Maynooth University collects, processes and uses data (in electronic and manual format) for a variety of purposes about its staff, students and other individuals who come in contact with the University. The General Data Protection Regulation (GDPR) and the Data Protection Acts 1988 to 2018 (“Data Protection Law”) confer rights on individuals regarding their personal data as well as responsibilities on those persons processing personal data.
This policy outlines the obligations of Maynooth University under Data Protection Law and describes the steps to be taken to ensure compliance with those obligations.
This policy applies to the University’s employees and students and any other person who interacts with the University.
It is the responsibility of all Staff and Students to comply with this policy.
This policy is a statement of the University’s commitment to protect the rights and privacy of individuals, and to enable them to exercise their rights, in accordance with Data Protection Law. It is the University’s policy to ensure that it processes personal data in accordance with Data Protection Law and the terms of this policy.
Controller or data controller means any person who, either alone or with others, controls the purposes and means of the processing of personal data. Controllers can be either legal entities such as universities, companies, government departments or voluntary organisations, or they can be individuals.
Processor or data processor means a person who processes personal data on behalf of a controller, but does not include an employee of a controller who processes such data in the course of his/her employment.
Data subject means an individual who is the subject of personal data.
Personal data means information relating to a living individual who is or can be identified either directly or indirectly, including by reference to an identifier (such as a name, an identification number, location data or an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual). This can be a very wide definition depending on the circumstances.
Processing means performing any operation or set of operations on personal data including: (a) recording the personal data; (b) collecting, organising, structuring, storing, altering or adopting the personal data; (c) retrieving, consulting or using the information or personal data; (d) disclosing the personal data by transmitting, disseminating or otherwise making it available; or (e) aligning, combining, restricting, erasing or destroying the personal data.
Special Categories of Personal Data means personal data relating to an individual’s: racial or ethnic origin; political opinions or religious or philosophical beliefs; trade union membership; genetic or biometric data processed for the purpose of uniquely identifying a natural person; physical or mental health, including in relation to the provision of healthcare services; sex life or sexual orientation. Individuals have additional rights in relation to the processing of any such data.
4. Principles of Data Protection Law
As a c ontroller, Maynooth University complies with its responsibilities under the legislation in accordance with the following general data protection principles:
a) Personal data shall be processed lawfully and fairly.
For personal data to be obtained fairly, data subjects must be provided with certain information, generally at the time at which the personal data is obtained. It is Maynooth University’s policy to do so by setting out the relevant information in an appropriately worded data protection/privacy notice and to provide this to data subjects at the time that data is collected, where it is possible to do so.
The purposes of the processing of personal data by Maynooth University include compliance with the Universities Act 1997 (Section 13(2) refers) the organisation and administration of courses, research activities, the recruitment and payment of staff, contractual obligations and compliance with statutory obligations.
b) Personal data shall be collected for one or more specified, explicit and legitimate purposes and shall not be processed in a manner that is incompatible with such purposes.
Maynooth University only processes personal data for purposes that are specific, lawful and clearly stated. Staff and students should not collect information about people routinely and indiscriminately without having a sound, clear and legitimate purpose for doing so. The University’s practice is to keep personal data for lawful purposes which are set out in the data protection/privacy notices.
c) Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.
Maynooth University’s practice is to ensure that it collects and keeps only such personal data as is necessary for the purposes set out in its privacy notices. The types of information about individuals which the University collects and keeps are periodically reviewed to ensure compliance with this requirement, and information that is no longer required is deleted in accordance with Maynooth University’s
5. Record Retention Policy
- d) Personal data shall be accurate, and, where necessary, kept up to date, and every reasonable step shall be taken to ensure that data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Maynooth University seeks to ensure that the personal data it holds is at all times accurate, complete and up to date. The University takes every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose for which it is processed, is erased or rectified without delay in accordance with the procedures set out in the Documenting and Monitoring Compliance section of this policy and Maynooth University’s Record Retention Policy
e) Personal data shall be kept in a form that permits the identification of a data subject for no longer than is necessary for the purposes for which the data are processed.
Unless legally required Maynooth University does not retain personal data in a form that permits
the identification of data subjects indefinitely. The University’s policy is to ensure that its record retention give effect to this principle. Maynooth University records retention schedule contains
details of the periods for which the University retains the various categories of records that it holds.
Personal data shall be processed in a manner that ensures appropriate security of the data, including, by the implementation of appropriate technical or organisational measures, protection against
unauthorised or unlawful processing, and
accidental loss, destruction or damage.
Maynooth University’s practice is to ensure that access to personal data which is held by the University is restricted relevant to work processes. To the extent that any third party processes personal data on behalf of the University, the University ensures that there is a written
agreement in place which includes appropriate security obligations regarding such personal data.
Access to the University’s IT systems and manual systems that hold personal data are subject
to security and acceptable use policies which outline responsibilities in using these systems.
6. Data Subject Rights
Data subjects for whom the University holds personal data have the following rights in relation to the processing of their personal data (subject to certain limited exceptions)
: The right to obtain access to personal data. Data subjects have the right to be provided with copies of their personal data along with certain details in relati on to the processing of their personal data. The right to information. Data subjects have the right to be provided with certain
information, generally at the time at which their personal data is obtained. Maynooth University complies with this obligation via its data protection/privacy notices.
The right to rectification. Data subjects have the right to have inaccurate personal data that a controller holds in relation to them rectified.
The right to object and restrict processing. Data subjects have the right to require that a controller restricts its processing of their data in some circumstances, and have the right to object to the processing of their personal data in certain circumstances.
(v)Rights in relation to automated decision making. Data subjects have the right not to be subjected to processing which is wholly automated and which produces legal effects or otherwise which significantly affects them, and which is intended to evaluate certain personal matters, such as creditworthiness or performance at work, unless one of a number of limited exceptions applies.
The right to request erasure of personal data. Under certain circumstances a data subject has the right to request the erasure of their personal data.
The right to data portability. Under certain circumstances, Maynooth University may be required to provide a
data subject with a copy of their personal data in a structured, commonly used and machine readable format. Maynooth University is obliged to comply with any requests by a data subject to exercise the above rights within strict timelines imposed under Data Protection Law (20 days).
7. Third Parties
A processor is a third party that processes personal data on behalf of Maynooth University. If a third party has access to personal data that belongs to or is controlled by the University in order to provide a service to the University, then the third party is acting as a processor on behalf of
Prior to engaging processors, the University:
undertakes due diligence to ensure that it is appropriate to engage the processor; and
ensures that it puts in place an agreement in writing with the processor that complies with
the requirements under Data Protection Law.
The Personal Data Inventory sets out details of the processors that are engaged by the University. The details of processors in the Data Inventory
will be kept up to data in accordance with the procedure set out in the Documenting and Monitoring Compliance section of this policy.
8 .Transfers of Personal Data Outside the European Economic Area (EEA)
Under Data Protection Law, Maynooth University may not (save where one of a limited number of exceptions applies) transfer personal data outside of the EEA to any third country, unless that third country is deemed by the European Commission to provide an adequate level of protection in relation to the processing of personal data. The most relevant exceptions are: The data subject has explicitly consented to the transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; A data transfer agreement, incorporating the model clauses in the form approved by the EU Commission;
(c)The transfer is made pursuant to a Code of Conduct or a certification mechanism that has been approved under applicable Data Protection Law, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights;
(d) The data importer is subject to a framework approved by the European Commission to facilitate transfers (e.g. the EU – U.S. Privacy Shield).
Ensuring Compliance Maynooth University has in place policies and procedures to ensure that it can demonstrate its compliance under Data Protection Law.
9. Personal Data Inventory and Personal Data Processing Register
Maynooth University maintainsan inventory of the personal data that it holds. The inventory andregisterinclude the following details about the University’s processing of personal data:categories of personal data held and processedthe purposes of the processing;categories of data subjectsto which the personal datarelatesthe categories of recipients to whom the personal data have been or will be disclosedincluding recipients in third countries or international organisations;
(e)details of transfers of personal data to a thirdcountry, including the identification of thatthird country;
(f) where possible, time limits for retention; and
(g)where possible, a description of the technical and organisationalsecurity measures that are undertaken to protect the data.
(h)Contact details of the controller and the Data Protection Officer The University’s and Personal Data Processing Register is maintained by the Data Protection Officer and reviewed on a periodic basis Privacy by Design and Default Two of the key princi ples under Data Protection Law are that data protection compliance shall be implemented by design and by default. This means: Data Protection by Design
– Data protection by design means that the purposes of the processing of personal data are designed, fr om the beginning, with data protection in mind. The University seeks, where possible, to implement and practice methods of data minimisation. Other methods of data protection by design include staff training and audit and policy reviews in the context of data protection. Data Protection by Default – Maynooth University aims to ensure that, by default, only personal data which is necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of its processing, the period of its storage and their accessibility. Maynooth University ensures data protection by design and data protection by default through, among other things, following the procedures set out below, whenever it implements a new project. Data Protection Impact Assessment Maynooth is obliged to ensure that a Data Protection Privacy Impact Assessment (“ DPIA ”) (url link) is undertaken before commencing any processing that is likely to result in a “high risk” to data subject’s rights and freedoms. Examples of such processing that are given in the GDPR are the “large scale” processing of sensitive personal data or profiling activities. will also considers whether a Privacy Impact Assessment is necessary when it engages in changes to its processing of personal data that do not require a DPIA. Both DPIAs and PIAs are carried out before the processing activity in question is commenced.
Training aims to ensure that staff and students whose roles involve the processing of personal data are made aware of and, when necessary, receive training in respect of data protection law and principles
implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks to personal data that may arise in connection with the processing activities the University undertakes.
Data Incidents and Breaches Protection Law defines a ‘personal data breach’ as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. It is essential that all data security incidents and breaches or suspected incidents and breaches are reported to the Data Protection Officer immediately
Tel +353 1 7086184
Where a personal data breach occurs, it must be reported to the Data Protection Commissioners Office without delay and, where feasible, not later than 72 hours after the becomes aware of the breach
Maynooth University has overall responsibility for ensuring compliance with the Data Protection law All employees and students of the University who collect and/or control the contents and use of personal data are also responsible for compliance with the Data Protection legislation. Students and Staff must report any personal data security breaches to the Data Protection Officer (url link to data breach procedures and reporting form) The Data Protection Officer will assist the University and its staff in complying with the Data Protection legislation by providing and facilitating, support, assistance, advice and training.
11. Contact us
If you wish to make an access request Or exercise your rights as outlined underdata protection law Or have any queries about this policy please contact the Universities Data Protection Officer:
: +353 1 7086184
: Data Protection Officer,
information is available on the University web:
If you are dissatisfied with the decision of the data Protection Officer, you have the right to make a complaint to the Data Protection Commissioner
Lo Call Number
1890 252 231
+353 57 868 4757
Data Protection Commissioner
University may occasionally update this policy. We encourage you to periodically review this policy for the latest information on our privacy practices. We also encourage you to advise us of any changes to your personal data which we hold so that we can ensure that your personal data is accurate and up to date.
All Data Protection issues should be addressed to the: Data Protection Officer Ann McKeon firstname.lastname@example.org Controller
14. Cookies Statement
All of our web pages use “cookies”. A cookie is a small file of letters and numbers that we place on your computer or mobile device. These cookies allow us to distinguish you from other users of our website while you are browsing. This helps us to provide you with a good experience when you browse our website. We also use this information as a guide to improving the website and content.
Types of cookies we use
We use the following types of cookies:
- Necessary cookies – these are essential in to enable you to move around the websites and use their features. Without these cookies the services you have asked for, such as logging in and using certain Library services (primarily staff and students), cannot be provided.
- Performance cookies – these cookies collect information about how visitors use a website, for instance which pages visitors go to most often, how long they spend there and the path they took to find the page or content. We use this information to improve our websites and help us to diagnose problems or improve user journeys (help people find content quickly). For example, we use Google Analytics to collect anonymous traffic data to help us analyse how users use the site. These cookies do not collect information that can identify a user.
- Functionality cookies – these cookies allow the website to remember choices you make and provide personal features. For example, a functional cookie can be used to remember the volume level you prefer to use when watching video on the sites or the information that you used in a form that you accidentally navigated away from. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.
1 NOTE – It is best practice to deal with the processing of personal data separately in the Data Protection Policy.
2 NOTE – NUIM to confirm if this Cookies Statement is relevant to any other websites, e.g.https://www.maynoothstudentpad.ie/ or https://content.web.nuim.ie/.3 NOTE – Cookies could be deemed to collect personal data which is not ‘volunteered’ in certain circumstances, so it is probably best to refer users to the Data Protection Policy in respect of the collection and processing of personal data.
Advertising cookies/Re-targeting Cookies-
When you first visit these websites you will see a message informing you about cookies. If you click the ‘Accept Cookies’ button, you are agreeing that the types of cookies listed above and outlined below (see “Our Cookies”) can stored on your machine to enhance your browsing experience.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them please visit: www.allaboutcookies.org/.
For further information on the privacy of Google Analytics data, including details of how to opt-out, please visit: www.google.com/analytics/learn/privacy.html.
The University is not responsible for the content or privacy practices of other websites. The privacy practices on these websites may differ from that on Maynooth University’s websites, and we advise that you review these other policies before providing personal data. Within the University domain (maynoothuniversity.ie) you may find websites that the University has no editorial responsibility over. Such sites can include the websites of student organisations, etc. While the University expects compliance with this Cookies Statement, please email@example.com if you encounter University websites that are not compliant with this Cookies Statement.
Cookies may be set either by the www.maynoothuniversity.ie (“1st party cookies”), or by a third party website (“3rd party cookies”). The tables below identify the cookies we use and explain the purposes for which they are used.
We will keep this information up-to-date. Some cookies may be set from time to time by information feeds from 3rd party websites that we make available on our sites (E.g. RSS research feeds, Twitter and Facebook feeds).
the pages you have visited, publishers and advertisers can draw up a profile and use
If you arrive on our website via a digital
advertisement we will set a cookie on your browser to track conversions. We also
may set ‘re-targeting’ cookies on your browser which record your visit to our Site and
it to serve you advertisements about Maynooth University on websites where we
serve our adverts.
1st Party Cookies
This cookie is used to remember whether you wish to view the cookie notice or not.
This cookie is used to determine whether you’ll see the javascipt menus or not.
Customer support app.
_ga _gac_UA-4060749-1 __utmz
These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the website. The cookies collect information in an anonymous form, including the number of visitors to the website, where visitors have come to the site from and the pages they visited.
Overview of Google Analytics privacy
3rd Party Cookies
These cookies are used by Google to gather data for advertising.
Overview of Google privacy
Conversion tracking cookies used by Doubleclick (owned by Google).
Overview of Google privacy
SAPISID LOGIN_INFO YSC
YouTube may still set cookies on the user’s computer once the visitor clicks on the YouTube video player, but YouTube will not store personally- identifiable cookie information for playbacks of embedded videos using the privacy- enhanced mode.
__cfduid optimizelyEndUserId _hp2_id.3538148622 _gac_UA-10218544-16 _ga
Cloudlfare is cloud based storage which we use to server up fonts and CSS (stylesheets) for parts the site
auth_token external_referer ct0
Conversion tracking cookies from Doubleclick (a business owned by Google) used for maps related to events.
www.theguardian.com/techn ology/2012/apr/23/doubleclic k-tracking-trackers-cookies- web-monitoring
ub ruds rud smd cmd eud euds rrs uidfc rds rv
Advertising/Retar tgeting cookies.
If you wish to:
- exercise any of your rights under data protection law, or
- if have any queries about this policy,
please contact the University’s Data Protection Officer:Ann McKeonE-mail: firstname.lastname@example.org
Telephone: +353 1 7086184
Postal Address: Controller, Maynooth University, Maynooth, County Kildare, Ireland
Phone: +353 1 708 6000
Further information is available on the University web: www.maynoothuniversity.ie/data- protection
If you are dissatisfied with the decision of the Data Protection Officer, you have the right to make a complaint to the Data Protection Commission (www.dataprotection.ie).
Lo Call Number: 1890 252 231
Fax: +353 57 868 4757
Postal Address: Data Protection Commissioner Canal House, Station Road, Portarlington, Co. Laois, R32 AP23
This statement was updated on 25/05/2018
Technical details in connection with visits to this website may be logged by the University’s internet service provider for accounting and auditing purposes.
It is the policy of the University not to disclose such technical information in respect of individual website visitors to any third-party (apart from the University’s internet service provider, which records such data on the University’s behalf and which is bound by confidentiality provisions in this regard), unless obliged to disclose such information by a rule of law. The technical information will be used only for statistical and other administrative purposes. You should note that technical details, which the University cannot associate with any identifiable individual, do not constitute “personal data” for the purposes of the Data Protection Act 1988 Data Protection Amendment) Act 2003.
This statement is subject to review in light of any legislative or other indications.