General Data Protection Regulation (GDPR)
Student Data – Privacy Notice
This Privacy Notice explains how the Connacht Ulster Alliance (CUA) Institutes (Galway Mayo Institute of Technology, Institute of Technology, Sligo, and Letterkenny Institute of Technology) collect, use and share your personal data to provide a service which allows candidates to use an online RPL application tool to apply for advanced entry to a higher education programme and/or gain exemptions from programme modules. This Privacy Notice concerns our processing of personal data of past, present and prospective students of the CUA Institutes and your rights in relation to the personal data we hold.
The Institute is the data controller of all personal data that it holds and processes and is subject to the Data Protection Acts 1998 and 2003 and to the General Data Protection Regulation (GDPR) from 25 May 2018.
Types of Information Collected
The CUA Institutes may obtain, hold and process the personal data of students including personal details, education and training records, and employment information.
Data relating to student names, email addresses, institute/department/programme of study are mandatory on the RPL Site. Other data relating to student residential addresses, student profile images, interests etc are optional.
The following types of personal data may be collected:
- Name, contact information (address, email address, telephone numbers), date of birth, nationality and country of domicile
- Information relating to education and training records
- Information relating to employment to include character references
How we Collect Information
Personal data and sensitive personal data held by the CUA Institutes relating to applicants is obtained directly from the student or applicant with their consent.
Personal data may be collected directly from applicants who provide information to the Institute expressing an interest in becoming a student, and/or through the application or registration processes.
Purpose of Collecting Information
The RPL Assessment Tool holds the personal data of its students in order to implement and manage all services and processes relating to student access to programmes in CUA Institutes. Only information required for these purposes is obtained and processed, and without it the Institutes may not be able to provide the RPL Assessment service. Information is passed between various sections of the Institute for operational reasons as is necessary and proportionate for intended purposes.
We may use information collected for the following purposes;
- Admission and Registration
- Research and Statistical Analysis
- Safety and wellbeing of students
- To enable effective communication with you
- To provide information to organisations such as the HEA in line with legal and government requirements
- To comply with statutory reporting requirements
- To administer voluntary surveys of student opinion about your experience of the RPL Assessment process
- To create and publish print & electronic material (e.g. prospectus, brochures, website, etc) for promotional and archival purposes
- To assist with law enforcement or where required or authorised by law
- To confirm the details of your academic achievements, and for statistical and historical purposes, a core record of your studies is retained indefinitely
- To enable our continued contact with you after you complete your studies (e.g. survey of graduate work destinations, alumni networks, marketing, etc)
- To respond to requests for information made under data protection legislation.
Basis for Processing Information & Sharing your Data with Third Parties
CUA Institutes process student data through the RPL site as applicant e-portfolios are received and assessed. This process determines an applicant’s eligibility for entry into relevant programmes.
Application data associated with the CUA Institutes is only available to the CUA Institute that the candidate has applied for RPL assessment. Application data is used for assessment purposes and to process the candidates’ registration on a programme with the CUA Institute.
CUA Institutes may contract a third-party service provider to maintain the RPL assessment system. This requires them to provide backend services, such as database programming and database cleaning within the RPL site. Any third parties contracted to access the database tool have signed a Non-Disclosure Agreement.
The CUA Institutes may disclose student’s personal data and sensitive personal data/special category data to external agencies to which it has obligations or a legitimate reason.
If you would like an up-to-date register of all our third-party service providers, please contact: firstname.lastname@example.org, email@example.com, or Letterkenny Institute of Technology directly and we will be happy to provide it.
Individuals whose personal data and sensitive personal data/special category data is held by the Institute have the following rights regarding their data:
- The right to be informed
- The right to request access to their personal data held by the Institute.
- The right to rectification – to have inaccurate or incomplete personal data rectified.
- The right to erasure of personal data – this will only apply where there is no legitimate reason for the Institute to continue to process the personal data. If you exercise your right to erasure, we will retain a core set of personal data which, for alumni, will include: name, subject(s) studied, graduation details, date of birth and unique identification number so that we do not contact you inadvertently in future, and to maintain your education details for archive purposes. We may also need to retain some financial records about you
- The right to restrict the processing of personal data – individuals have the right to block the processing of their personal data by the Institute in specific situations.
- The right to data portability – students have the right to request provision of some elements of their information (for example academic progress details) in digital form in order to provide it to other organisations.
- The right to object – students can object to the processing of their personal data by the Institute in certain circumstances, including the sending and receipt of direct marketing material.
- The right to object to automated decision making and profiling – individuals have the right to object to decisions taken by automatic means without human intervention in some circumstances.
Where the processing of personal data or sensitive personal data/special category data is based on the consent of the student, they have the right to withdraw their consent at any time by contacting the department or service who obtained that consent or the Institute’s Data Protection Officer.
If a student is unhappy with the Institute’s handling of their personal data or believes that the requirements of the Data Protection Acts or GDPR may not be fully complied with, they should contact the Institute’s Data Protection Officer in the first instance. The Institute’s formal complaint procedure can be invoked if appropriate, and they also have the right to submit a complaint to the Data Protection Commissioner.
Data Storage & Retention
The purpose of processing the personal data is to document prior learning and recognise this for entry to relevant programmes and exemptions from modules. Your personal information is stored securely in-line with GDPR compliance requirements.
Personal data may be deleted at an individual’s request; however, it is necessary to retain some personal data (e.g. a student’s qualification) collected in the RPL process indefinitely in the event a person returns at a future stage to add to their RPL profile. If you exercise your right to erasure, we will retain a core set of personal data which, for applicants, will include name, programme applied for, and assessment record to maintain your application details for archive purposes.
We will always respect a request by you to stop contact by any or all methods of communication, or for any specific purpose.
Accessing Information held about You
Under Section 3 of the Data Protection Acts, you have a right to find out, free of charge, if a person (an individual or an organisation) holds information about you. You also have a right to be given a description of the information and to be told the purpose(s) for holding your information.
You must make the request in writing. The person must send you the information within 21 days.
Under Section 4 of the Data Protection Acts, 1988 and 2003, you have a right to obtain a copy, clearly explained, of any information relating to you kept on computer or in a structured manual filing system or intended for such a system by any entity or organisation.
All you need to do is write to the Data Protection Officer at the Institute and ask for it under the Data Protection Acts.
Your request could read as follows:
Dear Data Protection Officer. I wish to make an access request under Section 4 of the Data Protection Acts 1988 and 2003 for a copy of any information you keep about me, on computer or in manual form in relation to.... (Fill in as much information as possible to assist the Institute to locate the data that you are interested in accessing).
You may be asked for evidence of your identity. This is to make sure that personal information is not given to the wrong person. You may be asked to pay a fee, but this cannot exceed €6.35.
Once you have made your request, and paid any appropriate fee, you must be given the information within 40 days.
Are there any exceptions to the right of access?
Yes. Sections 4 & 5 of the Data Protection Acts set out a small number of circumstances in which your right to see your personal records can be limited. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand. For example, you do not have a right to see communications between the Institute and our legal advisors, where that communication would be subject to legal privilege in court. The right of access to medical data and social workers' data is also restricted in some very limited circumstances, where the health and mental well-being of the individual might be affected by obtaining access to the data. Your right to obtain access to examination results and to see information relating to other people is also curtailed. Further details on these points can be obtained at: "Access Rights and Responsibilities - A guide for Individuals and Organisations".