SUSI > Privacy Statement > SUSI Data Protection Statement

SUSI Data Protection Statement

SUSI respects individuals’ right to privacy and processes personal data securely and confidentially in accordance with data protection legislation.

When submitting a grant application, applicants and other parties to their applications are required to confirm that they have read and understood this SUSI Data Protection Statement.

Who we are

The Student Grant Schemes are administered by the SUSI Unit of City of Dublin Education and Training Board (CDETB) as the student grant awarding authority designated by the Minister for Further and Higher Education, Research, Innovation and Science under the Student Support Act 2011. For the purposes of the EU General Data Protection Regulation (EU Regulation 679/2016) (GDPR), CDETB is a joint data controller with the Department of Education and Skills (DES) for student grant applications under the Student Grant Schemes.

“Data controllers” are people or organisations that determine the purposes and manner of processing of personal data that make independent decisions in relation to the personal data or that otherwise control that personal data.

Where two or more controllers jointly determine the purposes and manner of the processing of personal data, they will be “joint controllers”. In such cases, the GDPR requires them to determine in a transparent manner their respective responsibilities for compliance with the obligations under the GDPR. This must be done by means of an arrangement between them.

CDETB and the DES have put in place a Joint Data Controller Agreement whereby CDETB takes on responsibility for dealing with all requests received from individuals regarding the processing of their personal data by CDETB and the DES. CDETB is accountable to the DES for the performance of all functions in respect of the administration of student grants under the Student Support Act 2011 and is responsible for ensuring compliance of the administration of student grants with the GDPR and other applicable data protection legislation. The DES’s role is to determine the type of information that individuals should furnish to the student grant awarding authority under the Student Grant Schemes. As part of its oversight and governance role, the DES also carries out random transaction testing of a limited number of SUSI applications each year to check compliance with the statutory provisions of the scheme and to enhance the quality assurance procedures for the scheme. For more information about the Joint Data Controller Agreement between CDETB and the DES, please contact us at the below details.

The information you provide: what we use it for

“Personal data” means any information relating to an identified or identifiable natural person. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and/or behaviour.

SUSI processes information, including personal data that grant applicants provide about themselves and other parties and persons relevant to their applications (including parents, legal guardians, spouses, civil partners, cohabitants, siblings, dependent children and other relevant persons) for the purpose of assessing applicants’ eligibility to receive student grant funding.

The personal data processed by SUSI for this purpose is as follows:

name
address
e-mail address
telephone number
date of birth
mother’s maiden name
PPS number
marital, personal and family status
citizenship
nationality
residency
previous/current/future education
residential occupancy/utilities
income
employment
social welfare and other government supports
medical/health/personal circumstances
death records
bank account details and records.
personal data relating to medical/health/personal circumstances may include “special category” data in relation to health where it is necessary in the processing of grant applications by students repeating a year due to exceptional circumstances.

The information you provide: who we share it with

SUSI exchanges data with other Government bodies and agencies subject to data processing agreements. This data is processed for the purposes of –

verifying and validating grant applications,
administering grant applications and payments,
confirming students’ registration and attendance at approved institutions,
reviews on appeal,
audit and verification of the grant administration process,
the prevention and detection of fraud and supporting criminal investigations or prosecutions.

SUSI may also share personal data with authorised agents or third parties as data processors or sub-processors who act on behalf of SUSI for the purposes of grant administration and who process data securely pursuant to its instruction under a contractual relationship and subject to data processing agreements. CDETB continues to be the data controller of this data.

SUSI may also share an individual’s personal data if it is under a duty to disclose or share such personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with such individual or other agreements, or to protect its rights, property, or safety of its employees or others. This includes reporting information about incidents (as appropriate) to the Gardaí and responding to any requirements from the Gardaí to provide information or personal data to them for the purposes of them detecting, investigating or prosecuting offences or in connection with crime sentencing.

The below table outlines how the information you provide is being exchanged by SUSI with other Government bodies and agencies:

Agency / Body	Purpose	Information exchanged	Format
Approved Further and Higher Education Institutions	Verification that the student has registered on and is continuing to attend an approved course in an approved institution Verification and validation of previous academic history	SUSI Reference College Code CAO number PPSN Surname Forename DOB Graduate Type Student ID Course details Fee details Attendance and progression details	Batch
CAO- Central Applications Office	Notification of accepted college places	CAO application no. Surname of Applicant First name of Applicant Date of Birth of Applicant CAO Course code Level of course Name of course Name of Institution	Batch
Department of Agriculture, Food and the Marine	Validation of information where applicants are in receipt of grant payments for farming Prevention and detection of fraud, including the provision of information to support criminal investigations or prosecutions	Business Identifier number PPSN Year Details of payments	Batch
Department of Education and Skills	Validation of residency (Post Primary Pupil Database)	PPSN SUSI Reference Number Date of Birth Number of years as/if recorded on the Post Primary Pupil database for the previous 5 years	Batch
Department of Further and Higher Education, Research, Innovation and Science	Clarify eligibility for a grant. Ensure accurate interpretation and operation of grant scheme Ensure provision of the appropriate financial support Prevention and detection of fraud, including the provision of information to support criminal investigations or prosecutions Facilitate audits Research and analysis to inform the formulation of national policy on student support funding	All information pertaining to the application Statistical reports of application processing, decision outcomes and grant payments. Anonymised personal data	Direct Access, Specified Case Files, Batch Defined or ad hoc statistical reports, Specified bulk data files (anonymised)
Department of Social Protection	Verification of Income Prevention and detection of fraud, including the provision of information to support criminal investigations of prosecutions	PPSN Name Year Details of benefits and allowances	Direct Access and real time Application Programming Interface (API)
Department of Social Protection – MyGovID	Verification of identity Facilitating registration and login to online SUSI account Contacting applicant in order to process application for a student grant	PPSN DOB First name Last name Email address Telephone number	Secure Token Service (STS)
Department of Justice	Validation of citizenship and nationality	Person ID SUSI Reference Application ID Legacy No Permission to remain in the State Date permission valid until	Case by case requests
Education and Training Boards	Verification and validation of receipt of VTOS payments	Name Date of Birth PPSN Payment amount	Batch and Case by Case requests
General Register Office (GRO)	Validation of nationality, date of birth and death records	SUSI Reference PPSN First name Last name DOB Mother’s maiden name	Batch
Higher Education Authority (HEA)	Verification and validation of previous academic history	PPSN SUSI SUSI Reference DOB NFQ level of course Course Title Return year Year of graduation Graduating Institution	Batch
TUSLA – The Child and Family Agency)	Validation of certain State payments Verification of applicant status or circumstances	Name DOB SUSI Reference Information on documents required	Batch
Other grant awarding authorities (Local Authorities and Education and Training Boards)	Verification and validation of previous grant support history	Name Date of Birth PPSN Payment amount and name	Batch and Case by Case requests
QQI (Quality and Qualifications Ireland)	Verification of qualifications and/or equivalence of qualifications from other jurisdictions	Application no. Full title of course Name of Relevant Awarding Institution Year of Award Copy of qualification NFQ level	Case by Case requests
Revenue Commissioners	Validation of income Prevention and detection of fraud, including the provision of information to support criminal investigations or prosecutions	PPSN Name Year Income details	Batch
SOLAS	Verification and validation of previous academic history of a student	PPSN First Name Last Name Date of Birth Provider Name Local Course Title Target Award level Awarding Body Course Type Fulltime/Part-time Learner Start Date Learner End Date	Batch
Student Grants Appeals Board	Processing and adjudication of any appeal to the Student Grants Appeals Board	All information pertaining to the application.	Batch and Case by Case requests

Contact and identification information

SUSI uses contact and identification information of grant applicants and other parties to their applications for the following purposes:

to request from applicants any information about themselves and other parties to their applications that is required to process their applications,
to inform applicants of decisions on their applications and of the basis for those decisions,
to discuss with applicants, with other parties to their applications and with other third parties whom those applicants and other parties may authorise, the status of the application and any documentary evidence or actions required to progress it,
to administer an application, and
to administer grant payments.

Applicants and other parties to their applications may contact SUSI, or agents acting on its behalf, by telephone. To ensure that SUSI provides a high-quality customer service, telephone conversations are recorded for staff training and quality control purposes and for reviewing and confirming details of conversations with SUSI, where necessary.

Consent and our legal basis for processing

The consent of grant applicants and other parties to their applications is not generally required for SUSI to process their personal data for the purposes of the statutory basis on which grant applications are administered, namely the Student Support Act 2011 (as amended from time to time together with any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated) and the Student Grant Schemes (as amended from time to time).

SUSI communicates directly with grant applicants for these purposes in line with the specific requirement of the Student Grant Schemes that an applicant shall furnish such information and evidence to an awarding authority as it requests in order to determine if they are eligible to receive a grant.

Where it is necessary for another party to an application, or a third party outside the application, to communicate with SUSI about this personal data on behalf of any party to the application, each party to the application can authorise this as described below in relation to enquiry handling.

Where an applicant provides information that any person relevant to their application is also an applicant, and where both applicants authorise the cross-referencing of their applications in this context, SUSI will cross-reference both applications in order to ensure that any increased entitlement to grant funding can be applied and to ensure efficiency and consistency in the processing of grant applications.

SUSI may otherwise cross-reference grant applications generally and without consent for the purposes of audit and for the prevention and detection of fraud where it has a legitimate interest to do so.

Enquiry handling

Discussing Grant Applications

Applicants and other parties to their applications can contact the SUSI Support Desk to make enquiries about the status of an application and about any documents or actions required to progress it.

In order to facilitate such enquiries, SUSI will discuss, with all parties to an application, information about the status of the application and any documents or actions required to progress it.

Where disclosure of such information to another party to an application is not desired, applicants should inform SUSI of this so that appropriate controls can be put in place on a case by case basis.

SUSI Support Desk staff will ask verification questions to ensure that SUSI only shares this information with a party to the application.

Discussing Personal Data

SUSI will not discuss personal data of a party to an application with other parties to the application, or with a third party outside the application, without their authority.

Applicants and other parties to grant applications can cross-authorise each other, and can also authorise third parties outside the application, to discuss their personal data with SUSI on their behalf by-

cross-authorising each other when submitting an online grant application form,
amending their cross-authorisations, or authorising third parties, through the applicant’s online SUSI account after submitting an online grant application form.

Authorisations may be withdrawn at any time by applicants and other parties to grant applications.

Data protection rights

Individuals have certain rights in relation to personal information that is processed by SUSI. These rights are listed below. These rights are not absolute and apply subject to certain conditions. Under certain circumstances, by law individuals have the right to:

request information about whether SUSI holds personal information about them, and, if so, what that information is and why SUSI is holding/using it,
request access to their personal information (commonly known as a “data subject access request”). This enables an individual to receive a copy of the personal information SUSI holds about him/her and to check that SUSI is lawfully processing it,
request correction of the personal information that SUSI holds about them. This enables an individual to have any incomplete or inaccurate information SUSI holds about him/her corrected,
request erasure of their personal information (subject to data retention requirements). This enables an individual to ask SUSI to delete or remove personal information where there is no good reason for SUSI continuing to process it. Individuals also have the right to ask SUSI to delete or remove their personal information where they have exercised their right to object to processing (see below),
request the restriction of processing of their personal information. This enables an individual to ask SUSI to suspend the processing of personal information about him/her, for example if the individual wants SUSI to establish its accuracy or the reason for processing it,
request transfer of their personal information in an electronic and structured form to them or to another party (commonly known as a right to “data portability”). This enables an individual to take his/her data from SUSI in an electronically useable format and to be able to transfer such data to another party in an electronically useable format,
object to processing of their personal information where SUSI is relying on a legitimate interest (or those of a third party) and there is something about the individual’s particular situation which makes him/her want to object to processing on this ground,
object to automated decision-making including profiling, that is not to be the subject of any automated decision-making by SUSI using their personal information or profiling of them: SUSI does not engage in any automated decision making, and
withdraw their consent, where SUSI is relying on it to use their personal data (the exercise of this right will not affect the lawfulness of processing based on consent before its withdrawal).

Individuals may access or request a copy of their personal data held by SUSI, or they may request its rectification, by downloading, completing and submitting a Subject Access Request Form available at www.susi.ie

Otherwise, individuals can exercise their rights by contacting CDETB at the below details.

No fee usually required. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Complaint handling. In the event that an individual wishes to make a complaint about how their personal data is being processed by SUSI, or how their complaint has been handled, such individual has the right to lodge a complaint directly with the supervisory authority who can be contacted as follows. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance:

Contact	Data Protection Commission
Telephone	+353 57 8684800/+353 (0)761 104 800
Website	www.dataprotection.ie
Post	Data Protection Commission 21 Fitzwilliam Square South Dublin 2 D02 RD28 Ireland

Data retention

SUSI retains data securely for the purposes of grant administration, audit and case reviews and does not retain personal data for longer than is necessary and/or as required by law. In determining its retention period for categories of personal data, SUSI, at all times, will consider its obligations under the data protection legislation, guidance from the Data Protection Commission, any other specific legislative requirements as well as the amount and nature of the data itself.

Transferring personal data out of the European Economic Area

There are circumstances in which SUSI may have to transfer an individual’s personal data out of the European Economic Area for the purposes of grant or grant application administration. Where the need for such a transfer arises SUSI will always ensure that there are appropriate safeguards in place to protect personal data such as:

the European Commission has issued a decision confirming that the country to which SUSI transfers the personal data ensures an adequate level of protection for the data subjects’ rights and freedoms;
appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from SUSI on request;
the individual has provided explicit consent to the proposed transfer after being informed of any potential risks; or
the personal data is being transferred to a company in the US which has self-certified its compliance with the EU-US Privacy Shield which has been found by the European Commission to provide an adequate level of protection to the personal data of EU citizens.

Security

Data retained by SUSI, including computer and paper records, is stored in secure facilities. SUSI takes appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of, data and against accidental loss or destruction. Data processing agreements entered into between SUSI and those persons or bodies with whom it exchanges data take account of the security requirements and measures necessary to protect the data that is exchanged.

Where applicants or other parties to their applications agree, accept or request that SUSI communicates with them by e-mail, they are solely responsible for ensuring the availability, security and integrity of their own email account. The transmission of information via the internet is not completely secure and, consequently, while SUSI takes all reasonable security measures, it cannot guarantee the privacy or confidentiality of information transmitted by e-mail.

SUSI maintains data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

“confidentiality” means that only people who are authorised to use the data can access it,
“integrity” means that personal data should be accurate and suitable for the purpose for which it is processed,
“availability” means that authorised users should be able to access the data if they need it for authorised purposes.

Use of Cookies

The SUSI website and the SUSI online grant application system make use of cookies. For more information about our use of cookies, please see our Cookie Policy.

You can contact CDETB regarding any matter concerning your data protection rights using the details below:

Contact:	Data Protection Officer
Telephone:	+ 353 1 668 0614
Email:	dataprotection@cdetb.ie
Post:	CDETB Town Hall, Merrion Road, Ballsbridge, Dublin 4 Ireland

Changes to this policy

SUSI reserves the right to modify this Data Protection Statement at any stage. If and when changes are made to this Data Protection Statement, any changes will be posted on the SUSI website and will be effective when posted. Please continue to check this page to ensure that you are always aware of any changes.