The Department of Education when processing your data or that of your child adheres to the principles of transparency, accountability and security of the General Data Protection Regulation. This Department has put in place appropriate technical and organisational measures in order to ensure – and to be able to demonstrate – that our processing of your personal data is in compliance with the higher standards of the General Data Protection Regulation (GDPR), having regard to the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity that might arise therefrom for the rights and freedoms of individuals.
The Department’s Data Protection Policy sets out the steps to be taken by the Department of Education when processing personal data.
The GDPR provides the following rights for individuals:
The Data Protection Commissioner has prepared a Guide to the Rights of Individuals under the General Data Protection Regulation (GDPR)
Under Article 15 of the General Data Protection Regulation, you have a right to obtain a copy of any personal information relating to you. To access a copy of personal data held by the Department, in relation to you, please complete the Subject Access Request (SAR) Application Form. The completed form, along with some photographic identification (passport, drivers licence or Public Service Card) together with proof of address (utility bill, official letter) should be returned to the Department’s Data Protection Officer, please see contact details below.
The Department will provide the required information to you at the time personal data is collected. The Department will ensure that the information provided is detailed and specific, and that such notices are understandable and accessible In order to balance the requirements above, the Department may implement appropriate policies to make information available on its website or from schools and other educational organisations. The information provided will include information about personal data collected both directly from the data subject and from other sources.
The Department has taken steps to ensure it provides greater transparency in how it processes your personal data for specific processing activities. Please see the specific privacy notices for the various processing activities undertaken by this Department.
The Department follows best practice in order to protect the confidentiality, integrity and availability of its information processing systems and services.
Our Data Protection Officer oversees how we collect, use, share and protect your information to ensure your rights are fulfilled. You can contact our Data Protection Officer at
Address: Department of Education, Data Protection Unit, Cornamaddy, Athlone, Co. Westmeath N35 X659
Phone: (090) 648 3908
The General Data Protection Regulation (GDPR) from 25th May, 2018 replaces current data protection laws in the European Union. The new law gives individuals greater control over their data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations. GDPR also imposes corresponding and greatly increased obligations on organisations that collect this data.
You may find more information on the Data Protection Commissioner’s micro website www.gdprandyou.ie
The purpose of the Data protection Act 2018 is to give further effect to the GDPR, to transpose the separate Law Enforce Directive into national law and to establish the Data Protection Commission with the means to supervise and enforce enhanced data protection standards in an efficient manner. The GDPR which as an EU Regulation has direct effect does allow national governments a limited margin of flexibility which are provided for in Part 3 of the Act.
The term "personal data” means any information relating to a living person who is identified or identifiable (such a person is referred to as a "data subject”).
A person is identifiable if they can be identified directly or indirectly using an "identifier”. The GDPR gives examples of identifiers, including names, identification numbers, and location data. A person may also be identifiable by reference to factors which are specific to their identity, such as physical, genetic or cultural factors.
The term "processing” refers to any operation or set of operations performed on personal data. Processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data, and can involve automated or manual operations.
Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as "special categories” of personal data. The special categories are: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation. Processing of these special categories is prohibited, except in limited circumstances set out in Article 9.
This is data in respect of criminal convictions or alleged offences.
The Data Subject is a living individual to whom personal data relates
A data controller refers to a person, company, or other body which determines the purposes and means of processing of personal data.
A data processor refers to a person, company, or other body which processes personal data on behalf of a data controller
There are six different legal bases on which personal data may be processed:
Many of the Department’s processing activities are carried out as tasks in the public interest or in the exercise of official authority to the extent that such processing is necessary and proportionate for:
Personal data should be retained/stored for no longer than is necessary for the purposes or purpose for which it is being processed. As the Department is subject to the National Archives Act, 1986 records with personal data may have to be retained for archiving where there is no disposal order from the National Archives in place with respect to that category of record.
It is where personal data may be shared between two data controllers. The sharing of data is required to have a legal basis and to be transparent.
The policy of the Department is to include a privacy statement on any forms which we may use to collect personal data as part of a processing activity. The statement will provide information on the main purposes for collecting the personal data and whether the data is being shared with any other organisation. The statement will include a link to a more detailed privacy notice and provide more details on the processing activity.
A Privacy Notice is used by the Department to provide details on each processing activity undertaken which involves personal data. It will provide you with information on the purpose; legal basis; source of the personal data where it has not been obtained from you directly (often the department as part of its functions will have received the data via a school or other educational organisation); storage period; persons or organisation to whom the data or part of the data may be disclosed to and why. The Privacy Notice will also provide you with information on your Data Subject Rights and how you can exercise these. It will include relevant contact details. For large processing activities it may provide links to further information or a more detailed Fair Processing Notice for the processing activity.
The Data Protection Commissioner's Website offers an explanation of the rights and responsibilities under the Data Protection Acts and information is also available from
The Data Protection Commissioner's Office
Co. Laois. R32 AP23
You can contact the Data Protection Commissioner's Office by email (firstname.lastname@example.org) or by phone 1890 252231.
|Address||Department of Education
Data Protection Unit
|Telephone||(090) 648 3908|