1.1.1 ESG Standard: Information Management
ESG standard 1.7
Institutions should ensure that they collect, analyse and use relevant information for the effective management of their programmes and other activities.
1.1.2 Purpose
The purpose of this policy is to set out the principles underpinning the College’s management of Data for the purposes of:
- Ensuring the College collects, analyses and uses relevant data to facilitate informed decision-making and the enhancement of the internal quality assurance system.
- Ensuring the College’s collection, storage, processing and retention of data falls under the EU’s General Data Protection Regulation (GDPR) and fulfils the College’s obligations under GDPR and Irish legislation pertaining to data protection.
1.1.3 Scope
This is an overarching policy, and it applies to all staff, faculty, associate faculty and third parties that may be involved in the College’s use of Data.
1.1.4 Policy Statement
The College will ensure that decision-making is informed by the analysis of reliable information and data, and that this process supports the College’s quality enhancement agenda. The information gathered for this purpose will reflect the context and mission of the College.
The College is committed to only collecting and processing data for purposes that are lawful, fair and necessary for the purposes of programme provision or the fulfilment of the College’s legal obligations. The College respects the privacy and Data Protection rights of its students, staff, and any other persons whose data it holds, and commits to complying with its obligations under all relevant legislation. The College processes data lawfully, for specified purposes.
Processing shall be considered lawful only if and to the extent that at least one of the following applies:
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Data will be stored safely and securely by the College, in a format suitable to processing. Data will be disclosed solely to the subject of the data and individuals authorised to process the data. Data retention will adhere to the College’s Data Retention Schedule and data will be retained for no longer than is necessary for legal, administrative, financial or historical purposes.
Risk assessments are an essential part of data protection. The College produces Data Risk Assessment Reports. These Reports:
- Identify threats that could breach GDPR and thus indirectly affect the College’s reputation and assets.
- Identify and rank the value, sensitivity, and criticality of data by determining the level of risk that data carries if threatened.
- Apply cost-effective actions to mitigate or reduce the risk.
Areas included are:
- College IT systems.
- College Website and Social Media Platforms.
- Online Learning Platforms.
- Data Processing Systems and Operations.
The College does not require all staff members to be experts in relation to data protection legislation. However, the College will ensure that all staff receive sufficient training to be able to recognize data protection issues they may encounter in the course of their duties and respond appropriately. It is the responsibility of all employees and authorised agents of the College to ensure they have the competence, training and experience to comply with the data protection policy and procedures outlined in the College’s QA Manual.
1.1.5 Responsibility
- The Director of Academic Programmes is responsible for the preparation of reporting templates and ensuring that data used for reporting, monitoring and benchmarking is robust, transparent and traceable.
- All Staff, faculty and associate faculty are responsible for the implementation and execution of the policy and associated procedures.
- All Students and Staff are responsible for reporting any suspected breaches of their personal data to the Data Protection Representative.
- The Admissions Office is responsible for overseeing the admission of learners to programmes under the oversight of the Director of Academic Affairs.
1.1.6 Related Legislation, Regulation or Guidelines
- The Data Protection Act 1998 (The Principal Act)
- The Data Protection (Amendment) Act 2003
- The Data Protection Bill 2017, and any subsequent published Act
- Data Protection Act 2018
- The General Data Protection Regulation (GDPR) 2018
- ePrivacy Directive 2019
- Core Statutory Quality Assurance Guidelines 2016 (QQI)
- Sector Specific (Independent/Private) Statutory Quality Assurance Guidelines 2016 (QQI)
- Policies and criteria for the validation of programmes of education and training 2017 (QQI)
- Policy and Criteria for Making Awards 2014 (QQI)
- Standards and Guidelines for Quality Assurance in the European Higher Education Area (ESG, 2015)