UCD Privacy Statement for Students

University College Dublin (“UCD”) is committed to protecting the privacy and security of personal data.

Throughout this statement, “University”, “we”, “our”, and “us” refer to UCD; “you” and “your” refer to those whose data we process because they were or are enrolled students at the University.

UCD collects, uses and is responsible for certain personal data. This is known as “processing”. When we do so we are regulated under data protection legislation and we are responsible as the “data controller” of that personal data for the purposes of those laws.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Under data protection legislation, there is also ‘special category’ personal data, which is more sensitive personal data. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.

The types of personal data we process about students at UCD include:

• Student ID number
• Gender
• EU/EEA residency status
• Unique Personal Identifiers and Biographical Information, such as Student Number, Name, Title, Date of Birth)
• Your Contact Details (Note: you can update these when they change)
• PPS number
• Email address(es)
• Next of kin/emergency contact details
• Details of Students’ Education (including your college(s), The courses you have completed, your subjects, dates of study, details of any awards, scholarships or other accolades achieved during your University years)
• Information to provide student support services such as counselling, where applicable
• Image in digital photograph for ID card
• Financial information (including details of funding and fees)
• Bank details, including IBAN, BIC, Name of bank/building society
• Credit card details (processed by our payment provider Realex)
• Academic history
• Grade information including marking and marking of grade components
• Details of previous examination results from other institutions
• Qualifications awarded
• Details of what correspondence we have sent to you
• Information about parties who are providing funding, including names and financial information to allow us to contact them and process payments
• Information to enable us to carry out vetting procedures, to meet our social and legal obligations
• Information on your usage of student library services

We also process the following “special categories” of more sensitive personal information:

• Information about your health (for example, for absence records)
• Disability information (for example, where needed for the provision of counselling or student support services)
• In some cases, vetting procedures may require us to process criminal conviction information

Students’ personal data are normally gathered by the University:

1. Via the admissions processes including:

• Information you provide to us during registration such as any applications you complete
• Any other admission procedures operated by UCD
• Information you provided through a specified application process route, such as the Central Applications Office (CAO) (see more below)

2. Through communication between you and UCD by telephone, email, or via the website.
    For example, when you call to make enquiries about a course or when you are raising concerns or queries.

3. We may also obtain your personal data from third parties, for example: 

• Information about you provided by referees you have nominated
• Information from your sponsor/grant awarding body (e.g. Student Universal Support Ireland (SUSI) and information from your previous educational establishments
• Information provided by an agent or representative acting on your behalf

The University will process your personal information for a range of purposes, including the following:

• To deliver and administer your education, record the details of your studies (including any placements with external organisations), and determine/confirm your academic achievements (e.g. results, prizes)
• Where relevant (e.g. for PhD students), to monitor, evaluate and support your research activity
• To administer the relationship with any of your funders
• To deliver Library, Virtual Learning Environment (VLE) and IT facilities to you
• To enable you to apply to live in UCD Student Residences
• To enable your participation at events (e.g. functions, graduation)
• To identify and contact students who may need additional support. (Our staff may use analysis tools to identify such cases in our systems, so we can make contact to offer assistance and advice where that is appropriate)
• To communicate effectively with you by post, email and phone, including the distribution of relevant newsletters and circulars to support your learning
• To operate security (including CCTV), governance, disciplinary (including plagiarism and academic or other misconduct), complaint, audit and quality assurance processes and arrangements
• To support your training, medical, safety and welfare requirements
• To compile statistics and conduct surveys and research for internal and statutory reporting purposes
• To carry out strategic and management planning and forecasting
• To fulfil and monitor our responsibilities under equalities, immigration and public safety legislation
• To enable us to contact others in the event of an emergency (we will assume that you have checked with the individuals before you supply their contact details to us)
• To enable placements with employers
• To support your ongoing development through the UCD Careers Network

We will only use your personal information when we have a legal basis to do so. Most commonly, we’ll use your personal information on the following legal bases:

• Where it is necessary for the performance of tasks and functions we carry out under the Universities Act 1997, and related legislation, which form the basis for our University operations, including teaching and research activities
• Where it is necessary for compliance with a legal obligation, such as visa monitoring, immigration rules, or reporting information to funding or regulatory bodies where the law provides for this
• Where it is necessary for the pursuit of the legitimate interests of the University and our associated bodies, such as to enable your access to University services, and your interests and fundamental rights do not override those interests
• To protect the vital interests of the data subject or of another person (for example, in the case of a medical emergency)
• Where it is necessary for the performance of a contract have entered into, or are about to enter into, with you
• Where it is necessary for the purposes of the prevention, investigation, detection or prosecution of criminal offences

Should we require your consent for any specific use of your personal information, we will collect it at the appropriate time and you can withdraw this at any time.

Please be aware, in some exceptional cases, the University may process your personal data without your knowledge or consent, in compliance with our policies and procedures, where there is a lawful basis for doing so.

We will not use your personal information to carry out any wholly automated decision-making that affects you.

We may only process special category personal data in the following circumstances where, in addition to a lawful basis for processing, there exists one of the following grounds:

• Explicit consent – where you have given us explicit consent
• Legal obligation related to employment - the processing is necessary for a legal obligation in the field of employment and social security law or for a collective agreement
• Vital interests - the processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies
• Public information - the processing relates to personal data which is manifestly made public by the data subject or is already in the public domain
• Legal claims - the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
• Substantial public interest - the processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law
• Healthcare - the processing is necessary for healthcare purposes and is subject to suitable safeguards
• Public health - the processing is necessary for public health purposes and is based on Union or Member State law
• Archive - The processing is necessary for archiving, scientific or historical research purposes, or statistical purposes and is based on Union or Member State law

In addition to cases where UCD is required by law or permitted to disclose your details to others, third party disclosure may take place including to:

• Funding bodies and agencies that support or sponsor your education. Please note that once registered and where appropriate, fees will be claimed on your behalf from the relevant funding body
• External companies to process information about you on the University’s behalf such as third-party service providers. For example, we send payment and financial information to our payment service provider Realex to administer your payments
• Professional, educational or similar institutions and individuals that you have authorised or with whom UCD is collaborating in respect to your education. (Includes parent/guardian of minors)
• The organisers of conferring ceremonies where your graduate status or other award is publicly acknowledged
• A debt collection agency where necessary, because of outstanding UCD fees or other charges
• UCD Students’ Union for the purposes of Union membership, representation and elections. Read the UCDSU Privacy Notice about what they do with the information they collect
• UCD Sport & Fitness and UCD Clubs and Societies to manage your access to membership and facilities
• UCD Alumni Relations Office and UCD Foundation to facilitate future contact between you, UCD and fellow alumni e.g. university mailings, events, reunions and university-related fundraising activities. (See also our Privacy statement for alumni)
• Some of your information may be sent to the Higher Education Authority (HEA), or other regulatory bodies, where we are required to do so. Read the HEA Data Collection Notice.
• Some of your information may also be shared with government departments, such as the Department for Justice & Equality, Inland Revenue, or the Department for Social Services, as provided for in legislation
• Students entitled to reasonable accommodation, who have permission to Audio Record lectures. It is possible that any or all lectures students are attending are being audio recorded by student(s) with disabilities who have been granted this reasonable accommodation. Please read the UCD Access and Lifelong Learning Disability Support Privacy Statement
• In the case of an emergency, your emergency contact(s), based on details you’ve provided (we will assume that you have checked with the individuals before you supply their contact details to us)
• the HSE to support the contact tracing work of the public health authorities.

This is not an exhaustive list and other disclosures to third parties not listed here are made only where there is a legal basis to do so.

For those students who are involved with one of our overseas partners, or who have funding sponsors or guarantors, or other nominated contacts, who are based outside of the European Economic Area (“EEA”), some of your information may be transferred to those other locations. Where personal data are transferred to countries outside the EEA, you should be aware that these countries may not have similar data protection laws to the EU and Ireland.

If we transfer your information outside of the EEA in this way, we will take steps to ensure that appropriate security and privacy measures are taken with the aim of making sure that your privacy rights continue to be protected as outlined in this statement.

When you give us personal information, we take steps to ensure that appropriate technical and organisational controls are in place to protect it.

For financial and payment processing, your payment details are handled by our payment process provider, Realex, and UCD administrative staff will not have access to full payment or card details at any stage.

When we determine for how long we keep your information, we consider a number of factors, such as legal, reporting, and accounting requirements.

You have a number of rights regarding access to and control of your personal data, including:

• Right of Access:You have the right to know what type of personal data UCD holds about you and to obtain a copy of this data.
• Right of Erasure:Under certain circumstances, GDPR allows you to have personal data erased. We will assess whether it is possible to implement such a request but please be aware that UCD will need to retain certain information about you in order to carry out our lawful functions
• Right to Object:Under certain circumstances, you can object to the processing of your personal data
• Right to Portability:Under certain circumstances, you have the right to request that we provide elements of your data in a commonly used, machine-readable format
• Right to Rectification:You have the right to have any inaccurate personal data which we hold about you updated or corrected
• Right to Restriction:You have the right to block the processing of your personal data in certain circumstances. We will assess whether it is possible to implement such a request
• Automated Decision-Making:You have the right to object to automated individual decision-making (i.e. making a decision solely by automated means without any human involvement) and profiling (i.e. automated processing of personal data to evaluate certain things about an individual). UCD does not make any decisions about students using wholly automated means

If you wish to make a request under any of the above, including aSubject Access Request, please go to the GDPR website where you will find a link to our Subject Access Request Form and the relevant mailbox address for data protection-related requests.

We regularly review our privacy information to ensure that it remains accurate and current. If there are any changes, we will update these pages to tell you. From time to time, we may also tell you in other ways about the processing of your data where appropriate.

This Privacy Statement was last updated on 14 May 2023.