Privacy Notice
This is a statement of the practices of the Human Resources Department of Trinity College Dublin, The University of Dublin (the "University") of College Green, Dublin 2, Ireland in connection with the capture and the use of personal data and the steps taken by the University to protect your personal data and respect your right to privacy.
The University fully respects your right to privacy and actively seeks to preserve the privacy rights of those who share information with the University. Any personal information which you volunteer to the University will be treated with the highest standards of security and confidentiality, in accordance with Irish and European Data Protection legislation. The University shall process your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act 2018.
The privacy notice explains the following:
- How we collect and use personal data
- The purpose and legal basis for collecting personal data
- The length of time we keep your data
- How we store and secure personal data
- Special categories of data
- Details of third parties with whom we share personal data
- University Archives
- Will you be subject to profiling or fully automated decision making?
- What are your rights?
- Contact
If you have any queries about this privacy notice, please contact the Deputy Director of Human Resources.
How and why we collect personal data
The data we collect from you will be used by the University in accordance with the purposes outlined in this privacy notice. We collect personal data via website forms, written application forms and documents, email and phone enquiries and surveys. We also collect information via third parties such as the Revenue Commissioners, applicant referees and international affiliates.
Staff
We collect personal data for the purposes of recruitment and for the formation and administration of the contract of employment and employee relationship. Furthermore we may collect personal data for human resource and pension administration purposes in connection with your contract of employment. Additional personal data may be collected from staff when they register to use other services within the University e.g. Sports or Health Centre.
See Appendix 1.
Board and Council
We process the personal data of Board and Council members of the University for the formation and administration of the contract of service and service relationship. Additional personal data may be collected if you register to use other services within the University.
Service Providers
We process the personal data of service providers to the University for the formation and administration of the contract of service and service relationship.
Students
We process data relating to students as detailed in the table below. Additional privacy information for students is available from the Academic Registry website and will be included with the student's terms and conditions at registration.
Purpose for processing personal data
- Processing of payments of wages/salaries
- Statutory and other deductions
Category
Payroll
Legal basis for processing
Performance of a contract.
Statutory requirements.
Necessary to carry out the objects and functions under the Universities Act 1997 (as amended).
Members of the Public and Consumers
We collect data from members of the public in order to respond to enquiries, process transactions and administer some services.
Website Users
Information on internet traffic is collected routinely by the University and also at other points along the route in the internet (e.g. HEAnet, Lynda.com). This technical information is used to ensure the smooth running of the computer network in the University and for statistical or administrative purposes. It is NOT used to gather identifiable personal information on individual website visitors, except in so far as this is permitted by law and may be necessary in order to prevent or detect problems or offences in relation to the operation of the website.
CCTV
CCTV cameras are in operation on Campus in consultation with the Gardai in order to provide enhanced protection for students, staff and visitors as well as University buildings and facilities in the context of an open campus.
You can find more information in our CCTV Policy.
Photography
Photographs or videos of staff and students may be taken on Campus at official events such as graduation ceremonies. As a number of public events also take place on Campus the University will frequently take photographs or video at these events which may be shared on the University website or social media accounts. Where the use of photographs or video may not be reasonably expected by individuals the University will seek consent to publish photographs or video where it is practical to do so. Individuals have the right to object to the use of their photograph and should contact the event organiser in the first instance or the University Data Protection Officer, see contact details below.
Cookies
We use information gathered from cookies to help improve your experience of tcd.ie. Some cookies are essential so you can move around the website and use its features. Our website also contains third party cookies. You can refuse or consent to third party cookies when you first visit our website or by following the guidelines in our Cookie Policy. You can find more information in our Cookie Policy.
The purpose and legal basis for collecting your data
In order for the use of personal data to be lawful, it should be processed on the basis of either the consent of an individual concerned or another legal basis as set out in the General Data Protection Regulation or in the Data Protection Act 2018.
The University will ensure that your data is processed fairly and lawfully in keeping with the principles of data protection and will process personal data under various legal bases depending on the purpose for which the data is collected.
Specific information on the legal basis for processing your personal data will also be provided at the point of collection of personal data. These may include:
- Where the processing of personal data is a statutory function of the University as a public authority. The statutory functions of the University are set out in sections 12 and 13 of the Universities Act 1997 (as amended).
- Where the University is required to process personal data by law including the sharing of data with the Higher Education Authority or for complying with employment law.
- Where the processing of personal data is necessary for the formation of a contract with you;
- Where the processing of personal data is not related to the official functions of the University we may sometimes process personal data based on legitimate interests e.g. evaluating a candidate for a role.
- Where the University might need to protect your vital interests or those of another person e.g. where we know or have reason to believe that you may suffer harm.
- Generally, when using sensitive personal data the University will seek explicit consent for the processing of data except where another condition applies e.g. employment law, legal claims or medical diagnosis when using the College Health Centre.
The length of time we keep your data
The personal data that we collect from you and process will span a period starting during the recruitment process, throughout your relationship with the University and following the termination of the relationship with the University.
In keeping with the data protection principles we will only store your data for as long as is necessary and in accordance with our Records Management Policy and Records Retention Schedule (PDF).
How we store and secure your data
Any data we collect from you will be stored confidentially and securely as required by the University Information Security Policy. The University is committed to ensuring all accesses to, uses of, and processing of University data is performed in a secure manner.
When we store your personal data on our systems the data will primarily be stored either on the University premises and secure IT platforms within the European Economic Area (EEA) which are also subject to European data protection requirements.
We may store or share your data outside the EEA in the following circumstances:
- For processing international applications and sharing data with partner Universities.
- When using cloud services for the secure storage of data. Some cloud service providers store data in international data centres e.g. the US. The University will only use services which are compliant with the European General Data Protection Regulation and who satisfy the conditions for processing personal data outside the EEA.
- For research projects with other research partners where we have your consent to do so.
- If we are required to do so by law.
Special categories of data
The University processes special categories of data that relate to you in limited circumstances and in accordance with Data Protection Law. These are typically related to the ordinary course of human resources administration and would include the exercising of rights and performance of obligations under employment and social security law. The University will process special category data where necessary for the purposes of assessing the working capacity of employees and for the purposes of occupational and preventative medicine and ill health retirements. The University may, in certain circumstances, disclose certain special category data to occupational healthcare providers. Further, your special category data may be processed where
- it is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
- for reasons of substantial public interests,
- where it is necessary and proportionate for the performance of a function conferred by or under an enactment, and
- in relation to the management of medical risk and medical claims.
Details of third parties with whom we share personal data
The University will share your data with third parties where necessary for purposes of the processing and where there is a legal basis to do so. The University may share relevant personal data with the following categories of third parties:
- State or regulatory bodies including the Higher Education Authority, Department of Education and Skills, Department of Finance, Revenue, Department of Public Expenditure and Reform, Department of Social Welfare, Department of Justice and Equality.
- Research sponsors and external funding agencies.
- Research and academic partners.
- Potential employers where you have requested us to share your data.
- Your professional service providers where you have requested us to share your data.
- Occupational Health Providers and medical practitioners as specified in the Sick Leave Policy.
- Firms that provide professional services to the University such as legal firms and auditors.
- Firms and individuals that provide services to the University such as insurance brokers and providers and pension administrators.
- IT or cloud service providers that provide essential services to the University e.g. Microsoft.
- Firms that provide archiving and storage and disposal of confidential waste.
- Trade Unions when we are required to do so by law.
- An Garda Síochána when we are required to do so by law.
When we share your data with the third parties outlined here the University will endeavour only to share the data that is needed, that the data is only processed according to our specific instructions and that the same standards of confidentiality and security are maintained. Once the processing of the data is complete any third parties with whom data was shared will be required to return the data to the University save where they are required to retain it by law.
University Archives
One of the functions of the University is the curation of the University Archives, which comprise the University’s administrative, legal and historical records of archival value. This collection – whose earliest record is the foundation charter of 1592 – represents the corporate memory of TCD and is of important historical value. The University will process personal data of archival value in accordance with section 42 of the Data Protection Act 2018 which permits that personal data of archival value in the public interest may be retained. Personal data retained by the University for archival purposes in the public interest will be stored and secured in accordance with the principles of data protection.
Will you be subject to profiling or fully automated decision making?
You will not be subject to fully automated decision making or profiling.
What are your rights?
You have the following rights over the way we process your personal data. You will note that these rights are available subject to certain criteria and exceptions in accordance with data protection law.
Right of Access
You have the right to request a copy of the personal data we are processing about you and to exercise that right easily and at reasonable intervals.
Consent
You have the right to withdraw your consent where that is the legal basis of our processing.
Rectification
You have the right to have inaccuracies in personal data that we hold about you rectified.
Erasure
You have the right to have your personal data deleted where we no longer have any justification for retaining it subject to exemptions such as the use of anonymised data for scientific research.
Object
You have the right to object to processing your personal data if:
- We have processed your data based on a legitimate interest or for the exercise of the public tasks of the University if you believe the processing to be disproportionate or unfair to you.
- The personal data was processed for the purposes of direct marketing or profiling related to direct marketing.
- We have processed the personal data for scientific or historical research purposes or statistical purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Restriction
You have the right to restrict the processing of your personal data if:
- You are contesting the accuracy of the personal data;
- The personal data was processed unlawfully;
- You need to prevent the erasure of the personal data in order to comply with legal obligations;
- You have objected to the processing of the personal data and wish to restrict the processing until a legal basis for continued processing has been verified.
Portability
Where it is technically feasible you have the right to have a readily accessible electronic copy of your data transferred or moved to another data controller if we are processing your data based on your consent and if that processing is carried out by automated means.
Review
The Human Resources Privacy Notice will be reviewed from time to time to consider any changes in the law and the data protection practices of the University. You are required to regularly review this policy for changes and to make yourself aware of same.
Contact
If you have any queries relating to the processing of your personal data or if you wish to make a complaint or escalate an issue relating to any of your rights, you can contact the Data Protection Officer at dataprotection@tcd.ie or at:
Data Protection Officer
Secretary’s Office, Trinity College Dublin,
Dublin 2, Ireland.
+353 1 896 8486
Finally if you are not satisfied with the information we have provided to you in relation to the processing of your data or you can also make a complaint to the Data Protection Commissioner via the link in their website Making a Complaint to the DPC.
Appendix 1
Recruitment related data
Data Elements
Personal data collected as part of the recruitment process. This includes contact details, date of birth, curriculum vitae, work and educational details, referee names, interview notes and related documentation.
Purpose for processing personal data
The data is collected in order to complete the recruitment process and to assess candidate suitability for the role.
Legal basis for processing the data
The data processing is necessary to execute effective recruitment processes and in order to carry out the objectives and functions under the Universities Act 1997. It is also necessary as follows:
- Performance of a contract
- Statutory requirement
- In the vital interest of the individual
- Legal claims
- Permitted by section 42 of the Data Protection Act 2018
If an applicant does not provide the data required Trinity College may be unable to consider their employment application.
Categories of recipients
The information may be shared with Government Departments & Agencies. HSE & Hospitals where joint appointment take place and other external agencies who provide services to Trinity College HR e.g. HR Advisors, Legal Advisors, Pension Advisors, Board of Assessors, Overseas Externs, Referees, Occupational Health Partner(s).
Payroll related data
Data Elements
Personal data collected and retained includes: Name, PPSN, salary details, marriage status/tax status, working hours, annual leave, exclusion orders This may include special categories of personal data.
Purpose for processing personal data
This data is processed for payment purposes.
Legal basis for processing the data
In order for the HR to perform their contractual obligations arising from employment contracts, they must have on file payment information relating to data subjects. This data is also retained by consent. The data subject has expressly provided their data to be used for this purpose.
Categories of recipients
This information may be shared with Government Departments & Agencies and other external agencies who provide services to Trinity College HR, e.g. HR Advisors, Legal Advisors, Pension Advisors, Occupational Health Partner(s).
Employee Services – personal data
Data Elements
The relevant personal data contained in the personnel file may include contracts of employment and HR records including contact details, PPSN, payment details, bank account details, working hours, annual leave, disciplinary sanctions, performance improvement plans, public holiday records, emergency contact details, family details for benefits entitlement, learning and development data, applied under various Trinity College Policies and all other relevant documents necessary in fulfilment of Trinity College’s statutory functions, legal obligations and objects under the Universities Act 1997 (as amended).
Purpose for processing personal data
This data is processed to comply with employment, pensions and social protection laws, to ensure that terms and conditions of employment are properly adhered to and managed and to defend and prepare for legal cases.
Legal basis for processing the data
The processing is necessary to comply with various employment and social protection laws. The processing is also necessary for the performance of the employment contract and in the legitimate business interests of the University.
Emergency contact and/or Next of Kin details are collected from employees to protect employees’ vital interests in the event of an accident or emergency. This processing is necessary for the performance of Trinity College’s statutory functions in the public interest.
If the individual does not supply the requested data, Trinity College may be unable to continue their employment.
Categories of recipients
The information may be shared with Government Departments & Agencies and other external agencies who provide services to Trinity College e.g. HR Advisors, Legal Advisors, Pension Advisors, Occupational Health Partner(s).
Promotions and Probations data
Data Elements
The personal data held as part of this process includes: Performance review records, promotions & progressions information, probation information
Purpose for processing personal data
This data is retained in pursuance of complying with a contractual entitlement. As part of the employment contract, it is a power vested in the employer to assess employees for the purposes of progressing within the organisation. This data is further retained for legitimate interest (might be public interest). It is an essential aspect of the workings of a University that they can assess the progress and capabilities of their employees for the purposes of progression.
Legal basis for processing the data
The process is necessary for Trinity College to support an effective probation and promotions process in line with the objects and functions under the Universities Act.
If an applicant does not provide the data Trinity College may be unable to consider their application for promotion.
Categories of recipients
Internal Access: HR Staff, Relevant Managers
External Access: External assessors
Pension Data
Data Elements
The relevant personal data contained in the personnel file may include contracts of employment and HR records including contact details, PPS number, payment details, bank account details, working hours, annual leave and public holiday records, emergency contact details, family details for benefits entitlement etc. This may include special categories of personal data.
Purpose for processing personal data
This data is retained by contract. As part of the employment contract, the employer has a pension scheme in place. This data is also retained by consent whereby the data subject has expressly provided their data for the purposes of opting into the pension scheme.
Legal basis for processing the data
The processing is necessary to comply with pension laws and for the performance of the pension contract with the employee. The processing is also necessary for the performance of the employment contract. Processing of special categories of personal data is carried out for pension purposes in line with the Data Protection Acts.
The consequences for the individual of not providing the data is that Trinity College may be unable to administer their pension.
Categories of recipients
The information may be shared with Government Departments & Agencies and other external agencies who provide services to Trinity College, e.g. HR Advisors, Legal Advisors, Pension Advisors, Occupational Health Partner(s).
General Data – Grievance, Disciplinary, Performance Improvement Plans, Research Integrity Investigations and/or Dignity and Respect Investigations
Data Elements
All information gathered during these processes shall be processed.
Purpose for processing personal data
The data is used to ensure employee complaints are fairly and properly investigated in accordance with natural justice and relevant University policies and to enable Trinity College to fulfil its statutory functions, meet its legal obligations and achieve its objects under the Universities Act 1997 (as amended).
Legal basis for processing the data
The processing is necessary to apply fair procedures to any employee investigation, for the performance of the employment contract, to achieve the legitimate interests of Trinity College and to meet Trinity College’s legal obligations as an employer.
Categories of recipients
The information may be shared with Government Departments & Agencies and other external agencies who provide services to Trinity College e.g. Independent investigators, HR Advisors, Legal Advisors, Pension Advisors, Occupational Health Partner(s).
Medical information
Data Elements
Medical data which may be processed by Trinity College in the course of employment. This may include sick certificates, sick leave records, sick pay records, occupational health assessments etc.
Purpose for processing personal data
The purpose that this data is used for is to manage employee absences, to manage sick pay in accordance with the contract of employment, to allow the company to assess the fitness to work of relevant employees and to assess qualification for payments under the Critical Illness Protocol and Temporary Rehabilitation Remuneration (TRR) as permitted by data protection law.
Legal basis for processing the data
The processing is necessary to assess, subject to appropriate safeguards, the working capacity of the employee and to carry out obligations and exercise rights under employment law and to achieve the legitimate business interests of Trinity College and to meet Trinity College’s legal obligations as an employer.
Categories of recipients
The information may be shared in limited circumstances with Government Departments & Agencies and other external agencies who provide services to Trinity College, e.g. HR Advisors, Legal Advisors, Pension Advisors, Occupational Health Partner(s).
General Data - Termination of employment
Data Elements
The following termination related information may be processed, e.g. resignation letters, exit interviews, reference letters etc.
Purpose for processing personal data
This data is used to manage the termination of the employment relationship properly
Legal basis for processing the data
The processing is necessary to comply with the employment contract and in accordance with Trinity College’s legal obligations to properly manage the termination of the employment relationship in line with company policies.
Categories of recipients
The information may be shared with Government Departments & Agencies and other external agencies who provide services to Trinity College’s , e.g. Independent investigators, HR Advisors, Legal Advisors, Pension Advisors, Occupational Health Partner(s).
Email and internet usage
Data Elements
This may include emails stored in an employee’s email inbox and data relating to an employee’s browsing history and IT usage.
Purpose for processing personal data
The purpose for which the data may be used is, for example, to protect against the dangers associated with e-mail and internet use and to ensure employees are using such systems in accordance with Trinity College policies.
Legal basis for processing the data
The processing necessary in connection with Trinity College’s statutory functions and objects under the Universities Acts to manage employee performance and ensure the security of e-mail and internet.
Categories of recipients
The information may be shared with Government Departments & Agencies and other external agencies who provide services to Trinity College, e.g. HR Advisors, Legal Advisors, Occupational Health Partner(s).