Chat is Offline

QA400 Data Protection Policy


NUI Galway ("The University") obtains, processes, collects, keeps, uses, discloses (where permissible by law), and retains Personal Data and/or Special Categories of Personal Data (both as defined below) regarding its staff, students, service users and other individuals who come in contact with, avail of the services of or engage in business with the University. The purpose of processing Personal Data and Special Categories of Personal Data include but are not limited to fulfilling the University’s functions and obligations under University Charter, the Universities Act 1997, University Statutes and Regulations, University policies and procedures, the provision of educational courses and support services to students and staff, assessment of student engagement, the organisation and administration of courses, undertaking of research activities, the recruitment and employment of staff, compliance with statutory obligations, reporting to Government and regulatory bodies, the provision of commercial activities, the management of financial affairs, the provision of information solutions and services, the provision of library services, advertising and promoting the University, publishing University and alumni publications, and undertaking fundraising by or on behalf of the University. The University also processes personal information through CCTV systems that monitor and collect visual images for the purposes of research, security and the prevention and detection of crime and offences.

The University acknowledges that the processing of Personal Data and Special Categories of Personal Data must meet the requirements of applicable Irish and European data protection legislation. Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of Personal and Special Categories of Personal Data. The Act and the GDPR confer rights on individuals as well as responsibilities on persons and organisations processing personal data. Data protection is also an important part of the University’s overall information security practices. All Personal Data and Special Categories of Personal Data must be handled safely and securely according to agreed University policy. It is required that staff and any person processing Personal Data or Special Categories of Personal Data on behalf of the University process such data in accordance with University policy and applicable law.


This policy appleis to:

  • Any person employed or engaged by the University who processes Personal Data or Special Categories of Personal Data in the course of their employment or engagement for academic, administrative, research and/or any other purpose
  • Any person (including but not limited to research placements, secondments, work placements, visitors or interns) who is given access to University systems containing Personal Data or Special Categories of Personal Data, and who processes Personal Data or Special Categories of Personal Data in the course of their access
  • Any student of the University who process Personal Data or Special Categories of Personal Data in the course of their studies for academic, administrative, research and/or any other purpose
  • Individuals who are not directly employed by the University, but who are employed by contractors (or subcontractors) and who process Personal Data or Special Categories of Personal Data in the course of their duties for the University
  • All locations from which University Personal Data or Special Categories of Personal Data are accessed, including access while travelling and home use
  • Any Personal Data or Special Categories of Personal Data held or transmitted in paper, physical or electronic formats and communicated verbally in conversation or over the telephone
  • The University’s clubs and societies

Hereinafter these are collectively referred to as "Member" or "Members".


Definitions in this policy are intended for use within the NUI Galway Policy and operational framework. They are not necessarily the same as definitions of the same terms contained in external documents, whether or not referred to in this policy.

In this Policy:

  • Data Controller: (a) A competent authority that, whether alone or jointly with others, determines the purposes and means of the processing of Personal Data, or (b) where the purposes and means of the processing of Personal Data are determined by the law of the European Union or otherwise by the law of the State, a controller nominated— (i) by that law, or (ii) in accordance with criteria specified in that law
  • Data Processor: Means an individual who, or a legal person, public authority, agency or other body that, processes Personal Data on behalf of a controller, but does not include an employee of a controller who processes such data in the course of his or her employment
  • Data Subject: Means a living person who is the subject of Personal Data
  • Personal Data: means information relating to— (a) an identified living individual, or (b) a living individual who can be identified from the data, directly or indirectly, in particular by reference to— (i) an identifier such as a name, an identification number, location data or an online identifier, or (ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. In practice, any data about a living person who can be identified from the data available (or potentially available) will count as personal data. This will include reversibly anonymized (“pseudonymised”) data. Where a pseudonym is used, it is often possible to identify the data subject by analyzing the underlying or related data.
  • Special Categories of Personal Data: Other than in Part 5 of the Irish Data Protection Act 2018, means— (a) personal data revealing— (i) the racial or ethnic origin of the data subject (ii) the political opinions or the religious or philosophical beliefs of the data subject, or (iii) whether the data subject is a member of a trade union (b) genetic data (c) biometric data for the purposes of uniquely identifying an individual (d) data concerning health, or (e) personal data concerning an individual’s sex life or sexual orientation
  • Processing: Of or in relation to Personal Data, means an operation or a set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including— (a) the collection, recording, organisation, structuring or storing of the data, (b) the adaptation or alteration of the data, (c) the retrieval, consultation or use of the data, (d) the disclosure of the data by their transmission, dissemination or otherwise making the data available, (e) the alignment or combination of the data, or (f) the restriction, erasure or destruction of the data
  • Profiling: Means any form of automated processing of Personal Data consisting of the use of the data to evaluate certain personal aspects relating to an individual, including to analyse or predict aspects concerning the individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
  • Pseudonymisation: Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified natural person. The Data Protection Acts still apply to Personal Dara which has been pseudonymised.

University Member Obligations

Any Member of NUI Galway who handles Personal Data or Special Categories of Personal Data must comply with the Data Protection Principles and this Policy. Compliance with this Policy and applicable law is the responsibility of all members of the University. Failure of an individual University Member to comply with this Policy may lead to action, being taken in accordance with the applicable University’s procedures. Failure of a third-party contractor/subcontractor to comply with this policy may lead to termination of the contract and/or legal action. University Members embarking on new activities involving the use of Personal Data and/or Special Categories of Personal Data and that is not covered by one of the existing records of processing activities should inform the Data Protection Officer ( before starting the new activity.

Right to use Personal Data

In order for it to be legal and appropriate for the University to process Personal Data at least one of the following conditions must be met:

  • The data subject has given his or her consent
  • The processing is required due to a contract
  • It is necessary due to a legal obligation
  • It is necessary to protect someone’s vital interests (i.e. life or death situation)
  • It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • It is necessary for the legitimate interests of the controller or a third party and does not interfere with the rights and freedoms of the data subject (this condition cannot be used by public Authorities in performance of their public tasks)

Universities are classified as public authorities and therefore the use of the 'legitimate interests' justification is not possible in terms of the University’s core activities (public tasks). It may be possible to use legitimate interests for processing that is undertaken outside of the University’s public tasks.

In cases where the University relies on consent as a condition for processing personal data, it must:

  • Obtain the data subject’s specific, informed and freely given consent
  • Ensure that the data subject gives consent by a statement or a clear affirmative action
  • Document that statement/affirmative action
  • Allow data subjects to withdraw their consent at any time without detriment to their interests. All processing of personal data carried out by the University must meet one or more of the conditions above. In addition, the processing of Special Categories of Personal Data requires extra, more stringent conditions to be met in accordance with Article 9 of the GDPR and Sections 45-55 of the Irish Data Protection Act 2018.

Access Requests

Please follow the University Access Request Procedure available on the University Data Protection website. In summary, the individuals for whom the University stores Personal Data can get a copy of their Personal Data by requesting same from the Data Protection Officer in writing. The individual will receive a copy of their data within 30 days of receipt of the request by the Data Protection Officer unless extended under the Act.

Data Security Breach

The University Data Breach procedure is available on the University Data Protection website. In summary, in the event of an incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data, the matter must be brought to the attention of bo th the Secretary of the University and the Data Protection Officer as soon as possible.

Download PDF copy of the policy: QA400 Data Protection Policy

Data Protection Officer

Tel: 091 49 2150