SUSI Data Protection Statement

SUSI respects individuals’ right to privacy and processes personal data securely and confidentially in accordance with data protection legislation.

When submitting a grant application, applicants and other parties to their applications are required to confirm that they have read and understood this SUSI Data Protection Statement.

Who we are

The Student Grant Schemes and the PLC Bursary for Displaced Persons (Ukraine) Scheme in the relevant year and the Student Part-Time Fee Scheme for Specified Undergraduate Courses in the relevant year are administered by the SUSI Unit of City of Dublin Education and Training Board (City of Dublin ETB) as the student grant awarding authority designated by the Minister for Further and Higher Education, Research, Innovation and Science under the Student Support Act 2011 and the Student Part-Time Fee Scheme for Specified Undergraduate Courses in the relevant year.

SUSI also administers two non-statutory schemes (“the administrative schemes”) on behalf of the Minister for Further and Higher Education, Research, Innovation and Science: the PLC Bursary for Displaced Persons (Ukraine) Scheme in the relevant year, established in 2022 in response to the emergency situation in Ukraine, and the International Protection Student Scheme (for FE/HE Students) in the relevant year for students who are in the international protection system or at the leave to remain (but not deportation order) stage. SUSI also acts as a data processer for the 1916 Bursary Scheme.

References in this data protection statement to “applicant”, “student” or “grant” for the purposes of the Student Grant Schemes include references to equivalent terms for the purposes of the administrative schemes to the extent that may be necessary and appropriate.

For the purposes of the EU General Data Protection Regulation (EU Regulation 2016/679) (GDPR), City of Dublin ETB is a joint data controller with the Department of Further and Higher Education, Research, Innovation and Science (DFHERIS) for student grant applications under the Student Grant Schemes and the administrative schemes.

“Data controllers” are people or organisations that determine the purposes and manner of processing of personal data that make independent decisions in relation to the personal data or that otherwise control that personal data.

Where two or more controllers jointly determine the purposes and manner of the processing of personal data, they will be “joint controllers”. In such cases, the GDPR requires them to determine in a transparent manner their respective responsibilities for compliance with the obligations under the GDPR. This must be done by means of an arrangement between them.

City of Dublin ETB and the DFHERIS have put in place a Joint Data Controller Agreement whereby City of Dublin ETB takes on responsibility for dealing with all requests received from individuals regarding the processing of their personal data by City of Dublin ETB and the DFHERIS. City of Dublin ETB is accountable to the DFHERIS for the performance of all functions in respect of the administration of student grants under the Student Support Act 2011 and is responsible for ensuring compliance of the administration of student grants with the GDPR and other applicable data protection legislation. The DFHERIS’s role is to determine the type of information that individuals should furnish to the student grant awarding authority under the Student Grant Schemes. As part of its oversight and governance role, the DFHERIS also carries out random transaction testing of a limited number of SUSI applications each year to check compliance with the statutory provisions of the scheme and to enhance the quality assurance procedures for the scheme. For more information about the Joint Data Controller Agreement between City of Dublin ETB and the DFHERIS, please contact us at the below details.

The information you provide: what we use it for

“Personal data” means any information relating to an identified or identifiable natural person. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and/or behaviour.

SUSI processes information, including personal data that grant applicants provide about themselves and other parties and persons relevant to their applications (including parents, legal guardians, spouses, civil partners, cohabitants, siblings, dependent children and other relevant persons) for the purpose of assessing applicants’ eligibility to receive student grant funding.

The personal data processed by SUSI for this purpose is as follows:

• name
• address
• e-mail address
• telephone number
• date of birth
• mother’s maiden name
• PPS number
• marital, personal and family status
• citizenship
• nationality
• residency
• previous/current/future education
• residential occupancy/utilities
• income
• employment
• social welfare and other government supports
• medical/health/personal circumstances
• death records
• bank account details and records.

Personal data relating to medical/health/personal circumstances, as noted above, may include “special category” data in relation to health where it is necessary in the processing of grant applications by students repeating a year due to exceptional circumstances or for other reasons on a case-by-case basis.

The information you provide: who we share it with

SUSI exchanges data with other Government bodies and agencies subject to data processing agreements. This data is processed for the purposes of –

• verifying and validating grant applications,
• administering grant applications and payments,
• confirming students’ registration and attendance at approved institutions,
• reviews on appeal,
• audit and verification of the grant administration process,
• the prevention and detection of fraud and supporting criminal investigations or prosecutions.

SUSI may also share personal data with authorised agents or third parties as data processors or sub-processors who act on behalf of SUSI for the purposes of grant administration and who process data securely pursuant to its instruction under a contractual relationship and subject to data processing agreements. City of Dublin ETB continues to be the data controller of this data.

SUSI may also share an individual’s personal data if it is under a duty to disclose or share such personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with such individual or other agreements, or to protect its rights, property, or safety of its employees or others. This includes reporting information about incidents (as appropriate) to the Gardaí and responding to any requirements from the Gardaí to provide information or personal data to them for the purposes of them detecting, investigating or prosecuting offences or in connection with crime sentencing.

The below table outlines how the information you provide is being exchanged by SUSI with other Government bodies and agencies:

Contact and identification information

SUSI uses contact and identification information of grant applicants and other parties to their applications for the following purposes:

• to request from applicants any information about themselves and other parties to their applications that is required to process their applications,
• to inform applicants of decisions on their applications and of the basis for those decisions,
• to discuss with applicants, with other parties to their applications and with other third parties whom those applicants and other parties may authorise, the status of the application and any documentary evidence or actions required to progress it,
• to administer an application, and
• to administer grant payments.

Applicants and other parties to their applications may contact SUSI, or agents acting on its behalf, by telephone. To ensure that SUSI provides a high-quality customer service, telephone conversations are recorded for staff training and quality control purposes and for reviewing and confirming details of conversations with SUSI, where necessary.

Consent and our legal basis for processing

The consent of grant applicants and other parties to their applications is not generally required for SUSI to process their personal data for the purposes of the statutory basis on which grant applications are administered, namely the Student Support Act 2011 (as amended from time to time together with any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated), the Student Grant Schemes (as amended from time to time) and the Student Part-Time Fee Regulations for Specified Undergraduate Courses in the relevant year.

Consent to process personal data must, however, be sought by SUSI and received for applicants applying under the administrative schemes in order for SUSI to assess eligibility under the Scheme. In addition, SUSI can also rely on Article 6(1)(e) of the GDPR to process personal data under the PLC Bursary Scheme as it is in pursuance of a legitimate official function.

SUSI communicates directly with grant applicants for these purposes in line with the specific requirement of the Student Grant Schemes that an applicant shall furnish such information and evidence to an awarding authority as it requests in order to determine if they are eligible to receive a grant.

Where it is necessary for another party to an application, or a third party outside the application, to communicate with SUSI about this personal data on behalf of any party to the application, each party to the application can authorise this as described below in relation to enquiry handling.

Where an applicant provides information that any person relevant to their application is also an applicant, and where both applicants authorise the cross-referencing of their applications in this context, SUSI will cross-reference both applications in order to ensure that any increased entitlement to grant funding can be applied and to ensure efficiency and consistency in the processing of grant applications.

SUSI may otherwise cross-reference grant applications generally and without consent for the purposes of audit and for the prevention and detection of fraud where it has a legitimate interest to do so.

Enquiry handling

Discussing Grant Applications

Applicants and other parties to their applications can contact the SUSI Support Desk to make enquiries about the status of an application and about any documents or actions required to progress it.

In order to facilitate such enquiries, SUSI will discuss, with all parties to an application, information about the status of the application and any documents or actions required to progress it.

Where disclosure of such information to another party to an application is not desired, applicants should inform SUSI of this so that appropriate controls can be put in place on a case by case basis.

SUSI Support Desk staff will ask verification questions to ensure that SUSI only shares this information with a party to the application.

Discussing Personal Data

SUSI will not discuss personal data of a party to an application with other parties to the application, or with a third party outside the application, without their authority.

Applicants and other parties to grant applications can cross-authorise each other, and can also authorise third parties outside the application, to discuss their personal data with SUSI on their behalf by-

• cross-authorising each other when submitting an online grant application form,
• amending their cross-authorisations, or authorising third parties, through the applicant’s online SUSI account after submitting an online grant application form.

Authorisations may be withdrawn at any time by applicants and other parties to grant applications.

Data protection rights

Individuals have certain rights in relation to personal information that is processed by SUSI. These rights are listed below. These rights are not absolute and apply subject to certain conditions. Under certain circumstances, by law individuals have the right to:

• request information about whether SUSI holds personal information about them, and, if so, what that information is and why SUSI is holding/using it,
• request access to their personal information (commonly known as a “data subject access request”). This enables an individual to receive a copy of the personal information SUSI holds about him/her and to check that SUSI is lawfully processing it,
• request correction of the personal information that SUSI holds about them. This enables an individual to have any incomplete or inaccurate information SUSI holds about him/her corrected,
• request erasure of their personal information (subject to data retention requirements). This enables an individual to ask SUSI to delete or remove personal information where there is no good reason for SUSI continuing to process it. Individuals also have the right to ask SUSI to delete or remove their personal information where they have exercised their right to object to processing (see below),
• request the restriction of processing of their personal information. This enables an individual to ask SUSI to suspend the processing of personal information about him/her, for example if the individual wants SUSI to establish its accuracy or the reason for processing it,
• request transfer of their personal information in an electronic and structured form to them or to another party (commonly known as a right to “data portability”). This enables an individual to take his/her data from SUSI in an electronically useable format and to be able to transfer such data to another party in an electronically useable format,
• object to processing of their personal information where SUSI is relying on a legitimate interest (or those of a third party) and there is something about the individual’s particular situation which makes him/her want to object to processing on this ground,
• object to automated decision-making including profiling, that is not to be the subject of any automated decision-making by SUSI using their personal information or profiling of them: SUSI does not engage in any automated decision making, and
• withdraw their consent, where SUSI is relying on it to use their personal data (the exercise of this right will not affect the lawfulness of processing based on consent before its withdrawal).

Individuals may access or request a copy of their personal data held by SUSI, or they may request its rectification, by downloading, completing and submitting a Subject Access Request Form Download PDF  available at www.susi.ie

Otherwise, individuals can exercise their rights by contacting City of Dublin ETB at the below details.

No fee usually required. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Complaint handling. In the event that an individual wishes to make a complaint about how their personal data is being processed by SUSI, or how their complaint has been handled, such individual has the right to lodge a complaint directly with the supervisory authority who can be contacted as follows. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance:

Data retention

SUSI retains data securely for the purposes of grant administration, audit and case reviews and does not retain personal data for longer than is necessary and/or as required by law. In determining its retention period for categories of personal data, SUSI, at all times, will consider its obligations under the data protection legislation, guidance from the Data Protection Commission, any other specific legislative requirements as well as the amount and nature of the data itself.

Transferring personal data out of the European Economic Area

There are circumstances in which SUSI may have to transfer an individual’s personal data out of the European Economic Area for the purposes of grant or grant application administration. Where the need for such a transfer arises SUSI will always ensure that there are appropriate safeguards in place to protect personal data such as:

• the European Commission has issued a decision confirming that the country to which SUSI transfers the personal data ensures an adequate level of protection for the data subjects’ rights and freedoms;
• appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from SUSI on request;
• the individual has provided explicit consent to the proposed transfer after being informed of any potential risks; or
• the personal data is being transferred to a company in the US which has self-certified its compliance with the EU-US Privacy Shield which has been found by the European Commission to provide an adequate level of protection to the personal data of EU citizens.

Security

Data retained by SUSI, including computer and paper records, is stored in secure facilities. SUSI takes appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of, data and against accidental loss or destruction. Data processing agreements entered into between SUSI and those persons or bodies with whom it exchanges data take account of the security requirements and measures necessary to protect the data that is exchanged.

Where applicants or other parties to their applications agree, accept or request that SUSI communicates with them by e-mail, they are solely responsible for ensuring the availability, security and integrity of their own email account. The transmission of information via the internet is not completely secure and, consequently, while SUSI takes all reasonable security measures, it cannot guarantee the privacy or confidentiality of information transmitted by e-mail.

SUSI maintains data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

• “confidentiality” means that only people who are authorised to use the data can access it,
• “integrity” means that personal data should be accurate and suitable for the purpose for which it is processed,
• “availability” means that authorised users should be able to access the data if they need it for authorised purposes.

Use of Cookies

The SUSI website and the SUSI online grant application system make use of cookies. For more information about our use of cookies, please see our Cookie Policy.

Contact us

You can contact City of Dublin ETB regarding any matter concerning your data protection rights using the details below:

Changes to this policy

SUSI reserves the right to modify this Data Protection Statement at any stage. If and when changes are made to this Data Protection Statement, any changes will be posted on the SUSI website and will be effective when posted. Please continue to check this page to ensure that you are always aware of any changes.

Last updated April 2025