Information Compliance Office
All information retained by Mary Immaculate College is subject to the provisions of relevant legislation, principally; Freedom of Information Act 2014 and Data Protection legislation, including the General Data Protection Regulation and Data Protection Acts 1988 to 2018.
Both sets of legislation lay down rules for the collection, storage and management of information. These statutes also provide for the safeguarding of stored data as well as for access to information personal to individuals or which should be disclosed in the public interest (in accordance with certain exemptions).
This section sets out how MIC organises and administers information in compliance with statutory requirements such as the Freedom of Information Act and the General Data Protection Regulation (GDPR).
You will also find information on how to access your personal data or other records retained by the College.
General Data Protection Regulation (GDPR)
The GDPR came into force on 25 May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
Data Protection is the means by which the privacy rights of individuals are safeguarded in relation to the processing of their personal data. The Data Protection Acts and the General Data Protection Regulation (GDPR) confer rights on individuals as well as placing responsibilities on those persons processing personal data.
Under the GDPR you have the right to be given a copy, clearly explained, of any of your personal data kept on computer or manual relevant filing systems simply by making a written request. If you wish to access your personal data held by MIC please complete the Subject Access Request (SAR) form here and the Information Compliance Office will be in touch in due course.
To help us answer your request please be as specific as possible about the information you wish to see, and give as much information as you can to help us find it. You are legally entitled to a decision regarding your request within 30 days of the College receiving your request. However every effort will be made by the College to deal with your request as soon as possible. You will be asked to provide proof of your identity.
See below for more specific information on filing a request.
If you are unhappy with the decision you have the right to complain to the Data Protection Commissioner who will investigate the matter for you. The Commissioner has legal powers to ensure that your rights are upheld.
Further details on your rights under the Data Protection Acts are available at the Data Protection Commissioners website.
Office of the Data Protection Commissioner
3rd Floor, Block 6
Irish Life Centre
Lower Abbey Street
T: + 353 1 8748544
F: + 353 1 8745405
Freedom of Information
Regulations were signed into law on 22 October 2001 by the Minister for Finance providing for the extension of the Freedom of Information (FOI) Act 1997 to Mary Immaculate College. Requests already received will be treated as valid from this date.
The FOI Act establishes three new statutory rights:
- A right for each person to access information held by public bodies
- A right for each person to have official information relating to him/herself amended where it is incomplete, incorrect or misleading
- A right to obtain reasons for decisions affecting her/himself.
These rights are supported by an internal review and an external appeal procedure (Office of the Information Commissioner). The following records come within the scope of the Act:
- All records held by the College which were created after the commencement date of the Act, i.e. 21 April 1998
- Personnel records of staff created since 21 April 1995 or earlier if it is being used adversely against a staff member
- All records relating to personal information held by the College irrespective of when created. Personal information is defined as information that would ordinarily be known only to the individual or their family or friends, or information given to the College on the understanding that it would be treated as confidential.
The purpose of the act is to ensure that publicly funded organisations are accountable to the general community. The following information is intended to advise you of preparations made by Mary Immaculate College for the implementation of this act which will not only affect academic and administrative areas within the College but also those who are under a contract for services to the College.
The Freedom of Information (Amendment) Act 2003 came in to force on 11 April 2003. This Act introduced a number of important amendments to the 1997 Act. A copy of the Freedom of Information (Amendment) Act 2003 can be accessed here.
The Freedom of Information Act 2014, was signed by the President on Tuesday, 14 October 2014, and became effective on that day, subject to certain commencement dates for the specific provisions set out in section 1 of the Act. The FOI Act 2014 can be found here.
Please be aware that the transitional provisions in section 55 of the 2014 Act provide that any action commenced under the 1997 Act but not completed before the commencement of the 2014 Act shall continue to be performed and shall be completed as if the 1997 Act had not been repealed. This means that if an FOI request was made before 14 October 2014, any subsequent review application (up to and including appeals to the Courts) will have to be dealt with under the 1997 Act.
The Act will not impose changes in the College's objectives or functions. It will, however, mean:
- The processing of requests for access to information within strict time limits
- The publication of information about the College's functions, structure, the services it provides, the records it holds and of all procedures, practices and guidelines used in decision-making
- Some changes in the way in which records are created, maintained and used and the way in which decision-making processes and their outcomes are formulated and recorded
Section 8 of the Freedom of Information Act 2014 requires FOI bodies to prepare and publish as much information as possible in an open and accessible manner on a routine basis outside of FOI, having regard to the principles of openness, transparency and accountability as set out in Sections 8(5) and 11(3) of the Act. This allows for the publication or giving of records outside of FOI provided that such publication or giving of access is not prohibited by law. The scheme commits FOI bodies to make information available as part of their normal business activities in accordance with this scheme.
Please find MIC's FOI Publication Scheme below. If the information you require cannot be found here, you may wish to conduct a search on the MIC website, or contact the Freedom of Information Office email: FOI@mic.ul.ie
The College will assist people with special needs in making a request under the Act.
Freedom of Information Officer/ Data Protection Officer
T: +353 61 204511
The Freedom of Information Act 2014 requires Freedom of Information (FOI) bodies such as Mary Immaculate College to publish a disclosure log, which contains details of the types of requests received under FOI since January 2015 and the decisions made by the body in response to those requests. The link to this disclosure log can be found below:
Disclosures are listed in order of the date the request was received by MIC. Please note that, for privacy reasons, identifying information such as the name of the requester is not included in the disclosure log.
In order to ensure compliant and efficient records management, the College operates a system for the controlled retention and disposal of all personal data and corporate records.
Under the Data Protection Act 2018, controllers of personal data must ensure that the personal data of individuals is only retained for as long as is necessary and for the purposes for which they were collected. Section 71 (7) (iv) of the Data Protection Act 2018 requires controllers of personal data to carry out periodic reviews of the need for the retention of that data. Retention periods are governed by a variety of factors, including but not limited to legislation, contract and best practice. Some records may be initially retained for a set period after which they may be either archived or destroyed. Records retention schedules provide a framework within which retention periods can be set and reviewed for individual classes of data.
The MIC Records Retention Schedule categorises the various record types held by the College for administrative purposes and specifies the retention periods and disposal instructions for all such records in line with legal obligations and best practice. This schedule will be reviewed periodically.
Policies & Procedures
See below for specific information relating to privacy statements, policies and rights.
Any queries or concerns you may have about the processing of personal information on this website should be addressed to:
Data Protection Officer
T: +353 61 204511
The College fully respects your right to privacy and actively seeks to preserve the privacy rights of those who share information with the College. The College will not collect any personal information about you on this website without your permission, except as may be required or permitted by law. Any personal information which you volunteer to the College will be treated with the highest standards of security and confidentiality, in accordance with the Data Protection Act 1988, The Data Protection (Amendment) Act 2003 and the General Data Protection Regulation.
Any information which you provide in this way is not made available to any third parties, and is used by the College only in accordance with the purpose for which you provided the information and will only be retained for as long as required for the purpose. This is normally stated on the webpage where the information is requested and should be self-explanatory. However, if you have any specific queries about the purpose for which your information is to be used, you should contact our Data Protection Officer before submitting the information.
Pursuant to the General Data Protection Regulation, you have certain rights to obtain a copy of the data held about you. Any such requests should be made in writing to the Data Protection Officer at the address set out below. For further details on your data privacy rights, please refer to www.dataprotection.ie.
This statement should not be construed as a contractual undertaking. The College reserves the right to review and amend this statement at any time without notice and you should therefore re-visit this webpage from time to time.
Queries and Concerns
Any queries or concerns you may have about the processing of personal information on this website should be addressed to:
Freedom of Information Officer / Data Protection Officer
T: +353 61 204511
© Copyright Mary Immaculate College
The information contained in these web pages is, to the best of our knowledge, true and accurate at the time of publication, and is solely for informational purposes.
Mary Immaculate College accepts no liability for any loss or damage howsoever arising as a result of use of or reliance on this information, whether authorised or not.
The College (in conjunction with the University of Limerick) reserves the right to suspend, alter or initiate programmes, exams and regulations at any time by giving such notice as may be determined by the College in relation to any such changes.
The information found on personal pages/staff profiles should not be considered official material from Mary Immaculate College and the College does not accept any responsibility for its accuracy or otherwise.
Key Points for MIC Researchers
This guide is intended to provide guidance to MIC research postgraduate students on the key data protection points to consider when conducting research that involves personal data. The guide will provide relevant definitions, points to consider, MIC policies, procedures and guidance. The guide should not be construed as legal advice and any queries you may have should be taken up with Mary Immaculate Research Ethics Committee (MIREC) and/ or Information Compliance Office (ICO).
It is acknowledged that postgraduate research is more likely to be of higher risk from a data protection perspective than research conducted as part of an undergraduate programme. However, the key points in this guide still apply.
All researchers are encouraged to complete the MIC GDPR online training modules and can contact Dataprotection@mic.ul.ie to receive a link to the online training.
All researchers should familiarise themselves with MIC Data Protection Policy and the MIC Research Integrity Policy. Researchers should also contact Dataprotection@mic.ul.ie for a copy of the MIC Research Privacy Notice Template and the Guidance on Completing the Research Privacy Notice Template 2023.
All researchers using personal data for their research must be aware and comply with the Data Protection Acts 1988 to 2018 and General Data Protection Regulation (EU) 2016/679.
Personal data means any information about a living individual (data subject), where that individual is either identified or identifiable. Personal data can cover various types of information such as name, date of birth, email address, phone number, IP address, residential address, physical characteristics and location data. Personal data does not have to be in written form. It can also be information about what a data subject looks or sounds like e.g., photos or audio/ video recordings. For more about personal data, visit the Data Protection Commission website here.
Certain types of sensitive personal data, called ‘special categories’ are subject to additional protection under the General Data Protection Regulation (GDPR), and their processing is generally prohibited, except for where specific requirements are met, such as having explicit consent, as set out in Article 9 of the GDPR. Special categories of personal date include racial or ethnic origin, political opinions, religious beliefs, genetic data, medical data, biometric data and sexual orientation.
Any data that is fully anonymised is not considered to be personal data and therefore data protection rules and principles need not apply. However, any data that is pseudo-anonymised and could be reversed, therefore meaning the data subject could possibly be identified, is still deemed to be personal data and all of the relevant data protection rules and principles apply.
If personal data is to be collected, obtained, stored and processed as part of a research project, there must be an appropriate legal basis for processing the data and then it must be done so fairly and lawfully in keeping with the rules and principles of data protection as set out in the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation (EU) 2016/679.
The primary responsibility for ensuring that the proposed research is conducted in a manner keeping with the principles of data protection and best practice lies with the researcher/ research team. ICO will provide advice and guidance, but it is not responsible for its practical implementation, nor does it sign off or approve research proposals.
All MIC postgraduate researchers should complete the MIC GDPR online training and can contact Dataprotection@mic.ul.ie to arrange training.
Data Protection Principles
There are seven principles of data protection to be complied with where personal data is obtained or processed. Guidance on the seven principles can be found at the Data Protection Commission website.
From a research perspective three of the more important principles are:
1. Data Minimisation
Only request the minimum amount, and categories, of personal data needed to perform the research. Each category of personal data shall be adequate, relevant and limited from a research perspective. If you cannot justify the personal data collected, then do not request, collect or process it.
2. Lawfulness, fairness and transparency
Any personal data used for research must be obtained and processed lawfully, fairly and transparently. There should be no surprise to research participants in relation to the use of their personal data. In advance of any data collection, researchers must provide research participants with a Research Privacy Notice which informs research participants of the following:
- The purpose of the research
- The legal basis under GDPR
- Who is collecting the personal data
- With whom that personal data may be shared (and whether it will be transferred outside EEA)
- The methods being used
- How long data will be retained (or criteria to establish the retention period if this is not possible)
- Rights of individuals in terms of their personal data, including the right to lodge a complaint with the Data Protection Commission
- Contact information of the MIC Data Protection Officer (DPO) and Principal Investigator
- The existence of automated decision making, including profiling (if applicable)
Contact Dataprotection@mic.ul.ie to request a Template Research Privacy Notice and the MIC guidance document on how to complete a Research Privacy Notice.
3. Integrity and confidentiality
It is the responsibility of the researcher/ research team to process personal data that ensures appropriate security, protection against unauthorised disclosure or accidental loss. It is important that access rights to personal data are strictly confined to those who have been granted access. The type of security applied to the personal data will depend on the context, with special categories of personal data requiring a more robust level of security.
- Check the data is accurate
- Collect no more data than is necessary for the purpose of the research project
- Pseudonymise or anonymise personal data (unless it would impair your research)
- Keep the data only for as long as necessary (as short as possible)
- Erase or rectify data without delay if requested by a research participant
- Keep data safe and secure in line with ICT Security Policy
- Keep records of all data collected
- If engaging with any Data Processors, please contact Dataprotection@mic.ul.ie to put a DPA in place (Article 28 GDPR)
- If your research involves engaging with a joint data controller e.g., if another university is sharing in the control of the data, please contact Dataprotection@mic.ul.ie to put a Data Sharing Agreement (DSA) in place (Article 26 GDPR)
- Do not transfer data outside EEA without consulting the MIC DPO
- Contact Dataprotection@mic.ul.ie to complete a pre-screening Data Protection Impact Assessment (DPIA) checklist questionnaire
- Conduct a DPIA if the research is considered high risk
- Notify any data breaches to the DPO without undue delay by emailing Dataprotection@mic.ul.ie
For further guidance see the European Commission Checklist here.
- Data Protection
- Freedom of Information
- Records Management
- Policies & Procedures
- Key Points for MIC Researchers