Privacy Notices

 

The objective of this webpage is to provide guidance to staff of Trinity College Dublin (the University) on the information that must be provided to data subjects in order to meet the principle of transparency and the right of notification under the General Data Protection Regulation and to provide information to students and staff regarding the processing of their personal data.

Student Data

What is a privacy notice?

A privacy notice is often referred to as a privacy statement, privacy policy or a data protection statement and it is simply a statement by an organisation which describes how it will process personal data about individuals.

Why do I need a privacy notice?
In order to lawfully process personal data about an individual, you must do so in a way that is fair and that meets the principles set out in the GDPR.
The principles require that personal data is processed in a transparent manner, which means that individuals should be provided with information about the use of their personal data in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”. It is important to consider the individuals about whom the data will be processed. If it is likely that an individual would be surprised at the use of their data by the University, then your privacy information may not be sufficient.
The principle of transparency is directly linked to the right to be informed in the GDPR.  This means that individuals have a right to be informed about the processing of their personal data including the purpose and the lawful basis for processing their personal data.

 

When should a privacy notice be provided?
If data is collected directly from an individual, the privacy notice must be provided prior to or at the point of collection of the data. If you have obtained the data indirectly, e.g. from a third party, then you should provide the information to the individuals within a reasonable time frame and in any case within one month of obtaining the data. If the individual already has all the relevant information then you will not need to provide it to them again; however, this and other exemptions which may apply should be discussed with the Data Protection Officer.

 

 

How should a privacy notice be provided?
The manner in which a privacy notice should be provided depends on the way in which the data will be collected. It is important to ensure that the information is accessible by individuals and that they do not have to read through pages upon pages of legal terms and conditions in order to understand how their data will be used. If you are collecting personal data via a form on a website, you should consider a layered approach whereby you include some bullet points with the important information alongside the web form and include a link to a more detailed privacy notice that individuals can access separately. You could also use a pop-up box that includes the same information and a link to the detailed privacy notice.
If you are collecting data on a written form, then you could provide the individual with information either on a separate leaflet or embedded within the form, e.g. researchers generally provide information in a patient information leaflet which can be amended to incorporate the relevant privacy information.
If you are collecting information via an app or mobile device then the GDPR does support the use of icons and pop-ups “in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing.”

 

What information must a privacy notice include?

The following is a list of the information that must be provided to the data subjects when the data is collected directly from them:

  • The identity and contact details of the controller
  • Contact details for the data protection officer
  • The purposes and legal basis for the processing
  • Details on legitimate interest if processing is based on this
  • Details of the statutory requirement or contract if processing is based on this
  • Recipients of the personal data
  • Details of transfers to third countries and the details of the relevant safeguards
  • The rights of the data subject
  • Retention period or criteria used to determine the retention period
  • The right to withdraw consent if processing is based on consent
  • The right to lodge a complaint with the DPC
  • Whether automated decision making or profiling is carried out.

 

If you obtain the data indirectly, e.g. from a third party, then you must provide the following information to the data subjects about whom the data has been collected:

  • The identity and contact details of the controller
  • Contact details for the data protection officer
  • The purposes and legal basis for the processing
  • Details on legitimate interest if processing is based on this
  • Categories of personal data obtained
  • Recipients of the personal data
  • The source of the data including data obtained from a public source
  • Details of transfers to third countries and the details of the relevant safeguards
  • The rights of the data subject
  • Retention period or criteria used to determine the retention period
  • The right to withdraw consent if processing is based on consent
  • The right to lodge a complaint with the DPC
  • Whether automated decision making or profiling is carried out.

Cookies
If you are using cookies or tools such as Google Analytics you will also need to add this information to your privacy notice when collecting data via a webpage.

Privacy Notice Template

You can use the attached template as a guide when completing your privacy notice; however, it is important to note that your privacy notice should describe how personal data is used in your area and therefore should be tailored and formatted to provide useful, transparent and clear information to individuals.

Privacy Notice Template