Data Protection

Data Protection and GDPR

Information about individuals is stored on computers and in hard copy. This data ranges from basic contact information (eg names and email addresses) to sensitive personal information (eg date of birth, PPS number, and medical information), as well as information relating to academic programmes (eg re interviews, assignments, and assessments).

As organisations store and process such data, the General Data Protection Regulation (GDPR) addresses the fundamental right of every living person to control their personal information, and to have it adequately protected by any group processing and holding it. In Ireland, the GDPR is regulated by the Data Protection Commissioner (DPC).

GDPR

The General Data Protection Regulation (GDPR) (EU) (2016/679) is an EU Regulation that came into law in 2018, and all organisations must comply with its seven principles. The GDPR requirements for processing personal information must be carried out by all organisations operating within the EU. It also applies to organisations from jurisdictions outside the EU that offer goods and/or services to individuals in the EU.

The obligations of the GDPR apply to Data Processors, with particular responsibilities on Data Controllers, such as MIE. They decide how and why personal information is processed. The Controller has overall responsibility for ensuring compliance with GDPR, while the Processor is an individual who acts on the Controller’s behalf and under the Controller’s instructions.

Data Protection at MIE

Marino Institute of Education (MIE) acquires and processes personal information (data) of individuals who engage with the Institute (including students, staff, and members of the public) when carrying out its various functions. At MIE, the purposes of processing data include the organisation and administration of courses, examinations, research activities, staff recruitment and payment, and compliance with statutory obligations, etc.

As MIE collects and uses personal data in compliance with Data Protection legislation, a comprehensive Data Protection programme promotes a culture of best practice in Data Protection and GDPR awareness and compliance. Those who gather and process personal data on behalf of MIEmust comply with our data management procedures to avoid breaches of data protection legislation. Being compliant with the regulation will protect data subjects, the people we work with, and MIE's reputation.

Glossary

Data Processing

Any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, storage, use, sharing, erasure, or destruction (eg email communication; videoconferencing calls; online teaching, learning and assessment – including streaming and recording of classes; managing files containing personal data, in paper or electronic format).

Data Subject

A natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special Categories of Personal Data

Personal data which reveals a data subject’s racial or ethnic origin, political opinions, religious beliefs or philosophical beliefs, data relating to trade union membership, genetic data, biometric data for the purpose of uniquely identifying a data subject, data concerning health and data concerning a data subject’s sex life or sexual orientation.

Biometric data

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or finger prints.

Data Recipient

A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Consent

Any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law. MIE is a data controller in relation to personal data relating to its students and staff.

Data Processor

An entity which processes personal data on behalf of, and under instruction from, the data controller. In certain instances, MIE is a data processor when providing a service to another entity (eg analysis of data on behalf of a third party as part of a research project).

Third Party

A natural or legal person, public authority, agency or body other than the Data Subject, Data Controller or Data Processor which processes data under MIE’s direct authority.

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Supervisory Authority

An independent public authority which is established by a Member State (ref Article 51 of the GDPR). In Ireland, the Supervisory Authority is the Data Protection Commission.

Pseudonymisation

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable person.

Anonymisation

Irreversibly and effectively anonymised data is not ‘personal data’, and is not subject to data protection legislation. However, if the source data is not deleted at the same time that the anonymised data is prepared (ie where the source data could be used to identify an individual from the anonymised data), the data may be considered only ‘pseudonymised’ and still ‘personal data’.

Personal data

If someone can be identified directly or indirectly from information, then it should be considered as personal data which is subject to data protection law.

Examples of personal data include:

name
contact details (eg home address, phone number, email address)
online identifiers (eg IP address)
photographs, video images, voice recordings
date of birth/age
gender, birthplace, citizenship, ethnicity, nationality
signature (including e-signature)
PPS number
student/staff number
ID card
passwords, pass codes, PIN numbers, swipe card data (access controls)
location data
data concerning health
next of kin details
examination/assignment results
CV
qualifications, membership of professional associations
references
employment history including performance history/grievance/disciplinary details
trade union membership
personal financial data (eg bank account details, income, salary).

Key considerations

A number of issues should be considered when addressing matters relating to data protection… If you are unsure about any of these questions in the context of a task in hand, please contact the DPO who will be happy advise you.

Do you really need to process personal data to meet your objective? Are there alternative ways that the same objective could be achieved without processing personal data?
Could anonymised or pseudonymised data be processed instead of data which directly identifies individuals?
Are you familiar with the key principles of data protection?
Do you have a valid reason for processing the data?
Have you identified a legal basis for processing?
Do you know exactly what amount of data will be required to fulfil your objectives?
Has the data subject been informed of the processing, ie been issued with a Privacy Notice?
Have you taken all necessary measures to ensure that the personal data will be secure during the process?
Are you using software, systems, and processes under the control of MIE?
Have you determined an appropriate retention period for the data?
If sharing with third parties are the necessary contracts in place?
Are you planning to transfer the data outside the EEA? If so, do you have the necessary
safeguards/permissions in place to do this?
If you are setting up new systems or processes, have you conducted a Data Protection Assessment (DPA) or Data Protection Impact Assessment (DPIA) to measure risk associated with processing?
Have you completed training in data protection and IT security?

Principles

Care should be taken to process personal data in accordance with the core principles of data protection.

The GDPR (Article 5) sets out seven key principles of data protection, with which all organisations must comply. The GDPR Data Protection Principles set out the main responsibilities:

Lawfulness, fairness and transparency: The GDPR requires that personal data be processed lawfully, fairly and in a transparent manner in relation to individuals.
Minimisation: It must be collected and processed for specific, legitimate purposes only.
Purpose limitation: Any collected data should be limited to what is necessary for the purpose.
Accuracy: Personal data held by the organisation must be accurate, and rectified or erased if it is not accurate.
Storage limitation: It should be kept for no longer than is necessary for the purpose.
Integrity and confidentiality: Data needs to be processed in a secure manner, including protection against unauthorised or unlawful processing, as well as loss, destruction or damage.
Accountability: MIE is responsible for, and must be able to demonstrate, compliance with each of the principles of data protection when processing personal data.

Legal basis

The GDPR places direct data processing obligations on businesses and organisations across the EU. An organisation may only process personal data under an appropriate legal (lawful) basis, and must be based on one of the following legal grounds:

the consent of the individual concerned;
a contractual obligation between the organisation and the individual;
to satisfy a legal obligation;
to protect the vital interests of the individual;
to carry out a task that is in the public interest;
for your organisation’s legitimate interests, only if the fundamental rights and freedoms of the individual are not seriously impacted.

Those who gather and process personal data on behalf of MIEmust comply with data management procedures to avoid breaches of data protection legislation (ref MIE - Data Protection Policy and Procedures).

Data security

There are numerous cyber threats, the most common of which are

malware
phishing
ransomware
Internet of Things (IoT).

However, there are ways in which we can avoid them - by being proactive in PROTECTING our accounts, our devices, andour network.

Malware is malicious software, designed to damage and destroy computers and their systems, and includes viruses, worms, Trojan viruses, spyware, adware, and ransomware. It steals data surreptitiously in preparation for ‘next-stage’ attacks, ransoming, or theft, and can happen through websites, links, images, files, or advertising. At MIE, security systems are in place on MIE devices.

Please ensure your ‘updates’ are current on your work device.
Consider using multi-factor authentication, eg text a code.
Change any compromised passwords immediately, and do not use them again for any of your accounts.
Ensure that you have antivirus and malware software on your personal devices.

Phishing is when someone uses fake emails, texts or phone calls that seem to be from a familiar company or people that you know. These messages often present as urgent or even threatening. They may ask you to click on a link, open an attachment, or give personal information (such as passwords, account details, PPS numbers, or login IDs) so that they can install programmes that can access your computer and your accounts.

If you are in any way uneasy or suspicious about a message, follow your instinct and CHECK IT OUT… Do you know the person or company? Are there any spelling or grammar mistakes in the subject, sender’s address, content? Is the email from account you recognise? If unsure, hover over an email address to check
NEVER open attachments or click links unless you are 100% sure that the message is genuine.
Contact the individual, or the company directly (using a number or an email address that you know to be correct) to confirm that it is valid. Do not use the information from the text/email.
Finally, delete the message, and do not forward it to anybody else.

Ransomware is a type of malware that accesses files, and locks and encrypts them. Access is gained by the user clicking on attachments, etc that seem legitimate but actually contain malicious codes. Thereafter, the criminal can demand the victim to pay a ransom (usually money) to retrieve the files.

Protect your systems – install (and maintain) software such as antivirus, antimalware and firewalls on all personal devices connected to the internet.
Ensure that you backup your valuable data such as work documents, photos, etc.
Turn on two-step authentication – also known as two-step verification or multi-factor authentication – on accounts, where Two-factor authentication can be a text message to your phone or a token to a biometric like your fingerprint to provide enhanced account security.
Never open suspicious links – ‘when in doubt, throw it out’!

Consumer Internet of Things (IoT) refers to the billions of personal devices which are connected to the internet, and collect and share data, such as

smartphones,
cars,
wearable technologies,
healthcare devices,
home security systems,
lighting and appliance controls,
waste/recycling service monitors, etc.

It makes our lives easier, more efficient, and more effective in many ways, and has multiple and invaluable benefits. However, we cannot ensure these benefits unless we practice good ‘cyber hygiene’ by

protecting our personal devices
- use built-in security
- keep software updated;
protecting our accounts
- use long and unique passphrases for all accounts
- turn on multi-factor authentication (MFA);
protecting our personal networks
- use a network firewall
- configure privacy and security settings on a new ‘smart’ device.

Email best practice

Using Email safely and securely

Email, and MS Outlook, are valuable tools in our daily communication, both within and beyond our work and study. Emails and other online links have increasingly become the source of constant threat to data safety. We know that all such incidents could happen anywhere, thus reminding us of the need for particular vigilance.

This advice checklist will help you ensure that email messages are secure so that we in MIE can minimise the chance of data breaches as well as phishing, and ensure your MIE devices remain safe.

Before you click ‘Send’…

double-check that you are sending your message to the correct recipient’s address (*there may be two people with the same name in your address book!), are you sending it back to everyone, or just one person? ‘Reply’ or ‘Reply All’?
use ‘bcc’ (blind carbon copy) when emailing to wide group of recipients to conceal recipients’ addresses from each other;
review any email ‘thread’ to ensure that confidential information or personal/ sensitive data is not shared in error by forwarding messages from someone else for example
ensure that you are not using email to share documents, rather share a link from MS Teams or OneDrive;
note that a standard confidentiality waiver is included in all MIE emails;
be vigilant in checking for possible phishing scams, as they have become increasingly sophisticated. NEVER open an attachment or click on a link from an untrusted source - if it looks suspicious, it probably is. If you see something that you are unsure about, please take a screen shot of the email message (do not forward it) and send that picture to servicedesk@mie.ie or mie.ie/helpdesk.
keep all passwords secure, and change them regularly, as prompted by MIE’s Password Manager system. MIE uses Quest Password Manager tool and this automatically sends a reminder to @mie.ie addresses, in advance of your password expiration;
password should be strong and secure, using an alphanumeric and symbol mix (eg *use a mix of letters, numbers and symbols that are difficult for others to guess)
be cautious if connecting to non-MIE WiFi in public places – public and open WiFi networks are increasingly open to hacking of access to accounts;
to avoid unsolicited bulk mail,
- do not give your email address to sites that you do not trust;
- do not post your email address to public places online (eg message boards, etc);
do not use a personal email account for MIE matters;
avoid sending sensitive information by email;
in the event of an incident that involves personal data loss or disclosure, contact the DPO at dpo@mie.ie.

Dat protection at MIE

An invaluable element of data protection implementation at MIE is our network of support and engagement across the organisation.

A designated Data Protection Officer (DPO), who reports directly to the President,

assists in monitoring internal compliance with the GDPR;
provides advice and guidance on policy review and development;
oversees data protection awareness and training; and
delivers support and advice with regard to data protection laws and requirements.

All data protection queries should be directed to the DPO:

Eileen Jackson,

Data Protection Officer,

Marino Institute of Education (MIE),

Griffith Avenue,

Dublin 9,

D09 R232.

Email: dpo@mie.ie

Telephone: 01 853 5114

GDPR compliance at MIE is supported by specialist data protection consultants, who

provide a secure online platform for all data protection matters;
support development of processes to promote best practice;
advise on data protection laws and regulations;
facilitate online awareness and training.

Data Champions are nominated within departments throughout MIE and have a central role in effective data protection at GDPR implementation. Working closely with the DPO, their role is

to promote good data management and coordinate Data Protection compliance matters within their area of responsibility;
to be a point of contact for the DPO regarding Data Protection matters;
to identify and address organisational risks, as well as actions to mitigate and reduce future risks; and
to bring relevant Data Protection/GDPR to the attention of staff in their area.

The Leadership Team

support the development and implementation of policies and related practices and procedures;
act as Document Reviewers.

Heads of Department

raise awareness across the organisation; and
support awareness and training at departmental level.

The Quality Committee

review and develop policies and related documents.

All Staff

complete the mandatory eLearning data protection and GDPR awareness and training programme;
participate in ongoing additional awareness and training courses;
work to improve compliance throughout the organisation.

Students

engage in awareness and training courses across programmes throughout MIE.

Data protection and GDPR awareness and training at MIE

Awareness and training for staff and students is an important element in developing and nurturing a culture of best practice in data protection at MIE. An ongoing eLearning Data Protection and GDPR awareness and training programme is provided for staff and students. Several courses are available through the Institute's online platform, and include a number of individually focused modules.

Our online programme for staff includes:

mandatory courses for all staff
selected courses for specific departments, projects, etc.
occasional courses, eg keeping data safe on line (malware, ransomware, etc), and cyber security at home (including authentication factors, social media, IoT, online shopping, phishing, etc).

Course modules include:

GDPR principles
legislation and regulation
personal data
sensitive personal data
data subject rights
responsibilities
cyber security
protecting data privacy - using email safely
malware, phishing, ransomware, Internet of Things (IoT)
internet acceptable use
information and device security
phishing
subject access requests (SARs)
lawfulness
consent
data breach
data protection/GDPR in education settings.

The minimum mandatory training time for staff is 130 minutes, and includes

Overview of the main requirements of GDPR for organisations, types of data which need to be protected under the regulation, roles and responsibilities of the Data Controller and the Data Processor, key principles of Lawfulness and Accountability, individual rights guaranteed by GDPR, as well as practical precautions that staff can take and the procedure to follow in the event of a data breach.
Cybersecurity awareness, which aims to ensure a minimal risk of cyber-attacks and data breaches occurring at the Institute and includes a description of typical forms of malware that currently hit organisations, explains how to create safer internet use, data storage and personal devices. It includes a brief introduction to GDPR, the Data Protection Act and other legislation which regulates issues over data breaches and information security.
Data Subject Access Request (SAR) and Data Breach courses, which offer a detailed breakdown of how to complete the steps involved when dealing with data subject access requests (SARs), including explaining the requirements for a valid SAR and handling third party personal data, and explains a data breach and the related GDPR obligations and duties as well as the steps to be followed in the situation of a data incident or data breach.

Selected courses are completed by teams, departments, committees, projects, etc as required and may be coordinated by the DPO or Data Champions within departments, eg

Data Protection Impact Assessment (DPIA) – Why? How? (Leadership Team, Data Champions)
Data Protection by Design and Default (Data Champions)
GDPR and Children (MERC)

An online data protection and GDPR training programme for students includes

GDPR awareness
protecting data privacy - using email safely
malware, phishing, ransomware, Internet of Things (IoT)
data protection in schools or other education settings (pre-placement)
research projects.

All courses are available through MIE’s online platform.

Reporting of data breach/incident

Under GDPR, Article 4 (12), a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

With reference to GDPR, Article 33, if the personal data breach is likely to result in a risk to the rights and freedoms of data subjects, “the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority”, which, in Ireland, is the Data Protection Commission (DPC).

MIE has robust objectives and controls in place to prevent data breaches, and for managing them in the rare event that they do occur. Procedures and guidelines for identifying, investigating and notification of breaches are detailed in MIE’s Personal Data Breach Policy and Procedures, which aim to mitigate the impact of any data breaches and to ensure that the correct notifications are made in an efficient and timely manner. Such procedures (ref flowchart) include

identification of incident and initial assessment;
containment;
risk assessment;
notification and communication;
evaluation and response;
recording.

MIE’s Data Breach Incident Report Form is designed to assist in the process of addressing a suspected breach/incident.

Staff, students, or associated parties who discover a personal data breach, or suspect that a breach/incident has occurred, should inform the relevant MIE Head of School/Department and contact the DPO immediately. All emails should be marked ‘URGENT’.

It is very important that immediate action be taken on learning of a breach, or suspected incident that involves the disclosure/loss of personal data. As noted above, reporting timeframes are very restricted, and timelines include weekends and public holidays. Failure to comply with such requirements may result in regulatory sanction and related reputational damage to the Institute.

As appropriate and feasible, priority is given to informing individuals affected by the breach in order to reduce any resulting risks to privacy.

Following a data breach, a review will endeavour to ensure that the all appropriate steps were taken in addressing the breach, and to identify areas where attention is required (eg updating policies and/or procedures, awareness and training, or systematic issues), in order to reduce the risk of a reoccurrence of such a breach.

Enquiries

Data Protection Officer (DPO)

All data protection queries should be directed to the DPO:

Eileen Jackson,

Data Protection Officer (DPO),

Marino Institute of Education,

Griffith Avenue,

Dublin 9,

D09 R232.

Email: dpo@mie.ie

Telephone: 01 853 5114

Resources

MIE policies and related documents

All MIE policies and related documents are updated on a regular basis, and are available via the website's Quality Assurance section. The following documents relate to data protection and GDPR, and provide staff and students with guidance and support in order to ensure compliance in these areas, while other guidance is available from the DPO on request.

Data Protection Policy and Procedures

Data Subject Access Request (SAR) Policy and Procedures

Data Subject Access Request (SAR) Form

Data Subject Access Request (SAR) Form - Garda Síochána

Data Breach Policy and Procedures

Data Breach Incident Report Form

Data Protection Impact Assessment (DPIA) Practice and Procedures