The University of Limerick (the University) must process the personal data of its staff (you) in order to carry out its functions and manage its operations. The processing of this personal data is carried out in accordance with the General Data Protection Regulation (GDPR) / Data Protection Acts 1988-2018 and with the University's Data Protection Policy. The University is the Data Controller for personal data we process about you.

The purpose of this Staff Data Protection Privacy Notice is to explain how the University uses personal data we collect and hold about employment applicants, current staff, retired staff, agency workers and contractors of the University.

This notice should be read in conjunction with the University’s Data Protection Policy (available at www.ul.ie/policyhub).

This notice extends to all your personal data as defined under Article 4(1) of the General Data Protection Regulation (EU) 2016/679.

The University only holds personal data that is required for its dealings with a given data subject. The data will be collected, held and processed in accordance with the Data Protection Policy and with this Notice in a reasonable and lawful manner. Your personal data is collected during the application, recruitment and appointment process as well as during the course of your employment. The types of personal data the University may collect include:

  • Identification data – name, date of birth, PPS Number, country of birth, nationality, copy of passport/driver's licence, gender.
  • Contact details – address, email address, phone number.
  • Image (for identity card)
  • Car registration
  • Pay and financial information (including bank account, pension, other benefits details, and tax and insurability classification)
  • Performance review records, promotions & progressions information, probation information
  • Emergency contacts
  • Details of previous employment (including CV and references)
  • Educational history
  • Professional data
  • Marital status and dependant details
  • Garda vetting data
  • Hosting or secondment agreements
  • Visa and work permit details
  • Technical information generated through your use of University IT systems
  • CCTV
  • Video & voice recordings (for the provision of online teaching and online meetings)
  • Criminal convictions – which may be processed in the context of appropriateness of employment or for disciplinary and grievance procedures.

Special Category Personal Data 

Some types of Personal Data are deemed to be Special Category Personal Data, such as data relating to health or trade union membership. The University will only process this information where the University has received your consent to do so, or where it relies on another lawful basis as described in Section 2 below. Illustrative example of the use of categories of Special Category Personal Data:

  • Medical Information - where special workplace accommodations are required to be considered or for compliance with any sick leave scheme, the University may procure medical reports, including Occupational Health Advisor reports, regarding staff. Such reports will contain Special Category Personal Data regarding a staff member’s health status, conditions or illnesses.

Data Protection law requires that the University must have a valid lawful basis in order to process personal data.

The University relies on a number of such lawful bases as follows:

Performance of a contract

The University processes personal data relating to staff for the purposes of recruitment and the formation and administration of the contract of employment and employee relationship.

The purposes for which staff personal data are processed include:

  • Recruitment and selection
  • Employment matters (e.g. promotion, training and development, conduct, attendance, appraisals, managing progress, processing work permits and visas, grievance and academic misconduct, disciplinary actions and complaints, terminating contracts)
  • Maintenance of employee/staff records
  • Administering finance (e.g. salary, pension and other staff benefits)
  • Providing support services
  • Providing operational information
  • For the purpose of promoting our services and other operational reasons
  • Providing necessary services (including IT and communication services)
  • Safeguarding and promoting welfare of staff
  • Internal reporting and record-keeping
  • Carrying out audits
  • Other reasons for ordinary personnel administration not listed here

Fulfilment of a legal obligation

The University must process your personal data when required to do so under Irish/EU law, in particular for the purposes of compliance with statutory obligations under the Universities Act, 1997 and the Higher Education Acts.

Examples of situations where the University processes personal data for the purposes of fulfilment of a legal obligation include:

  • Sharing information with statutory bodies such as the Higher Education Authority and the Revenue Commissioners
  • Monitoring equal opportunities
  • Providing safety and operational information
  • Performing audits
  • Ensuring the security of our network and information systems and the integrity and confidentiality of information stored and transmitted on these systems
  • Preventing and detecting crime
  • Administration of insurance and legal claims
  • Garda vetting
  • Creation of reports and statistics, which the University is required to return to Government Departments etc.

To protect the vital interests of you or another person

Under extreme circumstances the University would share your personal data with third parties to protect your interests or those of another person, for example:

  • Providing medical or emergency contact information to emergency services personnel
  • Contacting you or your next of kin, in case of an emergency
  • Use of CCTV systems on campus to assist in safeguarding your personal safety and security and to aid the prevention, deterrence and detection of crime.

Consent

Under certain circumstances, the University will only process your personal data with your explicit consent.

Explicit consent requires you to make a positive, affirmative action and be fully informed about the matter to which you are consenting, for example:

  • Marketing e.g. use of your image in print or online publications
  • References: the provision of references to new employers of staff members
  • Participating in University and third-party surveys.

The University will employ reasonable and appropriate administrative, technical, personnel, procedural and physical measures to safeguard your information against loss, theft and unauthorised users’ access, uses or modifications.

Your personal data may be shared between members of staff within the University in order for the University to fulfil its functions and objects.

Such sharing will comply with the following principles:

Confidentiality

Only people who are authorised to use the data will be authorised to access it.

Staff are required to maintain the confidentiality of any of your data to which they have access. 

Integrity

The University will make all reasonable efforts to ensure that your personal data is maintained accurately and remains suitable for the purpose for which it is processed.

Availability

Authorised users should be able to access the data if they need it for authorised purposes.

The University may disclose certain personal data to third parties.

These external organisations, and the purpose for sharing the information, are set out below. (Please note that this list is not exhaustive.) The University will only share your personal data with external third parties where we are required to do so under a statutory or legal obligation, or we are required to do so under a contractual obligation or we have your consent, or we are otherwise permitted to do so in accordance with data protection legislation. The disclosure of your data to third parties includes:

  • To agents and contractors of the University where there is a legitimate reason for their receiving the information (including service providers, pension service providers, insurers and external legal and financial advisers).

  • To Education Shared Business Services (“ESBS”) for administration of payroll as part of the Higher Education Payroll Shared Services (“HEPSS”) arrangement.

  • To potential employers of Staff members (to provide references).

  • Department of Justice and Equality / The Irish Naturalisation and Immigration Service (INIS) in relation to visa and immigration obligations.

  • To professional and regulatory bodies.

  • Academic Institutions/partners, Higher Education Institutions or employers where the Staff member is taking part in an exchange programme or other collaboration as part of the engagement by the University.

  • To internal and external auditors.

  • Regulatory Authorities (e.g. Office of the Ombudsman, Data Protection Commission, the Information Commissioner’s Office).

  • To other public authorities and bodies where required or permitted by law, such as the Higher Education Authority, Department of Further and Higher Education, Research Innovation and Science, Department of Social Protection, or in the case of the Gardaí or other law enforcement authorities where necessary for the purpose of the prevention, investigation or detection of crime.

  • Press and the media: With your consent, we may share information about you for publicity and marketing purposes online, in print and on social media.

In some instances, your personal data will be shared with third parties outside of the European Economic Area (EEA). When this is required, the University will only transfer your personal data outside of the EEA where adequate safeguards are in place and when one of the following conditions has been met:

  • The European Commission permits the transfer to the non-EEA country or organisation on the basis of an adequacy decision.

  • The European Commission has approved the type of transfer i.e. under Binding Corporate Rules or Standard Contractual Clauses.

  • You have given us explicit consent for the transfer.

  • The transfer is necessary for the performance or conclusion of a contract with you or in your interest.

  • The transfer is necessary for important reasons of public interest.

  • The transfer is necessary for the establishment, exercise or defence of legal claims.

  • The transfer is necessary to protect your vital interests or those of other persons where you are unable to give your consent.

  • The transfer is made from a register which according to the EU or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by EU and Member State Law for consultation are fulfilled in the particular case.

The time period for which the University generally retains personal data varies according to use of the information. In some cases, there are legal requirements to keep personal data for a minimum period of time. Unless specific legal requirements dictate otherwise, the University will retain personal data for no longer than necessary for the purpose for which the personal data were collected or for which they are further processed.

The University retains all personal data in accordance with its Records Classification & Retention Schedule.

Your rights relating to your personal data include:

  • to be informed (via this privacy notice and other communications);

  • your right to request access to Personal Data held by the University, and to have any incorrect Personal Data rectified;

  • your right (where appropriate) to the restriction of processing concerning you or to object to processing;

  • your right to have Personal Data erased (where appropriate); and

  • your right to data portability regarding certain automated Personal Data.

With regard to rights within the legislation relating to “automated decision-making”, the University does not use such processes and they do not arise.

Requests relating to any of the above should be addressed by email to dataprotection@ul.ie or in writing setting out your specific request to the University’s Data Protection Officer, Office of the Corporate Secretary, Room A1-073, University of Limerick, Limerick. Your request will be processed within 30 days of receipt.

Please note, however, that it may not be possible to facilitate all requests, for example, where the University is required by law to collect and process certain personal data.

Updating your details: The GDPR requires that personal data is accurate. Please let the University know if your contact details change.

Processing Personal Data: You must comply with the University’s Data Protection Policy and the GDPR if, as a staff member you have access to the personal data of others or if you wish to collect or process any personal data as part of a research study.

Further information on Data Protection at the University of Limerick may be obtained at www.ul.ie/dataprotection. You can contact the University’s Data Protection Officer at dataprotection@ul.ie or by writing to Data Protection Officer, Room A1-073, University of Limerick, Limerick.

You have a right to lodge a complaint with the Office of the Data Protection Commission (Supervisory Authority). While we recommend that you raise any concerns or queries with us first, you may contact the Office at info@dataprotection.ie or by writing to the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28.

This Privacy Notice will be reviewed and updated from time to time to take into account changes in the law and the experience gained from the operation of the Notice in practice.

Last update: January 2024

Postal Address: Corporate Secretary’s Office, Main Office, Room A1-073, Main Building.
Email: corporatesecretary@ul.ie
Phone: +353 (0)61 233 767