On 25th May 2018, new EU legislation came into force, the General Data Protection Regulation (“GDPR”), applying to all data relating to, and descriptive of, living individuals defined in the Regulation as “personal data.” Individuals are referred to as “data subjects.”
In undertaking the business of IT Sligo, we all create, gather, store and process large amounts of data on a variety of data subjects, such as students (potential, current and former), staff, third parties and members of the public. Our use of personal data ranges from CCTV footage through to the processing of a student’s details throughout their journey, from application through to graduation.
The GDPR places obligations on IT Sligo and the way it handles personal data. In turn the staff and students of the Institute have responsibilities to ensure personal data is processed fairly, lawfully and securely. This means that personal data should only be processed if we have a valid condition of processing (e.g. consent obtained from the data subject, or a contract with them) and we have provided information to the individuals concerned about how and why we are processing their information (i.e. a privacy notice). There are restrictions on what we are allowed to do with personal data such as passing personal information on to third parties, transferring information outside the EU or using it for direct marketing.
IT Sligo is committed to a policy of protecting the rights of individuals with respect to the processing of their personal data.
In line with the development of policies by THEA, IT Sligo is currently working on a number of Policies that must be adhered to in order to comply with GDPR.
Key Points to Note
- All breaches or suspected breaches of personal data, once discovered, should be reported to the Data Protection Officer at firstname.lastname@example.org without delay, for assessment. Under the GDPR, a breach that is reportable to the Data Protection Commissioner must be reported not later than 72 hours after having become aware of it. An example of this would be sending names, addresses and exam results of students in error to a third party.
- All Staff are encouraged to have a “Clean desk”, where sensitive/critical information about Institute employees, students, Institute intellectual property, and Institute vendors is handled correctly, is secure and out of sight. This includes locking PCs when away from your desk.
- Ensure that all categories of personal data that you come into contact with in your area are recorded on the Personal Data Register that is in place for the Institute and which can be accessed through the staff portal.
- Do not unnecessarily share or store personal data. Consult with Institute Data Protection Policies and Procedures and/or Data Protection Officer if required.
- If you have not already done so, please complete the online GDPR training course that we have partnered with Legal Island to deliver and which you should have received details about.