Data Protection at Ulster University
The purpose of Data Protection is to enhance and strengthen the protections afforded to individuals' rights and freedoms, especially their right to privacy with respect to the processing of personal data.
Due to the nature of business at Ulster University it is required to hold and process, both electronically and manually, large amounts of personal data.
Data Protection provides a framework to ensure that personal information processed and stored by the University, whether in hard copy or electronic format, is handled properly both on and off campus.
The University is committed to protecting the data rights of individuals and recognises its legal obligation to ensure the correct and lawful treatment of Personal Data.
The aims of this Data Protection Policy are to set out the University’s strategy for ensuring compliance, to ensure that all staff, students or third party Processors engaged by the University, are aware of their rights and responsibilities under Data Protection and to minimize the risk to the University of any potential breach of the Data Protection Legislation. A breach could result in damaging valued relationships with stakeholders as well as causing reputational damage to the University and the individual.
This Policy relates to all Personal Data as defined by the UK GDPR held by the University and applies equally to information held in paper and electronic format stored in hard files, on PCs, laptops and other fixed or portable data storage devices. The Policy also applies to photographic material and CCTV footage.
-
Contacts
The Data Protection & Information Compliance Manager, Eoin Coyle, is the University's designated Data Protection Officer. The Data Protection Officer has the primary responsibility for coordinating Data Protection compliance across the University, including reporting, and is the ultimate arbitrator within the University in respect of Data Protection matters.
The Data Protection Officer is supported by the Data Protection & Information Compliance Co-Ordinator and they are the first point of contact for queries and advice on responsibilities and compliance under the GDPR and DPA; for requests and objections by Data Subjects, including Subject Access Requests; and for liaising with the ICO and other agencies where appropriate. Contact details are provided below.
In addition, the Vice-Chancellor, Deputy Vice-Chancellor, Pro-Vice-Chancellors, Chief People Officer, Chief Finance and Strategy Officer, Deans, Provosts, Heads of School, Research Institute Directors and Directors/Heads of Professional Services Departments all play a key role in assisting the University's Data Protection and Information Compliance Unit and are responsible for having in place appropriate procedures to ensure compliance with the Data Protection legislation within their areas of responsibility across the University. These officers have nominated suitable representatives (Data Protection Nominees) who have undertaken specialist data protection training and work with the Data Protection Officer and Policy Coordinator to respond to requests and objections by Data Subjects including Subject Access Requests and in relation to implementation and dissemination of good practice. Contact details are provided below.
Data Protection Contacts Department Staff Member Data Protection & Information Compliance Manager/Data Protection Officer Eoin Coyle Data Protection & Information Compliance Co-Ordinator Jemma Bacon Data Protection & Information Compliance Support Assistant Katie Morgan Records Co-Ordinator Paul Chapman Records Filtering Assistant Irene Jardine
The University’s Appropriate Policy Document provides information about the legal basis and safeguards the University has put in place for processing special category and criminal offence data.
Accountability Obligations
- Staff and Student Responsibilities
- Data Protection Impact Assessments
- Records Retention & Disposal Schedule
- Personal Data Breaches
If you discover a breach, or are unsure if there has been an incident, please email gdpr@ulster.ac.uk or the Data Protection Officer without undue delay. The Data Protection Officer will contact you, in confidence, once the details have been received.
Complaints
Under Article 77 of the UK GDPR, an individual has the right to make a complaint if they feel their personal information has not been handled by the University in accordance with the UK GDPR. A complaint may be submitted in writing by email to gdpr@ulster.ac.uk
Alternatively, a complaint may be made to the Office of the Information Commissioner
Data Subject Rights
Under the Data Protection legislation, a Data Subject has the following rights, all of which are qualified in different ways:
- The right to be informed: a Data Subject has the right to be informed about the collection of their Personal Data and to be informed of how their Personal Data is being used by the University. This is a key transparency requirement under the UK GDPR.
- The right of access to your Personal Data: a Data Subject has the right to request access to their Personal Data held by the University, which is known as a “Subject Access Request”. A Subject Access Request does not have to be submitted in any particular format nor does the request have to include the phrase 'subject access request' or refer to Data Protection legislation.
- The right to rectification: a Data Subject has the right to have inaccurate Personal Data held by the University rectified or completed if it is incomplete.
- The right to be forgotten: a Data Subject has the right to have their Personal Data held by the University erased. This right is not absolute and only applies in certain circumstances as detailed in Article 17 of UK GDPR.
- The right to restrict processing: a Data Subject has the right to restrict processing of their Personal Data. This right is not absolute and only applies in certain circumstances as detailed in Article 18 of UK GDPR.
- The right to data portability: a Data Subject has the right to receive copies of their Personal Data in a machine readable and commonly used format. This right is not absolute and only applies in certain circumstances as detailed in Article 20 of UK GDPR.
- The right to object: a Data Subject has a right to object to the processing of their Personal Data. This right is not absolute and only applies in certain circumstances as detailed in Article 21 of UK GDPR.
Any person who wishes to exercise any of those rights listed above, can make their request either verbally on telephone no. 028 701 24533 or by email to gdpr@ulster.ac.uk. Should a member of University staff receive a request to exercise any of those rights listed above, they should immediately share the request with the DPO by emailing gdpr@ulster.ac.uk. It is important that University staff can recognise a request to exercise an individual’s rights and in particular recognise a Subject Access Request so that they can share the request immediately with the DPO to allow the University to comply with the statutory timeframes for response.
Privacy Notices
- AACSB Accreditation Privacy Notice
- Applicant & Employee Privacy Notice
- CCTV Privacy Notice
- Competitions Privacy Notice
- Complainants Privacy Notice
- Contractors and Consultants Privacy Notice
- Corporate Events Privacy Notice
- Development and Alumni Relations Privacy Notice
- Federal Loans Privacy Notice
- Global Mobility Privacy Notice
- Learning Enhancement Directorate (LED) Privacy Notice
- Marketing and Communications Privacy Notice - Photography/Videography
- Market and Communications Privacy Notice
- Research Privacy Notice
- Student Privacy Notice
Use of Personal Data by Processors and other Data Sharing Arrangements
University staff may only share the Personal Data entrusted to the University with third parties, such as its service providers or other public bodies, if:
- they have a need to know the information for the purposes of providing the contracted services;
- sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;
- the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
- the transfer complies with any applicable cross-border transfer restrictions; and
- a data sharing agreement has been entered. To note, the University has a range of data sharing agreements which address the range of relationships that may arise which are available upon request to gdpr@ulster.ac.uk.
We have also prepared a data sharing checklist available Your Guide to Data Protection, which you should consult in advance of proceeding to transfer Personal Data with an external third party.
International Transfers
There are restrictions imposed on the University by the UK GDPR when transferring personal data outside the UK.
These restrictions are in place to ensure that the level of protection of individuals afforded by the UK GDPR is not undermined. Personal data can only be transferred outside of the UK in compliance with the conditions for transfer set out in Chapter 5 of the UK GDPR.
Transferring personal data outside of the UK is a complex process which requires a strict procedure to be followed in order for such transfer to be lawful. For further guidance in this regard, please contact the Data Protection & Information Compliance Unit by emailing gdpr@ulster.ac.uk