Common Terms
Consent |
Means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her. In this context, “signifies” means that there must be some active communication between the parties. Thus, a mere non-response to a communication from the University cannot constitute Consent. |
Data Classification |
A process whereby information/data is classified in accordance with the impact of data being accessed inappropriately or data being lost. The resulting data classification needs to be applied when handling data. It is the responsibility of data owners to classify the data under their control. |
Data Controller |
Means a person or organisation who (alone or with others) determines the purposes for which and the manner in which any Personal Data are, or are to be, processed. A Data Controller can be the Sole Data Controller or a Joint Data Controller with another person or organisation or a Separate Data Controller. |
Data Processor |
‘processor’ means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller; It is possible for one University or person to be both a Data Controller and a Data Processor, in respect of distinct sets of Personal Data. |
Data Protection Commissioner |
Means the Office of the Data Protection Commissioner (DPC) in Ireland. |
Data Subject |
Refers to the individual to whom Personal Data held relates, including employees, students, customers, suppliers. |
Destruction |
Where the personal data no longer exists, or no longer exists in a form that is of any use to the Data Controller. |
Encryption |
The process of encoding information stored on a device that can add a further layer of security. It is considered an essential security measure where Personal Data is stored on a portable device or transmitted over a public network. |
GDPR |
Means EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the free movement of such Data. |
Loss |
Where the personal data may still exist, but the Data Controller has lost control of or access to it, or no longer has the data in its possession. |
Personal Data |
In Article 4 (1) of GDPR personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Examples of personal data include, but are not limited to:
|
Personal Data Breach |
In Article 4(12) of GDPR, a “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” |
Processing |
Means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. The terms “Process” and “Processed” should be construed accordingly. |
Restriction of processing |
Means the marking of stored personal data with the aim of limiting their processing in the future; |
Sensitive Personal Data |
Sensitive Personal Data (or Special Category Personal Data) relates to specific categories of data which are defined as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life, criminal convictions, or the alleged commission of an offence; trade union membership. |
Third Party |
Means an entity, whether or not affiliated with the University, that is in a business arrangement with the University by contract, or otherwise, that warrants ongoing risk management. These Third-Party relationships include, but are not limited to, activities that involve outsourced products and services, use of independent consultants, networking and marketing arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the University has an ongoing relationship. Third Party relationships, for the purposes of this Policy, generally do not include student or customer relationships. In Article 4(10) of GDPR a ‘Third Party’ means a natural or legal person, public authority, agency, or body, other than the data subject, controller, processor, and persons who, under the direct authority of the Data Controller of Data Processor, are authorised to Process Personal Data. |
Unauthorised or unlawful processing |
This may include disclosure of personal data to (or access to) recipients who are not authorised or do not have a lawful basis to have access to the personal data. |