Data Protection Obligations of the University
The UCD Data Protection Policy is a statement of University College Dublin’s (UCD) commitment to protect the rights and privacy of individuals in accordance with the GDPR.
The GDPR places direct data processing obligations on businesses and organisations at an EU-wide level. According to the GDPR, an organisation can only process personal data under certain conditions. For instance, the processing should be fair and transparent, for a specified and legitimate purpose, and limited to the data necessary to fulfil this purpose. It must also be based on at least one of six legal grounds/bases.
As a University, UCD needs to collect and use personal data (information) about its staff, students and other individuals with whom it comes into contact. The purposes of UCD processing data include the organisation and administration of courses, examinations, research activities, the recruitment and payment of staff, compliance with statutory obligations, etc.
The University acts as ‘Data Controller’ where UCD faculty, staff, or other individuals representing the University have a high degree of control over the ‘why’ and ‘how’ of the personal data processing. As Data Controller, the University automatically takes on full responsibility for whom it shares the data with, including assessing in advance whether such sharing might put personal data at risk.
Additionally, if UCD, as data controller, decides to avail of the services of an external third-party supplier/provider, i.e. uses a ‘data processor’ that operates under strict instructions of UCD, UCD takes on responsibility for the processor's GDPR compliance as well. The law requires that UCD clearly sets out such a relationship in a controller-processor contract.
Note: All faculty, staff, or students of UCD who independently, i.e. in a non-UCD capacity, collect and/or control the content and use of personal data are individually responsible for compliance with the legislation for those data sets.
Compliance with GDPR and its accountability requirements needs comprehensive, business-specific documentation, both internal and external, about how personal data are collected, processed, and stored by the organisation. Accountability demonstrates that the organisation takes GDPR and the privacy rights of individuals seriously.
Failure to comply with data protection legislation can have very serious consequences. Apart from damage to the University’s reputation, substantial fines can apply. In addition to fines levied by the Data Protection Commission, under GDPR an individual, i.e. a data subject, has the right to take legal action against an organisation and its members for failing to comply with GDPR.