STUDENT DATA PROTECTION PRIVACY NOTICE
The University of Limerick (the University) must process the personal data of its students (you) in order to carry out its functions and manage its operations. The processing of this data is carried out in accordance with the General Data Protection Regulation (GDPR) / Data Protection Acts 1988-2018 and with the University's Data Protection Policy. The University is the Data Controller for personal data we process about you.
The purpose of this Student Data Protection Privacy Notice is to explain how the University uses personal data we collect and hold about prospective, current and graduated students of the University. This notice should be read in conjunction with the University's Data Protection Policy available on the UL Policy Hub.
This notice extends to all your personal data as defined under Article 2(1) of the General Data Protection Regulation (EU) 2016/679.
The full, printable version of the University's Student Privacy Notice can be viewed here.
1. Why the University Holds Your Personal Data
1.1 The University must process your personal data in order to provide educational services through its teaching, research and associated academic and administrative activities, for example, recruitment of students, provision of programmes of study, examinations, engaging with accrediting bodies and Government agencies such as the Higher Education Authority and Department of Education and Skills.
1.2 As part of its administrative activities and in order to ensure a safe and secure campus for you and your fellow students, the University processes personal information through the use of CCTV to monitor and collect images for the purposes of security, the prevention and detection of crime and, where necessary, to assist with serious disciplinary matters.
1.3 Other circumstances in which the University processes your personal data include the sharing of only the required level of data with the UL Students’ Union/Postgraduate Students’ Union and the UL Alumni Association in order to facilitate your membership of these bodies.
1.4 In addition, the University will process your personal data in order to promote University programmes of study; extracurricular services; circulation of UL Links Magazine; the undertaking of surveys, fundraising etc. and in these circumstances your explicit consent will be sought to enable such processing.
2. Student Personal Data Held by the University
2.1 Student data is mainly obtained from the details you provide through the CAO (Central Applications Office), PAC (Postgraduate Applications Centre), or directly through the application/enrolment/registration process. Student academic performance data will be collected during the course of your studies and held by the University on its records systems. Additional data is collected/recorded by a number of services/offices within the University to meet specific needs (e.g. Faculty/Department, Student Affairs Division, Library, Fees Office, Student Health Centre, Student Counselling Service etc).
2.2 The University provides this Privacy Notice, which in broad terms explains how and why we typically process and share your personal data.
2.3 Categories of personal data collected/recorded include:
- Name, Addresses (Home, Term, email), phone number(s), date of birth, nationality, PPS No;
- Course application details, schools attended, previous examination results;
- Curricula Vitae for placement students;
- Financial information, details of funding, fees;
- Image (for Identity card), student ID number;
- Visa requirements/visas; copies of passport, garda vetting record, medical information and other documents required to ensure compliance with legislative and specific course requirements;
- Information about examinations, assessments and results, I-grades, repeat examinations and student progression;
- Degrees/Diplomas/Certificates awarded;
- Socio-Economic Category (optional), Religion (Optional);
- Parents Employment Status (Optional) Parents Socio Economic grouping, Parents Occupation (Optional);
- Details of Disabilities (Optional), Medical Records, Records of visits to Counselling Service;
- University CCTV recordings;
- Disciplinary, grievance procedures data.
3. Lawful Basis for University Processing Personal Data
3.1 Data Protection law requires that the University must have a valid lawful basis in order to process personal data. The University relies on a number of such bases as follows:
3.1.1 Necessary to carry out our objects and functions under the Universities Act 1997/The provision of a contract - much of the personal information the University processes is necessary to meet its commitments to you, for example, processing your data in relation to teaching, assessment and associated administration. The following sets out the main purposes for which we process your personal data:
- Recruitment and admission of students;
- Provision of teaching and associated academic services including examinations, progression and related administration;
- Facilitating accreditation with professional & industrial bodies;
- Managing and administrating students educational contracts;
- Recording and managing student conduct (including disciplinary procedures);
- Maintaining student records;
- Management and administration of student finance (including tuition fees, bursaries and scholarships);
- Graduation – type and status of graduate awards are publicly acknowledged at University of Limerick conferring ceremonies and are published in the University's conferring booklet; Graduation ceremonies are regarded as public events and may be recorded and/or live streamed by the University.
- Delivering plagiarism checking and academic validation services;
- Providing services necessary for the student experience (Including Library, IT and communication services);
- Providing support and maintenance services (including IT);
- Ensuring the security of our network and information systems and the integrity and confidentiality of information stored and transmitted on these systems;
- Safeguarding and promoting welfare of students;
- Dealing with grievances and disciplinary actions;
- Dealing with complaints and enquiries;
- Providing careers and placement advice and services;
- Providing/offering facilities and services to you during your time as a student and thereafter as part of the University’s business (e.g. library access, computing, UL Students’ Unions, Alumni membership and activities);
- Service improvement via feedback and surveys;
- Internal reporting and record keeping;
- Responding to data access requests you make;
- Inclusion in the University’s Outlook directory, website;
- Providing student support services including:
- Disability and learning support services;
- Careers and employment advice and services;
- Health and wellbeing services;
- University SMS text messaging system: as a registered student, you will be automatically added to the list to receive texts regarding University-related information, for example, cancellation/ rescheduling of lectures, exam reminders etc. If you are not interested in receiving text alerts from us, you can opt out of this service in the Student Portal by changing your preferences in your Personal Details page. Regardless of the foregoing, the University will send you an SMS text message in the event of an emergency, where possible.
- University email distribution lists: as a registered student you will automatically be added to a number of email distribution lists to enable the University to manage its operations and provide the full range of services to you. An opt-out option is not permitted for these operations and core services.
3.1.2 Fulfilment of a legal obligation – the University must process your personal data when required to do so under Irish/EU law, for instance:
- sharing information with statutory bodies like the Higher Education Authority;
- Monitoring equal opportunities;
- Providing safety and operational information;
- Performing audits;
- Preventing and detecting crime;
- Administration of insurance and legal claims;
- Garda vetting;
- Creation of reports and statistics which the University is required to return to Government Depts. etc;
3.1.3 To protect the vital interests of you or another person - under extreme circumstances the University would share your personal data with third parties to protect your interests or those of another person, for example,
- Providing medical or emergency contact information to emergency services personnel;
- Contacting you or your next of kin, in case of an emergency;
- Use of CCTV systems on campus to assist in safeguarding your personal safety and security and to aid the prevention, deterrence and detection of crime.
3.1.4 Consent - under certain circumstances, the University will only process your personal data with your explicit consent. Explicit consent requires you to make a positive, affirmative action and be fully informed about the matter to which you are consenting, for example:
- Providing information on UL courses and other programmes of study that may be of interest and benefit to students, applicants and other interested parties;
- Promoting the University’s services (e.g. summer schools, student exchanges, or other events happening on and off campus);
- Marketing, including images, online, in print and on social media; publications, invitations and other communications (eg UL Links etc); e-news and flash emails; the promotion of University events;
- References: Academic staff may agree to provide a reference for you if you apply for a job or further study. You should ensure that the requesting organisation is in a position to provide the academic staff member with a copy of your signed consent to the issuing of your reference to them;
- Participating in University and third party surveys.
4. Protecting Your Personal Data
4.1 Your personal data may be shared between members of staff within the University in order for the University to fulfil its functions and objects.
4.2 In addition to the foregoing principle, the University will employ reasonable and appropriate administrative, technical, personnel, procedural and physical measures to safeguard your information against loss, theft and unauthorised users’ access, uses or modifications.
4.3 The following principles apply:
- Confidentiality - only people who are authorised to use the data will be authorised to access it.
- Staff are required to maintain the confidentiality of any of your data to which they have access.
- Integrity – the University will make all reasonable efforts to ensure that your personal data is maintained accurately and remains suitable for the purpose for which it is processed.
- Availability - that authorised users should be able to access the data if they need it for authorised purposes.
5. Sharing Your Personal Data with Third Parties
5.1 The University may disclose certain personal data to third parties. These external organisations, and the purpose for sharing the information, are set out below (Please note that this list is not exhaustive). The University will only share your personal data with external third parties where we are required to do so under a statutory or legal obligation, or we are required to do so under a contractual obligation or we have your consent, or we are otherwise permitted to do so in accordance with data protection legislation. The disclosure of your data to third parties includes:
- Affiliated Organisations, Organisations established as a separate legal entity whose primary purpose is to support the University in developing and enhancing student engagement and overall student experience. Examples include the Students’ Union and the Postgraduate Students’ Union. As a student of the University, you will be entitled to avail of relevant services provided by these organisations. Your UL email address will be shared with the relevant Students’ Union. These organisations have access to UL Student email distribution lists (not individual student email addresses). This sharing is governed by a Data Sharing Agreement between the organisation and the University;
- CAO, PAC Processing offers of places on undergraduate/postgraduate courses;
- Higher Education Authority (HEA) Statutory annual statistical returns and optional student survey returns. Information regarding the HEA collection of student data from Third Level Institutions is available here;
- Quality and Qualifications Ireland, Sharing data relating to qualification recognition, quality assurance, and qualification details referenced to the National Framework of Qualifications;
- Grant authorities / SUSI / research and funding councils: Information may include details of your progression from year to year to ensure continuance of funding;
- Dept. of Social Protection e.g. verification of employment status requests, details of Registration to verify eligibility for Jobseekers allowances/Back To Education Allowance;
- Department of Justice and Equality / The Irish Naturalisation and Immigration Service (INIS) visa and immigration obligations;
- Revenue Commissioners;
- Regulatory Authorities (eg Office of the Ombudsman, Office of Data Protection Commissioner, Office of the Information Commissioner);
- Legal advisors, Courts.
- Garda Siochana - prevention/detection of crime, apprehension and prosecution of offenders, protection of an individual’s vital interests/welfare or safeguarding national security.
- Garda Vetting Bureau - details of students who have applied for courses that require Garda vetting.
- Insurance companies for the purpose of providing insurance cover or in the event of an insurance related claim.
- Academic Institutions / partner Higher Education Institutions If you are involved in study arrangements with other organisations, e.g. exchanges and/or placements, the University may disclose some of your personal data to the relevant provider including those outside of the European Economic Area (EEA).
- External Examiners Exam scripts for external review, quality assurance.
- Accreditation/Professional bodies The University is obliged to share your personal data with professional bodies to confirm your qualifications and accreditation of your course (e.g. Medical Council, Nursing & Midwifery Board of Ireland, Teaching Council etc).
- Employers, voluntary and charitable organisations. To facilitate co-operative and volunteering placements of students.
- Financial sponsors If a student’s tuition fees are paid under a sponsorship, scholarship or loan arrangement by an external organisation (e.g. your employer), the University may share personal data relating to your attendance and academic progress.
- Prospective employers for confirmation of qualification and provision of references – with your consent.
- External Software As A Service (SAAS) providers. The University has entered into commercial agreements with external software service providers to support and enhance teaching, learning and assessment and research mission of the University. These services include administrative systems, learning management systems, virtual learning environments, online discussion forums, lecture and tutorial recording, research publications, authenticity/plagiarism checking, and feedback and assessment. Data processing agreements are in place with these service providers.
- Press and the media with your consent we may share information about you for publicity and marketing purposes online, in print and on social media.
- Fulfilment (posting of letters) Companies - Data released to printers for the purpose of facilitating mailshots on behalf of the University.
5.2 Parents, guardians and other relatives The University will not disclose your personal data to parents or relatives without your consent, other than in exceptional circumstances.
6. Transfer of personal data to other countries
6.1 In some instances your personal data will be shared with third parties outside of the European Economic Area (EEA). When required, the University will transfer your personal data outside of the EEA where adequate safeguards are in place and when one of the following conditions have been met:
- The European Commission permits the transfer to the non-EEA country or organisation on the basis of an adequacy decision.
- The European Commission has approved the kind of transfer i.e. under EU/US Privacy Shield, Binding Corporate Rules or Standard Contractual Clauses/Model Contracts
- You have given us explicit consent for the transfer.
- The transfer is necessary for the performance or conclusion of a contract with you or in your interest.
- The transfer is necessary for important reasons of public interest.
- The transfer is necessary for the establishment, exercise or defense of legal claims.
- The transfer is necessary to protect your vital interests or other persons where you are unable to give your consent.
- The transfer is made from a register which according to the EU or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by EU and Member State Law for consultation are fulfilled in the particular case.
7. Retention of Data After You Graduate
7.1 The University retains all personal data in accordance with its Records Management and Retention Policy. The University will need to maintain some records relating to you after you graduate in order to provide services to you as a graduate of the University. This includes: verifying your award, providing transcripts of your marks, opportunities for further study, academic references, careers support, alumni and networking services
7.2 Alumni: When you graduate/complete your course, you will automatically be included as a member of the University’s Alumni Association, UL Alumni. You will receive emails from Alumni about the benefits of staying in touch. The UL Alumni webpage provides further information as to how your personal data will be used and how you can opt out from communications.
7.3 Data that is not required to fulfil the services the University will provide to you after you graduate will be securely deleted in accordance with the University’s Records Management & Retention Policy.
8. Your Rights
8.1 Your rights relating to your personal data include:
- to be informed (via this privacy notice and other communications).
- your right to request access to Personal Data held by the University, and to have any incorrect Personal Data rectified;
- your right (where appropriate); to the restriction of processing concerning you or to object to processing;
- your right to have Personal Data erased (where appropriate); and
- your right to data portability regarding certain automated Personal Data
- with regard to rights within the legislation relating to “automated decision-making”, the University does not use such processes and they do not arise.
- to restrict the use of the data we hold and the right to object to the University using your data - please contact the Data Protection Officer if you believe your personal data is being used unlawfully or you have reason particular to your personal situation as to why we should not be processing it.
8.2 Requests for any of the above should be addressed by email to email@example.com or in writing setting out your specific request to the University’s Data Protection Officer, Office of the Corporate Secretary, University of Limerick, Limerick. Your request will be processed within 30 days of receipt. Please note, however, it may not be possible to facilitate all requests, for example, where the University is required by law to collect and process certain personal data including that personal information that is required of any student of the University.
8.3 Additionally, you can update your personal data on the SI system or alternatively by contacting the Student Academic Administration Office at firstname.lastname@example.org.
9. Your Responsibilities
9.1 Updating your details: The GDPR requires that personal data is accurate. Please let the University know if your contact details change.
9.2 Processing Personal Data: You must comply with the University’s Data Protection Policy and the GDPR if, as a student, you have access to the personal data of others; or if you wish to collect or process any personal data as part of your studies or research. You must ensure that you notify and seek approval from your supervisor and the relevant University Research Ethics Committee if required, before any processing occurs.
10. Queries, Contacts, Right of Complaint, Review
10.1 Further information on Data Protection at the University of Limerick may be viewed at www.ul.ie/dataprotection. You can contact the University’s Data Protection Officer at email@example.com or by writing to Data Protection Officer, Room A1-073, University of Limerick, Limerick.
10.2 You have a right to lodge a complaint with the Office of the Data Protection Commissioner (Supervisory Authority). While we recommend that you raise any concerns or queries with us first, you may contact that Office at firstname.lastname@example.org or by writing to the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28.
11.1 This Privacy Notice will be reviewed and updated from time to time to take into account changes in the law and the experience gained from the Notice in practice.
Last updated: July 2020