
Data Protection Policy

1.1 Policy Owner

The policy owner is the Board of Directors.

1.2 Purpose

The purpose of this policy is to provide information and transparency regarding the Data Protection obligations of Cenit College in order to comply with the Data Protection Act (2018). This includes obligations dealing with personal data. It applies to data collected and stored for all employees, learners, and other stakeholders.

1.3 Scope

This policy is applicable to processing activities in relation to personal and sensitive data carried out by Cenit College in the normal course of its business. Specifically, this policy is applicable to:

  • Any individual who receives, handles, or processes personal data on behalf of Cenit College. This cohort includes direct employees (full and part time), tutors, etc.
  • Third-party organisations that receive, handle or process personal data on behalf of Cenit College. This cohort is often referred to as data processors.

1.4 Responsibilities

The Board of Directors is responsible for approving this policy and ensuring organisation-wide compliance. The Financial Controller is responsible for maintaining all financial records. All employees (full time, part time, contracted) are responsible for ensuring compliance in their respective roles and duties. The QA Manager is responsible for ensuring that quality is maintained in all personal and sensitive data processing activities and that this policy is both current and appropriate.

The Data Protection Manager (we are not obligated to appoint a Data Protection Officer by law) has the following responsibilities in accordance with Article 39 of GDPR:

  • To inform and advise Cenit College and the employees who carry out processing of their obligations pursuant to GDPR and to other data protection legislation
  • To monitor compliance with the GDPR, with other data protection legislation and with the policies of Cenit College in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • To provide advice, where requested, as regards data protection impact assessment (DPIA) and to monitor their performance pursuant to Article 35 of the GDPR;
  • To cooperate with the Office of the Data Protection Commissioner;
  • To act as a contact point for the Office of the Data Protection Commissioner on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate with regard to any other matter.
  • To act as a liaison with the Office of the Data Protection Commissioner in connection with personal data breaches, when requested by Cenit College;
  • To have due regard, in the performance of his/her tasks, to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

1.5 Policy Statement

Cenit College processes and stores data in relation to the following;

  • Learners
  • Employees
  • Past employees
  • Applicants (employment and learners)
  • Services providers

Cenit College recognises that data should be processed, managed and stored according to the various EU and National GDPR legislation and is committed to carrying out this legislative requirement within its organisation. This policy and associated procedures, controls and measures ensure that all Cenit College employees and contractors are fully aware of their GDPR commitments. Furthermore, it ensures that they carry out their duties in accordance with the legislation and that, should any issue arise, the data protection officer is instantly informed so that any corrective action is taken immediately.

1.6 Data Protection Contact (Complaints and Enquiries)

All personal data enquiries should be made to the Cenit College Data Protection Manager at the following email address: dataprotection@cenitcollege.ie

Occasionally, a learner or stakeholder may request Cenit College to provide them with any personal information that Cenit College may hold about them. The provision of such information will be subject to the following:

  • The supply of appropriate evidence of their identity (Cenit College will usually require a notarised photocopy of the relevant person’s passport plus an original copy of a utility bill showing the requestor’s current address).

Cenit College may also withhold personal information that is requested to the extent that it is permitted to do so by legislation.

If a data subject is not satisfied with the information provided by Cenit College, or believes that their rights as a data subject have not been addressed, then that data subject can make a formal complaint to the Information Commissioner’s Office (ICO), who can be contacted as follows:

  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Phone: 0303 123 1113
  • Online: You can chat online with an advisor: https://ico.org.uk/global/contact-us/contact-us-public/public-advice/

1.7 Rights of the Data Subject

Under GDPR data subjects have increased rights and data controllers are required to notify data subjects of their rights. Individuals have the right to:

  1. Transparency of information. They should be informed about the collection and use of their personal data.
  2. Access their personal information where consent has been given.
  3. Withdraw consent, where consent is the legal basis for data processing
  4. Have a right to rectification, erasure and restriction of data processing and be notified when this has taken place
  5. Request the restriction or suppression of their personal data, in certain circumstances
  6. Data portability, allowing individuals to reuse their data across different services, where feasible
  7. Object to personal data processing, in certain circumstances

1.8 Consent for Data Processing

Pursuant to Article 7 of the GDPR legislation, where processing is based on consent, Cenit College will demonstrate that the data subject has consented to processing of his or her personal data. Where consent is given by the data subject (for example, the use of personal data for marketing purposes), Cenit College insists that this consent is given in writing. Such consent must be clearly presented and distinguished from all other types of information. This should be given in a form that uses clear and plain language. Such consent can be withdrawn at any time by the data subject. However, the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. Cenit College will ensure that the following protocols are implemented with regard to consent:

  • Consent will be in writing, with the date of consent recorded along with what the data subject was told at the time the consent was given
  • Data Subjects are asked to ‘opt in’; no prefilled boxes should be displayed.
  • Clear and plain language should be used on all forms and information sources
  • It shall be as easy to withdraw as to give consent.
  • The purpose for which the data is collected is explicit and lawful
  • Consent should be periodically reviewed to ensure currency and legitimacy of purpose

1.9 Third Party Processors

In its role as a Data Controller, Cenit College may contract a third party to process Personal Data on its behalf. In such circumstances a written contract is devised with the obligations regarding Personal Data clearly outlined. This must comply with GDPR practices. Cenit College will remain the Data Controller and is ultimately responsible for how the data is to be used.

1.10 Joint Data Controllers

There may be circumstances where Cenit College, in its role as Data Controller, may be the joint controller for personal data of data subjects. These circumstances are as follows:

  • QQI
  • Education and Training Boards
  • Department of Social Protection
  • Office of the Revenue Commissioners

In such instances each party will understand their obligations in relation to Personal Data, the purpose for which it is collected, processed, retained, and transmitted and the requirement to process the data in compliance with the GDPR. Irrespective of whether Cenit College acts as sole data controller or as joint data controller, data subjects may exercise their rights under GDPR in respect of Cenit College’s data controller obligations. Any joint controller must extend the same rights to the data subjects. In such cases, neither Controller is responsible for the data processing by the joint controller.

1.11 Data Collection Principles

In the course of its daily organisational activities, Cenit College acquires, processes, and stores personal data in relation to:

  • Learners
  • Employees
  • Past employees
  • Contracted Staff
  • Applicants (employment and learners)
  • Services providers

In accordance with Cenit College GDPR policy, this data must be acquired and managed fairly. Cenit College is committed to ensuring that all staff members are GDPR aware and have completed our own GDPR training programme. This programme will be retaken every year to ensure all staff update and refresh their awareness. Staff should thus be capable of identifying any data protection issues and of duly informing the data protection officer of same.

The following key principles are contained in the Cenit College GDPR policy and are inherent to the Cenit College Data Protection Policy. As a Data Controller, Cenit College ensures that all data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject. Cenit College will at all times safeguard the rights and freedom of the data subjects. The processing of data will be achieved in the following manner;
    1. The data collected must be justified i.e., legally, contractual necessity etc., and collected as part of the Cenit College’s lawful activities.
    2. Or it is collected through informed consent from the data subject.
    3. Where video or CCTV is used this information is available publicly.
    4. Data will not be disclosed to a third party other than to those who are contracting to Cenit College and operating on its behalf.
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes; Cenit College will fulfil this obligation by:
    1. Only obtaining data for purposes which are specific, lawful, and clearly stated.
    2. Cenit College must be able to clearly state the purpose for the data being processed.
    3. Allow the Data Subject the right to question the purpose(s) for which Cenit College holds their data.
  3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Cenit College will fulfil this obligation by ensuring their usage of the data will be compatible with the purposes for which the data was acquired.
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay. Cenit College will fulfil this obligation by;
    1. Ensuring that regular assessment of data accuracy is conducted through defined mechanisms such as audits, administrative and IT validation processes.
    2. Conducting periodic reviews and audits to ensure that relevant data is kept accurate and up to date.
    3. Ensuring that the data subjects have the means to verify the accuracy, currency and completeness of their personal data and are afforded the opportunity for corrective action if required.
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of the data subject. Cenit College will fulfil this obligation by;
    1. Developing a records retention policy that clearly outlines personal data retention periods. This retention period will be based on the data collection purpose and its legal basis. This will be published by Cenit College and strictly implemented.
    2. Conducting regular audits to ensure full compliance with the records retention policy
    3. Training staff in their responsibilities and obligations regarding retention of personal data
    4. Developing and implementing a policy that addresses the measures for the secure destruction, deletion or archiving of personal data at the end of the retention period.
  6. Processed to ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Cenit College will fulfil this obligation by;
    1. Employing appropriate standards of security in order to protect any personal data they hold. This includes measures to protect against unauthorised access, alteration, or destruction of such data.
    2. Ensuring that staff are trained to know their obligations and responsibilities regarding personal data.
    3. Ensuring that personal data can be accessed and managed only by permitted staff members with the given authorisation and password access.
  7. The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Cenit College will fulfil this obligation by;
    1. Appointing a Data Protection Officer, if applicable, who will ensure that all data records are adequately maintained, managed and secured. The Data Protection Officer will carry out data impact assessments where appropriate. Additionally, the Data Protection Officer will devise clear contracts with processors acting on their behalf.
    2. Devising internal policies, code of conduct and reporting breaches of data and implementing privacy policies.
    3. Carrying out periodic reviews of its accountability measures.
    4. Complying with other principles (which will assist accountability) such as implementing appropriate technical and organisational measures, having concise accessible transparency information, and having clear record retention policies.

1.12 Data Subjects Access Requests

Where a data subject submits a formal request in relation to data held by Cenit College, the access rights will be in favour of the Data Subject. Information regarding Data Access Requests is contained in Cenit College Data Access Request policy. Such requests are processed in a timely manner that will not exceed 30 days. Should a Data Processor fail to manage Cenit College’s data in a compliant manner this will be viewed as a breach of contract and may result in recourse to the legal system. Should any staff member of Cenit College fail to process Personal Data in compliance with this policy this may result in disciplinary proceedings being initiated against them. See the QA8.4 Data Subjects Access Request Policy for more detail.

1.13 Data Protection Impact Assessments (DPIA)

Article 35 of the GDPR legislation states that where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. Cenit College will carry out a DPIA when it is required or advised. GDPR recommends a DPIA in the following circumstances:

  1. When the processing of the personal data may result in a high risk to the rights and freedoms of the data subject
  2. Processing of large amounts of personal data
  3. Processing of special categories of personal data
  4. Where there is automated processing or profiling

Cenit College’s DPIA will include the following:

  1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Cenit College will review this DPIA to ensure it is current and legitimate.

1.14 Monitoring of this Policy

The QA Manager will monitor this policy as part of their annual QA audit to ensure currency and relevance of this policy. The Data Protection Manager, in conjunction with the Board of Directors, will monitor this policy on an ongoing basis using the following mechanisms:

  • Review of data protection enquiries, complaints, requests, breaches, withdrawals of consent.
  • Integration with other policies such as Privacy Statement, Subject Access Request Policy, Records Retention schedule.