Data Protection at Ulster University
The purpose of Data Protection is to enhance and strengthen the protections afforded to individuals' rights and freedoms, especially their right to privacy with respect to the processing of personal data.
Owing to the nature of its business, Ulster University is required to hold and process, both electronically and manually, large amounts of personal data.
Data Protection provides a framework to ensure that personal information processed and stored by the University, whether in hard copy or electronic format, is handled properly both on and off campus.
The University is committed to protecting the data rights of individuals and recognises its legal obligation to ensure the correct and lawful treatment of Personal Data.
The aims of this Data Protection Policy are to set out the University’s strategy for ensuring compliance, to ensure that all staff, students or third party Processors engaged by the University are aware of their rights and responsibilities under Data Protection, and to minimize the risk to the University of any potential breach of the Data Protection Legislation. A breach could result in damaging valued relationships with stakeholders as well as causing reputational damage to the University and the individual.
This Policy relates to all Personal Data as defined by the UK GDPR held by the University and applies equally to information held in paper and electronic format stored in hard files, on PCs, laptops and other fixed or portable data storage devices. The Policy also applies to photographic material and CCTV footage.
Definitions
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the Processing of personal data. The University is a data Controller.
"Data Subject" means an identified or identifiable natural person about whom Personal Data is held. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, ID number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the University, Data Subjects include current, past and present students and staff (including affiliated and visiting staff), and other third parties such as suppliers, contractors, consultants or referees.
"Personal Data" means any information relating to a Data Subject. It includes, by way of example only, name, date of birth, images and photographs.
"Processing" means any operation which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
"Special Categories of Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning physical or mental health or data concerning a person’s sex life or sexual orientation.
Contacts
The Data Protection & Information Compliance Manager, Eoin Coyle, is the University's designated Data Protection Officer. The Data Protection Officer has the primary responsibility for coordinating Data Protection compliance across the University, including reporting, and is the ultimate arbitrator within the University in respect of Data Protection matters.
The Data Protection Officer is supported by the Data Protection & Information Compliance Co-Ordinator and they are the first point of contact for queries and advice on responsibilities and compliance under the GDPR and DPA; for requests and objections by Data Subjects, including Subject Access Requests; and for liaising with the ICO and other agencies where appropriate. Contact details are provided below.
In addition, the Vice-Chancellor, Deputy Vice-Chancellor, Pro-Vice-Chancellors, Chief People Officer, Chief Finance and Strategy Officer, Deans, Provosts, Heads of School, Research Institute Directors and Directors/Heads of Professional Services Departments all play a key role in assisting the University's Data Protection and Information Compliance Unit and are responsible for having in place appropriate procedures to ensure compliance with the Data Protection legislation within their areas of responsibility across the University. These officers have nominated suitable representatives (Data Protection Nominees) who have undertaken specialist data protection training and work with the Data Protection Officer and Policy Coordinator to respond to requests and objections by Data Subjects including Subject Access Requests and in relation to implementation and dissemination of good practice. Contact details are provided below.
Data Protection Contacts (Department - Staff Member)
- Data Protection & Information Compliance Manager/Data Protection Officer - Eoin Coyle
- Data Protection & Information Compliance Co-Ordinator - Jemma Bacon
- Data Protection & Information Compliance Support Assistant - Katie Morgan
- Records Co-Ordinator - Paul Chapman
- Records Filtering Assistant - Irene Jardine
Principles
The University is committed to the six data protection principles contained within the UK GDPR. These principles represent best standards of practice with respect to the transmission, retention and disposal of Personal Data. All staff, students and others who process or use any personal data must comply with these principles.
- Lawfulness, fairness and transparency - Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes).
- Data minimisation - Personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
- Accuracy - Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted.
- Retention - Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes).
- Integrity and confidentiality - Personal data must be processed securely, including being protected against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures.
The University’s Appropriate Policy Document provides information about the legal basis and safeguards the University has put in place for processing special category and criminal offence data.
Lawful Basis for Processing
- Consent
- Contract
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interests
Accountability Obligations
- Staff and Student Responsibilities
- Data Protection Impact Assessments
- Records Retention & Disposal Schedule
- Personal Data Breaches
If you discover a breach, or are unsure if there has been an incident, please complete a personal data breach report form or email gdpr@ulster.ac.uk without undue delay. The Data Protection Officer will contact you, in confidence, once the details have been received.
Complaints
Under Article 77 of the UK GDPR, an individual has the right to make a complaint if they feel their personal information has not been handled by the University in accordance with the UK GDPR. A complaint may be submitted in writing by email to gdpr@ulster.ac.uk.
Alternatively, a complaint may be made to the Office of the Information Commissioner.
Data Subject Rights
An individual has the following rights (all of which are qualified in different ways):
Privacy Notices
- AACSB Accreditation Privacy Notice
- Applicant & Employee Privacy Notice
- Competitions Privacy Notice
- Complainants Privacy Notice
- Contractors and Consultants Privacy Notice
- Corporate Events Privacy Notice
- Development and Alumni Relations Privacy Notice
- Federal Loans Privacy Notice
- Global Mobility Privacy Notice
- Learning Enhancement Directorate (LED) Privacy Notice
- Marketing and Communications Privacy Notice
- Student Privacy Notice
Use of Personal Data by Processors and other Data Sharing Arrangements
Where processors, including for example consultants or contractors, are engaged by the University on work that requires the processing of personal data, the University remains the controller of that personal data, and these organisations will be required to provide sufficient guarantees to demonstrate that they have arrangements in place to comply with the requirements of the Data Protection legislation and this policy, and that the rights of data subjects are protected.
Whenever the University uses a processor it must have a written contract in place.
In line with this policy, a Third Party Processing Agreement must be used when engaging such processors (or alternatively, duplicate provisions can be included within the corresponding "main contract" as appropriate).
A template Agreement and guidance in relation to its use are available; for further information please email gdpr@ulster.ac.uk.
It should be noted that Processors must only act on the documented instructions of the University as the controller.
The processor will however have some direct responsibilities under the Data Protection legislation and may be subject to fines or other sanctions if they do not comply.
It should be noted that Personal Data Processing arrangements (as outlined above) form only one category of data sharing.
There are 3 broad categories, including the sharing of personal data with another data controller to be used for joint purposes and also the passing of personal data to a data controller for it to use for its own purposes. Further guidance and template documents as required for use in relation to such data sharing arrangements are available upon request from the Office of the University Secretary by emailing gdpr@ulster.ac.uk.
International Transfers
There are restrictions imposed on the University by the UK GDPR when transferring personal data outside the UK.
These restrictions are in place to ensure that the level of protection of individuals afforded by the UK GDPR is not undermined. Personal data can only be transferred outside of the UK in compliance with the conditions for transfer set out in Chapter 5 of the UK GDPR.
Transferring personal data outside of the EEA is a complex process which requires a strict procedure to be followed in order for such a transfer to be lawful. For further guidance in this regard, please contact the Data Protection & Information Compliance Unit by emailing gdpr@ulster.ac.uk.