This department uses appropriate measures to make sure that our processing of your personal data meets the higher standards of the GDPR. These measures allow us to demonstrate that we meet these standards. We consider the nature, scope, context and purposes of our data processing. We also consider the risks that this processing might create to the rights and freedoms of individuals, and the likelihood and severity of these risks.
The department will:
provide notices of the required information to you at the time that your personal data is collected
make sure that the information provided is detailed and specific
make sure that these notices are understandable and accessible
The information provided will include information about personal data collected both directly from the data subject and from other sources.
The department follows best practice to protect the confidentiality, integrity and availability of its information processing systems and services.
Data protection contact details
Our data protection officer oversees how we collect, use, share and protect your information to make sure your rights are protected.
Data Protection Unit
Department of Education, Cornamaddy, Athlone, Co Westmeath, N35 X659
Please note, since the establishment of the Department of Further and Higher Education, Research, Innovation and Science, we have had a shared-services arrangement with the Department of Education.
GDPR and data protection
The GDPR came into effect on 25 May 2018. This gives individuals greater control over their data by setting out extra and more clearly-defined rights for individuals whose personal data is collected and processed by organisations. The GDPR also imposes equivalent extra duties on organisations that collect this data.
The purpose of the Data Protection Act 2018 (‘the Act’) is to:
create the Data Protection Commission, to supervise and enforce improved data protection standards efficiently
give further effect to the GDPR
'transpose' (integrate) the separate Law Enforcement Directive into national law
The GDPR has direct effect on EU citizens, meaning you can rely on GDPR in court even where there is no national law in place. The GDPR allows national governments limited flexibility which is provided for in Part 3 of the Act.
The Data Protection Commission's website explains the rights and responsibilities under the Data Protection Acts. Information is also available from the Data Protection Commissioner's office.
Data subjects, personal data and special category data
Personal data means any information about a living person who is identified or ‘identifiable’ (recognisable) in the data.
A data subject is an identified or identifiable living person.
A person is identifiable if they can be identified directly or indirectly using an identifier.
Examples of identifiers include:
A person may also be identifiable by factors specific to their identity, such as physical, genetic or cultural factors.
Specific types of sensitive personal data have extra protection under the GDPR. These are listed under Article 9 of the GDPR as ‘special categories’ of personal data. The first type of special category is personal data revealing:
racial or ethnic origin
religious or philosophical beliefs
trade union membership
The other types are:
biometric data processed to uniquely identify a natural person
data about health
data about a natural person’s sex life or sexual orientation
Processing of these special categories is prohibited, except in limited circumstances set out in Article 9.
Legal bases for processing personal data
There are six legal bases on which personal data may be processed:
To protect the vital interests of the data subject or another
Task done in the public interest or in the exercise of official authority given to the data controller
Legitimate interest (this doesn’t apply to the performance of public tasks but may apply to organisation-specific tasks such as operation of CCTV for security or for the safety of our staff)
Many of the department’s processing activities are carried out as tasks in the public interest or in the exercise of official authority to the extent that such processing is necessary and proportionate for:
the performance of a function of the minister conferred by or under an enactment of the constitution
an administration by or on behalf of the minister of any non-statutory scheme, programme or funds where the legal basis for such administration is a function of the minister conferred by or under an enactment or by the constitution
Privacy statements and privacy notices
The policy of the department is to include a privacy statement on any forms which we may use to collect personal data as part of a processing activity. The statement will provide information on the main purposes for collecting the personal data and whether the data is being shared with any other organisations. The statement will include a link to a more detailed privacy notice, which will provide more details on the processing activity.
A privacy notice is used by the department to provide details on each processing activity undertaken, which involves personal data. It will include:
source of the personal data where it has not been obtained from the data subject directly (often the department as part of its functions will have received the data via a school or other educational organisation)
persons or organisations to whom the data or part of the data may be disclosed and why
The privacy notice will also include information on data subject rights and how they can be exercised.
Personal data should be retained for no longer than is necessary for the purposes or purpose for which it is being processed. As the department is subject to the National Archives Act, 1986, records with personal data may have to be retained for archiving where there is no disposal order from the National Archives in place with respect to that category or record.
Data controllers, data processors and data sharing
A data controller refers to a person, company, or other body which determines the purposes and means of processing of personal data.
A data processor refers to a person, company, or other body which processes personal data on behalf of a data controller.
The term 'processing' refers to any operation or set of operations performed on personal data.
Processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data, and can involve automated or manual operations.
Data sharing is where personal data is shared between two data controllers. The sharing of data is required to have a legal basis and to be transparent.