Privacy statement

This statement discloses information practices, including what type of data we may collect and hold, how it is used and with whom the data is shared.

1. Introduction & Scope

1.1 The National College of Ireland is referred to in this Privacy Statement as “NCI”, “us” or “we”. This Privacy Statement provides details of how and why we Process Personal Data in line with our obligations under Data Protection Law. This statement applies to all individuals whose Personal Data is Processed by NCI except for NCI staff who should refer to NCI’s Staff Data Processing Notice, which is available on request from NCI’s acting data protection officer (see section 15 below for contact details).

2. Background & Purpose

2.1 The purpose of this Privacy Statement is to explain what Personal Data we Process and how and why we Process it. In addition, this Privacy Statement outlines our duties and responsibilities regarding the protection of such Personal Data. 

2.2 This Privacy Statement is not an exhaustive statement of our data protection practices or policies. The manner in which we Process Personal Data will evolve over time and we will update this Policy from time to time to reflect changing practices and changes to the law. In addition, we operate a number of other workplace policies and procedures which inter-relate with this Privacy Statement, including the following: 

(a) Data Protection Policy; 

(b) Data Retention Policy; 

(c) Website Privacy Statement; and 

(d) Staff Data Processing Notice. 

2.3 In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Privacy Statement by reference into notices used at various points of data capture when collecting Personal Data (e.g. application forms, website forms etc.).

3. NCI as a Data Controller

3.1 When NCI determines the purposes and means of the Processing of Personal Data it acts as a Data Controller. The primary example is where NCI collects and processes Personal Data relating to NCI students. In relation to such processing, NCI relies on a number of legal bases under Data Protection Law. These include: 

(a) Art. 6(1)(a) of the GDPR which permits Processing where the data subject has given his or her consent; 

(b) Art. 6(1)(b) which permits Processing where necessary for the performance of a contract to which the data subject is a party;

(c) Art. 6(1)(c) which permits Processing that is necessary for compliance with a legal obligation to which the Data Controller is subject;

(d) Art. 6(1)(d) which permits Processing that is necessary in order to protect the vital interests of the data subject or of another person; and

(e) Art. 6(1)(f) which permits Processing pursuant to the legitimate interests of NCI or a third party.

3.2 In certain instances, NCI will act as a joint controller of Personal Data (“Joint Controller”), whereby NCI together with other entities determines the means and purposes of the relevant Processing. In such circumstances the essence of the arrangement between NCI and the other Joint Controllers will be made known to the relevant individuals in a transparent manner. Examples of such scenarios may include where NCI and other institutions engage in collaborative research projects.

4. NCI as a Data Processor

4.1 In some cases, NCI may act as a Data Processor, under the instructions of a Data Controller. When acting as a Data Processor, NCI complies with its relevant obligations under Data Protection Law. These include ensuring that the data that is Processed by NCI on behalf of the relevant Data Controllers is subject to appropriate technical and organisational measures to ensure a level of security appropriate to the risk and ensuring that the Processing is underpinned by a contract which includes the data protection provisions required by Data Protection Law.

5. Purposes of Processing

5.1 Much of the data Processing undertaken by NCI is for the purpose(s) of fulfilling NCI’s contractual obligations in respect of its students to provide both undergraduate, postgraduate and professional courses and qualifications across a range of disciplines. The following are illustrative and non-exhaustive examples of the types of Processing typically undertaken by NCI when providing courses of education and for connected purposes: 

(a) Student Registration: In administering the college it is necessary for NCI to Process Personal Data, including contact details and financial details of students. This is necessary in relation to NCI’s contractual relationship with its students. 

(b) Examinations and Academic Records: The Processing of Personal Data, including but not limited to student numbers, names, exam scripts, exam results, details of qualifications and degrees conferred is necessary in order for NCI to perform its contractual obligations. To ensure the integrity of this system, it is also necessary and proportionate for NCI to maintain records of exam results, degrees conferred and other relevant details. NCI Processes such Personal Data in accordance with this Privacy Statement and its other policies and procedures. 

(c) Research and Publications: NCI Processes Personal Data in the course of its research and publishing activities and such Processing is always undertaken in accordance with this Privacy Statement and NCI’s legitimate interests in publishing and disseminating certain information and research. 

(d) Alumni Affairs: Processing activities undertaken by NCI’s Alumni Office when liaising with and contacting NCI graduates in relation to their alumni events and initiatives are necessary for the performance of NCI’s legitimate interests to maintain contact with alumni and to promote NCI. 

(e) NCI Students Union: The NCI Students Union is the representative body for NCI students and NCI actively collaborates with the Students Union on various initiatives. This is necessary for NCI’s legitimate interests in fostering an inclusive and vibrant student body. 

(f) S.V. Fitness Health Club: S.V. Fitness Health Club (“S.V. Fitness”) makes health and fitness services available to all NCI students. It is a term of NCI full-time undergraduate registration that students are enrolled as members of S.V. Fitness. In order for S.V. Fitness to make such services available to NCI students, NCI shares with S.V. Fitness certain NCI student personal data, including student names and student numbers. Of course, you may also provide other data to S.V. Fitness in connection with your gym membership. S.V. Fitness will act as data controller in respect of all data that it holds and processes relating to NCI students and will process such data only for purposes connected with your membership.

(g) Other institutions: NCI will engage in certain collaboration with educational, business and other institutions both within and outside the State. Such collaborations may involve the sharing of certain Personal Data as between NCI and its partner institutions and other organisations for research purposes and for similar purposes including staff sabbaticals. Personal Data of students and staff may be disclosed to such other institutions as necessary for these purposes and written agreements will be put in place. 

(h) Student Support: NCI students and employees provide information to NCI for a variety of reasons when availing of the student support services. Such information may include Personal Data of a sensitive nature (known as “special categories of Personal Data”) including details of disabilities, health, sex life and/or sexual orientation and of your background. Such Personal Data may be collected in the form of records of meetings and disability records, counselling notes, records of financial assistance provided, health and disability records as well as workshop and event attendance records. Such data will be collected based on your explicit consent and otherwise to protect the vital interests of the data subject and/or third parties and where it is necessary in order for NCI to comply with any legal obligations it may have. Given the potentially sensitive nature of the Personal Data collected and processed by NCI, special care is taken to maintain the security and confidentiality of such data. Such data will not be disclosed to third parties outside of NCI except in exceptional circumstances such as an emergency or a valid request from law enforcement.

(i) NCI Early Learning Initiative (“ELI”): NCI’s ELI operates a number of programmes which involve active participation and engagement within the local community. These programmes involve NCI staff working with parents/guardians and young children in family homes and/or within NCI and the local community. The ELI programmes involve the processing of Personal Data to administer the programme and to monitor the progress and participation levels of those participating in the ELI programmes. The legal bases for this are consent of the participating families (as provided by the parents/guardians on behalf of their children) and/or the legitimate interests pursued by NCI in undertaking and promoting educational initiatives within the local community.

6. Special Categories of Data

6.1 NCI processes Special Categories of Data (“SCD”) in certain circumstances, typically related to the ordinary course of employee and student administration, the provision of student support, early learning initiatives and development services and the processing of Garda vetting forms for students and employees, where required by law. 

6.2 Section 45 of the Data Protection Act 2018 provides a general lawful basis for processing SCD where it is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law. As required by Data Protection Law, NCI applies suitable and specific measures in respect of such Processing of SCD. 

6.3 NCI Processes Garda vetting forms for employees as authorised by the National Vetting Bureau (Children and Vulnerable Persons) Act 2012 to 2016 (the “National Vetting Act”) in respect of staff and students that undertake placements and studies which involve engagement with and exposure to children and/or vulnerable persons. Garda vetting forms may contain Personal Data relating to criminal convictions/offences. Because NCI is subject to a legal obligation to Process such data, Art. 6(1)(c) of the GDPR provides the lawful basis for such Processing.

7. Record Keeping

7.1 As part of our record keeping obligations under Art. 30 of the GDPR, NCI retains a record of the processing activities under its responsibility. This comprises the following:

| Art. 30 GDPR Requirement | NCI Record |
| --- | --- |
| Name and contact details of the controller | National College of Ireland, IFSC, Mayor Street, North Dock, Dublin 1, D01 Y300 |
| Name and contact details of the acting data protection officer | Name: Niamh Scannell; Email: dpo@ncirl.ie; Telephone: +353 1 4498523 |
| The purposes of the processing | To fulfil the functions of NCI as described in this Privacy Statement (see Section 5 and Annex II) |
| Descriptions of categories of data subjects and Personal Data | See Annex II |
| The categories of recipients to whom the Personal Data have been or will be disclosed | See Section 12 |
| Transfers of Personal Data to a third country outside of the EEA | On occasion, Personal Data may be transferred to other institutions for the purposes of collaborative research projects |
| Envisaged time limits for erasure of the different categories of data | See Section 13 |
| General description of the technical and organisational security measures referred to in Article 32(1) | See Section 11 |

8. Individual Data Subject Rights

8.1 Data Protection Laws provide certain rights in favour of data subjects. The rights in question are as follows (“Data Subject Rights”): 

(a) The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller); 

(b) The right of access to Personal Data; 

(c) The right to rectify or erase Personal Data (right to be forgotten); 

(d) The right to restrict Processing; 

(e) The right of data portability;

(f) The right of objection; and

(g) The right to object to automated decision making, including profiling and where processing is based on the Controller’s legitimate interests.

8.2 Please note that the Data Subject Rights will not be available in all circumstances and are subject to certain conditions. 

8.3 Any data subject wishing to exercise their Data Subject Rights should write to NCI’s Acting Data Protection Officer (“DPO”) by post to the National College of Ireland, IFSC, Mayor Street, North Dock, Dublin 1, D01 Y300, or by email at dataprotection@ncirl.ie. Please provide as much detail as possible in relation to your request to enable us to identify your personal data and facilitate your request.

9. Academic Freedom and Freedom of Expression Information

9.1 While NCI will take all appropriate and reasonable measures to respect and facilitate the protection rights of the individual whose Personal Data it processes, data protection is not an absolute right and must be balanced against certain other rights and principles. The GDPR and the Data Protection Act 2018 recognise that in certain circumstances it may be necessary to limit data protection rights in the interests of freedom of expression and the freedom to receive information. In performing its tasks as an educational institution, it is the policy of NCI to endeavour to protect these freedoms in a manner that least impacts on the data protection rights of individuals.

10. CCTV on the NCI Campus

10.1 NCI has closed circuit television cameras (“CCTV”) located throughout its premises covering buildings, internal spaces, car parks, roads, pathways and grounds. NCI’s CCTV system is implemented in a proportionate manner as necessary to protect NCI property against theft or pilferage and for the security of staff, students and visitors to the NCI premises to protect their vital interests.

10.2 Whilst CCTV footage is monitored by NCI security staff and other authorised personnel, access to recorded footage is strictly limited to authorised personnel. Footage is retained for 30 days, except where incidents or accidents have been identified in which case such footage is retained specifically in the context of an investigation of that issue. CCTV footage may be used in the context of disciplinary proceedings involving NCI staff or students (to protect the vital interests of NCI, staff, students and affected individuals). CCTV footage is not disclosed to third parties except where disclosure is required by law (such as for the purpose of preventing, detecting or investigating alleged offences) and in such instances disclosure is based on a valid request. Signage indicating that CCTV is in use is displayed prominently throughout the NCI premises. For information on CCTV operations at NCI please contact Mr Bertie Kelly by email at bkelly@ncirl.ie.

11. Data Security and Data Breach

11.1 We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords. 

11.2 The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of Personal Data security breaches. We will manage a Data Breach in accordance with the Data Breach Incident Procedure. To report a suspected Data Breach please immediately contact the NCI DPO at the contact details at Section 7.1 above.

12. Disclosing Personal Data

12.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency submits a valid request for access to Personal Data). We may also share Personal Data: (a) with statutory bodies, such as the Higher Education Authority where there is a lawful basis to do so; (b) with selected third parties including sub-contractors; (c) if we are under a legal obligation to disclose Personal Data (e.g. to the Gardaí). 

12.2 Where we enter into agreements with third parties to Process Personal Data on our behalf we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data. Examples of such third party service providers that we engage, and to whom Personal Data may be disclosed, include but are not limited to communications providers, payroll service providers, occupational health providers, marketing or recruitment agencies, operators of data centres used by us, security providers, catering services, and professional advisors such as external lawyers, accountants, tax and pensions advisors. 

12.3 We may disclose Personal Data to third parties, including where processing is necessary for the performance of a contract to which a data subject is a party or in order to take steps at a data subject's request prior to entering into a contract. This may include disclosing personal data to the Irish Naturalisation and Immigration Service and the Department of Justice and Equality for the purposes of applying for and obtaining student visas, to government entities for the purposes of managing student financial grants and aid and to other such third parties where we have obtained your consent.

13. Data Retention

13.1 We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed. Further details of the retention period for Personal Data are set out in our Data Retention Policy.

14. Data Transfers outside the EEA

14.1 From time to time we may transfer Personal Data outside the EEA. Such transfer will be subject to appropriate safeguards in accordance with applicable Data Protection Law (for example through the use of EU-approved Model Contract Clauses) and in accordance with this Privacy Statement. An example of where we transfer Personal Data outside the EEA is for the purpose of collaborative research projects with other institutions.

15. Further Information/Complaints Procedure

15.1 For further information about this Privacy Statement and/or the Processing of your Personal Data please contact NCI’s Acting Data Protection Officer, Niamh Scannell, at dpo@ncirl.ie. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact the Data Protection Officer in the first instance to give us the opportunity to address any concerns that you may have.

Annex I - Glossary

In this Privacy Statement, the terms below have the following meaning: 

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller (for example, a payroll service provider).

“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Act 2018 and any other laws which apply to NCI in relation to the Processing of Personal Data.

“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.

“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include a name, an identification number; details about an individual’s location; or any other information that is specific to that individual.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.

“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.

Annex II - Types of Personal Data

The following table indicates the categories of Personal Data typically Processed by NCI but we may Process other categories of Personal Data from time to time and will endeavour to provide you with a privacy notice whenever we collect other Personal Data.

A. Student Registry Data

Types of Personal Data:
  • Name, contact details, student ID number;
  • Date of birth, gender, next of kin, nationality, photograph, admission and application record, student grant information;
  • PPSN, passport number, student grant information (which may include SCPD), bank details, nationality;
  • Academic records, examination materials, graduation record;
  • Health and medical data;
  • Data relating to criminal offences contained in Garda vetting forms; and
  • Facial images on student and staff access cards.

Purpose:
Data is processed for:
  • student registration, provision of financial support and administration, examinations and ancillary services such as student support and development;
  • administering payment of fees, student registration, provision of student grants and funding, administration of exams and student communications;
  • department administration (such as module registration and payment of fees) and in connection with visa applications (where applicable); and
  • for security purposes and as necessary for the conduct of examinations and student attendance purposes.

GDPR Lawful Basis for Processing:
  • Necessary for performance of a contract under Art. 6(1)(b) GDPR; and
  • Performance of NCI’s legitimate interests under Art. 6(1)(f) GDPR.

B. Other Student Data

Types of Personal Data:
  • NCI Sport clubs and societies;
  • Health and medical data;
  • Health data, such as details of health conditions or disabilities in case of emergencies; and
  • Student next of kin contact details.

Purpose:
  • Access to amenities such as sports facilities and contacting next-of-kin in emergencies/accidents;
  • Ancillary services for students such as clubs and societies; and
  • Student registration and exam purposes (e.g. extenuating circumstances).

GDPR Lawful Basis for Processing:
  • Consent under Article 6(1)(a); and
  • Necessary to protect the vital interests of the data subject under Art. 6(1)(d).

C. Visitors to NCI Campus & Events

Types of Personal Data:
  • Names and details of conference, meeting and work-shop attendees and photographs taken at events;
  • Parents of students; and
  • Other visitors.

Purpose:
  • Administration of conferences and for promotional purposes in relation to photographs taken;
  • Open days; and
  • CCTV surveillance of NCI premises.

GDPR Lawful Basis for Processing:
  • Consent under Article 6(1)(a); and
  • Performance of NCI’s legitimate interests under Art. 6(1)(f) GDPR.

D. Employees*

*Refer to the Staff Data Processing Notice

E. Suppliers, Contractors and Business Contacts

Types of Personal Data:
  • Name, contact details of suppliers, contractors and business contacts
  • Personal Data relevant to performance of contract

Purpose:
  • Performance of services/supply of goods; and
  • Maintenance of customer relationship management (or CRM) system.

GDPR Lawful Basis for Processing:
  • Consent under Article 6(1)(a);
  • Necessary for performance of a contract under Art. 6(1)(b) GDPR; and
  • Necessary for the legitimate interests pursued by NCI under Art. 6(1)(f).

F. Research & Academic Purposes

Types of Personal Data:
  • Staff details, external and visiting academics and teaching staff;
  • Contacts with other educational institutions, journals; and
  • Research participants in trials/studies.

Purpose:
  • Administration and coordination of research and publication. Conferences and related academic purposes.

GDPR Lawful Basis for Processing:
  • Necessary for performance of a contract under Art. 6(1)(b) GDPR;
  • Necessary for the legitimate interests pursued by NCI under Art. 6(1)(f); and
  • Consent under Article 6(1)(a).

G. Website Visitors*

Types of Personal Data:
  • IP address, online identifiers, device, and browser; and
  • Location of device.

Purpose:
  • Technology such as cookies help us understand which parts of our website are the most popular and how much time visitors spend on the site.
  • NCI also uses cookies to study traffic patterns on our site in order to improve website performance, to customise the user experience, and to better match the users' interests and preferences.

GDPR Lawful Basis for Processing:
  • Necessary for the legitimate interests pursued by NCI under Art. 6(1)(f).

*For further information please refer to our Cookies Policy.

Version

This version was last updated in September 2019.