NCI Staff Data Processing Notice

Niamh Scannell



Policy Information

Policy:  Version Number: 0.5 Review Date: 
Date: 20/02/2023 Status: Active  Author/s: HR


Document Version History

Version Number

Version Date

Revised By




Arthur Cox

Initial draft document created



Niamh Scannell

Made amendments as noted and inserted clause on risks related to electronic communications



Niamh Scannell and Mary Connelly

Section on risks related to electronic communications added



Niamh Scannell

Lawful basis for assessing capacity of employee corrected



Niamh Scannell and HR Team

Updated section 4 and appendix 2



Niamh Scannell and HR Team

Updated appendix 2



This Notice describes the practices of National College of Ireland (“NCI”) regarding the collection, use, transfer, disclosure and other handling and Processing of your Personal Data as an employee of NCI (and its affiliates). 

In particular, NCI is committed to Processing the Personal Data of its employees in a fair, lawful and transparent manner. Accordingly, this Notice provides NCI employees with certain information about how their Personal Data is used by NCI. NCI has also adopted a Privacy Policy (the “NCI Privacy Policy”) that addresses data protection more generally. Capitalised terms used in this Notice are defined in the Glossary in Annex I to this Notice. 

In relation to Personal Data provided by you to NCI, NCI will act as Data Controller of such Personal Data. This means that NCI determines why and how such data is used. NCI’s data Processing is generally undertaken in connection with the employment contract between each employee and the NCI. 



Personal data is any information relating to a living individual which allows either directly or indirectly the identification of that individual. Personal Data can include a name, an identification number, details about an individual’s location or any other detail(s) that is specific to that individual and that would allow the individual to be identified or identifiable.  The type of Personal Data that NCI collects and Processes in relation to employees is described in more detail in the table at Appendix II of this Notice.



The table at Appendix II also describes in detail the particular purposes and lawful basis for NCI’s Processing of employee Personal Data as required by Data Protection Law. NCI will generally Process your Personal Data for personnel administration purposes and for purposes necessary for and connected with the performance of NCI’s legitimate interests. 

NCI may obtain Personal Data about you from third parties, such as former employers, educational institutions, recruitment agencies, recruitment platforms such as LinkedIn, government agencies, from information in the public domain and available on the internet and from other employees (e.g., other NCI staff, supervisors, members of the HR Department, etc.). We may also seek Personal Data about you from third parties in connection with: (I) locating former employees and beneficiaries for purposes of administering retirement, pension or other benefits; (II) performance evaluations; (III) academic and professional references; (IV) disciplinary matters and internal investigations; (V) purposes that relate to your employment relationship with us; and (VI) other purposes permitted in accordance with applicable law. Where we obtain Personal Data about you from third parties, we will do so in accordance with Data Protection Law.



NCI Processes Special Categories of Data (“SCD”) relating to employees in limited circumstances, typically related to the ordinary course of personnel administration which is in accordance with the Data Protection Law.  Such Processing of SCD is permitted under several provisions of the Data Protection Law, including the following:

4.1 Article 9(2)(b) where it is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law” and section 46 of the Data Protection Act 2018 which permits the processing of special categories of personal data where the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law. As required by Data Protection Law, NCI applies suitable and specific measures in respect of such Processing.

4.2 Article 9(2)(f) GDPR where it is necessary for the establishment, exercise or defence of legal claims and this ground is amplified under the Data Protection Act 2018 which permits the Processing of SCD where it is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights (and which may include Processing in the context of disciplinary proceedings);

4.3 Article 9(2)(g) GDPR which permits such Processing for reasons of substantial public interests and this is amplified under the Data Protection Act 2018 which provides a general lawful basis for Processing of SCD where it is necessary and proportionate for the performance of a function conferred by or under an enactment; and

4.4 In relation to the management of medical risk and medical claims, the Data Protection Act 2018 permits the Processing of SCD where it is necessary for the purposes of preventative or occupational medicine, to assess the working capacity of an employee, for the management of health or social care systems and services or for ensuring high standards of quality and safety of health care. 

In addition, where NCI employees will be working in close proximity with children or vulnerable persons, in accordance with the National Vetting Bureau (Children and Vulnerable Persons) Act 2012 and the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016, NCI will require such employees to undergo Garda Vetting.

4.5 In relation to equality, diversity, and inclusion, as well as Athena Swan, Article 9(2)(j) of GDPR and the Data Protection Act 2018 allows the processing of SCD for statistical purposes.



5.1 Data Protection Laws provide certain rights in favour of data subjects. The rights in question are as follows (together the “Data Subject Rights”):

  • The right of a data subject to receive detailed information on the Processing (by virtue of the transparency obligations on the Data Controller); 
  • The right of access to Personal Data;
  • The right to rectify or erase Personal Data (known as the “right to be forgotten”);
  • The right to restrict Processing;
  • The right of data portability;
  • The right of objection (in circumstances where Processing is undertaken based on the legitimate interests of the Controller); and
  • The right to object to automated decision making, including profiling.

5.2 Please note that the Data Subject Rights are available subject to certain circumstances. Any data subject wishing to exercise their Data Subject Rights should contact the NCI Data Protection Officer (“NCI DPO”): Niamh Scannell by email at and by phone (01) 4498 523. Your request will be dealt with in accordance with NCI’s Data Subject Rights Procedure.



Your obligations and responsibilities are set out in detail in the NCI Data Protection Policy, which in particular include the following: 

6.1 All NCI employees are required to treat all Personal Data that they access and use during the course of their employment in the strictest confidence and shall only disclose such Personal Data to external third parties as is necessary in the performance of their role.

6.2 All NCI employees are required to direct any data subject requests to exercise data subject rights to NCI’s DPO at: or in person / in writing to: Finance Department, National College of Ireland, Lower Mayor Street, Dublin 1, as soon as is reasonably possible.

6.3 The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of Personal Data security breaches (Art. 34). We will manage a Data Breach in accordance with our Data Breach Incident Procedure. All NCI employees are required to report any suspected data breaches to NCI’s DPO immediately upon detection of the suspected data breach at the details below. If you are unsure what constitutes a data breach, please refer to section 6 of the NCI Privacy Policy, which deals with Data Breach Handling, or contact the NCI DPO:

Name Niamh Scannell
Phone (01) 4498 523



7.1 We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access.  Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.



8.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data). We may also share Personal Data: (a) with another statutory body where there is a lawful basis to do so; (b) with selected third parties including sub-contractors; (c) if we are under a legal obligation to disclose Personal Data. For example, this may include where a member of the academic staff spends time in another institution on sabbatical or is seconded to a government department or body and also includes exchanging information with other organisations for the purposes of fraud prevention or investigation.

8.2 Where we enter into agreements with third parties to Process Personal Data on our behalf we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data where required by Data Protection Law. Examples of such third party service providers that we engage, and to whom we may provide Personal Data, include but are not limited to communications providers, payroll service providers, pension administrators, occupational health providers, marketing or recruitment agencies, operators of data centres used by us, security services, catering service providers, and professional advisors such as external lawyers, accountants, tax and pensions advisors.



We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed. Further details of the retention period for Personal Data are set out in our Data Retention Policy.



From time to time we may need to transfer Personal Data outside the EEA. This transfer will occur in accordance with applicable Data Protection Law. We take reasonable steps to ensure that the Personal Data is treated securely (typically through the use of EU-approved Model Contract Clauses) and in accordance with the NCI Privacy Policy when transferred outside the EEA.



Unfortunately, the transmission of information via email is not completely secure. Although we will do our best to protect your information, we cannot guarantee its security and when giving us your information you do so at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.



You can ask a question or make a complaint about this Notice, the NCI Privacy Policy and/or the Processing of your Personal Data by contacting the NCI DPO, Niamh Scannell, at the details set out in paragraph 6 above. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact the NCI DPO in the first instance to give us the opportunity to address any concerns that you may have.



In this Notice, the terms below have the following meaning:

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller (for example, a payroll service provider).

“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Act 2018 and any other laws which apply to NCI in relation to the Processing of Personal Data.

“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.

“Special Categories of Personal Data” (or “SCD”) are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.



The following table describes the type of Personal Data that is collected by NCI relating to NCI employees and the purposes and lawful basis for Processing that data under Data Protection Law:

| Description of Personal Data | Purpose of Processing | GDPR lawful basis |
| --- | --- | --- |
| Information contained in: CVs, cover letters and job applications (including previous employment background, education history, professional qualifications, references, language and other relevant skills, certification, certification expiration dates), interview notes and feedback; details on performance management ratings, development programs planned and attended, e-learning programs, performance and development reviews, willingness to relocate or driver’s license information. | Recruitment, personnel administration and HR management, including performance analysis and promotion purposes. | Contract performance and steps prior to entering a contract (Art. 6(1)(b) GDPR); and the NCI’s legitimate interests in recruiting staff (Art. 6(1)(f) GDPR). |
| HR files and records (including CPD and training records, disciplinary records, salary details, benefits, compensation type, pay grade, salary step within assigned grade, awards, pay frequency, effective date of current compensation, salary reviews, banking details, working time records (including vacation and other absence records, leave status, hours worked and department standard hours), pay data, national insurance or other number, marital/civil partnership status, domestic partners and dependents, ethnicity, disability, gender). | Personnel administration and HR management, including performance analysis, promotion purposes, and equality, diversity, and inclusion. | For the performance of a contract (Art. 6(1)(b) GDPR); compliance with legal obligations under employment legislation (Art. 6(1)(c) GDPR); protecting the vital interests of employees and other persons (Art. 6(1)(d) GDPR); the NCI’s legitimate interests in relation to equality, diversity, and inclusion (Art. 6(1)(f) GDPR); and statistical purposes (Art. 9(2)(j) GDPR, and sections 42 and 54 of the Data Protection Act 2018). |
| Photographs of employees and Security Access Cards | For security purposes in relation to Security Access Cards. For use on Outlook to enable staff to identify colleagues. | The NCI’s legitimate interests in recruiting staff (Art. 6(1)(f) GDPR); and protecting the vital interests of employees and other persons (Art. 6(1)(d) GDPR). |
| Data related to pensions | To enable NCI pension trustees and related service providers to administer your pension entitlements. | Contract performance (Art. 6(1)(b) GDPR). |
| Medical information (including medical certificate and sick notes). | Personnel administration and to verify employee absences from work on sick leave and purposes of preventative or occupational medicine. | To assess the working capacity of an employee (section 52 Data Protection Act 2018). |
| Name, role, email address (work), telephone number (work), office number, profile photograph and details of: previous roles, research areas/interests and academic publications. | For publication on various sections of NCI website and in hard copy materials and to promote the NCI and enhance its profile. | The NCI’s legitimate interests in recruiting staff (Art. 6(1)(f) GDPR). |
| Data in relation to memberships of clubs or societies associated with NCI (for example a book club or sports club) | To enable participation in clubs/societies associated with NCI. | Employee consent, which can be withdrawn at any time (Art. 6(1)(a) GDPR). |
| Data Processed in relation to optional staff schemes or benefits | In relation to Travelpass, Bike-to-work scheme etc. | Employee consent, which can be withdrawn at any time (Art. 6(1)(a) GDPR); and contract performance (Art. 6(1)(b) GDPR). |
| CCTV Footage | NCI has closed circuit television cameras (“CCTV”) located throughout its premises covering buildings, internal spaces, car parks, roads, pathways and grounds. NCI’s CCTV system is implemented in a proportionate manner as necessary to protect NCI property against theft or pilferage and for the security of staff, students and visitors to NCI premises (to protect their vital interests). | The NCI’s legitimate interests in recruiting staff (Art. 6(1)(f) GDPR); and protecting the vital interests of employees and other persons (Art. 6(1)(d) GDPR). |

