Close icon
Close icon

Information Compliance Office


All information retained by Mary Immaculate College is subject to the provisions of relevant legislation, principally; Freedom of Information Act 2014 and Data Protection legislation, including the General Data Protection Regulation and Data Protection Acts 1988 to 2018.

Both sets of legislation lay down rules for the collection, storage and management of information. These statutes also provide for the safeguarding of stored data as well as for access to information personal to individuals or which should be disclosed in the public interest (in accordance with certain exemptions).

This section sets out how MIC organises and administers information in compliance with statutory requirements such as the Freedom of Information Act and the General Data Protection Regulation (GDPR). 

You will also find information on how to access your personal data or other records retained by the College.

For specific Freedom of Information and Data Protection queries, feel free to email and respectively, or contact the staff members below.

Freedom of Information & Data Protection Officer
Elaine Mulqueen
+353 61 204511


Professor Gary O'Brien

Vice-President of Governance and Strategy
Information Compliance Office
  • Phone: +353 61 204332
  • Email:
  • Location: 109

Elaine Mulqueen

Director of Information Governance & Compliance Management
Information Compliance Office
  • Phone: +353 61 204511
  • Email:
  • Location: 110

Catherine Rooney

Information Compliance Manager
Information Compliance Office
  • Phone: + 353 61 204342
  • Email:
  • Location: G44

Don Davern

Information Compliance Office
  • Email:
  • Location: R54 (Res Block)

Data Protection

General Data Protection Regulation (GDPR)

The GDPR came into force on 25 May 2018, replacing the existing data protection framework under the EU Data Protection Directive.

Data Protection is the means by which the privacy rights of individuals are safeguarded in relation to the processing of their personal data. The Data Protection Acts and the General Data Protection Regulation (GDPR) confer rights on individuals as well as placing responsibilities on those persons processing personal data.

Under the GDPR you have the right to be given a copy, clearly explained, of any of your personal data kept on computer or manual relevant filing systems simply by making a written request. If you wish to access your personal data held by MIC please complete the Subject Access Request (SAR) form here and the Information Compliance Office will be in touch in due course.

To help us answer your request please be as specific as possible about the information you wish to see, and give as much information as you can to help us find it. You are legally entitled to a decision regarding your request within 30 days of the College receiving your request. However every effort will be made by the College to deal with your request as soon as possible. You will be asked to provide proof of your identity.

See below for more specific information on filing a request.

To request certain information about you that MIC has on record, please complete the Subject Access Request form available here.

If you are unhappy with the decision you have the right to complain to the Data Protection Commissioner who will investigate the matter for you. The Commissioner has legal powers to ensure that your rights are upheld.

Further details on your rights under the Data Protection Acts are available at the Data Protection Commissioners website.

Office of the Data Protection Commissioner
3rd Floor, Block 6
Irish Life Centre
Lower Abbey Street
Dublin 1

T: + 353 1 8748544
F: + 353 1 8745405

Freedom of Information

Regulations were signed into law on 22 October 2001 by the Minister for Finance providing for the extension of the Freedom of Information (FOI) Act 1997 to Mary Immaculate College. Requests already received will be treated as valid from this date.

The FOI Act establishes three new statutory rights:

  1. A right for each person to access information held by public bodies 
  2. A right for each person to have official information relating to him/herself amended where it is incomplete, incorrect or misleading
  3. A right to obtain reasons for decisions affecting her/himself.

These rights are supported by an internal review and an external appeal procedure (Office of the Information Commissioner). The following records come within the scope of the Act:

  • All records held by the College which were created after the commencement date of the Act, i.e. 21 April 1998
  • Personnel records of staff created since 21 April 1995 or earlier if it is being used adversely against a staff member
  • All records relating to personal information held by the College irrespective of when created. Personal information is defined as information that would ordinarily be known only to the individual or their family or friends, or information given to the College on the understanding that it would be treated as confidential.

The purpose of the act is to ensure that publicly funded organisations are accountable to the general community. The following information is intended to advise you of preparations made by Mary Immaculate College for the implementation of this act which will not only affect academic and administrative areas within the College but also those who are under a contract for services to the College.

The Freedom of Information (Amendment) Act 2003 came in to force on 11 April 2003. This Act introduced a number of important amendments to the 1997 Act. A copy of the Freedom of Information (Amendment) Act 2003 can be accessed here.

The Freedom of Information Act 2014, was signed by the President on Tuesday, 14 October 2014, and became effective on that day, subject to certain commencement dates for the specific provisions set out in section 1 of the Act. The FOI Act 2014 can be found here.

Please be aware that the transitional provisions in section 55 of the 2014 Act provide that any action commenced under the 1997 Act but not completed before the commencement of the 2014 Act shall continue to be performed and shall be completed as if the 1997 Act had not been repealed. This means that if an FOI request was made before 14 October 2014, any subsequent review application (up to and including appeals to the Courts) will have to be dealt with under the 1997 Act.

The Act will not impose changes in the College's objectives or functions. It will, however, mean:

  • The processing of requests for access to information within strict time limits
  • The publication of information about the College's functions, structure, the services it provides, the records it holds and of all procedures, practices and guidelines used in decision-making
  • Some changes in the way in which records are created, maintained and used and the way in which decision-making processes and their outcomes are formulated and recorded

Section 8 of the Freedom of Information Act 2014 requires FOI bodies to prepare and publish as much information as possible in an open and accessible manner on a routine basis outside of FOI, having regard to the principles of openness, transparency and accountability as set out in Sections 8(5) and 11(3) of the Act. This allows for the publication or giving of records outside of FOI provided that such publication or giving of access is not prohibited by law. The scheme commits FOI bodies to make information available as part of their normal business activities in accordance with this scheme.

Please find MIC's FOI Publication Scheme below. If the information you require cannot be found here, you may wish to conduct a search on the MIC website, or contact the Freedom of Information Office email:

MIC Publication Scheme

The College will assist people with special needs in making a request under the Act. 


Information Compliance Office


The Freedom of Information Act 2014 requires Freedom of Information (FOI) bodies such as Mary Immaculate College to publish a disclosure log, which contains details of the types of requests received under FOI since January 2015 and the decisions made by the body in response to those requests. The link to this disclosure log can be found below:

MIC's FOI Disclosure Log

Disclosures are listed in order of the date the request was received by MIC. Please note that, for privacy reasons, identifying information such as the name of the requester is not included in the disclosure log.

Records Management

In order to ensure compliant and efficient records management, the College operates a system for the controlled retention and disposal of all personal data and corporate records.

Under the Data Protection Act 2018, controllers of personal data must ensure that the personal data of individuals is only retained for as long as is necessary and for the purposes for which they were collected. Section 71 (7) (iv) of the Data Protection Act 2018 requires controllers of personal data to carry out periodic reviews of the need for the retention of that data. Retention periods are governed by a variety of factors, including but not limited to legislation, contract and best practice.  Some records may be initially retained for a set period after which they may be either archived or destroyed. Records retention schedules provide a framework within which retention periods can be set and reviewed for individual classes of data.

The MIC Records Retention Schedule categorises the various record types held by the College for administrative purposes and specifies the retention periods and disposal instructions for all such records in line with legal obligations and best practice. This schedule will be reviewed periodically.  

MIC Records Retention Schedule

Policies & Procedures


See below for specific information relating to privacy statements, policies and rights.

Any queries or concerns you may have about the processing of personal information on this website should be addressed to:

Elaine Mulqueen

Data Protection Officer
T: +353 61 204511 

The College fully respects your right to privacy and actively seeks to preserve the privacy rights of those who share information with the College. The College will not collect any personal information about you on this website without your permission, except as may be required or permitted by law. Any personal information which you volunteer to the College will be treated with the highest standards of security and confidentiality, in accordance with the Data Protection Act 1988, The Data Protection (Amendment) Act 2003 and the General Data Protection Regulation.

Any information which you provide in this way is not made available to any third parties, and is used by the College only in accordance with the purpose for which you provided the information and will only be retained for as long as required for the purpose. This is normally stated on the webpage where the information is requested and should be self-explanatory. However, if you have any specific queries about the purpose for which your information is to be used, you should contact our Data Protection Officer before submitting the information.

Pursuant to the General Data Protection Regulation, you have certain rights to obtain a copy of the data held about you. Any such requests should be made in writing to the Data Protection Officer at the address set out below. For further details on your data privacy rights, please refer to

This statement should not be construed as a contractual undertaking. The College reserves the right to review and amend this statement at any time without notice and you should therefore re-visit this webpage from time to time.

Queries and Concerns

Any queries or concerns you may have about the processing of personal information on this website should be addressed to:

Elaine Mulqueen

Freedom of Information Officer / Data Protection Officer
T: +353 61 204511 

© Copyright Mary Immaculate College

The information contained in these web pages is, to the best of our knowledge, true and accurate at the time of publication, and is solely for informational purposes.

Mary Immaculate College accepts no liability for any loss or damage howsoever arising as a result of use of or reliance on this information, whether authorised or not.

The College (in conjunction with the University of Limerick) reserves the right to suspend, alter or initiate programmes, exams and regulations at any time by giving such notice as may be determined by the College in relation to any such changes.

The information found on personal pages/staff profiles should not be considered official material from Mary Immaculate College and the College does not accept any responsibility for its accuracy or otherwise.

Key Data Protection Points for Researchers

This guide is intended to provide guidance to MIC research postgraduate students on the key data protection points to consider when conducting research that involves personal data. The guide will provide relevant definitions, points to consider, MIC policies, procedures and guidance. The guide should not be construed as legal advice and any queries you may have should be taken up with Mary Immaculate Research Ethics Committee (MIREC) and/ or Information Compliance Office (ICO).

It is acknowledged that postgraduate research is more likely to be of higher risk from a data protection perspective than research conducted as part of an undergraduate programme. However, the key points in this guide still apply.

All researchers are encouraged to complete the MIC GDPR online training modules and can contact to receive a link to the online training.

All researchers should familiarise themselves with MIC Data Protection Policy and the MIC Research Integrity Policy. Researchers should also visit the ICO Student Portal page to find a copy of the MIC Research Privacy Notice Template and the Guidance on Completing the Research Privacy Notice Template.

All researchers using personal data for their research must be aware and comply with the Data Protection Acts 1988 to 2018 and General Data Protection Regulation (EU) 2016/679.

Personal data means any information about a living individual (data subject), where that individual is either identified or identifiable. Personal data can cover various types of information such as name, date of birth, email address, phone number, IP address, residential address, physical characteristics and location data. Personal data does not have to be in written form. It can also be information about what a data subject looks or sounds like e.g., photos or audio/ video recordings. For more about personal data, visit the Data Protection Commission website here.

Certain types of sensitive personal data, called ‘special categories’ are subject to additional protection under the General Data Protection Regulation (GDPR), and their processing is generally prohibited, except for where specific requirements are met, such as having explicit consent, as set out in Article 9 of the GDPR. Special categories of personal date include racial or ethnic origin, political opinions, religious beliefs, genetic data, medical data, biometric data and sexual orientation.

Any data that is fully anonymised is not considered to be personal data and therefore data protection rules and principles need not apply. However, any data that is pseudo-anonymised and could be reversed, therefore meaning the data subject could possibly be identified, is still deemed to be personal data and all of the relevant data protection rules and principles apply.

If personal data is to be collected, obtained, stored and processed as part of a research project, there must be an appropriate legal basis for processing the data and then it must be done so fairly and lawfully in keeping with the rules and principles of data protection as set out in the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation (EU) 2016/679.


The primary responsibility for ensuring that the proposed research is conducted in a manner keeping with the principles of data protection and best practice lies with the researcher/ research team. ICO will provide advice and guidance, but it is not responsible for its practical implementation, nor does it sign off or approve research proposals.


All MIC postgraduate researchers should complete the MIC GDPR online training and can contact to arrange training.

Data Protection Principles

There are seven principles of data protection to be complied with where personal data is obtained or processed. Guidance on the seven principles can be found at the Data Protection Commission website

From a research perspective three of the more important principles are:

1. Data Minimisation

Only request the minimum amount, and categories, of personal data needed to perform the research. Each category of personal data shall be adequate, relevant and limited from a research perspective. If you cannot justify the personal data collected, then do not request, collect or process it.

2. Lawfulness, fairness and transparency

Any personal data used for research must be obtained and processed lawfully, fairly and transparently. There should be no surprise to research participants in relation to the use of their personal data. In advance of any data collection, researchers must provide research participants with a Research Privacy Notice which informs research participants of the following:

  • The purpose of the research
  • The legal basis under GDPR
  • Who is collecting the personal data
  • With whom that personal data may be shared (and whether it will be transferred outside EEA)
  • The methods being used
  • How long data will be retained (or criteria to establish the retention period if this is not possible)
  • Rights of individuals in terms of their personal data, including the right to lodge a complaint with the Data Protection Commission
  • Contact information of the MIC Data Protection Officer (DPO) and Principal Investigator
  • The existence of automated decision making, including profiling (if applicable)

Contact to request a Template Research Privacy Notice and the MIC guidance document on how to complete a Research Privacy Notice.

3. Integrity and confidentiality

It is the responsibility of the researcher/ research team to process personal data that ensures appropriate security, protection against unauthorised disclosure or accidental loss. It is important that access rights to personal data are strictly confined to those who have been granted access. The type of security applied to the personal data will depend on the context, with special categories of personal data requiring a more robust level of security.

  • Check the data is accurate
  • Collect no more data than is necessary for the purpose of the research project
  • Pseudonymise or anonymise personal data (unless it would impair your research)
  • Keep the data only for as long as necessary (as short as possible)
  • Erase or rectify data without delay if requested by a research participant
  • Keep data safe and secure in line with ICT Security Policy
  • Keep records of all data collected
  • If engaging with any Data Processors, please contact to put a DPA in place (Article 28 GDPR)
  • If your research involves engaging with a joint data controller e.g., if another university is sharing in the control of the data, please contact to put a Data Sharing Agreement (DSA) in place (Article 26 GDPR)
  • Do not transfer data outside EEA without consulting the MIC DPO
  • Contact to complete a pre-screening Data Protection Impact Assessment (DPIA) checklist questionnaire
  • Conduct a DPIA if the research is considered high risk
  • Notify any data breaches to the DPO without undue delay by emailing

For further guidance see the European Commission Checklist here.

For information on anonymisation and pseudonymisation see the DPC Guidance Note

Access to Information on the Environment (AIE) Regulations

How to Access Environmental Information held by MIC

You have the right to access environmental information held by, or for, public bodies, such as Mary Immaculate College (College), under the Access to Information on the Environment (AIE) Regulations 2007 to 2018. The Regulations provide a definition of environmental information and outline the manner in which requests for information may be submitted to public bodies. The Regulations also provide for a formal appeals procedure in the event that a person is unhappy with a decision on their request.

The European Communities (Access to Information on the Environment) Regulations 2007 (S.I. 133 of 2007) came into effect on 01 May 2007, repealing previous legislation in place since 1998. Three statutory instruments (S.I. 662 of 2011, S.I. 615 of 2014 and S.I. 309 of 2018) revised the Regulations further. Collectively, they may be referred to as the European Communities (Access to Information on the Environment) Regulations 2007 to 2018. The Department of the Environment, Climate and Communications have published a consolidation of the Regulations which can be found here.

The definition of "environmental information" in the Directive and in the Regulations is broad. It covers information "in written, visual, aural, electronic or any other material form" and identifies six separate categories of information dealing with:

  • The state of the elements of the environment (e.g., air, water, soil, land, landscape, biological diversity);
  • Factors affecting, or likely to affect, the elements of the environment (e.g., energy, noise, radiation, waste, other releases into the environment);
  • Measures designed to protect the elements of the environment (e.g., policies, legislation, plans, programmes, environmental agreements);
  • Reports on the implementation of environmental legislation;
  • Analyses and assumptions used within the framework of measures designed to protect the environment; and
  • The state of human health and safety, the food chain, cultural sites and built structures inasmuch as they may be affected by the elements of the environment.

AIE Regulations operate in parallel with the Freedom of Information Act 2014. While both legislations are broadly similar (with respect to environmental information), the AIE Regulations and the FOI Act differ in that a wider range of public bodies are covered by AIE Regulations than by FOI legislation. There are also material differences between both legislation codes in terms of the grounds under which access to information can be refused.

Applications for Access to Information on the Environment should be sent to:

Information Compliance Office


When making a request for information under the AIE Regulations you are required to:

  • State that the application is being made under the AIE Regulations and submit it in writing to
  • Provide your contact details
  • State, in terms that are as specific as possible, the environmental information required, and specify the form and manner of access desired (e.g., Do you wish to seek photocopies? Do you wish to view the original documents? etc.).

 Normally you will be notified of the decision on your request within one month of its receipt.

Under the AIE Regulations we may refuse to give you access to environmental information on certain grounds:

  • International relations, national defence or public security
  • The course of justice (including criminal inquiries and disciplinary inquiries)
  • Commercial or industrial confidentiality
  • Intellectual property rights
  • Material in the course of completion
  • Internal communications of public authorities
  • The request is considered to be unreasonable, due to the volume or range of information sought
  • The request is too general
  • The material is not yet completed

We must refuse to give you access to environmental information on other grounds listed below (subject to the provisions of Article 10):

  • Personal information
  • Information supplied by a third party on a voluntary basis
  • Protection of the environment to which information relates
  • Confidentiality of the proceedings of public authorities

If your original request for environmental information was refused wholly or partially, or if you consider that your request was not properly dealt with in accordance with the provisions of the AIE Regulations, you may, not later than one month following the receipt of the decision of the College, request the College carry out an internal review the decision in part or in whole. No fee will be charged for the internal review process.

A written outcome of the review informing you of the decision, the reason for the decision and advice on your right of appeal to the Commissioner for Environmental Information will be issued to you within one month of the date of receipt of the request.

A written appeal should be submitted to the Commissioner for Environmental Information at the following address:

Office of the Commissioner for Environmental Information
6 Earlsfort Terrace
Dublin 2
D02 W773

Telephone: 01 6395689                 


Further contact details and information on the Commissioner's Office are contained on the Office of the Commissioner for Environmental Information website at As of December 2014, the AIE Regulations provide that a fee of €50 must be charged for an appeal to the Commissioner for Environmental Information. However, provision is also made for a reduced appeal fee of €15 for medical card holders and their dependents and also for people, not party to the original request for access to information, who are appealing a decision to release information which they believe will affect them.

If you have any queries on the above or require assistance in making a request, please contact the College Information Compliance Office, by email at

  • About
  • Staff
  • Data Protection
  • Freedom of Information
  • Records Management
  • Policies & Procedures
  • Key Data Protection Points for Researchers
  • Access to Information on the Environment (AIE) Regulations