The GDPR gives individuals greater control over their personal data by setting out clearly defined rights for individuals whose personal data is collected and processed by organisations such as Trinity College. The GDPR also imposes corresponding and greatly increased obligations on organisations that collect this data.

Personal data is any information that can identify an individual person. This includes a name, an ID number, a postal address, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

The GDPR is based on the core principles of data protection which require organisations to:

  • collect no more data than is necessary from an individual for the purpose for which it will be used;
  • obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose;
  • retain the data for no longer than is necessary for that specified purpose;
  • to keep data safe and secure; and
  • provide an individual with a copy of his or her personal data if they request it.

Under GDPR individuals have the significantly strengthened rights to:

  • obtain details about how their data is processed by an organisation;
  • obtain copies of personal data that an organisation holds on them;
  • have incorrect or incomplete data corrected;
  • have their data erased by an organisation, where, for example, the organisation has no legitimate reason for retaining the data;
  • obtain their data from an organisation and to have that data transmitted to another organisation (Data Portability);
  • object to the processing of their data by an organisation in certain circumstances; and
  • not to be subject to (with some exceptions) automated decision making, including profiling.

What does this mean for Trinity College staff and students?

Organisations collecting and processing personal data are required to meet a very high standard in how they collect, use and protect personal data. Trinity College is responsible for ensuring that the rights of students, staff and members of the public about whom personal data are processed are sufficiently protected. All staff and students who are dealing with personal data should ensure that they take reasonable measures to keep that data safe and secure at all times.

For organisations which breach the law, the Data Protection Commission has been granted robust powers to impose substantial sanctions, including the power to impose fines. The GDPR also permits individuals to seek compensation through the courts for breaches of their data protection rights.

Where can I get advice?

The Data Protection Officer can give advice and training on data protection issues. Inquiries about Data Subject Rights and notification of Data Breaches should be made to the Data Protection Officer at dataprotection@tcd.ie.
To ensure that you are GDPR compliant in your day-to-day handling of electronic personal data why not have a look at our GDPR IT Checklist.
General GDPR information is available from the Data Protection Commission and the European Data Protection Board.
An accessible, searchable version of the GDPR is available at https://gdpr-info.eu/.

Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
  • Sensitive Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.
  • Data Controller: The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
  • Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
  • Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • Privacy by Design: All processing of personal data must be done with data protection and privacy in mind at every step. This includes internal projects, product development, software development, IT systems, and much more. In practice, this means that privacy must be built into a system during the whole life cycle of the system or process.
  • Privacy by Default: When a product or service is released, the strictest privacy settings should apply by default, without any manual input from the end user. In addition, any personal data provided by the user to enable a product's optimal use should only be kept for the amount of time necessary to provide the product or service.
  • Cloud Computing: A method of delivering Information and Communication Technology (ICT) services where the customer pays to use, rather than necessarily own, the resources. These services are typically provided by third parties using Internet technologies.
  • ISO 27001: An international standard published by the International Standardization Organization. It describes how to manage information security in an organisation. A company, IT Service or product can be independently certified as meeting this standard.