Contents.
1. Personal Data
2. OHC in the context of the GDPR
3. Who to contact in OHC about your Personal Data
4. Personal Data collected by OHC and How it is used
5. Sharing Personal Data
6. Data Transfer Outside of the EU
7. Data Security
8. Your Rights as a Data Subject
Introduction
OHC respects the privacy and preserves the privacy rights of all those who share information with OHC.
Information is collected for a specific purpose and OHC commit to only using data for the purpose for which it was collected and retaining that data only for as long as is required for that specific purpose.
If you have any questions regarding your data or how it can be accessed, please contact the Data Protection Officer by writing to the institute address or by email to hello@ohc.com This statement explains how we collect, use, share and protect your personal data.
1.1 Personal Data
Personal Data is any information concerning or relating to a living person who is either identified or identifiable, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. The aim of this statement is to inform OHC’s data subjects, and potential data subjects, of how we process personal data and the legal basis we rely on for doing so.
• the principles of GDPR
• OHC Dublin in the context of GDPR
• who to contact in OHC about your personal data• what personal data OHC collects and how it is used
• sharing personal data
• the arrangements for transfer of data to countries outside of the EEA
• how OHC keeps your data safe
• how OHC stores personal data and how it’s destroyed
• your rights in relation to your personal data
The principles of GDPR state that personal data must:
• Be processed fairly and lawfully
• Be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
• Be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
• Be accurate and, where necessary, kept up to date.
• Not be kept for longer than is necessary.
• Be processed in accordance with the rights of data subjects under the act.
• Be kept secure with appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
• Not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
1.2 OHC in the context of the GDPR
OHC Dublin is a data controller under the GDPR and, as such is responsible for deciding how it processes personal data of data subjects and in doing so complies with the GDPR. Under GDPR, OHC is obliged to notify data subjects of the information contained within the Statement. The Privacy Statement is accessible via links in all relevant handbooks.
1.3 Who to Contact in OHC about your Personal Data
All personal data enquiries, or requests to exercise your rights as a data subject, should be directed to the Centre Manager, OHC 2/3 Merrion Square, Dublin 2. hello@ohc.ie.
If you are not satisfied with the outcome a complaint may be made to the supervisory authority:
Office of the Data Protection Commissioner, 21 Fitzwilliam Square South, Dublin 2, D02 RD28
• Telephone +353 (01) 7650100 or 1 800 437737
• Or by webforms: https://www.dataprotection.ie/en/contact/how-contact-us
• Email info@dataprotection.ie
1.4 Personal Data collected by OHC and How it is Used
7¡0¡7.Website.
Data subjects that interact with the OHC website will have data collected from them. Data relating to browsing activity, collected through the use of cookies, web beacons and pixel tags and similar technologies, can include:
• IP (internet protocol) address; referring site URL (website address) where the data subject’s session started, and details about the data subject’s device, including type (e.g., mobile or tablet), brand, model, operating system name and version, browser name, version, language and protocol, and other unique numbers assigned to a device (e.g., IDFA on iPhone, Google ID on Android);
• details about the pages visited and activities on those pages (e.g., products viewed or purchased, including details of purchases made and the time and duration of visits to pages), page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page;
• using a data subject’s IP address, the approximate geolocation (e.g., eircode); and • events relating to ads served on the data subject, such as the number of ads displayed to the data subject and whether the data subject clicked on an ad.
7¡0¡8.Marketing.
OHC will collect personal data for the purpose of informing data subjects of information and events that may be of interest to them where explicit consent to do so has been provided or in the legitimate interests of the business. You may opt out from all marketing information through following the directions contained within that information or contacting the data protection contact detailed in this Statement.
7¡0¡9.Enquiries.About.Programmes.or.Employment.Vacancies.at.OHC.
When a potential student, an employer or a parent / family member enquires about a programme at OHC, or an individual enquires about potential employment in OHC, we will need to collect and use personal data from you to respond to your enquiry. This is limited to name, address, and contact telephone number, postal and or email address, education and or employment history. This information is collected on the legal basis that it is within our legitimate interests as an education provider and an employer to use this personal data to allow enquirers to receive a response to requests for information.
7¡0¡0.Applications.for.Programmes.or.Employment.Vacancies..
To apply for a programme of study or an employment vacancy in OHC, the institute will collect personal data to assist in responding to your application, to allow the institute to check you meet the criteria for admission to the programme or for the vacancy advertised. This is limited to name, address, date of birth, contact telephone number, postal and or email address, education and or employment history nationality, first language, and whether, the applicant is a national of the European Union. Applicants for programmes of study are also requested to provide details of next of kin. Where this is provided, OHC accepts that the applicant has secured the consent of the next of kin to provide those details to the Institute for the use in an emergency. Applicants are also encouraged o disclose any information about their health that we may need to be aware of to make reasonable accommodations. Again, this information is processed based upon contractual necessity. It is disclosed at the discretion of the applicant but may impact on our ability to fulfil the contract and thus render it void if not disclosed at this stage. In some instances, information may be collected through a third party e.g., recruitment
agents. In such cases OHC understands that the applicant has authorised the third party to share the information with OHC and to consider the application in the same way as a direct application.
7¡0¡❶.Registering.with.OHC.and.Enrolling.on.a.Programme.
To enrol on a programme of study, OHC will use the information obtained as part of the application process but will also require gender, term time address (if not already provided), copies of certificates, PPS number, visa / GNIB card details (if applicable), credit card or payment details, copies of identity documentation, and a photograph of you. This information is collected on the legal basis of contractual necessity, meaning it allows us to take the required steps that would allow us to enter a contract as requested by the data subject. It is also collected for the purpose of fulfilling our legal obligations in respect of visa holding students under immigration legislation and in respect of arrangements for the Protection of Enrolled
Learners. Photographs are collected, and a student number is issued, to facilitate the provision of a student card in the legitimate interest of the Institute needing to assure itself of the identity of individuals on institute premises for health, safety, and welfare purposes and to validate student identity for access to services and completion of examinations and assessments.
7¡0¡❷.As.a.Registered.OHC.Student.
As a registered student OHC will collect your personal data to enable us to advise you of services and supports available to you and to communicate with you about any changes in relation to agreements with you e.g., timetable changes. OHC will collect personal data for quality assurance monitoring and reporting in respect of student satisfaction, progression, completion, and achievement. This data processing is undertaken on the legal basis of contractual necessity and in OHC’s legitimate interests as a provider of education programmes required to undertake monitoring of the programmes and learner experience. OHC will collect the personal data relating to the attendance of individual students in classes
and examinations. This data collection is undertaken based on contractual necessity (for examinations and assessments), due to legal obligations (for visa holding students) and based on legitimate interest to facilitate operation of programmes and the institute. OHC collects the images, through the institute CCTV system, of all individuals who access OHC premises. This is in the legitimate interest of Institute security and the health, safety and welfare of staff, students, and visitors. Furthermore, it is used as a means of ensuring the security, reliability and integrity of examinations and exam processes.
7¡0¡❸.As.an.Employee..
As an employee of OHC we will use the personal data provided through the application process and will also request your PPS Number, bank account details, and next of kin information for use in an emergency. These are collected based on contractual necessity. Where next of kin information is provided, OHC accepts that the employee has sought the consent of the named individual for the sharing of their data for this purpose. Personal data of employees may also be
used for the effective management and operation of the business. Wherever possible this will be anonymised. Where that is not possible, it will only be shared with those who need to know for the fulfilment of legitimate interests, contractual necessity, or legal obligations. Information about health and wellbeing may be collected during employment, in relation to employee absence or accommodation requests. This is collected and processed to enable the institution to perform the contract entered. Similarly, information will be collected and processed in relation to professional development, research, and scholarly activity. This is based on the legitimate interests of the institute where staff development is required to be
monitored and reported on to accreditation bodies. OHC collects the images, through the institute CCTV system, of all individuals who access OHC premises. This is in the legitimate interest of Institute security and the health, safety and welfare
of staff, students, and visitors. Furthermore, it is used as a means of ensuring the security, reliability and integrity of examinations and exam processes.
7¡0¡❹.As.a.Former.Employee..
On termination of employment with OHC, the Institute will retain indefinitely such personal data as is required to continue its fulfilment of legal obligations in respect of record keeping, revenue and payroll records. It will also retain contact details to enable the completion of contractual obligations and based on the legitimate interests of the Institute whereby follow-up communication may be required for the ongoing operation and management of the business. In normal cases, after a period of 12 months following termination of contract, the personal data of former employees will comprise of name, address, telephone number, email address, date of birth, PPSN, payroll history, P60s and P45 statements, dates of employment, details of position(s) held.
Performance management records, appraisal records, interview notes, annual leave records, sick leave and medical certification, and records of professional development will normally be securely destroyed 12 months after the termination date. Email accounts, user accounts for OHC services will be deactivated immediately, except by mutual agreement, and the account will be closed within 2 weeks of termination.
7¡0¡❺.Visitors.to.OHC.
Personal data, including CCTV images, name, contact details and or association, pertaining to visitors to OHC will be collected in the legitimate interests of the Institute and also to comply with legal obligations in respect of health, safety and welfare of visitors, students and staff.
7¡0¡76.All.parties..
In rare and exceptional circumstances OHC may use personal data to protect the vital interests of the student / employee/ visitor. Similarly, OHC may use personal data when it is in the public interest e.g., in cases of reportable incidents or illnesses where a data subject refuses or fails to provide personal data that is required by the institution for legitimate reason under GDPR, this may impact on the ability of the Institute to fulfil its contractual agreement with you and can result in the cancellation of that contract and the associated provision of service. This will be communicated at the time should the matter arise.
1.5 Sharing Personal Data
As a student or employee of OHC we will share your personal data with third parties where there is a lawful bases for doing so. Under the GDPR, the lawful bases are:
1. Consent: the data subject has given clear consent to OHC to process their personal data for a specific purpose.
2. Contract: the processing is necessary for a contract OHC holds with the data subject, or because the data subject has requested OHC to take specific steps before entering a contract e.g., reference checks, communication with INIS.
3. Legal obligation: the processing is necessary for OHC to comply with the law.
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for OHC to perform a task in the public interest or for OHC’s official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for OHC’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
1.6 Data Transfer Outside of the EU
In all instances of personal data transfer to countries outside of the EU, OHC will seek to agree a transfer, or set of transfers, only where the transfer satisfies one or more of the following:
• The transfer is made with the individual’s informed consent.
• The transfer is necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request.
• The transfer is necessary for the performance of a contract made in the interests of the individual between the controller and another person.
• The transfer is necessary for important reasons of public interest.
• The transfer is necessary for the establishment, exercise or defence of legal claims.
• The transfer is necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or
• The transfer is made from a register which under Irish or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).
1.7 Data Security
Personal data can be breached or compromised when it is lost, damaged, accessed and/or altered by unauthorised sources, used for purposes other than that which it was collected for, retained longer than the purpose warrants, or shared without authorisation or legal basis. OHC implements a range of mechanisms to protect the personal data that it retains. These include:
• Restricted access to personal data to designated roles, relevant to the role and in accordance with the purpose for the data collection.
• Appropriate technical security measures – password protection, encryption, firewalls, back-ups etc.
• Publication and implementation of policies and procedures to protect personal data
• Use of secure physical storage – lockable cabinets and rooms
• The provision of staff training Implementation of data protection audits
• Risk assessment of any third-party data processing on behalf of OHC.
7¡❸¡7.Data.Storage.and.Disposal.
Personal data is retained only for as long as is necessary to fulfil the purpose it was obtained for and will not be used for purposes beyond that. Retention periods as deletion, archiving or destruction methods are documented in the Records Retentions Policy. Individual responsibilities are assigned for the destruction of data in accordance with the policy. OHC takes all reasonable steps to ensure personal data is accurate and up to date. Staff and students are encouraged to notify the relevant department, or the data protection contact in this Statement, of any required updates, or inaccuracies requiring correction in respect of their personal data. Data subjects requiring specific information about their personal data can
contact the data protection contact outlined in this Statement. Records and personal data may be retained for a longer period than that specified in retention schedules in cases of internal or external dispute and legal cases.
1.8 Your Rights as a Data Subject
Under GDRP data subjects have increased rights and data controllers are required to notify data subjects of their rights. This Statement seeks to fulfil the obligation for OHC to notify you of those rights. Individuals have the right to:
• be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
• withdraw consent, where consent is the legal basis for data processing
• access their personal data (a data subject access request).
• have inaccurate personal data rectified or completed if incomplete.
• have personal data erased (the right to be forgotten) in certain circumstances
• request the restriction or suppression of their personal data, in certain circumstances
• data portability, allowing individuals to reuse their data across different services, where feasible
• object to personal data processing, in certain circumstances
To exercise any of these rights, please use the data protection contact details provided in this Statement. Where we require additional information from you to verify your identity and the legitimacy of the request or to establish the specific reasons for the request to enable OHC to respond appropriately, we will do so in a timely manner. There is normally no fee applied in respect of any rights requests.
Test your English