1.1 The National College of Ireland is referred to in this Privacy Statement as “NCI”, “us” or “we”. This Privacy Statement provides details of how and why we Process Personal Data in line with our obligations under Data Protection Law. This statement applies to all individuals whose Personal Data is Processed by NCI except for NCI staff who should refer to NCI’s Staff Data Processing Notice, which is available on request from NCI’s Data Protection Officer (see section 15 below for contact details).

2.1 The purpose of this Privacy Statement is to explain what Personal Data we Process and how and why we Process it. In addition, this Privacy Statement outlines our duties and responsibilities regarding the protection of such Personal Data. 

2.2 This Privacy Statement is not an exhaustive statement of our data protection practices or policies. The manner in which we Process Personal Data will evolve over time and we will update this Policy from time to time to reflect changing practices and changes to the law. In addition, we operate a number of other workplace policies and procedures which inter-relate with this Privacy Statement, including the following: 

(a) Data Protection Policy; 

(b) Data Retention Policy; 

(c) Website Privacy Statement; and 

(d) Staff Data Processing Notice. 

2.3 In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Privacy Statement by reference into notices used at various points of data capture when collecting Personal Data (e.g. application forms, website forms etc.).

3.1 When NCI determines the purposes and means of the Processing of Personal Data it acts as a Data Controller. The primary example is where NCI collects and processes Personal Data relating to NCI students. In relation to such processing, NCI relies on a number of legal bases under Data Protection Law. These include: 

(a) Art. 6(1)(a) of the GDPR which permits Processing where the data subject has given his or her consent; 

(b) Art 6(1)(b) which permits Processing where necessary for the performance of a contract to which the data subject is a party; 

(c) Art. 6(1)(c) which permits Processing that is necessary for compliance with a legal obligation to which the Data Controller is subject; 

(d) Art. 6(1)(d) which permits Processing that is necessary in order to protect the vital interests of the data subject or of another person; and 

(e) Art. 6(1)(f) which permits Processing pursuant to the legitimate interests of NCI or a third party. 

3.2 In certain instances, NCI will act as a joint controller of Personal Data (“Joint Controller”), whereby NCI together with other entities determines the means and purposes of the relevant Processing. In such circumstances the essence of the arrangement is between NCI and the other Joint Controllers will be made known to the relevant individuals in a transparent manner. Examples of such scenarios may include where NCI and other institutions engage in collaborative research projects.

4.1 In some cases, NCI may act as a Data Processor, under the instructions of a Data Controller. When acting as a Data Processor, NCI complies with its relevant obligations under Data Protection Law. These include ensuring that the data that is Processed by NCI on behalf of the relevant Data Controllers is subject to appropriate technical and organisational measures to ensure a level of security appropriate to the risk and ensuring that the Processing is underpinned by a contract which includes the data protection provisions required by Data Protection Law.

5.1 Much of the data Processing undertaken by NCI is for the purpose(s) of fulfilling NCI’s contractual obligations in respect of its students to provide both undergraduate, postgraduate and professional courses and qualifications across a range of disciplines. The following are illustrative and non-exhaustive examples of the types of Processing typically undertaken by NCI when providing courses of education and for connected purposes: 

(a) Student Registration: In administering the college it is necessary for NCI to Process Personal Data, including contact details and financial details of students. This is necessary in relation to NCI’s contractual relationship with its students. 

(b) Examinations and Academic Records: The Processing of Personal Data, including but not limited to student numbers, names, exam scripts, exam results, details of qualifications and degrees conferred is necessary in order for NCI to perform its contractual obligations. To ensure the integrity of this system, it is also necessary and proportionate for NCI to maintain records of exam results, degrees conferred and other relevant details. NCI Processes such Personal Data in accordance with this Privacy Statement and its other policies and procedures. 

(c) Research and Publications: NCI Processes Personal Data in the course of its research and publishing activities and such Processing is always undertaken in accordance with this Privacy Statement and NCI’s legitimate interests in publishing and disseminating certain information and research. 

(d) Alumni Affairs: Processing activities undertaken by NCI’s Alumni Office when liaising with and contacting NCI graduates in relation to their alumni events and initiatives are necessary for the performance of NCI’s legitimate interests to maintain contact with alumni and to promote NCI. 

(e) NCI Students Union: The NCI Students Union is the representative body for NCI students and NCI actively collaborates with the Students Union on various initiatives. This is necessary for NCI’s legitimate interests in fostering an inclusive and vibrant student body. 

(f) SV Fitness: S.V. Fitness Health Club (“S.V. Fitness”) makes health and fitness services available to all NCI students. It is a term of NCI full-time undergraduate registration that students are enrolled as members of S.V. Fitness. In order for S.V. Fitness to make such services available to NCI students, NCI shares with S.V. Fitness certain NCI student personal data, including student names and student numbers. Of course, you may also provide other data to S.V. Fitness in connection with your gym membership. S.V Fitness will act as data controller in respect of all data that it holds and processes relating to NCI students and will process such data only for purposes connected with your membership. 

(g) Other institutions: NCI will engage in certain collaboration with educational, business and other institutions both within and outside the State. Such collaborations may involve the sharing of certain Personal Data as between NCI and its partner institutions and other organisations for research purposes and for similar purposes including staff sabbaticals. Personal Data of students and staff may be disclosed to such other institutions as necessary for these purposes and written agreements will be put in place. 

(h) Student Support: NCI students and employees provide information to NCI for a variety of reasons when availing of the student support services. Such information may include Personal data of a sensitive nature (known as “special categories of Personal Data”) including details of disabilities, health, sex life and/or sexual orientation and of your background. Such Personal Data may be collected in the form of records of meetings and disability records, counselling notes, records of financial assistance provided, health and disability records as well as workshop and event attendance records. Such data will be collected based on your explicit consent and otherwise to protect the vital interests of the data subject and/or third parties and where it is necessary in order for NCI to comply with any legal obligations it may have. Given the potentially sensitive nature of the Personal Data collected and processed by NCI special care is taken to maintain the security and confidentiality of such data. Such data will not be disclosed to third parties outside of NCI except in exceptional circumstances such as an emergency or a valid request from law enforcement. 

(i) NCI Early Learning Initiative (“ELI”): NCI’s ELI operates a number of programmes which involve active participation and engagement within the local community. These programmes involve NCI staff working with parents/guardians and young children in family homes and/or within NCI and the local community. The ELI programmes involve the processing of Personal Data to administer the programme and to monitor the progress and participation levels of those participating in the ELI programmes. The legal bases for this is consent of the participating families (as provided by the parents / guardians on behalf of their children) and or the legitimate interests pursued by NCI in undertaking and promoting educational initiatives within the local community.

6.1 NCI processes Special Categories of Data (“SCD”) in certain circumstances, typically related to the ordinary course of employee and student administration, the provision of student support, early learning initiatives and development services and the processing of Garda vetting forms for students and employees, where required by law. 

6.2 Section 45 of the Data Protection Act 2018 provides a general lawful basis for processing SCD where it is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law. As required by Data Protection Law, NCI applies suitable and specific measures in respect of such Processing of SCD. 

6.3 NCI Processes Garda vetting forms for employees as authorised by the National Vetting Bureau (Children and Vulnerable Persons) Act 2012 to 2016 (the “National Vetting Act”) in respect of staff and students that undertake placements and studies which involves engagement with and exposure to children and/or vulnerable persons. Garda vetting forms may contain Personal Data relating to criminal convictions/offences and because NCI is subject to a legal obligation to Process such data and Art. 6(1)(c) of the GDPR provides the lawful basis for such Processing.

7.1 As part of our record keeping obligations under Art. 30 of the GDPR, NCI retains a record of the processing activities under its responsibility. This comprises the following:

Art. 30 GDPR Requirement	NCI Record
Name and contact details of the controller	National College of Ireland, IFSC, Mayor Street, North Dock, Dublin 1, D01 Y300
Name and contact details of the acting Data Protection Officer	Name: Niamh Scannell Email: dpo@ncirl.ie Telephone: +353 1 4498523
The purposes of the processing	To fulfil the functions of NCI as described in this Privacy Statement (see Section 5 and Annex II)
Descriptions of categories of data subjects and Personal Data	See Annex II
The categories of recipients to whom the Personal Data have been or will be disclosed	See Section 12
Transfers of Personal Data to a third country outside of the EEA	On occasion, Personal Data may be transferred to other institutions for the purposes of collaborative research projects
Envisaged time limits for erasure of the different categories of data	See Section 13
General description of the technical and organisational security measures referred to in Article 32(1)	See Section 11

8.1 Data Protection Laws provide certain rights in favour of data subjects. The rights in question are as follows (“Data Subject Rights”): 

(a) The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller); 

(b) The right of access to Personal Data; 

(c) The right to rectify or erase Personal Data (right to be forgotten); 

(d) The right to restrict Processing; 

(e) The right of data portability; and 

(f) The right of objection; and 

(g) The right to object to automated decision making, including profiling and where processing is based on the Controller’s legitimate interests. 

8.2 Please note that the Data Subject Rights will not be available in all circumstances and are subject to certain conditions. 

8.3 Any data subject wishing to exercise their Data Subject Rights should write to NCI’S Data Protection Officer (“DPO”) by post to the National College of Ireland, IFSC, Mayor Street, North Dock, Dublin 1, D01 Y300, or by email at dpo@ncirl.ie. Please provide as much detail as possible in relation to your request to enable us to identify your personal data and facilitate your request.

9.1 While NCI will take all appropriate and reasonable measures to respect and facilitate the protection rights of the individual whose Personal Data it processes, data protection is not an absolute right and must be balanced against certain other rights and principles. The GDPR and the Data Protection Act 2018 recognise that in certain circumstances it may be necessary to limit data protection rights in the interests of freedom of expression and the freedom to receive information. In performing its tasks as an educational institution, it is the policy of NCI to endeavour to protect these freedoms in a manner that least impacts on the data protection rights of individuals.

10.1 NCI has closed circuit television cameras (“CCTV”) located throughout its premises covering buildings, internal spaces, car parks, roads, pathways and grounds. NCI’s CCTV system is implemented in a proportionate manner as necessary to protect NCI property against theft or pilferage and for the security of staff, students and visitors to the NCI premises to protect their vital interests. 

10.2 Whilst CCTV footage is monitored by NCI security staff and other authorised personnel, access to recorded footage is strictly limited to authorised personnel. Footage is retained for 30 days, except where incidents or accidents have been identified in which case such footage is retained specifically in the context of an investigation of that issue. CCTV footage may be used in the context of disciplinary proceedings involving NCI staff or students (to protect the vital interests of NCI, staff, students and affected individuals). CCTV footage is not disclosed to third parties except where disclosure is required by law (such as for the purpose of preventing, detecting or investigating alleged offences) and in such instances disclosure is based on a valid request. Signage indicating that CCTV is in use is displayed prominently throughout the NCI premises. For information on CCTV operations at NCI please contact Mr Bertie Kelly by email at bkelly@ncirl.ie.

11.1 We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords. 

11.2 The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of Personal Data security breaches. We will manage a Data Breach in accordance with the Data Breach Incident Procedure. To report a suspected Data Breach please immediately contact the NCI DPO at the contact details at Section 7.1 above.

12.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency submits a valid request for access to Personal Data). We may also share Personal Data: (a) with statutory bodies, such as the Higher Education Authority where there is a lawful basis to do so; (b) with selected third parties including sub-contractors; (c) if we are under a legal obligation to disclose Personal Data (e.g. to the Gardaí). 

12.2 Where we enter into agreements with third parties to Process Personal Data on our behalf we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data. Examples of such third party service providers that we engage, and to whom Personal Data may be disclosed, include but are not limited to communications providers, payroll service providers, occupational health providers, marketing or recruitment agencies, operators of data centres used by us, security providers, catering services, and professional advisors such as external lawyers, accountants, tax and pensions advisors. 

12.3 We may disclose Personal Data to third parties, including where processing is necessary for the performance of a contract to which a data subject is a party or in order to take steps at a data subject's request prior to entering into a contract. This may include disclosing personal data to the Irish Naturalisation and Immigration Service and the Department of Justice and Equality for the purposes of applying for and obtaining student visas, to government entities for the purposes of managing student financial grants and aid and to other such third parties where we have obtained your consent. 

12.4 We may also disclose Personal Data to third parties where processing is necessary in order to comply with the requirements of Section 65 (4) of the Qualifications and Quality Assurance (Education and Training) Act 2012 to provide Protection for Enrolled Learners. Protection for enrolled learners is provided through membership of the Higher Education Colleges Association Protection for Enrolled Learners Scheme (“HECA PEL Scheme”). The HECA PEL Scheme provides that in the event of the member institution ceasing to provide the programme before completion, for any reason, enrolled learners may transfer to a similar programme at another provider, or, if this is not practicable, the fees most recently paid will be refunded. By registering you are giving permission that in certain specified circumstances, as set out in the HECA PEL Scheme, your Personal Data may be shared with (1) Quality and Qualifications Ireland (“QQI”), (2) Higher Education Colleges Association (“HECA”) and (3) any other HECA PEL scheme member institution providing academic bonding to NCI under the PEL Scheme. For more information on the PEL Scheme see here.

13.1 We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are processed. Further details of the retention period for Personal Data is set out in our Data Retention Policy.

14.1 From time to time we may transfer Personal Data outside the EEA. Such transfer will be subject to appropriate safeguards in accordance with applicable Data Protection Law (for example through the use of EU-approved Model Contract Clauses) and in accordance with this Privacy Statement. An example of where we transfer Personal Data outside the EEA is for the purpose of collaborative research projects with other institutions.

15.1 Students studying at NCI will be invited to participate in StudentSurvey.ie. This is an initiative managed as a collaborative partnership and is co-sponsored by the Higher Education Authority (HEA), institutions’ representative bodies (the Irish Universities Association and the Technological Higher Education Association), and the Union of Students in Ireland. If you choose to take part, some of your information will be sent to International Graduate Insight Group in the UK to ensure that the survey is offered only to relevant target groups. Your information will be matched to your survey responses in order to allow for anonymous analysis of results, for example, by gender or full-time/ part-time. Your responses will be treated confidentially, and no individual student will be identifiable in any reports or results generated as a result of this survey.

For further information please consult the StudentSurvey.ie website.

16.1 The College holds a number public events, including student graduation ceremonies, awards ceremonies, and talks. These public events may be recorded and shared on the NCI website, and its social media platforms. In addition, photographs may be taken at these events and shared online. NCI will endeavour to give individuals prior notice of any recordings and photography.

16.2 Certain ceremonies and events may be accompanied by publications. For example, the College produces a graduation booklet each year and this celebrate the awards of its students. Personal information included in such publications may include, for example, the name of students/graduates/staff members/guest speakers, their award, and photographs. 
 

17.1 The College uses personal data to produce certain statistical information on its applicants, students, staff, and services. This statistical information is anonymous and is included in publications that are made available to the public and College records that are accessible under the Freedom of Information Act. 

18.1 The College bases the processing of this personal data on its legitimate interests as marketing and fundraising enables NCI to 

(a)    Develop and maintain business relationships
(b)    Develop and maintain relationships with prospective students
(c)    Inform contacts of events or marketing campaigns that may be of interest
(d)    Develop and improve College services and programmes
(e)    Provide students with opportunities and apprenticeships
(f)    Provide students with certain scholarship opportunities
(g)    Keep partners and stakeholders informed with up-to-date information on the College’s development, services, projects, and plans
(h)    Successfully expand the College and develop its second campus
(i)    Deliver and support ELI programmes, services, campaigns, and projects. Further information on ELI. 

18.2 The College may contact you by post, email, phone, or other electronic communication channels. You may opt-out of or manage any such communications by following instructions provided or by hitting the “unsubscribe” button if contacted by email. You may also contact the NCI Information Governance and Data Protection Officer to opt-out or manage marketing and fundraising communications.

19.1 Student Universal Support Ireland (SUSI) is the single national awarding authority in Ireland for higher and further education grants. SUSI process applications under the criteria laid out in the Student Support Act 2011, the Student Support Regulations, and the Student Grant Scheme. SUSI run the Student Grant Scheme on behalf of the Department of Education and Skills. 

19.2 The following categories of personal data are shared between SUSI and NCI

Information provide to NCI by SUSI	Information provide to SUSI by NCI
SUSI application number College code CAO number PPS number Surname Forename Date of birth Graduate type Course code Course description Course last year Course of current year Course type Course level Rate last year Rate this year Percentage of fees payable File ID	Student ID Eligible for free fees Fees payable value Registered and progressing Registration last updated Comments on student attendance

19.3 The purpose of processing this data; Section 28(5) of the Student Support Act 2011 allows personal data to be shared between SUSI and NCI for the following purposes: 

(a) Obtaining information to determine whether an application is eligible for a grant 

(b) Verifying data supplied as part of the application process 

(c) Providing data to assist in an inquiry under section 22 or the prosecution of an offence under section 23 of the Student Support Act 

(d) Assisting in the processing of an application for a grant by a student and assisting in the payment of grants to students, and 

(e) Verifying that a student is enrolled or registered, in accordance with the rules of an approved institution, and continuing to attend an approved course at an approved institution 

19.4 If NCI do not share the above personal data with SUSI, the College will not be able to assist SUSI in assessing your application, assist SUSI in the administration and maintenance your grant if you are eligible, or assist SUSI in complying with obligations under the Student Support Act. 

19.5 The processing of this data is based on Article 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” and Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”. 

19.6 Retention of this data: Most documentation from SUSI concerning a student’s grant status is disposed of after grant status has been approved. However, some of your personal data is retained for 7 years in total as section 285 of the Companies Act 2014, section 886 of the Taxes Consolidation Act 1997, and the Revenue Commissioners require the College to hold certain accounting records for a minimum of 6 years after a transaction has occurred. 

19.7 Please see section 8 of this privacy statement for further information on your rights under data protection law, section 22 on your right to lodge a complaint with a supervisory authority, and section 22 on how to contact the NCI Data Protection Officer. 

19.8 If you have any queries in relation to how SUSI process your personal data, you can contact them through the following means: 

Phone: 353 1 668 0614 

Email: dataprotection@cdetb.ie 

Post: CDETB, Town Hall, 1-3 Merrion Road, Ballsbridge, Dublin 4, Ireland Please consult the SUSI privacy statement for further information.

20.1 The College is required to comply with guidelines, instructions, and protocols issued by the Irish Government, public health authorities, and other relevant authorities to manage the impact and spread of COVID-19. 

20.2 Physical distancing and logs; Higher Education and Further Education facilities are advised that a physical distance of 2 metres is to be maintained between students and/or staff. While students and staff are on campus, it is necessary to keep a record of attendance as well as close contact groups. This is to facilitate the HSE and relevant authorities in carrying out contact tracing if required. 

Records of attendance are kept through the swipe card facilities provided throughout the College. Where group work or face-to-face meetings take place, staff and students are required to keep record of such group work and meetings to assist in contact tracing where required. The logs will also act as a memory aid where assistance is required by public health authorities 

From a further education and training perspective, instructors should keep a record of the class and/or tutorial groups they have interacted with in person. 

20.3 Return to campus form; Before returning to campus students are required to fill out a form indicating if they have any active COVID-19 symptoms or if they have recently travelled to high risk areas. The purpose of this form is to enable a safe return to campus and enable the College to comply with any Government, public health authority, and relevant public authority guidance as well as compliance with health and safety legislation. It is also to make students aware of the symptoms of COVID-19 and assist them in complying with any Government, public health authority, and relevant public health authority requirements they need to follow. Where students may not be able to return to campus based on their answers in the form, a College COVID Manager will be in contact to provide support or advice. 

20.4 Graduation ceremonies; it is recommended that graduation ceremonies are either postponed or replaced with virtual ceremonies. NCI is currently holding virtual ceremonies to celebrate student achievements. Please see section 16 of this privacy statement in relation to public events, awards ceremonies, and publications for further information. 

20.5 Educational trips, field work, and visiting students and teaching staff; where such trips, field work, and visits are made, it is necessary to keep a record of attendance and close contract groups. This is done via the swipe card system, sign-in sheets, and logs. 

20.6 Suppliers, contractors, and general visitors; where suppliers, contractors, and visitors are on campus, they will need to sign in and out at the main reception or with the security office. These details will be used as a log where contact tracing is required. 

20.7 International students; The Irish government have specific protocols for international students which NCI must follow. These protocols require international students to inform the College of when they will enter Ireland by completing an arrivals form which provides their flight and accommodation details. In compliance with government protocols, these flight and accommodation details must be shared with the third party that provides the greet and transport service on behalf of the College. 

20.8 Temperature checking; staff, students, and visitors are under no obligation to have their temperature checked. The College has made the facility available if individuals would like to check their own temperatures. 

20.9 Falling sick; If a student, staff member, or visitor falls sick while on campus, the College will have to arrange for them to stay in isolation before organising transport for them. Individuals will either be transported home or to a medical facility (where required) as public transport must be avoided. 

20.10 Monitoring; where an outbreak or cluster of COVID-19 is identified in NCI, the College will assist local health authorities to ensure the outbreak is properly managed. 

20.11 Where NCI act under the direction of public health authorities and other relevant authorities to implement measures to protect against COVID-19, the legal bases are as follows: 

(a) Article 6(1)(e) which states “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” 

(b) Article 9(2)(i) which states “processing is necessary for reasons of public interest in the area of public health” 

(c) Section 53 of the Irish Data Protection Act 2018 which allows special categories of data to be processed for purposes of public interest in the area of public health 

(d) Article 6(1)(c) which states “processing is necessary for compliance with a legal obligation to which the controller is subject”. For example, health and safety legislation 

(e) Article 6(1)(f) which states “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”. NCI must ensure that it follows any government, public health, or relevant authority guidelines and recommendations. It must also ensure there are supports in place for students and staff where required. 

Employees are requested to consult the COVID privacy statement for staff and the Staff Data Processing notice for further information. 

20.12 NCI will ensure it treats your personal data with the upmost confidentiality. However, there are certain circumstances in which the College may have to disclose some of your personal data. For example: 

(a) Where public authorities need to contact students, staff, or visitors as part of contact tracing 

(b) Where the College has to arrange for a student, staff member, or visitor, to be transported home or to a medical facility, data may be shared with the transport company and where required, the medical facility 

(c) The greet and transport service 

(d) Where the College is required to seek legal counsel 

20.13 Retention; the contact tracing logs will be kept as per HSE guidelines, arrival forms will be retained as per Government guidelines, the return to campus forms are kept for 1 month, and temperatures on not stored on memory 

20.14 Staff are requested to consult the Staff COVID Privacy Statement and the NCI Staff Data Processing Notice for further information on how their data is processed in relation to the return to work. Please also consult, the NCI Return to Campus Protocol for Staff and Contractors, the NCI Return to Campus video, and any relevant HSE and Government advice. 

The Department of Employment and Social Affairs is the largest payment organisation in the Irish State. Its mission is to promote active participation and inclusion in society through the provision of income supports, employment services, and other services. 

All third level institutions are legally obliged to provide the Department with certain details of full-time registered students to assist the Department in controlling and investigating entitlements to benefits under the Social Welfare Consolidation Act 2005 or schemes administered by, or on behalf of, the Minister of Employment and Social Affairs.

21.1 The legal basis for processing this information is Article 6(1)(c), compliance with a legal obligation. The following information is shared with the Department under SI 142 of 2007 and the Social Welfare Consolidation Act 2005:

• Name
• Address
• Date of Birth
• PPS Number
• Nature of the course of study being pursued
• Duration of the course being pursued
• Details of attendance at NCI
• Details of any grants or payments being made to students

21.2 Retention: The file shared with the Department is held for 4 years to allow for queries to be answered over the period of College courses.

21.3 Under data protection legislation, you have a number of rights. Please consult section 8 of this statement and our Data Subject Rights Procedure for further information. The contact details of the NCI Data Protection Officer are also available in section 8 of this statement as well as the Data Subject Rights Procedure if you would like to submit a request or have queries in relation to the data NCI processes about you. Please also consult section 22 of this statement for information on our complaints procedure and your right to lodge a complaint with a supervisory authority.

21.4 If you would like to exercise your rights or have queries in relation to information that the Department of Employment and Social Affairs processes, you may submit a request to their DPO:

Address: Data Protection Officer, Department of Social Affairs, Goldsmith House, Pearse Street, Dublin 2

Email: dpo@welfare.ie 

Website: https://www.gov.ie/en/organisation/department-of-social-protection/

 

21.1 For further information about this Privacy Statement and/or the Processing of your Personal Data please contact NCI’s Data Protection Officer, Niamh Scannell, at dpo@ncirl.ie. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact the Data Protection Officer in the first instance to give us the opportunity to address any concerns that you may have.

In this Privacy Statement, the terms below have the following meaning: 

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. 

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. 

“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller (for example, a payroll service provider). 

“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Act 2018 and any other laws which apply to NCI in relation to the Processing of Personal Data. 

“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway. 

“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include a name, an identification number; details about an individual’s location; or any other information that is specific to that individual. 

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly. 

“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.

The following table indicates the categories of Personal Data typically Processed by NCI but we may Process other categories of Personal Data from time to time and will endeavour to provide you with a privacy notice whenever we collect other Personal Data.

A. Student Registry Data

Types of Personal Data	Purpose	GDPR Lawful Basis for Processing
Name, contact details, student ID number; Date of birth, gender, next of kin, nationality, photograph, admission and application record, student    grant information; PPSN, passport number, student grant information (which may include SCPD), bank details, nationality; Academic records, examination materials, graduation record; Health and medical data; Data relating to criminal offences contained in Garda vetting forms; and Facial images on student and staff access cards.	Data is processed for: student registration, provision of financial support and administration, examinations and ancillary services such as student support and development; administering payment of fees, student registration, provision of student grants and funding, administration of exams and student communications; department administration (such as module registration and payment of fees) and in connection with visa applications (where applicable); and for security purposes and as necessary for the conduct of examinations and student attendance purposes.	Necessary    for performance of a contract under Art. 6(1)(b) GDPR; and Performance of NCI’s legitimate interests under Art. 6(1)(f) GDPR.

B. Other Student Data

Types of Personal Data	Purpose	GDPR Lawful Basis for Processing
NCI Sport clubs and societies; Health and medical data; Health data, such as details of health conditions or disabilities in case of emergencies; and Student next of kin contact details.	Access to amenities such as sports facilities and contacting next-of-kin in emergencies/accidents; Ancillary services for students such as clubs and societies; and Student registration and exam purposes (e.g. extenuating circumstances).	Consent under Article 6(1)(a); and Necessary to protect the vital interests of the data subject under Art. 6(1)(d).

C. Visitors to NCI Campus & Events

Types of Personal Data	Purpose	GDPR Lawful Basis for Processing
Names and details of conference, meeting and work-shop attendees and photographs taken at events; Parents of students; and Other visitors.	Administration of conferences and for promotional purposes in relation to photographs taken; Open days; and CCTV surveillance of NCI premises.	Consent under Article 6(1)(a); and   Performance of NCI’s legitimate interests under Art. 6(1)(f) GDPR.

D. Employees*

*Refer to the Staff Data Processing Notice

E. Suppliers, Contractors and Business Contacts

Types of Personal Data	Purpose	GDPR Lawful Basis for Processing
Name, contact details of suppliers,  contractors and business contacts Personal Data relevant to performance of contract	Performance of services/supply of goods; and Maintenance of customer relationship management (or CRM) system.	Consent under Article 6(1)(a); Necessary for performance of a contract under Art. 6(1)(b) GDPR; and   Necessary for the legitimate interests pursued by NCI under Art. 6(1)(f).

F. Research & Academic Purposes

Types of Personal Data	Purpose	GDPR Lawful Basis for Processing
Staff details, external and visiting academics and teaching staff; Contacts with other educational institutions, journals; and Research participants in trials/studies.	Administration and coordination of research and publication. Conferences and related academic purposes.	Necessary for performance of a contract under Art. 6(1)(b) GDPR; Necessary for the legitimate interests pursued by NCI under Art. 6(1)(f) Consent under Article 6(1)(a) and; Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes under Article 9(2)(j)

G. Website Visitors*

Types of Personal Data	Purpose	GDPR Lawful Basis for Processing
IP address, Cookie ID, online identifiers, device, and browser; and Location of device.	Technology such as cookies help us understand which parts of our website are the most popular and how much time visitors spend on the site. NCI also uses cookies to study traffic patterns on our site in order to improve website performance, to customise the user experience, and to better match the users' interests and preferences. *For further information please refer to our Cookies Policy.	Necessary for the legitimate interests pursued by NCI under Art. 6(1)(f).

This version was last updated in November 2021.

In line with data protection requirements and good practice, National College of Ireland (‘NCI’) wish to put in place, and be able to demonstrate, appropriate and effective management of personal data throughout the Organisation. 

NCI wishes to demonstrate commitment and compliance with the current Data Protection Acts and the General Data Protection Regulation (GDPR). Fundamental to the GDPR are the principles of accountability and transparency. This means that Controllers and Processors are both responsible and, accountable for the protection of personal data, and must be able to demonstrate how they maintain compliance with data protection requirements. 

The implementation of an approved Data Protection Policy goes towards demonstrating NCI’s commitment to the protection of personal data, and provides a basis for maintaining and improving compliance with data protection requirements and good practice.

1.1 PURPOSE OF THIS DOCUMENT

NCI collects, processes, and stores significant volumes of personal data and sensitive personal data (special category data) on an ongoing basis. NCI are committed to complying with data protection legislation and good practice. 

The purpose of this document is to provide a statement of intentions and directions of NCI for managing compliance with data protection requirements which is formally approved by senior management. The aim of this policy is to ensure that any individual who handles personal data, whether they are a member of staff or a contractor, is fully aware of the requirements and act in accordance with data protection procedures. 

The objectives of the data protection policy are to: 

1. Enable NCI to meet its own requirements for the management of personal data. 
2. Ensure NCI meets applicable statutory, regulatory, contractual and/or professional duties. 
3. Protect the interests of individuals and other key stakeholders. 
4. Support organisational objectives and obligations. 
5. Impose controls in line with NCI acceptable level of risk. This document also highlights key data protection procedures within NCI. 

1.2 SCOPE AND CONSTRAINTS 

This policy applies to all personal data processed by NCI, regardless of the media on which the personal data is stored (paper-based, electronic, CCTV or otherwise). 

This policy applies to: 

• any person who is employed by NCI or is engaged by NCI, whether on a paid or voluntary basis, including contractor and sub-contractors, and who process personal data in the course of their employment or engagement. Failure of any staff member or agent to comply with this policy may lead to disciplinary action being taken in accordance with NCI’s disciplinary procedures. Failure of a third party contractor/subcontractor to comply with this policy may lead to termination of the contract and/or legal action. 

1.3 POLICY REVIEW, APPROVAL, AND CONTINUOUS IMPROVEMENT 

In line with best practice, this policy has been approved by senior management, along with a commitment of continual improvement. This document will be reviewed at least annually by senior management and the NCI Data Protection Officer to ensure alignment to appropriate risk management requirements and its continued relevance to current and planned operations, legal developments, legislative obligations, and information commissioner guidance. 

1.4 REFERENCES 

1. General Data Protection Regulation 
2. Data Protection Act 2018 
3. E-Privacy Directive
4. S.I No. 336/2011 – European Communities (Electronic Communications, Networks, and Services) (Privacy and Electronic Communications) Regulations 2011 
5. Article 29 Working Party Guidelines on the concepts of “controller” and “processor” 
6. Guidelines, recommendations, and best practice issued by the European Data Protection Board 

This document forms part of the NCI Personal Data Management System, and should be read in conjunction with the other documents within the management system: 

• NCI Data Retention Policy (Document Reference: NCI-PDMS-03) 
• NCI Privacy Notice(s) (Document Reference: NCI-PDMS-04) 
• NCI Data Breach Incident Procedure (Document reference: NCI-PDMS-05) 

1.5 DEFINITIONS 

The following key GDPR terms and definitions are provided here for ease of use. For a complete list of definitions refer directly to the regulation. 

1. ‘Anonymisation’ is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information. 

2. 'Personal Data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

Recital 26 also clarifies anonymous information “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not, therefore, concern the processing of such anonymous information, including for statistical or research purposes”. 

3. ‘Special Categories of Personal Data’ refers to the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. 

NCI will avoid all processing of special categories of personal data where possible. It is understood that certain business activities within NCI require the processing of special categories of data (e.g. processing of data concerning health and disability). The general processing of special categories is prohibited in NCI, and in the rare instance it is required, Head of Departments must ensure all processing is defined in the data inventory, along with an appropriate legal basis (reference 1, Art 6), and derogation (reference 1, Art 9) for processing of such special categories recorded within the data inventory. 

4. 'Data controller' means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. 

In certain instances, NCI alone determines the purpose and means of processing, and in other instances, NCI might jointly determine the purpose and means of processing with a third party. In both circumstances, NCI would be considered a controller of this information. Section 8 of this policy provides further information on the responsibilities of controllers, processors, and third parties. 

5. ‘Data subject’ any living individual who is the subject of personal data held by an organisation. Data subjects within NCI may include members of the public, students (current, past, and prospective), employees (current, past, and prospective), suppliers (e.g. sole traders or staff acting on behalf of the supplier), and other individuals such as external third parties, CPD members, and any other individual NCI might communicate with. 

6. 'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

7. 'Processor' means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller. 

8. ‘Third Party’ means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons, who, under the direct authority of the controller or processor, are authorised to process personal data 

9. ‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person. This can include analysing or predicting aspects concerning a person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. 

10. ‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. 

Examples of pseudonymisation within NCI may include the use of student IDs instead of student names for access authorisation. Where anonymisation cannot be used, the next best of pseudonymisation should be used. 

11. 'Recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

All NCI staff and contractors are responsible for ensuring compliance with NCI’s data protection requirements and obligations. It is the responsibility of all staff to ensure: 

1. They familiarise themselves with this policy and handle personal data in accordance with this policy, the data protection principles, and data handling rules. 
2. They complete the mandatory data protection training provided. Data protection training is mandatory for all NCI employees. Annually, all NCI staff will have to complete this training and a record maintained for audit purposes. 
3. Queries in relation to personal data are promptly and courteously dealt with. When an employee receives an enquiry about the handling of personal data, they must know what to do, and/or where to refer it. 

To ensure all users are aware of their responsibilities as users of NCI systems, the following sections include additional requirements based on key data protection roles within NCI. 

While all staff and agents of NCI have a responsibility to ensure data protection compliance, the following sections include additional requirements for key, specific data protection roles within NCI. 

2.1 GOVERNING BODY AND SENIOR MANAGEMENT 

The Governing Body and senior management are responsible for approving and reviewing this policy, and for mandating the allocation of appropriate resources to ensure its successful implementation. Each member of the Board is responsible for ensuring compliance with the Data Protection Acts and GDPR in their respective areas of responsibility. 

2.2 DATA PROTECTION OFFICER 

In line with the requirements of the GDPR and Data Protection Acts, NCI has appointed a Data Protection Officer. The individual performing the role of DPO must be suitably trained, independent, and of sufficient seniority to perform the tasks required. The role may be performed as a team function provided a single individual is the lead person “in-charge” and roles within the Data Protection Officer team are clearly defined. 

Within NCI, our Data Protection Officer and the team may be contacted at: 

Data Protection Officer Contact Details

Name:	Niamh Scannell
Address:	Data Protection Officer IFSC Mayor Street North Dock Dublin 1 D01 Y300
Email:	dpo@ncirl.ie
Telephone:	(+353 1) 4498 523 (01) 4498 523

The responsibility of the Data Protection Officer function within NCI is to: 

1. Respond to individuals (data subjects) whose data is processed on all issues related to the processing of their data and the exercise of their data protection rights. 
2. Cooperate with the Supervisory Authority, and act as the Organisation’s contact point for the Supervisory Authority on all issues related to the processing of Personal data in NCI. 
3. Inform and advise NCI and its employees of their obligations pursuant to privacy regulations. 
4. Monitor compliance with the data privacy obligations in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations and the related audits. 
5. To provide advice and assistance regarding the requirement to perform Data Protection Impact Assessments, and monitor their performance. 
6. Arrange at least annual data protection training sessions. 
7. Maintain a log of all data breaches and communication of breaches to all relevant parties when required to do so (Supervisory Authority, Controllers, and Data Subjects). Please refer to Section 6 for more details. 

To allow for the effective performance of the Data Protection Officer’s tasks, NCI will ensure: 

1. The Data Protection Officer will be suitably trained and have expert knowledge of Data Protection Law. 
2. NCI will support the Data Protection Officer in performing the tasks above by providing resources necessary to carry out those tasks. The key to this is to provide sufficient time, finance, and staff where appropriate to fulfil the Data Protection Officer duties. 
3. No tasks and duties result in a conflict of interests for the Data Protection Officer. 
4. That the Data Protection Officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data, and will be in a position to perform their duties and tasks in an independent manner. Specifically: 

a. The Data Protection Officer will report directly to the NCI Board. 

b. The involvement of the Data Protection Officer will be sought where decisions with data protection implications are taken. All relevant information must be passed on to the Data Protection Officer in a timely manner in order to allow him or her to provide adequate advice. 

c. The Data Protection Officer will participate regularly in meetings with senior and middle management. 

d. The opinion of the Data Protection Officer will always be given due weight. 

e. The Data Protection Officer must be consulted without delay in the event of a data breach or other data protection incident occurring. 

2.3 HUMAN RESOURCES 

NCI human resources personnel have a key role in the management and protection of personal data which includes responsibility for: 

1. Ensuring all new members of staff are made aware of this policy document at induction stage and that it is referenced in staff terms and conditions, contracts, and role descriptions. 
2. Ensuring new starters and temporary staff who require training complete the first available data protection training course after their start date. 
3. Handling all employee-related personal data in accordance with this policy, the data protection principles, and data handling rules. 

2.4 HEAD OF FUNCTIONS AND DEPARTMENTS, BUSINESS OWNERS, LINE MANAGERS 

Line Managers and Heads of Functions or Departments have a key role in the management and protection of personal data which includes responsibility for:

1. Ensuring all processing within their department is in compliance with the NCI Data Protection Policy and privacy best practice. Specifically, maintaining the data inventory of all information processed by their department, and for ensuring that staff in their area are aware of the policy, and the general obligations and requirements of data protection. 
2. Ensuring their reporting staff complete the mandatory data protection training. 
3. Ensuring sufficient resources are available to support the effective implementation of this policy. 
4. Ensuring appropriate technical and organisational security measures, including anonymisation for statistical and research purposes, are in place in areas for which they are responsible. Specifically, security risk assessments will be undertaken to check that the personal data is sufficiently protected in line with security policy. Security risk assessments will be commissioned regularly and evidence retained for audit purposes. To deal with appropriate technical and organisational security measures, the Line Manager/Head of Function may delegate the security tasks, in full or partially, to another NCI representative. This delegation does not exempt the Line Manager/Head of Function from their responsibility and they must make sure that the delegated jobs have been carried out correctly. 
5. Ensuring data privacy risks are appropriately managed within their function. Specifically, to ensure the handling of personal data is regularly assessed and evaluated. Under the GDPR, there are a number of changes which will affect both in-house changes and contracts for new projects. It is therefore important that if any new projects are being considered then data protection needs to be built in at the beginning (Privacy by Design and Default), and contracts will need to reflect the necessary changes. 
6. Ensuring that where processing “is likely to result in a high risk to the rights and freedoms of natural persons” and/or “processing on a large scale of special categories of data”, a Data Protection Impact Assessment is formally carried out in relation to each new project or proposal (see section 5 for more details on Data Protection Impact Assessment). The NCI Data Protection Officer must be consulted at each stage of the DPIA process in line with section 5.3 of this document. 
7. Ensuring regular consultation with the Data Protection Officer, and facilitating the DPO in performing their compliance audits. 

2.5 TECHNICAL SOLUTIONS ARCHITECTS / TECHNICAL DESIGN LEADS / PROJECT MANAGERS 

Members of staff and other third parties involved in the planning, design, build, and change of technical solutions have a key role in the protection of personal data which includes: 

1. Ensuring the protection of personal data is considered for all changes and managed projects within NCI. 
2. Where changes and projects do not include the collection and processing of personal data, this must still be documented and signed off by the Project Manager, and retained as evidence for audit purposes. 
3. Implementing the principles of data protection by design and data protection by default, and retaining evidence of this for audit purpose as part of the Project Management Lifecycle (see Section 5 for more details).

NCI is committed to ensuring all personal data is processed in line with the data protection principles and good practices. This includes: 

3.1 “LAWFULNESS, FAIRNESS AND TRANSPARENCY” 

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. 

NCI is committed to ensuring the lawful, fair, and transparent collection of data. Our data inventory records all information processed, including the lawful basis of such processing. In addition, our privacy notice provides all necessary information to Data Subjects about the processing of their data. The information is given in a concise, transparent, intelligible, and easily accessible form, and includes the purposes of processing, the period of processing, their rights, and the lawful basis for the processing. These privacy notices must be provided to Data Subjects prior to collecting personal data regardless of the collection method (phone, CCTV, forms, interview, website etc.). 

3.1.1 Where the lawful basis is “consent” 

Where the lawful basis of processing is based on consent, NCI shall incorporate procedures for the obtaining and withdrawal of consent. Where consent is withdrawn, processing based on consent must cease. Specifically, where other departmental requirements or legislation require explicit consent (e.g. for marketing), the departments shall contain procedures for collecting this consent. The department must also monitor all requests for removal or withdrawals of consent, maintain a register of all such requests, and ensure that all removals are completed without undue delay. 

Where processing on the lawful basis of consent, and the processing relates to a child (reference 2 – this is 16 years of age), the department must ensure they have obtained and recorded consent provided by the holder of parental responsibility for the child. 

Refer to the NCI Data Protection Officer for further guidance, clarification, and consultation in relation to the lawfulness of processing, and conditions for consent. 

3.2 “PURPOSE LIMITATION“ 

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. 

NCI is committed to only collect and process information for an explicit purpose. All information processed, along with the business purpose, is detailed within the data inventory which will be reviewed and updated at least annually, or when any significant changes occur to the data processed, where it is processed, or with whom it is shared. 

Personal data will only be processed for the defined purpose. All requests for changes to the use of personal data must be compatible with the original purpose for processing. If additional purposes are required, consent may be required to be sought from the data subject for this change of purpose. 

3.3 “DATA MINIMISATION” 

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. 

NCI is committed to only collect and process appropriate information to the extent needed to fulfil the operational and service needs, and to comply with all applicable statutory, regulatory, contractual and/or professional duties. Data will be minimised, and the minimisation shall be enforced through Data Protection Impact Assessments (DPIAs), and Data Protection by Design and Default procedures within the change management/project management teams. 

3.4 “ACCURACY” 

Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. 

NCI is committed to taking all reasonable efforts to ensure the accuracy of the personal data. This will be planned for, and enforced, through DPIAs, and Data Protection by Design and Default procedures within our change management/project management teams. 

3.5 “STORAGE LIMITATION” 

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal data are processed. 

NCI have documented the required data retention periods along with justification and action to be taken when the retention period expires. The Data Retention Policy outlines the retention period for all personal data across NCI, and what will occur when the retention period expires. It applies to all personal data, regardless of the media on which it is stored (paper-based, electronic, CCTV or otherwise). This policy helps ensure that NCI is maintaining the personal data for an appropriate length of time, based on legal and business requirements and in line with the data protection ‘storage limitation’ principle. All staff and contractors are responsible for ensuring this policy is adhered to. 

3.6 INTEGRITY AND CONFIDENTIALITY 

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

NCI is committed to protect and not disclose personal data, either within or outside of NCI, to any unauthorised recipient. All staff and contractors are responsible for protecting personal data against accidental loss, destruction or damage, regardless of the media on which it is stored (paper-based, electronic, CCTV or otherwise).

All data subjects have a wide array of rights in relation to the personal data which NCI process on their behalf. The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist. 

4.1 COMMON PROCEDURES TO EXERCISE INDIVIDUAL RIGHTS 

Any queries regarding data protection, or any requests for personal data, whether from the person themselves or from a third party, must be referred to the Data Protection Officer. Any person wishing to exercise this right must apply in writing (or email) to the DPO. The procedure is as follows: 

1. All data access requests directed to NCI must be in writing (or email), to the DPO. On receipt of a query or access request by telephone, please ask the caller to put their request in writing (or email), and to address it to the NCI Data Protection Officer. 
2. The DPO will check the validity of the access request. The GDPR does not introduce an exemption for requests that relate to large amounts of data, however, all efforts will be made to try to narrow the search to provide the data subject with relevant and concise information and avoid a disproportionate effort. Where the request is considered excessive, unfounded, or information which the data subject already holds, consideration will be given as to the validity of the request. 
3. The request must include sufficient identification and details for the DPO to satisfy themselves that sufficient material has been supplied to definitively identify the individual. If the DPO can demonstrate they are not in a position to identify the data subject, additional information will be requested as necessary to confirm the identity of the data subject and the request will not be enacted upon until such identification is provided to the DPO. Personal data should never be provided to a data subject that has not been identified, nor should personal data be provided to the parent or legal guardian of a data subject where that subject is 16 years or older (reference 2). 

4.2 RIGHT TO ACCESS 

Data subjects (including employees, students, other individuals and members of the general public that may have availed of NCIs services, or received communications or information from NCI) have the right to access personal data held about them (this includes factual information, expression of opinion, and the intentions of NCI in relation to them, irrespective of when the information was recorded). 

1. Where the access request is relevant to a number of departments, the DPO will contact the relevant departments and request them, in writing, to conduct a search of all data held by them. Such searches will be conducted in accordance with guidance provided by the DPO, and all steps taken to locate and collate data will be noted and documented. 
2. Each department must redact all information not relevant or not in scope for release. Where the department is unsure of what is relevant they must consult with the DPO. However, the responsibility for redacting irrelevant information remains with each department. 
3. Once any required review and redaction are completed, the personal data that is recommended for disclosure/deletion will be forwarded to the DPO for consideration. Department responses must also include an analysis of the relevant exemptions being relied upon, a description of the purpose of processing, to whom the data may have been disclosed, and the source of the data. 
4. If personal data relating to other parties (other than the requesting data subject) is involved, the personal data of the other parties must not be disclosed without their consent. Alternatively, the other party personal data may be anonymised so as not to reveal their identity. If an opinion of other parties (other than the requesting data subject) is involved, their opinion may be disclosed unless it is an opinion which was given in confidence on the clear understanding that it would be treated as confidential. 
5. A final decision on disclosure/deletion of the requested information will be taken by the DPO, in conjunction with the head of the relevant department(s) and legal advice where required. 

4.2.1 CCTV Footage 

CCTV footage is personal data within the meaning of the Data Protection Acts. Any disclosure of CCTV footage must follow the same procedure as stated in steps 1-5 stated above, and be approved by the DPO. The following provides the Irish Data Protection Commission’s position with regard to access to CCTV footage made under Subject Access Requests (reference DPC Annual Report Case Study 13 of 2013. This is available in the “pre-GDPR” section of their website): 

1. Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage. 
2. When making an access request for CCTV footage, the requester should provide the data controller with a reasonable indication of the timeframe of the recording being sought - i.e. they should provide details of the approximate time and the specific date(s) on which their image was recorded. For example, it would not suffice for a requester to make a very general request saying that they want a copy of all CCTV footage held on them. Instead, it is necessary to specify that they are seeking a copy of all CCTV footage in relation to them which was recorded on a specific date between certain hours at a named location. Obviously, if the recording no longer exists on the date on which the data controller receives the access request, it will not be possible to get access to a copy. Requesters should be aware that CCTV footage is usually deleted within one month of being recorded. 
3. For the data controller's part, the obligation in responding to the access request is to provide a copy of the requester's personal data. This normally involves providing a copy of the footage in video format. In circumstances where the footage is technically incapable of being copied to another device, or where the supply of a copy in video format is impracticable, it is acceptable to provide stills as an alternative. Where stills are supplied, it would be necessary to supply a still for every second of the recording in which the requester's image appears in order to comply with the obligation to supply a copy of all personal data held. 
4. Where images of parties other than the requesting data subject appear on the CCTV footage, the onus lies on the data controller to pixilate or otherwise redact or darken out the images of those other parties before supplying a copy of the footage or stills from the footage to the requester. Alternatively, the data controller may seek the consent of those other parties whose images appear in the footage to release an unedited copy containing their images to the requester. 
5. Where a data controller chooses to use technology to process personal data, such as a CCTV system to capture and record images of living individuals, they are obliged to shoulder the data protection obligations which the law places on them for such data processing. In the matter of access requests for CCTV footage, data controllers are obliged to comply fully with such requests. Claims by a data controller that they are unable to produce copies of footage or that stills cannot be produced from the footage are unacceptable excuses in the context of dealing with an access request. In short, where a data controller uses a CCTV system to process personal data, it takes on and is obliged to comply with all associated data protection obligations. 

The following provides the UK Information Commissioners Office with regard to access to CCTV Footage made under Subject Access Requests.

When disclosing surveillance images of individuals, particularly when responding to subject access requests, you need to consider whether the identifying features of any of the other individuals in the image need to be obscured. In most cases the privacy intrusion to third party individuals will be minimal and obscuring images will not be required. However, consideration should be given to the nature and context of the footage. 

Example: If footage from a camera that covers the entrance to a drug rehabilitation centre is held, then consider obscuring the images of people entering and leaving it as this could be considered sensitive personal data. This may involve an unfair intrusion into the privacy of the individuals whose information is captured and may cause unwarranted harm or distress. On the other hand, footage of individual’s entering and exiting a bookshop is far less likely to require obscuring. 

Following the above, a case-by-case assessment is required as to the context of the CCTV. If unsure, please refer to DPO. 

4.3 RIGHT TO RECTIFICATION 

Data subjects (including employees, students, other individuals and members of the general public that may have availed of NCI’s services, or received communications or information from NCI) have the right to the rectification of any inaccurate personal data concerning him or her that is held by NCI. This applies if data is inaccurate or misleading to a matter of fact. This is not an absolute right, and restrictions apply. For example, it does not apply to witness statements or opinions of others such as assessors, etc. Refer the data subject to the DPO for all requests under the “Right to Rectification”. 

In the case of backups, the right to rectification may not be practical or possible, and may therefore be exempt. This would depend on the backup types, and the DPO should be consulted if there is any uncertainty. 

4.4 RIGHT TO ERASURE 

Data subjects have the right to obtain from the controller the erasure of personal data concerning him or her where there is no longer a legal ground for processing of the information. This is not an absolute right, and restrictions apply. Refer the data subject to the DPO for all requests under the “Right to Erasure”. 

In the case of backups, the right to erasure may not be practical or possible, and may therefore be exempt. This would depend on the backup types, and the DPO should be consulted if there is any uncertainty. 

4.5 RESTRICTIONS 

There are restrictions, and in certain circumstances, it may be prudent for NCI not to adhere to certain individual rights. The Data Protection Officer will consider each request on a case by case basis and it is likely that such restrictions would not apply to the complete data set and more likely to a restricted and very specific set of personal data. For example, NCI may not be permitted to apply a blanket exemption to the right of access to an entire set of a student’s data because some elements may be considered privileged, such as an opinion given in confidence regarding the student. 

If NCI wishes to withhold certain subject rights, this must be referred to the DPO, who may seek legal counsel. Restrictions on exercise of data subject rights are laid out in the Data Protection Act (reference 2), and shall be considered carefully when performing data subject access requests. 

It should be noted that the existence of proceedings between a data subject and the data controller, for any reason, does not preclude the data subject making a data subject access request under the Act, nor does it justify the data controller in refusing the request. For example, if a data subject access request is refused, a response clarification as to which exemption is being applied, including the specific restriction, must be cited.

The GDPR requires NCI to implement technical and organisational measures to ensure an appropriate level of security. NCI must take into account the current state and availability of security technologies, the costs of implementation, the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. NCI must also ensure their processors also implement appropriate measures. Some examples of appropriate measures as mentioned in the Regulation are: 

a) the pseudonymisation and encryption of personal data; 

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services 

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident 

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 

In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 

NCI fulfil these obligations by a number of means, specifically: 

1. Deployment of Data Protection by Design and by Default within our Project Management Lifecycle for all new systems/changes to processing (reference Section 5.1 for further details). 
2. Regular risk assessments/testing to assess and evaluate the effectiveness of technical and organisational measures on existing processing (reference Section 5.2 for further details). 
3. Formalised Data Protection Impact Assessments (DPIAs) where processing “is likely to result in a high risk to the rights and freedoms of natural persons” and/or “processing on a large scale of special categories of data” (reference Section 5.3 for further details). 

Records of all of the above activities will be forwarded to the NCI Data Protection Officer and retained for audit purposes. 

5.1 DATA PROTECTION BY DESIGN AND DEFAULT 

The GDPR requires: 

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons 

As part of the implementation of Data Protection by Design and Data Protection by Default principles, a data protection and security design review will be performed during the development stage, and as part of the project management of all projects. The following is a minimum checklist for the areas that will be examined as part of this review, and records of the examination of each area must be maintained for audit purposes: 

1. Has the Data Inventory been updated with any new forms of processing including data categories processed, where it is processed, and with whom it is shared? 
2. Has a valid lawful basis for this processing been defined within the Data Inventory? 
3. Do any new forms of processing include a relevant data privacy notice with all required information as defined in the NCI Data Privacy Notice(s) policy (reference NCI-PDMS-04)? 
4. Is the information collected for a specifically defined purpose? 
5. Is only the required information collected, or is information collected which may be deemed excessive (i.e. is the personal data that is collected minimised)? 
6. How is the personal data kept reasonably accurate and up-to-date? 
7. How long is the personal data retained for, and does the retention period and destruction method comply with the NCI Data Retention Policy (reference NCI-PDMS-03)? 
8. Is it necessary for NCI to be able to identify the individuals whose data is being processed, or could anonymisation be used? 
9. Could pseudonymisation be enforced to protect the personal data, for example, could individuals making enquiries regarding courses be restricted to a reference number until such time as they submit an application? 
10. Can the personal data be encrypted at rest and/or in transit, and if not, are other security measures in place to adequately address the risks associated with the processing activity? 
11. How is the information protected against unlawful or accidental loss, destruction or damage? 
12. How does the new form of processing allow for the implementation of individual rights, including the right to access, rectification, and erasure? 
13. Is all processing within the EEA? 
14. Has a technical penetration test or risk assessment been performed and remediation actions were taken? 
15. Are appropriate access controls in place? Specifically: 

a. Is physical or remote access needed to the office in order to access the personal data? 

b. Is user access restricted on a need-to-know basis? 

c. Is all user access audited and do is there an audit trail of all user access? 

d. Is there a formal process for joiners/movers/leavers to facilitate user access management? 

e. Are user access reviews performed which are signed-off by relevant business owners and recorded for audit purposes? 

16. Are other relevant and appropriate technical and organisational security measures applied? Specifically: 

a. Is a formalised patching policy applied and maintained? 

b. Are reliable and recent backups in place, and are these tested regularly? 

c. Are all backups encrypted? 

d. Are appropriate perimeter security controls applied? e. Is appropriate anti-malware deployed? 

17. Can personal data which is shared externally for reporting purposes, or retained for analytics/statistics, be anonymised? 

5.2 REGULAR RISK ASSESSMENT 

The GDPR Requires: 

A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 

It is the responsibility of the Head of the Department to ensure appropriate technical and organisational security measures are in place in areas for which they are responsible. Specifically, regular security risk assessments must be commissioned to check that the personal data is sufficiently protected based on the level of risk. Security risk assessments will be conducted regularly, and a record maintained for audit purposes with the output from each area examined. At a minimum, the risk assessment must evaluate and record the technical and organisational measures identified in the previous section (Section 5.1). Heads of Department may commission other NCI resources to assist with risk assessments. 

NCI will ensure that any risks to the privacy of data are assessed, and that measures that are implemented are appropriate to the risks of the processing on the systems used. To facilitate this, each data category name, data store, and recipient/s (or third parties) are assigned a risk level based on a defined set of criteria for each department’s Personal Data Inventory. 

5.3 DATA PROTECTION IMPACT ASSESSMENT (DPIA) 

The GDPR requires that a formalised Data Protection Impact Assessment (DPIA) is performed where processing “is likely to result in a high risk to the rights and freedoms of natural persons” and/or “processing on a large scale of special categories of data”. 

A data protection impact assessment will be carried out by NCI prior to the processing of the personal data, paying particular attention to the likelihood and severity of the risk, taking into account the: 

1. Nature 
2. Scope 
3. Context and purposes of the processing 
4. The sources of the risk 

At a minimum, the DPIA will contain: 

1. A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller. 
2. An assessment of the necessity and proportionality of the processing operations in relation to the purposes. 
3. An assessment of the risks to the rights and freedoms of the data subjects. 
4. The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned. (Note: the list provided for Data Protection by Design and Default will also be completed for the Data Protection Impact Assessment) 
5. Where appropriate, NCI will seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations. 

It is the responsibility of NCI and its designated business owners, not the DPO, to carry out DPIAs as necessary. However, the DPO shall be consulted at each stage of the DPIA, and shall provide advice and guidance as follows: 

• whether or not to carry out a DPIA 
• what methodology to follow when carrying out a DPIA 
• whether to carry out the DPIA in-house or whether to outsource it 
• whether or not the DPIA has been correctly carried out and whether its conclusions are in compliance with the GDPR 
• whether or not prior consultation with the supervisory authority is required in line Article 36 of the GDPR following a review of the DPIA 
• whether or not to go ahead with the processing following a review of the DPIA • what safeguards to apply if processing does go-ahead 

All consultation with the DPO will be retained as evidence for audit purposes. Where the advice of the DPO is not taken, the Article 29 Data Protection Working Party: Guidelines on Data Protection Officers recommends that the reasons for not adhering to the advice of the DPO should be documented. NCI shall formally record these reasons in the DPIA documentation. 

Further external guidance in the performance of a DPIA is provided by the following resources: 

• Privacy Impact Assessment Code of Practice
• Privacy Impact Assessment
• Guide to Undertaking Privacy Impact Assessments
• 10 Steps to Undertaking a Privacy Impact Assessment
• A Practical Guide to Impact Assessments

6.1 WHAT IS A PERSONAL DATA BREACH? 

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

Example of typical data breaches are: 

1. Loss or theft of data or equipment on which data is stored 
2. Loss or theft of documents/folders 
3. Unforeseen circumstances such as a flood or fire which destroys information 
4. Inappropriate access controls allowing unauthorised use 
5. A hacking/cyber attack 
6. Obtaining information from the organisation by deception, misaddressing of e-mails, human error, etc. 

The above examples include the accidental loss of personal data as statistics indicate that most breaches are internal in nature and due to non-malicious user behaviour (e.g. loss of unencrypted laptop or USB, paper files, etc.). 

6.2 HOW DO EMPLOYEES REPORT A DATA PROTECTION BREACH? 

In order for NCI to be able to comply with the GDPR, it is essential that all incidents (including suspected incidents) which give rise to the risk of unauthorised disclosure, loss, destruction or alteration of personal data are reported without delay to the DPO using the contact details found in section 2.2 of this document. Where the DPO is unavailable, a secondary point of contact shall be identified, and the incident shall be reported in line with the agreed procedure. 

In the event of a suspected personal data breach happening, employees shall notify the DPO immediately. Employees shall not assume that the DPO is already aware of the suspected breach. 

6.3 HOW PERSONAL DATA BREACHES WILL BE HANDLED IN NCI 

The GDPR requires that NCI: 

1. Document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance. 

NCI has developed a separate, comprehensive Data Breach Incident Procedure in order to handle data breaches in line with the requirements of the GDPR. In the event of a suspected personal data breach, a summary of the personal data breach shall be recorded in the NCI Data Breach Log as per the procedure. Each summary shall contain the facts relating to the personal data breach, its effects, and the remedial action taken. The NCI Data Breach Log shall be maintained by the DPO. The DPO will assess the breach, and make a decision on the next steps to be taken. 

Refer to the NCI Data Breach Incident Procedure for full procedures regarding: 

1. Notifications to the supervisory authority 
2. Notifications to data subjects 
3. Notifications to controllers 

All staff and contractors must familiarise themselves with the NCI Data Breach Incident Procedure.

All NCI personal data must remain within the European Economic Area (EEA). Where a business need requires the transfer or processing information outside of the EU, the NCI DPO shall be contacted for consultation. 

Particular attention is required to the selection of processors when using online services, such as cloud services, for the processing of information as NCI must ensure all processing remains within the EU (e.g. online marketing surveys etc.).

8.1 WHAT IS OUR ROLE WITHIN NCI – DATA CONTROLLER OR PROCESSOR 

The Article 29 Data Protection Working Party of the European Commission published a guidance document on the concepts of controller and processor (reference 3). 

'Data controller' means: 

1. the natural or legal person, public authority, agency or other body which, 
2. alone or jointly with others, 
3. determines the purposes and means of the processing of personal data; 

The following provides 3 example scenarios within NCI:

Scenario	NCI	Third-Party
Processing of Student Personal Data	Controller	Processor (FEI)
Processing of personal data for the provision of college accommodation (TCAS)	Controller	Controller
Processing of Student Personal Data	Processor	Controller (HEA)

In most instances, NCI has been identified as the Data Controller. Where there is uncertainty regarding the designation of NCI as either controller, processor, or joint controller, the DPO shall be consulted for clarification. 

8.2 WHAT ARE OUR REQUIREMENTS IN THE USE OF DATA PROCESSORS AND HOW WE COMPLY WITH THEM? 

Whenever NCI share personal data with a recipient outside of the Organisation, the sharing of the information must be governed by a contract that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. This applies to all forms of sharing of information with recipients. For example, engaging the services of an external solicitor is no different to engaging the services of any other service provider. For that reason, it is unlawful for NCI to pass any personal data to an external solicitor unless NCI have put a contract in place describing the nature and purpose of processing, in addition to other specific contractual requirements as detailed in this section (the data protection principles and subject rights retained). 

8.3 EVALUATION OF PROCESSORS AND PRE-PROCESSING AGREEMENTS 

NCI must use only processors providing sufficient guarantees to implement, and be able to demonstrate, appropriate technical and organisational measures taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. 

Please see Addendum 1 for a list of standard questions which must be asked when engaging a processor, and prior to engagement of processor (used to help evaluate the suitability of the processor pre-contract). Processors must get permission to use further sub-processors – e.g. brokers. 

8.4 WHAT ARE OUR REQUIREMENTS AS DATA CONTROLLER AND HOW WE COMPLY WITH THEM? 

All processing agreements must be governed by a contract that is binding on the processor with regard to the controller and that sets out: 

1. subject-matter 
2. duration of the processing 
3. nature and purpose of the processing 
4. type of Personal data and categories of data subjects 

That contract or other legal act shall stipulate, in particular, that the processor: 

1. Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. 
2. Processes all personal data within the EU. 
3. Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 
4. Shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including as appropriate: 

a. the pseudonymisation and encryption of personal data; 

b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 

c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; 

d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 

e. the account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 

5. Assist NCI by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights under data protection requirements and good practice. 

6. Assists NCI in ensuring compliance with the data protection obligations taking into account the nature of processing and the information available to the processor. 

7. At the choice of NCI, deletes or returns all the personal data to NCI after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data. 

8. Makes available to NCI all information necessary to demonstrate compliance with our data protection obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by NCI or another auditor mandated by NCI. 

9. The processor shall immediately inform the controller if, in its opinion, an instruction infringes any data protection regulations, acts or good practices. 

10. Where a processor engages another processor for carrying out specific processing activities on behalf of NCI, the same data protection obligations as set out in the contract between NCI and the processor shall be imposed on that other processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet NCI requirements. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to NCI for the performance of that other processor's obligations.

Please see below a list of standard questions which must be asked when engaging a processor, and prior to engagement of processor (used to help evaluate the suitability of the processor pre-contract). Processors must get permission to use further sub-processors – e.g. brokers.

Ref	Requirement
1)	NCI requires the solution to adhere to good industry security practice and must be in compliance with all applicable legislative and regulatory requirements, specifically: NCI Policies Legislative Requirements (e.g. EU GDPR, Data Protection Acts) NCI policies will be made available to the successful tenderer. If partially compliant, please specify explicitly the areas of non-compliance.
2)	Please confirm you will make available to NCI all information necessary to demonstrate compliance with data protection good practice and GDPR.
3)	The supplier must allow for, and contribute to, audits and vulnerability testing, conducted by NCI or another auditor mandated by NCI. The supplier agrees to facilitate such a technical verification test and agree to repair defects found which are as a result of not conforming to a requirement detailed in this document.
4)	Please describe all external/public interfaces to the proposed solution, in particular, those which may be accessed directly by the public.
5)	Please describe all internal and administrative interfaces to the proposed solution along with the user profiles/type of user expected to use each interface.
6)	It must be possible to trace all activity on the system through the use of an audit trail (e.g. login events/failed logins etc.). The audit trail should be timestamped and retained for a sufficient period of time to allow for the offline retention and/or enable investigation of incidents.
7)	Please describe security controls implemented on the external/public interfaces, specifying how controls are implemented to prevent (for example): a)    Input validation issues such as SQL Injection, Command Injection, Cross-Site Scripting, etc. b)    Authentication issues (e.g. bypassing authentication). c)    Authorisation issues (e.g. ability to view or manipulate other users’ data) d)    Access control issues (e.g. masquerading as a different user). e)    Password strength and brute-force issues (e.g. password lockout/reset issues) f)    Session management issues (e.g. session predictability, hi-jacking or lack of session management, etc.) g)    Parameter tampering (e.g. ability to manipulate values on the server for gain, or to gain access to unauthorised data). h)    Administrative processes and issues (e.g. ability to escalate privileged commands or connect to the administrative interface). i)    Other flaws which may result in breaches of confidentiality, integrity or availability.   It is expected that best practice web application security will be applied in the solution to prevent the above issues.
8)	The solution design needs to be compliant with the data protection requirements and good practice, including: a)    Secure by Design b)    Secure by Default c)    Pseudonymisation (where possible) d)    Data Retention period enforcement e)    Encryption of data at rest and in transit f)    Implementation of “minimum rights” for users g)    Auditing of user access Please describe how your solution demonstrates compliance with above (a) – (g), in particular for High Risk and Special Categories of personal data (e.g. medical or financial data).
9)	The information needs to be processed in compliance with the EU GDPR principles, including: a)    Data minimisation: only process the information required. b)    Accuracy: information processed needs to be reasonably kept up to date. c)    Stored for only the period required: For example, should a student not complete their application process and record of the incomplete application is no longer required, how the information is removed from the solution. d)    Data transfers: only transferred in line with the GDPR Please describe how your solution demonstrates compliance with above (a) – (c), in particular for High Risk and Special Categories of Personal data (e.g. medical or financial data).
10)	Processing of Special Categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation), is prohibited under the EU GDPR unless explicit consent is provided. Please describe:  a)    All Special Categories of information proposed to be processed. b)    Where the information will be stored. c)    Necessity and proportionality of the information processing i.e. why it is required. d)    How the solution proposes to collect explicit consent for the processing of Special Categories of personal data. e)    How the solution proposes to maintain records of explicit consent for Special Categories.
11)	The subjects have a right to access, rectification, and erasure of the information. Please describe: a)    How the solution supports extracting all information relating to a specific individual (in order to fulfil Subject Access Requests). b)    How the solution supports erasure of all information related to a particular individual (to support the Subjects Rights to Erasure).

In order to apply appropriate technical and organisational measures, it is necessary to classify and define handling rules for the different classifications of personal data. 

10.1 PERSONAL DATA RISK LEVELS 

At the heart of the GDPR, is an analysis of the risks from the various types of processing taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. This is based on the impact or level of damage that may be suffered by the Data Subject (as opposed to NCI). 

A risk rating has been assigned to each Personal Data Category based on the following criteria:

Category Risk Level	Description	Third-Party
High	This category contains personal data which includes Special Categories of personal data, personal data relating to criminal convictions and offences, bank account, or payment card number details.	Anything revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning medical or health, data concerning a natural person's sex life or sexual orientation. Bank account or payment card details Other information highly sensitive in nature, such as personal data relating to an individual’s criminal convictions and offences
Medium	This category contains personal data which the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access to the data may result in a high risk to the rights and freedoms of natural persons.	Identification data such as social security numbers, copies of passports which may be able to identify ethnic origin, CCTV footage, etc.  Employee information including performance reviews, resumes, employee contracts or other non-Special Category data Student information including course details, grades, assessments, and other non-Special Category data
Low	This category contains personal data which the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access to the data is less likely to result in a high risk to the rights and freedoms of natural persons.	All other forms of personal data including names, addresses, contact details etc.

10.2 DATA HANDLING RULES 

The following defines the minimum handling requirements for each personal data classification. Note that all personal data (regardless of its format), may only be processed in line with data retention requirements:

Storage Item	Low	Medium	High
Storage on public or shared work drives (e.g. network file shares)	Laptops not be used as a storage location
Storage on public or shared work drives (e.g. network file shares)	May be stored in line with Data Retention requirements.  All personal data must be restricted on need to know basis.	Must not be stored on public or shared work drives.
Storage on personal work drives (e.g. personal home folder)	May be stored however should be structured in such a manner/system which ensures implementation of the Data Retention Policy.
Email transfer Note: Email is a method of communication and must not be used as a storage location.	May be used for the transfer of information only. Email must not be considered as an area in which to store information for the long-term. Emails which are important must be saved into an appropriate storage area with other records on the same topic. This will ensure a full and complete record is kept and that emails containing personal data are not ‘lost’ or hard to retrieve should they be deleted or archived. A contract must be in place for all recipients with whom personal data is shared, and the sharing should be appropriately risk assessed.
	Consider encryption of email based on risk.		Must be encrypted if transferred via email.
Processed within NCI structured applications (e.g. Microsoft CRM, Quercus+, etc.).	May be stored in line with Data Retention requirements, however, data stored must be minimised, and restricted on a “need-to-know” basis.		Should not be stored unless deemed absolutely necessary and where appropriate technical and organisational controls are in place to protect the personal data.
Paper-based files – access control and transfers	A contract must be in place for all recipients with whom personal data is shared, and the sharing of the data must be appropriately risk assessed. Must be restricted on a need to know and minimum rights basis.
	Must not be stored in public/common areas. Should not be stored or processed offsite except if there is an absolute business requirement and the risk appropriately assessed.
CCTV footage	Must not be disclosed unless: A contract is in place Legally required to disclose the footage (such as official investigation by Gardai where formal, written request has been made) Must only be reviewed by authorised persons. Must be processed on NCI controlled systems and within NCI physical location. Must be securely destroyed in line with recommended data retention guidelines (current recommendation is 30 days).
Everything else (Including spoken communications etc.)	Must not be disclosed unless a contract is in place. Processed on NCI controlled systems and within NCI physical location.
Data destruction	Must be securely destroyed in line with Data Retention requirements.

The above identifies minimum handling requirements only. Additional controls may be put in place for certain personal data types if required in addition to the above.

This version was last updated in October 2019.

This Notice describes the practices of National College of Ireland (“NCI”) regarding the collection, use, transfer, disclosure and other handling and Processing of your Personal Data as an employee of NCI (and its affiliates).

In particular, NCI is committed to Processing the Personal Data of its employees in a fair, lawful and transparent manner. Accordingly, this Notice provides NCI employees with certain information about how their Personal Data is used by NCI. NCI has also adopted a Privacy Policy (the “NCI Privacy Policy”) that addresses data protection more generally. Capitalised terms used in this Notice are defined in the Glossary in Annex I to this Notice.

In relation to Personal Data provided by you to NCI, NCI will act as Data Controller of such Personal Data. This means that NCI determines why and how such data is used. NCI’s data Processing is generally undertaken in connection with the employment contract between each employee and the NCI.

Personal data is any information relating to a living individual which allows either directly or indirectly the identification of that individual. Personal Data can include a name, an identification number, details about an individual’s location or any other detail(s) that is specific to that individual and that would allow the individual to be identified or identifiable. The type of Personal Data that NCI collects and Processes in relation to employees is described in more detail in the table at Appendix II of this Notice.

The table at Appendix II also describes in detail the particular purposes and lawful basis for NCI’s Processing of employee Personal Data as required by Data Protection Law. NCI will generally Process your Personal Data for personnel administration purposes and for purposes necessary for and connected with the performance of NCI’s legitimate interests.

NCI may obtain Personal Data about you from third parties, such as former employers, educational institutions, recruitment agencies, recruitment platforms such as LinkedIn, government agencies, from information in the public domain and available on the internet and from other employees (e.g., other NCI staff, supervisors, members of the HR Department, etc.). We may also seek Personal Data about you from third parties in connection with: (I) locating former employees and beneficiaries for purposes of administering retirement, pension or other benefits; (II) performance evaluations; (III) academic and processional references; (IV) disciplinary matters and internal investigations; (V) purposes that relate to your employment relationship with us; and (VI) other purposes permitted in accordance with applicable law. Where we obtain Personal Data about you from third parties, we will do so in accordance with Data Protection Law.

NCI Processes Special Categories of Data (“SCD”) relating to employees in limited circumstances, typically related to the ordinary course of personnel administration which is in accordance with the Data Protection Law. Such Processing of SCD is permitted under several provisions of the Data Protection Law, including the following:

4.1 Article 9(2)(b) where it is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law” and section 46 of the Data Protection Act 2018 which permits the processing of special categories of personal where the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law. As required by Data Protection Law, NCI applies suitable and specific measures in respect of such Processing.

4.2 Article 9(2)(f) GDPR where it is “necessary for the establishment, exercise or defence of legal claims” and this ground is amplified under the Data Protection Act 2018 which permits the Processing of SCD where it is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights (and which may include Processing in the context of disciplinary proceedings);

4.3 Article 9(2)(g) GDPR which permits such Processing for reasons of substantial public interests and this is amplified under the Data Protection Act 2018 which provides a general lawful basis for Processing of SCD where it is necessary and proportionate for the performance of a function conferred by or under an enactment; and

4.4 In relation to the management of medical risk and medical claims, the Data Protection Act 2018 permits the Processing of SCD where it is necessary for the purposes of preventative or occupational medicine, to assess the working capacity of an employee, for the management of health or social care systems and services or for ensuring high standards of quality and safety of health care.

4.5 In relation to equality, diversity, and inclusion, as well as Athena Swan, Article 9(2)(j) of GDPR and the Data Protection Act 2018 allows the processing of SCD for statistical purposes

In addition, where NCI employees will be working in close proximity with children vulnerable persons, in accordance with the National Vetting Bureau (Children and Vulnerable Persons) Act 2012 and the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016, they NCI will require such employees to undergo Garda Vetting.

5.1 Data Protection Laws provide certain rights in favour of data subjects. The rights in question are as follows (together the “Data Subject Rights”):

(a) The right of a data subject to receive detailed information on the Processing (by virtue of the transparency obligations on the Data Controller); 

(b) The right of access to Personal Data; 

(c) The right to rectify or erase Personal Data (known as the “right to be forgotten”); 

(d) The right to restrict Processing; 

(e) The right of data portability; 

(f) The right of objection (in circumstances where Processing is undertaken based on the legitimate interests of the Controller); and 

(g) The right to object to automated decision making, including profiling.

5.2 Please note that the Data Subject Rights are available subject to certain circumstances. Any data subject wishing to exercise their Data Subject Rights should contact the NCI Data Protection Officer (“NCI DPO”): Niamh Scannell by email at dpo@ncirl.ie and by phone (01) 4498 523. Your request will be dealt with in accordance with NCI’s Data Subject Rights Procedure.

Your obligations and responsibilities are set out in detail in the NCI Data Protection Policy, which in particular include the following: 6.1 All NCI employees are required to treat all Personal Data that they access and use are during the course of their employment in the strictest confidence and shall only disclose such Personal Data to external third parties as is necessary in the performance of your role.

6.2 All NCI employees are required to direct any data subject requests to exercise data subject rights to NCI’s DPO at: dpo@ncirl.ie or by person /in writing to: Finance Department, National College of Ireland, Lower Mayor Street, Dublin 1, as soon as is reasonably possible.

6.3 The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of Personal Data security breaches (Art. 34). We will manage a Data Breach in accordance with our Data Breach Incident Procedure. All NCI employees are required to report any suspected data breaches to NCI’s DPO immediately upon detection of the suspected data breach at the details below. If you are unsure what constitutes a data breach please refer to section 6 of the NCI Privacy Policy which deals with Data Beach Handling or contact the NCI DPO:

Name	Niamh Scannell
Email	dpo@ncirl.ie
Phone	(01)4498 523

7.1 We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.

8.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data). We may also share Personal Data: (a) with another statutory body where there is a lawful basis to do so; (b) with selected third parties including sub-contractors; (c) if we are under a legal obligation to disclose Personal Data. For example, this may include where a member of the academic staff spends time in another institution on sabbatical or be seconded to a government department or body and also includes exchanging information with other organisations for the purposes of fraud prevention or investigation.

8.2 Where we enter into agreements with third parties to Processes Personal Data on our behalf we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data where required by Data Protection Law. Examples of such third party service providers that we engage, and to whom we may provide Personal Data include but are not limited to communications providers, payroll service providers, pension administrators, occupational health providers, marketing or recruitment agencies, operators of data centres used by us, security services, catering service providers, and professional advisors such as external lawyers, accountants, tax and pensions advisors.

We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed. Further details of the retention period for Personal Data is set out in our Data Retention Policy.

From time to time we may need to transfer Personal Data outside the EEA. This transfer will occur in accordance with applicable Data Protection Law. We take reasonable steps to ensure that the Personal Data is treated securely (typically through the use of EU-approved Model Contract Clauses) and in accordance with the NCI Privacy Policy when transferred outside the EEA.

Unfortunately, the transmission of information via email is not completely secure. Although we will do our best to protect your information, we cannot guarantee its security and when giving us your information you do so at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

You can ask a question or make a complaint about this Notice, the NCI Privacy Policy and/or the Processing of your Personal Data by contacting the NCI DPO, Niamh Scannell, at the details set out in paragraph 6 above. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact the NCI DPO in the first instance to give us the opportunity to address any concerns that you may have.

In this Notice, the terms below have the following meaning: 

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. 

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. 

“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller (for example, a payroll service provider). 

“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the [Data Protection Act 2018] and any other laws which apply to NCI in relation to the Processing of Personal Data. 

“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway. 

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly. 

“Special Categories of Personal Data” (or “SCD”) are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.

The following table describes the type of Personal Data that is collected by NCI relating to NCI employees and the purposes and lawful basis for Processing that data under by Data Protection Law:

Description of Personal Data	Purpose of Processing	GDPR Lawful Basis
Information contained in: CVs, cover letters and job applications (including previous employment background, education history, professional qualifications, references, language and other relevant skills, certification, certification expiration dates), interview notes and feedback; details on performance management ratings, development programs planned and attended, e-learning programs, performance and development reviews, willingness to relocate or driver’s license information.)	Recruitment, personnel administration and HR management, including performance analysis and promotion purposes.	Contract performance and steps prior to entering a contract (Art. 6(1)(b) GDPR) and The NCI’s legitimate interests in recruitment staff ((Art. 6(1)(f) GDPR).
HR files and records (including CPD and training records, disciplinary records, salary details, benefits, compensation type, pay grade, salary step within assigned grade, awards, pay frequency, effective date of current compensation, salary reviews, banking details, working time records (including vacation and other absence records, leave status, hours worked and department standard hours), pay data, national insurance or other number, marital/civil partnership status, domestic partners and dependents, ethnicity, disability, gender).	Personnel administration and HR management, including performance analysis, promotion purposes, and equality, diversity, and inclusion.	For the performance of a contract (Art. 6(1)(b) GDPR) Compliance with legal obligations under employment legislation (Art 6(1)(c) GDPR); and Protecting the vital interests of employees and other persons (Art 6(1)(d) GDPR). The NCI's legitimate interests in relation to equality, diversity, and inclusion (Art. 6(1)(f) GDPR) Statistical purposes (Art 9(2)(j) GDPR, and sections 42 and 54 of the Data Protection Act 2018)
Photographs of employees and Security Access Cards	For security purposes in relation to Security Access Cards. For use on Outlook to enable staff to identify colleagues.	The NCI’s legitimate interests in recruitment staff ((Art. 6(1)(f) GDPR); and Protecting the vital interests of employees and other persons (Art. 6(1)(d) GDPR).
Data related to pensions	To enable NCI pension trustees and related service providers to administer your pension entitlements.	Contract performance (Art 6(1)(b) GDPR).
Medical information (including medical certificate and sick notes).	Personnel administration and to verify employee absences from work on sick leave and purposes of preventative or occupational medicine.	To assess the working capacity of an employee (section 52 Data Protection Act 2018).
Name, role, email address (work), telephone number (work), office number, profile photograph and details of: previous roles, research areas/interests and academic publications.	For publication on various sections of NCI website and in hard copy materials and to promote the NCI and enhance its profile.	The NCI’s legitimate interests in recruitment staff ((Art. 6(1)(f) GDPR).
Data in relation to memberships of clubs or societies associated with NCI (for example a book club or sports club)	To enable participation in clubs/societies associated with NCI.	Employee consent, which can be withdrawn at any time (Art 6(1)(a) GDPR).
Data Processed in relation to optional staff schemes or benefits	In relation to Travelpass, Bike-to-work scheme etc.	Employee consent, which can be withdrawn at any time (Art 6(1)(a) GDPR); and Contract performance (Art 6(1)(b) GDPR).
CCTV Footage	NCI has closed circuit television cameras (“CCTV”) located throughout its premises covering buildings, internal spaces, car parks, roads, pathways and grounds. NCI’s CCTV system is implemented in a proportionate manner as necessary to protect NCI property against theft or pilferage and for the security of staff, students and visitors to NCI premises (to protect their vital interests).	The NCI’s legitimate interests in recruitment staff ((Art. 6(1)(f) GDPR); and Protecting the vital interests of employees and other persons (Art 6(1)(d) GDPR).

Subject to certain criteria under data protection law, you have the following rights:

Right	Explanation
Access	GDPR gives you the right to request a copy of your personal data which is processed by NCI, or processed on behalf of NCI, and details concerning the way in which it is processed.
To be Informed	GDPR gives you the right to know what personal information the College holds about you, the purpose and the legal basis for processing this information, the categories of personal data being processed, the source of the personal data, who the personal data is shared with, and the retention of the personal data.
Rectification	Under certain circumstances, GDPR gives you the right to have inaccurate or incorrect personal data rectified.
Erasure	Under certain circumstances, GDPR gives you the right to erasure.
Restriction	Under certain circumstances, GDPR gives you the right to restrict the processing of personal data. This means you can limit the way NCI uses your personal data.
Portability	Under certain circumstances, GDPR gives you the right to receive your personal data in a structured, commonly used, and machine-readable format so it can be transmitted to another controller of your choice. This does not apply to paper records.
Objection	Under certain circumstances, GDPR gives you the right to object to certain processing carried out by NCI or on NCI’s behalf.
Automated Decision Making	GDPR gives you the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal affects or significant affects upon you.

(a) You may request to exercise the above rights by contacting National College of Ireland’s Information Governance and Data Protection Officer in writing at dpo@ncirl.ie or Finance Department, National College of Ireland, Mayor Street Lower, Dublin 1, D01 Y300

(b) To help us respond to your request, please be as specific as possible and use one of the forms provided on our website. The forms may also be requested from the Information Governance and Data Protection Officer

(c) If you would like a third party to submit a request to exercise your rights on your behalf, you will have to provide National College of Ireland with written authorisation to allow us to disclose any personal data to the third party of your choice.

(d) National College of Ireland may need to verify your identity before proceeding with a request. This is to ensure your personal data is not disclosed to the wrong person. Acceptable forms of identification include a current driving licence, a current passport, valid student ID, or valid staff ID. In most cases, a copy will suffice but we do reserve the right to request to see original documents or request further supporting documents and information.

Subject Access Request Form

Data Subject Rights Form