University College Cork National University of Ireland, Cork Data Access Request Procedure 1
Document Location http://www.ucc.ie/en/ocla/comp/data/dataaccess/ Revision History Date of this revision: 28/02/2014 Date of next review: 28/02/2015 Version Revision Summary of Changes Number/Revision Date Number 1.1 17/06/13 Revised existing Data Access Procedures 2.0 16/08/13 Procedures completed 2.1 28/02/14 Fees no longer required (section 4) Consultation History Revision Consultation Names of Parties in Summary of Changes Number Date Consultation 1.1 11/06/13 N. Geary, J. FitzGerald Consulted with NG & JF No changes required 2.1 28/02/14 N. Geary, M. Farrell Fees no longer required Approval This document requires the following approvals: Name Title Date Approved Michael Farrell Corporate Secretary 23/09/2013 Michael Farrell Corporate Secretary 28/02/2014 This procedure shall be reviewed annually by the Information Compliance Officer in light of any legislative or other relevant developments who will consult as necessary before submitting any amendments for approval. 2
TABLE OF CONTENTS 1. INTRODUCTION... 4 2. PURPOSE OF THIS PROCEDURE... 4 3. PROCEDURE FOR MAKING A DATA ACCESS REQUEST... 4 Making an access request... 4 Fees... 4 Identification... 4 Submitting the request... 5 Right to complain to Data Protection Commissioner... 5 4. DEFINITIONS... 5 5. REVIEW... 6 6. FURTHER INFORMATION... 6 3
1. INTRODUCTION At University College Cork ( the University ) your privacy and data protection rights are very important to us. Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of personal data, in both paper and electronic format. The Data Protection Acts, 1988 and 2003 (the Data Protection Acts ), lay down strict rules about the way in which personal data and sensitive personal data are collected, accessed, used and disclosed ( processed ). Under section 4 of the Data Protection Acts, individuals ( data subjects defined below) are entitled to make a request for access to their personal data and have the right to have their personal data amended if found to be incorrect. 2. PURPOSE OF THIS PROCEDURE The purpose of this procedure is to ensure that the University complies with the access request provisions of the Data Protection Acts and to enable individuals to submit data access requests where required. 3. PROCEDURE FOR MAKING A DATA ACCESS REQUEST Making an access request If you wish to make a data access request, it must be in writing. There is no requirement to refer to the Data Protection Acts, but it will assist the University if you do so. Please complete and sign the application form and send it to UCC s Information Compliance Officer (address below). Alternatively, you may write to the Information Compliance Officer. Your letter or email (to foi@ucc.ie) should read something like: "Dear... I wish to make an access request under section 4 of the Data Protection Acts 1988 and 2003 for a copy of any information you keep about me, on computer or in manual form in relation to..." To help us to respond to your request, please be as specific as possible about the information you wish to access. Please include any additional details that would help to locate your information - for example, a staff or student number, names of departments/offices that you were associated with, etc. If you wish a third party to submit a data access request on your behalf (e.g. a family member or solicitor), you must provide written authorisation to allow the University to disclose your personal data to that third party. Fees No application fee is required to process your data access request. Identification In order to ensure that personal data is not disclosed to the wrong person, you may be required to provide proof of identity before any personal data is released to you. Acceptable forms of identification include: copy of passport or driving licence; staff/student ID card; copy of bank statement; copy of utility bill. Copies are acceptable in most cases, however we reserve the right to 4
ask to see original documents where necessary. If you are required to provide copies of such documents to the University, they will be securely destroyed once we have verified your identity. Submitting the request All requests for access to personal data held by University College Cork should be sent to: Catriona O'Sullivan Information Compliance Officer University College Cork 4 Carrigside, College Road Cork Tel: +353 (0)21 4903949 Email: foi@ucc.ie A decision on your request will be made within 40 days of receipt of your request. Right to complain to Data Protection Commissioner If you are unhappy with the outcome of your request, you may make a complaint to the Data Protection Commissioner (Canal House, Station Road, Portarlington, Co. Laois), who will investigate the matter for you. Further details on your rights under the Data Protection Acts are available on the Data Protection Commissioner's website www.dataprotection.ie 4. DEFINITIONS The following are some important definitions used in this procedure, taken from section 1 of the Data Protection Acts, with additional comments provided where appropriate: Data means information in a form which can be processed. It includes both automated data and manual data. Automated data means, broadly speaking, any information on computer, or information recorded with the intention of putting it on computer. Manual data means information that is kept as part of a relevant filing system or with the intention that it should form part of a relevant filing system. Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information is accessible. Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. Sensitive personal data receives greater protection under the Data Protection Acts and means personal data relating to - 5
(a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject, (b) whether the data subject is a member of a trade union (c) the physical or mental health or condition or sexual life of the data subject, (d) the commission or alleged commission of any offence by the data subject, or (e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings. Data subjects have additional rights in relation to the processing of any such data. Data subject is an individual who is the subject of personal data. Data controllers are those who, either alone or with others, control the contents and use of personal data. Data Controllers can be either legal entities such as companies, Government Departments or voluntary organisations, or they can be individuals such as G.P.s, pharmacists or sole traders. UCC, for example, is a data controller in relation to personal data relating to its own staff and students. Processing is widely defined under the Data Protection Acts and means performing any operation or set of operations on the information or data, including- (a) obtaining, recording or keeping data (b) collecting, organising, storing, altering or adapting the data, (c) retrieving, consulting or using the data, (d) disclosing the data by transmitting, disseminating or otherwise making it available, or (e) aligning, combining, blocking, erasing or destroying the data. 5. REVIEW This procedure has been approved by the Corporate Secretary, UCC. Any additions or amendments to this or related procedures will be submitted to the Corporate Secretary for approval or to whatever authority the Corporate Secretary may delegate this role. The procedure will be reviewed annually by the Information Compliance Officer in light of any legislative or other relevant developments who will consult as necessary before submitting any amendments for approval. 6. FURTHER INFORMATION If you have any queries in relation to this procedure, please contact: Catriona O Sullivan Information Compliance Officer Office of Corporate & Legal Affairs University College Cork Tel: 021 4903949 Email: foi@ucc.ie 6