Full policy

1. Introduction & Scope 

1.1 Dublin City University includes the DCU Campus Companies and is referred to in this Privacy Policy as “DCU”, “us” or “we”. This Privacy Policy provides details of the way in which we Process Personal Data in line with our obligations under Data Protection Law. 

2. Background and Purpose 

2.1 The purpose of this Privacy Policy is to explain what Personal Data we Process and how and why we Process it. In addition, this Privacy Policy outlines our duties and responsibilities regarding the protection of such Personal Data. 

2.2 This Privacy Policy is not an exhaustive statement of our data protection practices. The manner in which we Process data will evolve over time and we will update this Policy from time to time to reflect changing practices. In addition, we operate a number of other workplace policies and procedures which inter-relate with this Privacy Policy, including the following: 

(a) Staff Data Processing Notice – (Internal to DCU) 

(b) Data Retention Policy – (Public Facing) 

(c) Data Breach Reporting Procedure – (Public Facing) 

(d) Data Breach Reporting Procedure – (Internal to DCU) 

(e) Data Subject Rights Procedure – (Public Facing) 

(f) Data Subject Rights Procedure – (Internal to DCU) 

(g) Data Protection Impact Assessment Guidelines – (Internal to DCU) 

(h) Data Protection Impact Assessment Template – (Internal to DCU) 

(i) Information & Communications Technology (ICT) Security Policy 

(j) Website Privacy Statement – (Public Facing) 

2.3 In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Privacy Policy by reference into notices used at various points of data capture when collecting personal data (e.g. application forms, website forms etc.). 

3. DCU as a Data Controller 

3.1 When DCU determines the purposes and means of the Processing of Personal Data it acts as a Data Controller. DCU is a statutory authority under the Universities Act, 1997 (“Universities Act”). The data Processing undertaken by DCU is generally undertaken in fulfilment of its statutory objects, functions and duties under sections 12 and 13 of the Universities Act, which in particular provide that the functions of a university are “to do all things necessary and expedient... to further the objects and development of the university”. 

3.2 In relation to such processing, Art. 6(1)(e) of the GDPR provides an appropriate legal basis, which permits Processing that is necessary for the performance of the task which is in the public interest, where such “public interest” is laid down in EU or Irish law (such as in the Universities Act). [Section 34(1) of the Data Protection Act 2018] further makes it clear that DCU can rely on this public interest basis as a lawful basis for Processing Personal Data where Processing is [necessary for the performance of a function of a Data Controller conferred by or under an enactment, or the administration by or on behalf of a Data Controller of any non-statutory scheme, programme or funds where the legal basis for such administration is a function of a controller conferred by or under an enactment]. 

3.3 Where Processing activities are not specifically supported by a particular statutory basis (such as under the Universities Act), DCU relies on other legal bases under Data Protection Law. These include: Art. 6(1)(a) of the GDPR which permits Processing where the data subject has given his or her consent; Art 6(1)(b) which permits Processing where necessary for the performance of a contract to which the data subject is a party; Art. 6(1)(c) which permits Processing that is necessary for compliance with a legal obligation to which the Data Controller is subject; and Art. 6(1)(d) which permits Processing that is necessary in order to protect the vital interests of the data subject or of another person. 

3.4 In certain instances DCU will act as a joint controller of Personal Data (“Joint Controller”), whereby DCU together with other entities determines the means and purposes of the relevant Processing. In such circumstances the essence of the arrangement as between DCU and the other Joint Controllers will be made known to the relevant individuals in a transparent manner. Examples of such scenarios may include where DCU and other institutions engage in collaborative research projects. 

4. DCU as a Data Processor 

4.1 In some cases, DCU may act as a Data Processor, under the instructions of a Data Controller. 

4.2 When acting as a Data Processor, DCU complies with its relevant obligations under Data Protection Law. These include ensuring that the data that is Processed by DCU on behalf of the relevant Data Controllers is subject to appropriate technical and organisational measures to ensure a level of security appropriate to the risk and ensuring that the Processing is underpinned by a contract which includes the data protection provisions required by Data Protection Law. 

5. Purposes of Processing 

5.1 Much of the data Processing undertaken by DCU is for the purpose(s) of fulfilling DCU’s statutory functions and objects under the Universities Act. The following are illustrative and non-exhaustive examples of the types of public interest Processing undertaken by DCU, which are specifically supported by the Universities Act: 

(a) Examinations and Academic Records: One of DCU’s core functions under the Universities Act is to “provide courses of study and to conduct examinations and award degrees and other qualifications”. Accordingly, the Processing of Personal Data, including but not limited to student numbers, names, exam scripts, exam results, details of qualifications and degrees conferred is necessary in order for DCU to perform these statutory functions as prescribed by the Universities Act. To ensure the integrity of this system, it is also necessary and proportionate for DCU to maintain records of exam results, degrees conferred and other relevant details. DCU Processes such Personal Data in accordance with this Privacy Policy and its other policies, regulations and procedures, including the Examination Appeals Procedure. 

(b) Registry: In administering the university in such a manner as to enable DCU to “provide courses of study” in an efficient manner it is necessary for DCU to Process Personal Data, including the full student record. Registry may also process personal data of a sensitive nature which is provided by the student to DCU, for example health data to support a deferral of an academic year or postponement of an assessment. This is clearly both necessary and expedient to further the objectives and development of the university as per the Universities Act. 

(c) Research and Publications: DCU has a clear statutory mandate under the Universities Act to both “promote and facilitate research” and scientific investigation and to “disseminate the outcomes of its research with the wider community”. DCU often Processes Personal Data in the course of its research and publishing activities and such Processing is always undertaken in accordance with this Privacy Policy and DCU’s other policies, for example on Research Ethics. While Data Processing undertaken by DCU in pursuit of these objectives is supported by Universities Act, DCU will endeavour to strike an appropriate balance between these goals and the data protection rights of affected individuals. 

(d) Alumni Affairs: Among DCU’s statutory functions under the Universities Act is to “collaborate with graduates, convocations of graduates and with associations representing graduates both within and outside the State”. This function provides appropriate statutory support for Processing activities undertaken by DCU’s Alumni Office when liaising with and contacting DCU graduates in relation to their alumni events and initiatives. 

(e) DCU Educational Trust: In addition, the Universities Act specifically states that universities may accept gifts of money, land and other gifts on the trusts and conditions specified by the donor. Taken together with the statutory function of “collaborating with associations representing graduates both within and outside the State”, DCU has explicit statutory support to engage and collaborate with alumni organisations such as the DCU Educational Trust. Pursuant to this statutory function, DCU shares certain Personal Data of DCU alumni (limited to student number, title, DOB, first name, surname, gender, graduation date, qualification, faculty of study, postal address, home phone, student email, graduation year, description of course, graduation name) with the DCU Educational Trust, which is a registered charity established to advance the development of DCU. If for any reason you would prefer that your Personal Data is not shared with the DCU Educational Trust contact the DCU Data Protection Unit (email: data.protection@dcu.ie). 

(f) DCU Student Union (“Student Union”): While, the Office of Student Life (i.e. OSL, being the umbrella name for the DCU Student Union and its Clubs & Societies) is a student entity distinct from DCU, one of DCU’s objects under the Universities Act is to “promote the cultural and social life of society” within the university. Pursuant to this object, DCU actively collaborates with the Student Union on various initiatives. This includes the sharing of certain DCU student data with the Student Union, such as email addresses to facilitate the Student Union to “promote the cultural and social life of society” and accordingly such disclosure of Personal Data is in accordance with DCU's pubic interest objectives under the Universities Act. The Student Union will act as a Data Controller in relation to any Personal Data provided to it by DCU. If for any reason you would prefer that your Personal Data is not shared with the Student Union contact the DCU Data Protection Unit (email: data.protection@dcu.ie). 

(g) Other Universities / institutions: In accordance with its statutory objects and functions under the University Acts to promote and facilitate “the highest standards in, and quality of, teaching and research” and to “disseminate the outcomes of its research in the general community”, to collaborate with educational, business and other institutions both within and outside the State, DCU will engage in certain collaboration with such organisations. Such collaborations may involve the sharing of certain personal data as between DCU and its partner institutions and other organisations for research purposes and for similar purposes including but not limited to student exchange programmes (such as the Erasmus programme) and staff sabbaticals. Personal Data of students and staff may be disclosed to such other institutions as necessary for these purposes and written agreements will be put in place. 

(h) Student Support & Development (“SS&D”): DCU students and employees provide information to DCU’s SS&D for a variety of reasons when availing of the services and resources made available by SS&D. Such information may include Personal data of a sensitive nature (known as “special categories” of personal data) including details of disabilities, health, sex life and/or sexual orientation and of your background if you apply to the DCU Access Programme. Such personal data may be collected in the form of records of meetings and disability records, counselling notes, records of financial assistance provided, health and disability records as well as workshop and event attendance records. Such data will be collected based on your explicit consent and otherwise to protect the vital interests of the data subject and/or third parties and where it is necessary in order for DCU to comply with any legal obligations it may have. Given the potentially sensitive nature of the personal data collected and processed by SS&D special care is taken to maintain the security and confidentiality of such data. Such data will not be disclosed to third parties outside DCU except in exceptional circumstances such as an emergency or a valid request from law enforcement. In limited circumstances, Personal Data provided to SS&D may be disclosed to other Departments/Units within DCU based on your consent (for example, if you are unable to sit an exam or meet an assignment deadline for health related reasons). 

(i) DCU Sport: DCU will share certain of your Personal Data with DCU Sport in accordance with its statutory functions and otherwise as collected by DCU Sport directly from students and staff from time to time based on your consent. Such data may include details of any health conditions and or you next-of-kin to enable DCU Sport to take appropriate measures in the case of an accident or emergency when making use of DCU’s sports facilities. 

6. Special Categories of Data 

6.1 DCU processes Special Categories of Data (“SCD”) in certain circumstances, typically related to the ordinary course of employee and student administration, the provision of student support and development services and the processing of Garda vetting forms for students and employees, where required by law. 

6.2 [Section 41 of the Data Protection Act 2018 provides a general lawful basis for processing SCD where it is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law. As required by Data Protection Law, DCU applies suitable and specific measures in respect of such Processing of SCD.] 

6.3 DCU Processes Garda vetting forms for students and employees as authorised by the National Vetting Bureau (Children and Vulnerable Persons) Act 2012 (the “National Vetting Act”) in respect of DCU students and staff that undertake placements and studies which involves engagement with children and vulnerable persons. Garda vetting forms may contain Personal Data relating to criminal convictions/offences and because DCU is subject to a legal obligation to Process such data, Art, 6(1)(c) of the GDPR provides the lawful basis for such Processing. 

7. Record Keeping 

7.1 As part of our record keeping obligations under Art. 30 of the GDPR, DCU retains a record of the processing activities under its responsibility. This comprises the following:

Art 30 GDPR Requirement	DCU Record
Name and contact details of the controller	Dublin City University, DCU Mailroom, John & Aileen O’Reilly Library, DCU Glasnevin Campus, Collins Avenue Extension, Dublin 9, D09 V209
Name and contact details of the data protection officer	The data protection officer is Martin Ward whose email address is data.protection@dcu.ie and whose phone number is 01 7005118 / 7008257.
The purposes of the processing	To fulfil the statutory functions of DCU under the Universities Act and otherwise as described in this Privacy Policy (see Section 5 and Annex II)
Description of categories of data subjects and personal data	See Annex II
The categories of recipients to whom the personal data have been or will be disclosed	See Section 12
Transfers of personal data to a third country outside of the EEA.	Exchange programmes Princess Nora Bint Abdul Rahman University (PNU)  Personal Data is transferred to other institutions for the purposes of collaborative teaching partnerships (e.g. to the US, Canada and China) and collaborative research projects.
Envisaged time limits for erasure of the different categories of data.	• See Section 13.
General description of the technical and organisational security measures referred to in Article 32(1)	See Section 11

8. Individual Data Subject Rights 

8.1 Data Protection Laws provide certain rights in favour of data subjects. The rights in 

question are as follows (“Data Subject Rights”): 

(a) the right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller); 

(b) the right of access to Personal Data; 

(c) the right to rectify or erase Personal Data (right to be forgotten); 

(d) the right to restrict Processing; 

(e) the right of data portability; 

(f) the right of objection; and 

(g) the right to object to automated decision making, including profiling. 

8.2 Arts. 17 and 20 of the GDPR state that the right to be forgotten and the right of data portability do not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller. 

8.3 Any data subject wishing to exercise their Data Subject Rights should write to the DCU Data Protection Officer (“DPO”) by post to the Data Protection Officer, Office of the Chief Operations Officer, DCU Mailroom, John & Aileen O’Reilly Library, DCU Glasnevin Campus, Collins Avenue Extension, Dublin 9, D09 V209 or by email at data.protection@dcu.ie. Please provide as much detail as possible in relation to your request to enable us to identify your personal data and facilitate your request. Your request will be dealt with in accordance with DCU’s Data Subject Rights Procedure (Internal to DCU). For further information on your Data Subject Rights please refer to the Data Subject Rights Procedure (External to DCU). 

9. Academic Freedom and Freedom of Expression Information 

9.1 While DCU will take all appropriate and reasonable measures to respect and facilitate the protection rights of the individual whose Personal Data it processes, data protection is not an absolute right and must be balanced against certain other rights and principles. In particular, the Universities Act recognises the principle of academic freedom and similarly both the GDPR and [the Data Protection Act 2018] recognise that in certain circumstances it may be necessary to limit data protection rights in the interests of freedom of expression and the freedom to receive information. In meeting its statutory and public interest obligations, it is the policy of DCU to endeavour to protect these freedoms in a manner that least impacts on the data protection rights of individuals.

10. CCTV on the DCU Campuses 

10.1 DCU has closed circuit television cameras (“CCTV”) located throughout its campuses covering buildings, internal spaces, car parks, roads, pathways and grounds. CCTV cameras are also located at the University Sports Grounds at St Clare’s. DCU’s CCTV system is implemented in a proportionate manner as necessary to protect DCU (and DCU Campus Company) property against theft or pilferage and for the safety and security of staff, students and visitors to the DCU campuses (to protect their vital interests). 

10.2 Whilst CCTV footage is monitored by DCU security staff, access to recorded footage is strictly limited to authorised personnel. Footage is retained for 28 days, except where incidents or accidents have been identified in which case such footage is retained specifically in the context of an investigation of that issue. CCTV footage may be used in the context of disciplinary proceedings involving DCU staff or students (to protect the vital interests of DCU, staff, students and affected individuals). CCTV footage is not disclosed to third parties except where disclosure is required by law (such as for the purpose of preventing, detecting or investigating alleged offences) and in such instances disclosure is based on a valid request. Signage indicating that CCTV is in use is displayed prominently throughout the DCU campuses. For information on CCTV operations at DCU please contact the Director of Estates. 

11. Data Security and Data Breach 

11.1 We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords. For more information on security measures see our Information & Communications Technology (ICT) Security Policy. 

11.2 The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. We will manage a Data Breach in accordance with the Data Breach Reporting Procedure. For further information on how to report a suspected Data Breach please refer to this document or contact the DCU DPO at the contact details at Section 7.1 above. 

12. Disclosing Personal Data 

12.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency submits a valid request for access to Personal Data). 

12.2 We may also share Personal Data: (a) with another statutory body where there is a lawful basis to do so; (b) with selected third parties including sub-contractors [or partner exchange universities]; (c) if we are under a legal obligation to disclose Personal Data (e.g. to the Gardaí). 

12.3 Where we enter into agreements with third parties to Process Personal Data on our behalf we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data. Examples of such third party service providers that we engage, and to whom Personal Data may be disclosed, include but are not limited to communications providers, payroll service providers, occupational health providers, marketing or recruitment agecies, operators of data centres used by us, security providers, catering services, and professional advisors such as external lawyers, accountants, tax and pensions advisors. 

13. Data Retention 

13.1 We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which the Personal Data are Processed. Further details of the retention period for Personal Data is set out in our Data Retention Policy. 

14. Data Transfers outside the EEA 

14.1 From time to time we may transfer Personal Data outside the EEA. Such transfer will be subject to appropriate safeguards in accordance with applicable Data Protection Law (for example through the use of EU-approved Model Contract Clauses) and in accordance with this Privacy Policy. An example of where we transfer Personal Data outside the EEA is for the purpose of collaborative research projects and taught programmes with other institutions. 

15. Further Information/Complaints Procedure 

15.1 For further information about this Privacy Policy and/or the Processing of your Personal Data please contact DCU Data Protection Officer, Martin Ward, at data.protection@dcu.ie. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact the Data Protection Officer in the first instance to give us the opportunity to address any concerns that you may have. 

Full policy

Cookies are small snippets of data a website may store on your computer to record basic information, such as visitor preferences. Cookies are used to track usage patterns, traffic trends, and visitor behavior.  They are also sometimes used by online applications to improve user functionality.

Most web browsers automatically accept cookies. You may set your browser to refuse cookies from any website that you visit, including Loop.  You should note that if a user sets up his or her browser to reject the cookie, he or she may still use the website, but functionality may be impaired.

Cookies may be used by Loop to collect non-personal information about how users use Loop or to remember display preferences.  Temporary session cookies may also be used in some areas to enable specific functionality (e.g. portal pages).  Session cookies are deleted once you close your browser session.

Occasionally for the purposes of DCU online services we must pass some cookie information to third parties.  These cookies may persist after your browser session has ended.  This information will not include any of your personal data or information from which you will be readily identifiable. This information may be used for evaluating your use Loop, compiling reports on Loop activity for DCU and providing other services relating to Loop activity and internet usage.  It is stored and used in the aggregate only and is not used to obtain personal data or to contact you personally, but instead to improve Loop services.  DCU actively seeks to preserve user privacy in any interaction with third parties.

Some areas within Loop use online data entry forms to collect personal information from web visitors who choose to identify themselves for the purpose of transacting e-commerce or receiving products, services, or information.  Areas within DCU that collect data of any type are required to abide by our Privacy Statement. We request no more information than is required to fulfill the purpose for which the information is being collected.

Technical details in connection with visits to this website may be logged by the University's internet service provider for accounting and auditing purposes. This technical information will be used only for statistical and other administrative purposes. You should note that technical details, which the University cannot associate with any identifiable individual, do not constitute `personal data' for the purposes of the Data Protection Acts 1988 to 2018.

Full policy

All materials here including any recordings of lectures are provided for your own personal study; you should not reproduce it or pass it on to anyone else