The purpose of these procedures is to assist College employees in supporting the College’s commitment to protect the privacy rights of individuals in accordance with data protection legislation. The guidelines set out the areas of work in which data protection issues arise, and outline best practice in dealing with these issues.

All staff should familiarise themselves with the relevant procedures; Guidelines for Staff.

Data Retention

Personal data should be retained according to the timeframes set out in the College Records Retention Schedule.
Personal data should be disposed of when they are no longer needed for the effective functioning of the College and its members. The method of disposal should be appropriate to the sensitivity of the data. Shredding is appropriate in the case of manual data and reformatting or overwriting in the case of electronic data. Particular care should be taken when personal computers are transferred from one person to another or outside the College or are being disposed of.
One of the functions of the University is the curation of the University Archives, which comprise the University’s administrative, legal and historical records of archival value. This collection – whose earliest record is the foundation charter of 1592 – represents the corporate memory of TCD, and is of important historical value. The University will process personal data of archival value in accordance with section 42 of the Data Protection Act 2018 which permits that personal data of archival value in the public interest may be retained. Personal data retained by the University for archival purposes in the public interest will be stored and secured in accordance with the principles of data protection.

Consent and Lawful Processing

MYTH I need to get consent for all processing of personal data.
FACT Consent is one way to legally process personal data, it is not the only way nor is it always the best way.


  • The College must protect personal data from unauthorised access when in use and in storage and the data must be protected from inadvertent destruction, amendment or corruption.
  • Personal electronic data should be subject to appropriate stringent controls, such as passwords, encryption, access logs, backup, etc.
  • Screens, printouts, documents, and files showing personal data should not be visible to unauthorised persons.
  • Personal manual data must be held securely in locked cabinets, locked rooms or rooms with limited access.
  • Subject to retention guidelines, personal manual data should be destroyed by confidential shredding when the retention period has expired.
  • When upgrading or changing your personal computer, ensure the hard drive is cleaned by an appropriate IT staff member.
  • Special care must be taken where laptops and personal computers containing personal data are used outside the College.
  • Health and social work personal data can only be released following consultation with the relevant professional.
  • Disclosing personal data to a Data Processor should be done only under a written contract specifying security rules to be followed.
  • To help staff ensure that they are GDPR compliant in their day-to-day handling of electronic personal data in the University, IT Services have provided updated advice and information on GDPR and the use of IT systems and services on the IT Security website.


All researchers, be they students or staff, involved in collecting personal data, especially sensitive personal data, must comply with the requirements of European data protection legislation including domestic legislation if working win consortiums or with partners in other member states. Initially, they must ensure that data are obtained and processed fairly. It is essential that the necessary consent from data subjects is obtained. Whenever possible, personal data should be pseudonymised or anonymised.
Personal data shall be kept only for one or more specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those. This restriction may limit the usefulness of data for research purposes. If personal data are made anonymous, however, they cease to be personal data subject to the terms of the Act.
In addition, there is some flexibility in data protection rules for personal data kept for statistical, research or other scientific purposes, so long as the data are not used in a way that may harm the data subject and the processing of the data is necessary. The rules in question being the restrictions on further processing personal data that is incompatible with the original purpose, on not keeping data longer than necessary for the purpose and on not disclosing the purpose when the data were obtained. It should be noted that if research data are retained in personally identifiable format they may be subject to an access request from a data subject and are subject to restrictions on the transfer of data outside the European Economic Area. If you have any queries or require clarification on any aspect of this document, please contact Data Protection Officer, Secretary’s Office, Trinity College, Dublin 2. Email: