;
Right to Erasure (sometimes referred to as the Right to be Forgotten, this is not absolute);
Right to Restriction of Processing;
Right to Data Portability;
Right to Object to Direct Marketing;
Right to Object to Automated Decision Making, including Profiling. 

Any requests made to invoke any of the rights above must be dealt with promptly and in any case within one month of receiving the request. Members of staff should consult the Data Protection Officer for all data requests.

How do I make an access request?

Under Article 15 of the GDPR regulation you have a right to access information held by WIT about you. In order to receive this information you must send a request in writing either via email to [email protected] or to The Data Protection Coordinator, Room TL2.54 Tourism & Leisure Building, Waterford Institute of Technology, Waterford. You should provide any and all details which would help in progressing the request which might include Student/Staff ID, Company name or any other details relevant. You should be as precise as possible as to the data you wish to access in order to ensure material is returned within the time limits as per the new legislation (1 month). There are some limited instances where there may be an extention of the timeframe as per GDPR regulations. See here for further details.

See below details of the Data Protection Coordinator

Corina Power
Data Protection Coordinator
Room TL2.54 Tourism & Leisure Building,
Waterford Institute of Technology,
Waterford
data [email protected], +353 51 302608

What are the exemptions under which access can be refused?

There are some instances where a data access request can be refused. According to the Data Protection Act 2018 these are:

  • to safeguard cabinet confidentiality, judicial independence and court proceedings, parliamentary privilege, national security, defence and the international relations of the State
  • for the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties
  • for the administration of any tax, duty or other money due or owing to the State, a local authority or other public authority or body
  • in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure
  • for the enforcement of civil law claims, including matters relating to any liability of an organisation in respect of damages, compensation or other liabilities or debts related to the claim, or
  • For the purposes of estimating the amount of the liability of an organisation on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the interests of the organisation in relation to the claim.

 

In addition, an access request may be refused if the data is:

  • considered part of an expression of interest
  • likely to cause you serious mental or physical harm in the opinion of a medical practitioner 
  • seen to safe guard certain aspects of public interest 
  • likely to affect the rights of others

 

For more information on your rights you can consult the following Rights of Individuals under the GDPR produced by the Data Protection Commissioners office.