
CCT College Dublin Data Protection: Handling Personal Data, Study notes of Law

This document is the data protection policy of CCT College Dublin. It covers the collection, processing, and storage of personal data for employees, former employees, students, applicants, graduates, and third-party service providers. The policy also explains the Data Subjects' rights under GDPR and the procedures for exercising those rights.

Typology: Study notes

2021/2022

Uploaded on 08/05/2022

aichlinn


Partial preview of the text

PROVIDER NAME: CCT College Dublin (CCT)
POLICY AREA: Standard 10: Information Management
Policy and Procedure Title: Data Protection Policy
Document Number: CCTP1002
Version: 1.2

CCT College Dublin

The purpose of this document is to provide a concise policy statement regarding the Data Protection obligations of CCT College Dublin. This includes obligations in dealing with personal data, in order to ensure that the organisation complies with the requirements of the EU General Data Protection Regulation (GDPR). CCT College Dublin is committed to complying with the Data Protection principles set out in the GDPR.

This Policy applies to all Personal Data collected, processed and stored by CCT College Dublin in relation to its staff, students, and service providers. CCT College Dublin makes no distinction between the rights of Data Subjects who are employees, and those who are not. All are treated equally under this Policy.

The policy covers both personal and special categories of personal data (sensitive data) processed in relation to data subjects by CCT College Dublin. The policy applies equally to personal data held in manual and automated form. All Personal and Special Categories of Personal Data will be treated with equal care by CCT College Dublin. Both categories will be equally referred to as Personal Data in this policy, unless specifically stated otherwise.

This policy should be read in conjunction with the associated Subject Access Request procedure, the Records Retention and Destruction Policy and procedure, the CCTV Policy and Procedure, the Privacy Statement of CCT College Dublin, and the Data Breach Notification policy and procedure.
CCT College Dublin as a Data Controller

In the course of its daily organisational activities, CCT College Dublin acquires, processes and stores personal data in relation to:
● Employees
● Former employees
● Students
● Applicants (to programmes and employment vacancies)
● Graduates
● Third party service providers engaged by the College

In accordance with the GDPR, this data must be acquired and managed fairly. Not all staff members will be expected to be experts in Data Protection legislation. However, CCT College Dublin is committed to ensuring that its staff have sufficient awareness of the GDPR in order to be able to anticipate and identify a Data Protection issue, should one arise. In such circumstances, staff must ensure that the Data Protection Contact is informed, without delay, in order that appropriate corrective action is taken.

As a higher education provider, there is regular and active exchange of personal data between CCT College Dublin and its Data Subjects. In addition, CCT College Dublin may exchange personal data with Data Processors and/or Joint Data Controllers on the Data Subjects’ behalf. In particular, in order to comply with the Government’s COVID-19 Return to Work Protocol, CCT College Dublin shall be obliged to maintain contact tracing logs in respect of all persons attending upon its premises and these logs may contain personal data relating to Data Subjects. This is consistent with CCT College Dublin’s obligations under the terms of its contract with its Data Processors, Joint Data Controllers and its Data Subjects.

This policy provides the guidelines for this exchange of information, as well as the procedure to follow in the event that a CCT College Dublin staff member is unsure whether such data can be disclosed. In general terms, the staff member should consult with the Dean of Academic Affairs, as the Data Protection Contact, to seek clarification.
Data Protection Contact

All personal data enquiries, or requests to exercise your rights as a data subject, can be directed to Naomi Jackson, Dean of Academic Affairs, CCT College Dublin, 30 – 34 Westmoreland St., Dublin 2, or by email to njackson@cct.ie

If you are dissatisfied with the information provided or believe your request to exercise your rights has not been addressed you can make a complaint to the supervisory authority. As CCT College Dublin operates primarily in Ireland, the supervisory authority is the Data Protection Commissioner who can be contacted through the following means:
By post: Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.
By phone: +353 (0761) 104800, or
By email: info@dataprotection.ie

Data Subjects’ Rights

Under GDPR, data subjects have increased rights and data controllers are required to notify data subjects of their rights. Individuals have the right to:
⮚ be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
⮚ withdraw consent, where consent is the legal basis for data processing
⮚ access their personal data (a data subject access request).
⮚ have inaccurate personal data rectified or completed if incomplete.
⮚ have personal data erased (the right to be forgotten) in certain circumstances
⮚ request the restriction or suppression of their personal data, in certain circumstances
⮚ data portability, allowing individuals to reuse their data across different services, where feasible
⮚ object to personal data processing, in certain circumstances

● Implementing regular audits to ensure the full and proper adherence to the records retention policy
● Training staff in their responsibilities and obligations regarding retention of personal data
● Implementing appropriate measures for the secure destruction, deletion or archiving of personal data at the end of the retention period.
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

CCT College Dublin will fulfil its obligations in this regard by:
● Employing appropriate standards of security in order to protect the personal data under its care.
● Implementing security measures to protect against unauthorised access to, or alteration, destruction or disclosure of any personal data held by CCT College Dublin in its capacity as Data Controller.
● Limiting access to and management of staff and student / graduate records to those staff members who have appropriate authorisation and password access.
● Providing appropriate training for staff to know their obligations and responsibilities in respect of personal data.
● Implementing appropriate measures to determine security of data transfers to other countries and only transferring outside of the EU where the transfer is:
  - made with the individual’s informed consent;
  - necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request;
  - necessary for the performance of a contract made in the interests of the individual between the controller and another person;
  - necessary for important reasons of public interest;
  - necessary for the establishment, exercise or defence of legal claims;
  - necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or
  - made from a register which under Irish or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).
In addition, the College commits to facilitating access to personal data of a data subject, within the legal specified timeframe, where a valid subject access request is received.

Data Subject Access Requests

As part of the day-to-day operation of the organisation, CCT College Dublin’s staff engage in active and regular exchanges of information with Data Subjects. Where a formal request is submitted by a Data Subject in relation to the data held by CCT College Dublin, such a request gives rise to access rights in favour of the Data Subject.

There are specific timelines within which CCT College Dublin must respond to the Data Subject, depending on the nature and extent of the request. These are outlined in the Data Access Request policy and procedure.

CCT College Dublin’s staff will ensure that, where received, such requests are forwarded to the Data Protection Contact in a timely manner, and they are processed as quickly and efficiently as possible, but within not more than one month (30 days) from receipt of the request, except in those circumstances where an extension of the response time is legitimate. Subject access requests will not normally be subject to a fee.

Implementation

As a Data Controller, CCT College Dublin ensures that any entity which processes Personal Data on its behalf (a Data Processor) does so in a manner compliant with the Data Protection legislation. Failure of a Data Processor to manage CCT College Dublin’s data in a compliant manner will be viewed as a breach of contract, and may be pursued through the courts. Failure of CCT College Dublin’s staff to process Personal Data in compliance with this policy may result in disciplinary proceedings.

Definitions

For the avoidance of doubt, and for consistency in terminology, the following definitions will apply within this Policy.

Personal Data
Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Special Categories of Personal Data
A particular category of Personal Data, relating to: Racial or Ethnic Origin, Political Opinions, Religious, Ideological or Philosophical beliefs, Trade Union membership, Information relating to mental or physical health, information in relation to one’s Sexual Orientation. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.

Data Controller
Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Subject
A living individual who is the subject of the Personal Data, i.e. to whom the data relates either directly or indirectly.
Data Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Protection Contact
A person appointed by CCT College Dublin to monitor compliance with the appropriate Data Protection legislation, to deal with Subject Access Requests, and to respond to Data Protection queries from staff members, students, and all data subjects or potential data subjects.

Relevant Filing System
Any set of information in relation to living individuals which is not processed by means of equipment operating automatically (computers), and that is structured, either by reference to individuals, or by reference to criteria relating to individuals, in such a manner that specific information relating to an individual is readily retrievable.

Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Supervisory Authority
An independent public authority which is established by a Member State pursuant to Article 51. In Ireland, the supervisory authority is the Data Protection Commissioner.

Monitoring

Monitor (Job Title): Dean of Academic Affairs
Frequency: Annually
Monitoring Method(s):
● Review of ongoing accuracy and legality of the policy
● Review of data protection enquiries, breaches, complaints, requests, withdrawals of consent
● Integration with associated policies – subject access request policy, CCTV policy, website / cookies policy, records retention policy, privacy statement etc.