Data Protection at Ulster University

The purpose of Data Protection is to enhance and strengthen the protections afforded to individuals' rights and freedoms, especially their right to privacy with respect to the processing of personal data.

Due to the nature of business at Ulster University it is required to hold and process, both electronically and manually, large amounts of personal data.

Data Protection provides a framework to ensure that personal information processed and stored by the University, whether in hard copy or electronic format, is handled properly both on and off campus.

The University is committed to protecting the data rights of individuals and recognises its legal obligation to ensure the correct and lawful treatment of Personal Data.

The aims of this Data Protection Policy are to set out the University’s strategy for ensuring compliance, to ensure that all staff, students or third party Processors engaged by the University, are aware of their rights and responsibilities under Data Protection and to minimize the risk to the University of any potential breach of the Data Protection Legislation. A breach could result in damaging valued relationships with stakeholders as well as causing reputational damage to the University and the individual.

This Policy relates to all Personal Data as defined by the UK GDPR held by the University and applies equally to information held in paper and electronic format stored in hard files, on PCs, laptops and other fixed or portable data storage devices. The Policy also applies to photographic material and CCTV footage.

• Download a PDF copy of the Policy

The University’s Appropriate Policy Document provides information about the legal basis and safeguards the University has put in place for processing special category and criminal offence data.

Accountability Obligations

• Staff and Student Responsibilities
• Data Protection Impact Assessments
• Records Retention & Disposal Schedule
• Personal Data Breaches

If you discover a breach, or are unsure if there has been an incident, please email gdpr@ulster.ac.uk or the Data Protection Officer without undue delay.  The Data Protection Officer will contact you, in confidence, once the details have been received.

Complaints

Under Article 77 of the UK GDPR, an individual has the right to make a complaint if they feel their personal information has not been handled  by the University in accordance with the UK GDPR. A complaint may be submitted in writing  by email to gdpr@ulster.ac.uk

Alternatively, a complaint may be made to the Office of the Information Commissioner

Data Subject Rights

Under the Data Protection legislation, a Data Subject has the following rights, all of which are qualified in different ways:

(i) The right to be informed: a Data Subject has the right to be informed about the collection of their Personal Data and to be informed of how their Personal Data is being  used by the University. This is a key transparency requirement under the UK GDPR.

(ii) The right of access to your Personal Data: a Data Subject has the right to request  access to their Personal Data held by the University, which is known as a “Subject  Access Request”. A Subject Access Request does not have to be submitted in  any particular format nor does the request have to include the phrase 'subject access  request' or refer to Data Protection legislation.

(iii) The right to rectification: a Data Subject has the right to have inaccurate Personal  Data held by the University rectified or completed if it is incomplete.

(iv) The right to be forgotten: a Data Subject has the right to have their Personal Data held  by the University erased. This right is not absolute and only applies in certain circumstances as detailed in Article 17 of UK GDPR.

(v) The right to restrict processing: a Data Subject has the right to restrict processing of  their Personal Data. This right is not absolute and only applies in certain circumstances  as detailed in Article 18 of UK GDPR.

(vi) The right to data portability: a Data Subject has the right to receive copies of their  Personal Data in a machine readable and commonly used format. This right is not  absolute and only applies in certain circumstances as detailed in Article 20 of UK GDPR.

(vii) The right to object: a Data Subject has a right to object to the processing of their  Personal Data. This right is not absolute and only applies in certain circumstances as  detailed in Article 21 of UK GDPR.

Any person who wishes to exercise any of those rights listed above, can make their request  either verbally on telephone no. 028 701 24533 or by email to gdpr@ulster.ac.uk. Should a member of University staff receive a request to exercise any of those rights listed  above, they should immediately share the request with the DPO by emailing gdpr@ulster.ac.uk. It is important that University staff can recognise a request to exercise  an individual’s rights and in particular recognise a Subject Access Request so that they can  share the request immediately with the DPO to allow the University to comply with the statutory  timeframes for response.

Privacy Notices

• AACSB Accreditation Privacy Notice
• Applicant & Employee  Privacy Notice
• Competitions Privacy Notice
• Complainants Privacy Notice
• Contractors  and Consultants Privacy Notice
• Corporate Events Privacy Notice
• Development and Alumni Relations Privacy Notice
• Federal  Loans Privacy Notice
• Global Mobility Privacy Notice
• Learning Enhancement Directorate (LED) Privacy Notice
• Marketing and Communications Privacy Notice
• Student Privacy Notice

Further Information on Privacy Notices

Use of Personal Data by Processors and other Data Sharing Arrangements

University staff may only share the Personal Data entrusted to the University with third parties,  such as its service providers or other public bodies, if:

• they have a need to know the information for the purposes of providing the contracted services;
• sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;
• the third party has agreed to comply with the required data security standards, policies  and procedures and put adequate security measures in place;
• the transfer complies with any applicable cross-border transfer restrictions; and
• a data sharing agreement has been entered. To note, the University has a range of  data sharing agreements which address the range of relationships that may arise  which are available upon request to gdpr@ulster.ac.uk.

We have also prepared a data sharing checklist available Your Guide to Data Protection, which you should consult in advance of proceeding to transfer Personal Data with an external third party.

International Transfers

There are restrictions imposed on the University by the UK GDPR when transferring personal data outside the UK.

These restrictions are in place to ensure that the level of protection of individuals afforded by the UK GDPR is not undermined. Personal data can only be transferred outside of the UK in compliance with the conditions for transfer set out in Chapter 5 of the UK GDPR.

Transferring personal data outside of the UK is a complex process which requires a strict procedure to be followed in order for such transfer to be lawful.  For further guidance in this regard, please contact the Data Protection & Information Compliance Unit by emailing gdpr@ulster.ac.uk