IT Carlow Data Protection Policy

A new law on the protection of personal data, the General Data Protection Regulation (GDPR), came into force across Europe on 25th May 2018.

Privacy Notice for our Students

This section provides detail on how Institute of Technology Carlow deals with your personal and sensitive personal data.
Personal data, both automated and manual, are data relating to a living individual who is or can be identified, either from the data or from the data in conjunction with other information. Some personal data, i.e. those relating to specific categories such as a person’s racial origin, political opinion, religion or other beliefs, physical or mental health, sexual life, criminal convictions or the alleged commission of an offence, or trade union membership, are classed as sensitive personal data and offer data subjects additional protection rights.
Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of personal data, in both paper and electronic format. The Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 confer rights on individuals as well as responsibilities on those persons processing personal data.
Accountability and responsibility for complying with Data Protection: As an organisation, Institute of Technology Carlow needs to collect and use personal data (information) about its staff, students and other individuals who come into contact with the Institute. The purposes of processing data include, inter alia, the organisation and administration of courses, examinations, research activities, the recruitment and payment of staff, and compliance with statutory obligations.
Institute of Technology Carlow, when it acts as the Data Controller of personal data, has overall responsibility for ensuring compliance with Data Protection legislation. However, all employees and students of Institute of Technology Carlow who separately collect and/or control the content and use of personal data are individually responsible for compliance with the legislation.

Policy Notice »

Data Collection Notice

HEA Principle 1 of the DPA 1998 and 2003 requires information to be provided, or made readily available, to data subjects so that they are not deceived or misled as to the purposes for which their data is to be processed. In order to satisfy this principle, the HEA supply text for use by HEIs.

HEA Notice »

Data Protection Policy

The Institute’s commitment to protecting the rights and privacy of the data subject is outlined at the link below.

Data Protection Policy »

Records Management

Details on the Institute’s Records Management and Retention Schedule can be found on the Institute’s website here »

Subject Access Requests

The procedure for submitting and processing Subject Access Requests can be found below.

SAR Procedure »

Data subjects must complete the official Subject Access Request form when exercising their right of access to their personal data.

SAR Request Form »

Data Breach

Any individual who accesses, uses or manages personal data is responsible for reporting data breach incidents to the Data Protection Oversight Group (e-mail and their Head of Function as soon as they are detected. A breach, or suspected breach, must be reported to the Institute urgently because of a regulatory requirement to notify the Data Protection Commissioner within 72 hours.

Further Information

Any further queries in relation to the GDPR or Data Protection can be addressed to the Institute’s Data Protection Oversight Group (e-mail