In undertaking the business of LIT, we all create, gather, store and process large amounts of data on a variety of data subjects such as on students (both potential, current and former), staff, third parties and members of the public. Our use of personal data ranges from CCTV footage, financial transactions with commercial customers through to processing a student’s details throughout their journey, from application through to graduation.
Data protection legislation places obligations on LIT and the way it handles personal data. In turn the staff and students of the Institute have responsibilities to ensure personal data is processed fairly, lawfully and securely. This means that personal data should only be processed if we have a valid condition of processing (e.g. consent obtained from the data subject, or a contract with them) and we have provided information to the individuals concerned about how and why we are processing their information (i.e. a privacy notice). There are restrictions on what we are allowed to do with personal data such as passing personal information on to third parties, transferring information outside the EU or using it for direct marketing.
LIT has developed a number of policies that must be adhered to in order to comply with GDPR. These policies are available to download and read here.
This document is a brief introduction to the policies & can be used as a reference point to locate a policy & its requirements.
Data Protection Officer (DPO)
LIT, in meeting its data privacy commitments, have appointed a Data Protection Officer as the point of contact for all data privacy queries that you may have including subject access requests. You can contact the Data Protection Officer at firstname.lastname@example.org.
Personal Data Processing Principles
LIT has established the following high level principles relating to Data Protection in order to comply with GDPR requirements.
- Personal Data shall only be Processed fairly, lawfully and in a transparent manner (Principles of Lawfulness, Fairness and Transparency);
- Personal Data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further Processed in any manner incompatible with those purposes (Principle of Purpose Limitation);
- Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed (Principle of Data Minimisation);
- Personal Data shall be accurate, and where necessary kept up to date (Principle of Accuracy);
- Personal Data shall not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which the Personal Data are Processed (Principle of Data Storage Limitation);
- Personal Data shall be processed in a secure manner, which includes having appropriate technical and organisational measures in place to:
- Prevent and / or identify unauthorised or unlawful access to, or processing of, Personal Data; and
- Prevent accidental loss or destruction of, or damage to, Personal Data (Principles of Integrity and Confidentiality);
Outlined below (A-G) are a number of key terms and information on LIT’s commitment to data protection and data protection compliance.
A. Personal Data
Information which relates to a living individual who is identifiable either directly from the data itself or from the data in conjunction with other information held by LIT.
Examples of personal data include, but are not limited to:
- Name, email, address, home phone number
- The contents of an individual student file or HR file
- A staff appraisal assessment
- Details about lecture attendance or course work marks
- Notes of personal supervision, including matters of behaviour and discipline.
B. Sensitive Personal Data
Sensitive Personal Data (or Special Categories of Personal Data) relates to specific categories of data which are defined as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life, criminal convictions or the alleged commission of an offence; trade union membership.
C. Processing Data
Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms ‘Process’ and ‘Processed’ should be construed accordingly.
Means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her. In this context, “signifies” means that there must be some active communication between the parties. Thus, a mere non-response to a communication from the Institute cannot constitute Consent.
E. Personal Data Breach
A “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Examples of personal data breaches include:
- Loss or theft of data or equipment
- Inappropriate access controls allowing unauthorised use
- Equipment failure
- Unauthorised disclosure (e.g. email sent to the incorrect recipient)
- Human error
- Hacking attack
The Data Protection Commissioner must be notified without undue delay and not later than 72 hours after becoming aware of the breach.
Please refer to the Data Protection Incident Response & Breach Notification Policy for more information on data breaches.
F. Subject Access Requests and Data Subject Rights
Data Protection law gives data subjects the right to access personal information held about them by the Institute. The purpose of a subject access request is to allow individuals to confirm the accuracy of personal data and check the lawfulness of processing to allow them to exercise rights of correction or objection if necessary. However, individuals can request to see any information that LIT holds about them which includes copies of email correspondence referring to them or opinions expressed about them.
Data subjects have a number of rights under Data Protection Law. These include:
- Right of Access;
- Right to Rectification;
- Right to Erasure (sometimes referred to as the Right to be Forgotten);
- Right to Restriction of Processing;
- Right to Data Portability;
- Right to Object to Direct Marketing;
- Right to Object to Automated Decision Making, including Profiling.
Any requests made to invoke any of the rights above must be dealt with promptly and in any case within one month or receiving the request. Members of staff should consult the Data Protection Officer for all data requests.
Please refer to the Data Subjects Rights Policy and the Subject Access Request (SAR) Policy for more information on Subject Access Requests and Data Subject Rights.
G. Data Retention
Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. Once information is no longer needed it should be disposed of securely. Retention periods are set based on good practice guidance and on a legal basis.
Please refer to the Data Retention Policy for more information on data retention periods and disposal of data.