UCD Privacy Statement for Students
This privacy statement describes the processing of student personal data that is carried out by UCD in order to ensure we can provide you with the experience, support and service you expect as a student, and that we meet our legal and organisational obligations. This statement explains how UCD collects and uses (processes) personal data relating to students, what rights you have in relation to that data and who to contact should you have a query or complaint. This privacy statement is not intended to cover all personal data processing at UCD and data processing activities may be dealt with under separate privacy statements.
University College Dublin (“UCD”) is committed to protecting the privacy and security of personal data.
Throughout this statement, “University”, “we”, “our”, and “us” refer to UCD; “you” and “your” refer to those whose data we process because they were or are enrolled students at the University.
UCD collects, uses and is responsible for certain personal data. This is known as “processing”. When we do so we are regulated under data protection legislation and we are responsible as the “data controller” of that personal data for the purposes of those laws.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Under data protection legislation, there is also ‘special category’ personal data, which is more sensitive personal data. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.
The types of personal data we process about students at UCD include:
- Student ID number
- EU/EEA residency status
- Unique Personal Identifiers and Biographical Information, such as Student Number, Name, Title, Date of Birth)
- Your Contact Details (Note: you can update these when they change)
- PPS number
- Email address(es)
- Next of kin/emergency contact details
- Details of Students’ Education (including your college(s), The courses you have completed, your subjects, dates of study, details of any awards, scholarships or other accolades achieved during your University years)
- Information to provide student support services such as counselling, where applicable
- Image in digital photograph for ID card
- Financial information (including details of funding and fees)
- Bank details, including IBAN, BIC, Name of bank/building society
- Credit card details (processed by our payment provider Realex)
- Academic history
- Grade information including marking and marking of grade components
- Details of previous examination results from other institutions
- Qualifications awarded
- Details of what correspondence we have sent to you
- Information about parties who are providing funding, including names and financial information to allow us to contact them and process payments
- Information to enable us to carry out vetting procedures, to meet our social and legal obligations
- Information on your usage of student library services
We also process the following “special categories” of more sensitive personal information:
- Information about your health (for example, for absence records)
- Disability information (for example, where needed for the provision of counselling or student support services)
- In some cases, vetting procedures may require us to process criminal conviction information
We use your data to deliver a high standard of service to you, and we ask that you regularly check that we have correct and up-to-date information about you. We have an online system for students where you can view, edit and update your own details: Student Information System (SISWeb).
We also have a guide that tells you which data you can edit yourself, and where the information has to be updated centrally by our administrative team.
If you still need help or have a concern about data accuracy, relevant contact points are provided at the end of this privacy statement.
Students’ personal data are normally gathered by the University:
1. Via the admissions processes including:
- Information you provide to us during registration such as any applications you complete
- Any other admission procedures operated by UCD
- Information you provided through a specified application process route, such as the Central Applications Office (CAO) (see more below)
2. Through communication between you and UCD by telephone, email, or via the website.
For example, when you call to make enquiries about a course or when you are raising concerns or queries.
3. We may also obtain your personal data from third parties, for example:
- Information about you provided by referees you have nominated
- Information from your sponsor/grant awarding body (e.g. Student Universal Support Ireland (SUSI)) and information from your previous educational establishments
- Information provided by an agent or representative acting on your behalf
The Central Applications Office (CAO) are what is called a “joint data controller” with UCD. This means the CAO, with UCD, make decisions in respect of the information about you we both process. We have a joint controller agreement with the CAO to ensure both organisations are clear about our respective responsibilities and that your data and rights are protected when we work together. This agreement as well the CAO’s Privacy Statement is available from their privacy pages at the link below. http://www.cao.ie/index.php?page=privacy
The University will process your personal information for a range of purposes, including the following:
- To deliver and administer your education, record the details of your studies (including any placements with external organisations), and determine/confirm your academic achievements (e.g. results, prizes)
- Where relevant (e.g. for PhD students), to monitor, evaluate and support your research activity
- To administer the relationship with any of your funders
- To deliver Library, Virtual Learning Environment (VLE) and IT facilities to you
- To enable your participation at events (e.g. functions, graduation)
- To identify and contact students who may need additional support. (Our staff may use analysis tools to identify such cases in our systems, so we can make contact to offer assistance and advice where that is appropriate)
- To communicate effectively with you by post, email and phone, including the distribution of relevant newsletters and circulars to support your learning
- To operate security (including CCTV), governance, disciplinary (including plagiarism and academic or other misconduct), complaint, audit and quality assurance processes and arrangements
- To support your training, medical, safety and welfare requirements
- To compile statistics and conduct surveys and research for internal and statutory reporting purposes
- To carry out strategic and management planning and forecasting
- To fulfil and monitor our responsibilities under equalities, immigration and public safety legislation
- To enable us to contact others in the event of an emergency (we will assume that you have checked with the individuals before you supply their contact details to us)
- To enable placements with employers.
We will only use your personal information when we have a legal basis to do so. Most commonly, we’ll use your personal information on the following legal bases:
- Where it is necessary for the performance of tasks and functions we carry out under the Universities Act 1997, and related legislation, which form the basis for our University operations, including teaching and research activities
- Where it is necessary for compliance with a legal obligation, such as visa monitoring, immigration rules, or reporting information to funding or regulatory bodies where the law provides for this
- Where it is necessary for the pursuit of the legitimate interests of the University and our associated bodies, such as to enable your access to University services, and your interests and fundamental rights do not override those interests
- To protect the vital interests of the data subject or of another person (for example, in the case of a medical emergency)
- Where it is necessary for the performance of a contract have entered into, or are about to enter into, with you
- Where it is necessary for the purposes of the prevention, investigation, detection or prosecution of criminal offences
Should we require your consent for any specific use of your personal information, we will collect it at the appropriate time and you can withdraw this at any time.
Please be aware, in some exceptional cases, the University may process your personal data without your knowledge or consent, in compliance with our policies and procedures, where there is a lawful basis for doing so.
We will not use your personal information to carry out any wholly automated decision-making that affects you.
We may only process special category personal data in the following circumstances where, in addition to a lawful basis for processing, there exists one of the following grounds:
- Explicit consent – where you have given us explicit consent
- Legal obligation related to employment - the processing is necessary for a legal obligation in the field of employment and social security law or for a collective agreement
- Vital interests - the processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies
- Public information - the processing relates to personal data which is manifestly made public by the data subject or is already in the public domain
- Legal claims - the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
- Substantial public interest - the processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law
- Healthcare - the processing is necessary for healthcare purposes and is subject to suitable safeguards
- Public health - the processing is necessary for public health purposes and is based on Union or Member State law
- Archive - The processing is necessary for archiving, scientific or historical research purposes, or statistical purposes and is based on Union or Member State law
In addition to cases where UCD is required by law or permitted to disclose your details to others, third party disclosure may take place including to:
- Funding bodies and agencies that support or sponsor your education. Please note that once registered and where appropriate, fees will be claimed on your behalf from the relevant funding body
- External companies to process information about you on the University’s behalf such as third-party service providers. For example, we send payment and financial information to our payment service provider Realex to administer your payments
- Professional, educational or similar institutions and individuals that you have authorised or with whom UCD is collaborating in respect to your education. (Includes parent/guardian of minors)
- The organisers of conferring ceremonies where your graduate status or other award is publicly acknowledged
- A debt collection agency where necessary, because of outstanding UCD fees or other charges
- UCD Students’ Union for the purposes of Union membership, representation and elections
- UCD Sport & Fitness and UCD Clubs and Societies to manage your access to membership and facilities
- UCD Alumni Relations Office and UCD Foundation to facilitate future contact between you, UCD and fellow alumni e.g. university mailings, events, reunions and university-related fundraising activities. (See also our Privacy statement for alumni)
- Some of your information may be sent to the Higher Education Authority (HEA), or other regulatory bodies, where we are required to do so. Read the HEA data collection policy
- Some of your information may also be shared with government departments, such as the Department for Justice & Equality, Inland Revenue, or the Department for Social Services, as provided for in legislation
- In the case of an emergency, your emergency contact(s), based on details you’ve provided (we will assume that you have checked with the individuals before you supply their contact details to us)
This is not an exhaustive list and other disclosures to third parties not listed here are made only where there is a legal basis to do so.
For those students who are involved with one of our overseas partners, or who have funding sponsors or guarantors, or other nominated contacts, who are based outside of the European Economic Area (“EEA”), some of your information may be transferred to those other locations. Where personal data are transferred to countries outside the EEA, you should be aware that these countries may not have similar data protection laws to the EU and Ireland.
If we transfer your information outside of the EEA in this way, we will take steps to ensure that appropriate security and privacy measures are taken with the aim of making sure that your privacy rights continue to be protected as outlined in this statement.
When you give us personal information, we take steps to ensure that appropriate technical and organisational controls are in place to protect it.
For financial and payment processing, your payment details are handled by our payment process provider, Realex, and UCD administrative staff will not have access to full payment or card details at any stage.
We ask that you please do not send bank or card details by email to UCD, and only make payments through the service provided via our online payment system.
When we determine for how long we keep your information, we consider a number of factors, such as legal, reporting, and accounting requirements.
You have a number of rights regarding access to and control of your personal data, including:
- Right of Access: You have the right to know what type of personal data UCD holds about you and to obtain a copy of this data.
- Right of Erasure: Under certain circumstances, GDPR allows you to have personal data erased. We will assess whether it is possible to implement such a request but please be aware that UCD will need to retain certain information about you in order to carry out our lawful functions
- Right to Object: Under certain circumstances, you can object to the processing of your personal data
- Right to Portability: Under certain circumstances, you have the right to request that we provide elements of your data in a commonly used, machine-readable format
- Right to Rectification: You have the right to have any inaccurate personal data which we hold about you updated or corrected
- Right to Restriction: You have the right to block the processing of your personal data in certain circumstances. We will assess whether it is possible to implement such a request
- Automated Decision-Making: You have the right to object to automated individual decision-making (i.e. making a decision solely by automated means without any human involvement) and profiling (i.e. automated processing of personal data to evaluate certain things about an individual). UCD does not make any decisions about students using wholly automated means
If you wish to make a request under any of the above, including a Subject Access Request, please go to the GDPR website where you will find a link to our Subject Access Request Form and the relevant mailbox address for data protection related requests.
You can access, view and update or amend some of your information directly by logging into our Student Information System (SISWeb).
We also have a guide that tells you which data you can edit yourself, and where the information has to be updated centrally by our administrative team.
If you wish to make a request relating to any of the above rights, please go to the following website page for contact details: www.ucd.ie/gdpr/contact/
We regularly review our privacy information to ensure that it remains accurate and current. If there are any changes, we will update these pages to tell you. From time to time, we may also tell you in other ways about the processing of your data where appropriate.
This Privacy Statement was last updated on 29 June 2020.
UCD’s data protection contact information, including where to send Subject Access and similar requests, are available on the GDPR web page
If you have any questions about this statement or wish to lodge a complaint about the way in which UCD processes your personal data, please contact our Interim Data Protection Officer (DPO), Dr Ulrike Kolch at firstname.lastname@example.org.
You also have the right to lodge a complaint at any time with the Data Protection Commission, Ireland’s supervisory authority for data protection, but we do ask that you come to us first and give us the opportunity to address your concerns wherever we can.
Details of how to lodge a complaint can be found on the Data Protection Commission’s website.
Thank you for reading. Please check back here regularly for any changes.