Data Protection and Information Management Policy
LIFFEY COLLEGE | |
Policy Area | Data Protection & Information Management |
Policy Title | Data Protection & Information Management Policy |
Version: 2 | Date: Jan 2025 |
Purpose:
Liffey College is committed to ensuring the protection of personal data and the secure management of information in compliance with the General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018 and good IT security practice. This policy aims to:
➤ Establish a clear framework for the lawful collection, processing, storage and disposal of personal data.
➤ Ensure IT security measures are integrated to protect digital infrastructure, prevent unauthorised access and mitigate data breach risks.
➤ Define governance responsibilities for compliance, oversight and risk management in data protection and information security.
➤ Align with third-party data processing agreements (including outsourced IT services and cloud storage providers) to ensure regulatory compliance.

Policy Statement:
Liffey College is dedicated to upholding high standards in data protection, cybersecurity and information governance. This policy ensures that all personal data is:
➤ Processed lawfully, fairly and transparently.
➤ Collected and used for specified purposes only.
➤ Stored securely with access controls and encryption.
➤ Retained only for as long as necessary.
➤ Protected from unauthorised access, loss or misuse.

1. Scope & Applicability
This policy applies to:
➤ Learners, staff, external partners and third-party service providers who process or access personal data on behalf of Liffey College.
➤ All personal data collected, stored, processed and disposed of, including:
– Learner records (e.g., enrolment, academic performance).
– Employee data (e.g., HR files, payroll information).
– IT & digital records (e.g., databases, cloud storage).
– Financial transactions and communications.

2. Data Protection Principles
Liffey College adheres to the seven core principles of GDPR (Article 5):
➤ Lawfulness, Fairness and Transparency – Data is collected and processed only on a lawful basis and with transparency towards the individual.
➤ Purpose Limitation – Personal data is used only for the purposes for which it was collected.
➤ Data Minimisation – Only necessary data is collected, stored and processed.
➤ Accuracy – Data must be accurate and kept up to date.
➤ Storage Limitation – Data is retained for a defined period and securely disposed of thereafter.
➤ Integrity & Confidentiality (Security) – Appropriate technical and organisational security measures are implemented to protect data.
➤ Accountability – The College ensures and can demonstrate compliance through audits, documentation and governance policies.

3. Data Subject Rights
Individuals have the right to:
➤ Access – Obtain confirmation that their personal data is being processed and request a copy of it.
➤ Rectification – Request correction of inaccurate or incomplete data.
➤ Erasure ("Right to be Forgotten") – Request data deletion, subject to legal obligations that require the College to retain it.
➤ Restrict Processing – Request limitations on how their data is used.
➤ Data Portability – Receive their data in a structured, commonly used and machine-readable format.
➤ Object – Opt out of specific data processing (e.g., direct marketing).
Data Access Requests: Requests must be made in writing to the Data Protection Officer (DPO), Haseeb Ahmed, at haseeb@liffeycollege.ie.

4. IT Security & Third-Party Data Management
Liffey College has outsourced IT security and data processing to DigitalSofts Ltd., which is contractually required to comply with GDPR and industry security standards.
Security Measures Implemented:
➤ Data Encryption – All data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256).
➤ Access Controls – Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC) restrict data access to authorised personnel, with access granted on a least-privilege basis.
➤ Network Security – Firewalls, intrusion detection systems and strong password policies safeguard IT infrastructure.
➤ Data Processing Agreements (DPA) – All third-party processors (e.g., AWS, OVH) are bound by a written DPA as required by GDPR Article 28 and comply with ISO 27001 security standards.
Third-Party Data Processing & Storage:
➤ Cloud Hosting: Data is hosted securely in AWS (London) and OVH (France).
➤ External IT Support: DigitalSofts Ltd. is responsible for system monitoring, IT risk assessments and cybersecurity compliance.

5. Data Breach Management
Liffey College follows a structured Data Breach Response Plan. All suspected personal data breaches, whatever their severity, are reported to the DPO immediately and documented, as GDPR Article 33(5) requires.
➤ Low-Risk Breaches: Managed internally with corrective actions and recorded.
➤ High-Risk Breaches:
– Escalated by the DPO to the Board of Directors without delay.
– Notified to the Data Protection Commission (DPC) within 72 hours of the College becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals (GDPR Article 33).
– Affected individuals are informed without undue delay where the breach is likely to result in a high risk to them (GDPR Article 34).

6. Data Retention & Secure Disposal
Retention Periods:
➤ Learner records: 6 years after course completion. HEIs generally retain student records for 6 years after course completion for audit, accreditation and compliance purposes. This aligns with QQI's statutory QA guidelines for learner records and institutional reviews. (Quality and Qualifications Ireland (QQI) – Statutory Quality Assurance Guidelines – https://www.qqi.ie)
➤ Employee records: 7 years post-employment. Payroll, contracts and HR records must be retained for a minimum of 6 years for tax and employment law compliance. An extra year is included to cover potential disputes or audits. (Irish Revenue – Employment Records Retention Guidance https://www.revenue.ie/en/employing-people/index.aspx)
➤ Financial records: 6 years. Irish law mandates that financial records (including invoices, payroll and tax-related documents) must be retained for at least 6 years for audit and compliance with Revenue requirements. (Companies Act 2014 (Ireland) – Section 281 https://www.irishstatutebook.ie/eli/2014/act/38/enacted/en/html)
➤ IT system logs: 1 year. IT logs, including system access and authentication logs, are retained only for as long as necessary to fulfil security and compliance obligations. Best practice suggests retaining logs for 12 months unless a longer retention period is justified (e.g., an ongoing legal investigation or a regulatory requirement), in which case the affected logs are placed on hold and the justification is recorded. ISO 27001 and related IT security standards also recommend minimising long-term storage of sensitive IT logs to reduce exposure if they are compromised. (EU General Data Protection Regulation (GDPR) – Recital 39 & Article 5 https://gdpr.eu/)
Secure Disposal Methods:
➤ Physical documents – Shredding or secure destruction.
➤ Electronic records – Permanent deletion with data-wiping technology; ordinary file deletion, which leaves the data recoverable, is not sufficient.

7. Compliance, Oversight & Policy Review
➤ The Data Protection Officer (DPO) ensures compliance, staff training and risk monitoring.
➤ Annual audits assess IT security risks and policy effectiveness.
➤ This policy is reviewed annually and updated based on legal or operational changes.
For questions regarding data protection, contact: Data Protection Officer (DPO) Haseeb Ahmed – haseeb@liffeycollege.ie
Responsible | Evidence |
➤ Data Protection Officer (DPO) – Oversees compliance, risk reporting and data audits. ➤ IT Security Provider (DigitalSofts Ltd.) – Manages IT security, network protection and cloud storage compliance. ➤ Senior Management Team – Ensures policy implementation and regulatory adherence. | ➤ Data Processing Agreements (DPA) with third-party providers. ➤ Internal and external GDPR compliance audits. ➤ IT security risk assessments and encryption policies. ➤ Records of data subject requests and access logs. |
Monitoring Frequency | ➤ Annual Data Protection & IT Security Audits. ➤ Quarterly Compliance Reviews by Senior Management. ➤ Immediate Data Breach Investigation and Reporting. |
LIFFEY COLLEGE | |
Policy Area | Data Protection & Information Management |
Supporting Policy Title | Data Protection & Information Management Policy |
Procedure Title | Data Protection & Information Management Procedure |
Version: 2 | Date: Jan 2025 |
Procedure:
This procedure defines how Liffey College ensures compliance with data protection laws and IT security measures. The process involves:
➤ Data Collection: Personal data is collected on an identified lawful basis, with transparency towards the individual about how it will be processed.
➤ Data Processing: Encryption and access controls are applied to protect personal data.
➤ Data Storage: Cloud storage services (AWS & OVH) comply with ISO 27001 security standards.
➤ Data Access & Rights: Individuals can request data access, rectification or erasure under GDPR.
➤ Data Breach Response: Breaches likely to result in a risk to individuals are notified to the Data Protection Commission (DPC) within 72 hours of the College becoming aware of them.
➤ Data Retention & Disposal: Secure data destruction protocols are followed.

Responsibilities:
➤ Data Protection Officer (DPO): Ensures GDPR compliance, responds to data subject requests and reports breaches.
➤ IT Security Provider (DigitalSofts Ltd.): Implements technical security measures and performs network monitoring.
➤ Senior Management: Reviews compliance reports and enforces policy application.
➤ All Staff & Students: Must adhere to data protection protocols and report security concerns.

Process:
1 – Data Collection & Processing:
➤ Only necessary personal data is collected for academic, administrative and legal purposes.
➤ Processing activities comply with GDPR, and explicit consent is obtained where consent is the lawful basis relied on.
2 – IT Security Measures:
➤ All data is encrypted (TLS 1.2 or higher in transit, AES-256 at rest).
➤ Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC) secure data access.
3 – Data Subject Rights Management:
➤ Individuals submit data access or rectification requests by email to the DPO.
➤ Requests are answered within one month of receipt (GDPR Article 12(3)); for complex or numerous requests this may be extended by up to two further months, and the individual is told of the extension and the reasons for it within the first month.
4 – Data Breach Handling:
➤ All suspected breaches must be reported to the DPO immediately.
➤ If high-risk, the breach is escalated to the Board of Directors and notified to the Data Protection Commission (DPC) within 72 hours of the College becoming aware of it.
➤ Investigations are conducted and affected individuals are informed where the breach is likely to result in a high risk to them.
5 – Data Retention & Disposal:
➤ Student data is retained for 6 years after course completion.
➤ Employee data is retained for 7 years post-employment.
➤ Financial data is retained for 6 years.
➤ Secure disposal methods (shredding, digital wiping) are used.
6 – Compliance, Oversight & Policy Review:
➤ The Data Protection Officer (DPO) ensures compliance, staff training and risk monitoring.
➤ Annual audits assess IT security risks and policy effectiveness.
➤ This policy and procedure are reviewed annually and updated based on legal or operational changes.
For questions regarding data protection, contact: Data Protection Officer (DPO) Haseeb Ahmed – haseeb@liffeycollege.ie