SUSI Data Protection Statement

SUSI respects individuals’ right to privacy and processes personal data securely and confidentially in accordance with data protection legislation.

When submitting a grant application, applicants and other parties to their applications are required to confirm that they have read and understood this SUSI Data Protection Statement.

Who we are

The Student Grant Schemes and the PLC Bursary for Displaced Persons (Ukraine) Scheme 2022 are administered by the SUSI Unit of City of Dublin Education and Training Board (CDETB) as the student grant awarding authority designated by the Minister for Further and Higher Education, Research, Innovation and Science under the Student Support Act 2011.

SUSI also administers two non-statutory schemes (“the administrative schemes”) on behalf of the Minister for Further and Higher Education, Research, Innovation and Science: the PLC Bursary for Displaced Persons (Ukraine) Scheme 2022 established in response to the emergency situation in Ukraine, and the International Protection Student Scheme (for FE/HE Students) 2022/2023 for students who are in the international protection system or at the leave to remain (but not deportation order) stage.

References in this data protection statement to “applicant”, “student” or “grant” for the purposes of the Student Grant Schemes include references to equivalent terms for the purposes of the administrative schemes to the extent that may be necessary and appropriate.

For the purposes of the EU General Data Protection Regulation (EU Regulation 2016/679) (GDPR), CDETB is a joint data controller with the Department of Further and Higher Education, Research, Innovation and Science (DFHERIS) for student grant applications under the Student Grant Schemes and and the administrative schemes.

“Data controllers” are people or organisations that determine the purposes and manner of processing of personal data that make independent decisions in relation to the personal data or that otherwise control that personal data.

Where two or more controllers jointly determine the purposes and manner of the processing of personal data, they will be “joint controllers”. In such cases, the GDPR requires them to determine in a transparent manner their respective responsibilities for compliance with the obligations under the GDPR. This must be done by means of an arrangement between them.

CDETB and the DFHERIS have put in place a Joint Data Controller Agreement whereby CDETB takes on responsibility for dealing with all requests received from individuals regarding the processing of their personal data by CDETB and the DFHERIS. CDETB is accountable to the DFHERIS for the performance of all functions in respect of the administration of student grants under the Student Support Act 2011 and is responsible for ensuring compliance of the administration of student grants with the GDPR and other applicable data protection legislation. The DFHERIS’s role is to determine the type of information that individuals should furnish to the student grant awarding authority under the Student Grant Schemes. As part of its oversight and governance role, the DFHERIS also carries out random transaction testing of a limited number of SUSI applications each year to check compliance with the statutory provisions of the scheme and to enhance the quality assurance procedures for the scheme. For more information about the Joint Data Controller Agreement between CDETB and the DFHERIS, please contact us at the below details.

The information you provide: what we use it for

“Personal data” means any information relating to an identified or identifiable natural person. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and/or behaviour.

SUSI processes information, including personal data that grant applicants provide about themselves and other parties and persons relevant to their applications (including parents, legal guardians, spouses, civil partners, cohabitants, siblings, dependent children and other relevant persons) for the purpose of assessing applicants’ eligibility to receive student grant funding.

The personal data processed by SUSI for this purpose is as follows:

  • name
  • address
  • e-mail address
  • telephone number
  • date of birth
  • mother’s maiden name
  • PPS number
  • marital, personal and family status
  • citizenship
  • nationality
  • residency
  • previous/current/future education
  • residential occupancy/utilities
  • income
  • employment
  • social welfare and other government supports
  • medical/health/personal circumstances
  • death records
  • bank account details and records.

Personal data relating to medical/health/personal circumstances, as noted above, may include “special category” data in relation to health where it is necessary in the processing of grant applications by students repeating a year due to exceptional circumstances or for other reasons on a case-by-case basis.

The information you provide: who we share it with

SUSI exchanges data with other Government bodies and agencies subject to data processing agreements. This data is processed for the purposes of –

  • verifying and validating grant applications,
  • administering grant applications and payments,
  • confirming students’ registration and attendance at approved institutions,
  • reviews on appeal,
  • audit and verification of the grant administration process,
  • the prevention and detection of fraud and supporting criminal investigations or prosecutions.
  • SUSI may also share personal data with authorised agents or third parties as data processors or sub-processors who act on behalf of SUSI for the purposes of grant administration and who process data securely pursuant to its instruction under a contractual relationship and subject to data processing agreements. CDETB continues to be the data controller of this data.

SUSI may also share an individual’s personal data if it is under a duty to disclose or share such personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with such individual or other agreements, or to protect its rights, property, or safety of its employees or others. This includes reporting information about incidents (as appropriate) to the Gardaí and responding to any requirements from the Gardaí to provide information or personal data to them for the purposes of them detecting, investigating or prosecuting offences or in connection with crime sentencing.

The below table outlines how the information you provide is being exchanged by SUSI with other Government bodies and agencies:

Agency / BodyPurposeInformation exchangedFormat
Approved Further and Higher Education InstitutionsVerification that the student has registered on and is continuing to attend an approved course in an approved institution
Verification and validation of previous academic history
SUSI Reference
College Code
CAO number
Graduate Type
Student ID
Course details
Fee details
Attendance and progression details
Universities (UCC, UCD, DCU, ATU, UL and TUD) administering the Regional Clusters of the 1916 Bursary FundConsent-based provision of indicators of student applicant status and grant eligibility to inform determination by clusters of eligibility for the 1916 Bursary FundFirst time new entrant
First time mature student
Recipient of Special Rate of SUSI Grant
SUSI reference number
Bursary application number
CAO- Central Applications OfficeNotification of accepted college placesCAO application no.
Surname of Applicant
First name of Applicant
Date of Birth of Applicant
CAO Course code
Level of course
Name of course
Name of Institution
Department of Agriculture, Food and the MarineValidation of information where applicants are in receipt of grant payments for farming
Prevention and detection of fraud, including the provision of information to support criminal investigations or prosecutions
Business Identifier number
Details of payments
Department of Education Validation of residency (Post Primary Pupil Database)

SUSI Reference Number
Date of Birth
Number of years as/if recorded on the Post Primary Pupil database for the previous 5 years
Department of Further and Higher Education, Research, Innovation and ScienceClarify eligibility for a grant.
Ensure accurate interpretation and operation of grant scheme
Ensure provision of the appropriate financial support
Prevention and detection of fraud, including the provision of information to support criminal investigations or prosecutions
Facilitate audits
Research and analysis to inform the formulation of national policy on student support funding
All information pertaining to the application
Statistical reports of application processing, decision outcomes and grant payments.
Anonymised personal data
Direct Access, Specified Case Files, Batch
Defined or ad hoc statistical reports,
Specified bulk data files (anonymised)
Department of Social ProtectionVerification of Income
Prevention and detection of fraud, including the provision of information to support criminal investigations of prosecutions
Details of benefits and allowances
Direct Access and real time Application Programming Interface (API)
Department of Social Protection – MyGovIDVerification of identity
Facilitating registration and login to online SUSI account
Contacting applicant in order to process application for a student grant
First name
Last name
Email address
Telephone number
Secure Token Service (STS)
Department of Justice Validation of citizenship and nationalityPerson ID
SUSI Reference
Application ID
Legacy No
Permission to remain in the State
Date permission valid until
Case by case requests
Education and Training BoardsVerification and validation of receipt of VTOS paymentsName
Date of Birth
Payment amount
Batch and Case by Case requests
General Register Office (GRO)Validation of nationality, date of birth and death records SUSI Reference
First name
Last name
Mother’s maiden name
Higher Education Authority (HEA)Verification and validation of previous academic history PPSN SUSI
SUSI Reference
NFQ level of course
Course Title
Return year
Year of graduation
Graduating Institution
TUSLA – The Child and Family Agency)Validation of certain State payments
Verification of applicant status or circumstances
SUSI Reference
Information on documents required
Other grant awarding authorities (Local Authorities and Education and Training Boards)Verification and validation of previous grant support historyName
Date of Birth
Payment amount and name
Batch and Case by Case requests
QQI (Quality and Qualifications Ireland)Verification of qualifications and/or equivalence of qualifications from other jurisdictionsApplication no.
Full title of course
Name of Relevant Awarding Institution
Year of Award
Copy of qualification
NFQ level
Case by Case requests
Office of the Revenue CommissionersValidation of income
Prevention and detection of fraud, including the provision of information to support criminal investigations or prosecutions
Income details
SOLASVerification and validation of previous academic history of a student PPSN
First Name
Last Name
Date of Birth
Provider Name
Local Course Title
Target Award level
Awarding Body
Course Type Fulltime/Part-time
Learner Start Date
Learner End Date
Student Grants Appeals BoardProcessing and adjudication of any appeal to the Student Grants Appeals BoardAll information pertaining to the application. Batch and Case by Case requests

Contact and identification information

SUSI uses contact and identification information of grant applicants and other parties to their applications for the following purposes:

  • to request from applicants any information about themselves and other parties to their applications that is required to process their applications,
  • to inform applicants of decisions on their applications and of the basis for those decisions,
  • to discuss with applicants, with other parties to their applications and with other third parties whom those applicants and other parties may authorise, the status of the application and any documentary evidence or actions required to progress it,
  • to administer an application, and
  • to administer grant payments.

Applicants and other parties to their applications may contact SUSI, or agents acting on its behalf, by telephone. To ensure that SUSI provides a high-quality customer service, telephone conversations are recorded for staff training and quality control purposes and for reviewing and confirming details of conversations with SUSI, where necessary.

Consent and our legal basis for processing

The consent of grant applicants and other parties to their applications is not generally required for SUSI to process their personal data for the purposes of the statutory basis on which grant applications are administered, namely the Student Support Act 2011 (as amended from time to time together with any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated) and the Student Grant Schemes (as amended from time to time).

Consent to process personal data must, however, be sought by SUSI and received for applicants applying under the administrative schemes in order for SUSI to assess eligibility under the Scheme. In addition, SUSI can also rely on Article 6(1)(e) of the GDPR to process personal data under the PLC Bursary Scheme as it is in pursuance of a legitimate official function.

SUSI communicates directly with grant applicants for these purposes in line with the specific requirement of the Student Grant Schemes that an applicant shall furnish such information and evidence to an awarding authority as it requests in order to determine if they are eligible to receive a grant.

Where it is necessary for another party to an application, or a third party outside the application, to communicate with SUSI about this personal data on behalf of any party to the application, each party to the application can authorise this as described below in relation to enquiry handling.

Where an applicant provides information that any person relevant to their application is also an applicant, and where both applicants authorise the cross-referencing of their applications in this context, SUSI will cross-reference both applications in order to ensure that any increased entitlement to grant funding can be applied and to ensure efficiency and consistency in the processing of grant applications.

SUSI may otherwise cross-reference grant applications generally and without consent for the purposes of audit and for the prevention and detection of fraud where it has a legitimate interest to do so.

Enquiry handling

Discussing Grant Applications

Applicants and other parties to their applications can contact the SUSI Support Desk to make enquiries about the status of an application and about any documents or actions required to progress it.

In order to facilitate such enquiries, SUSI will discuss, with all parties to an application, information about the status of the application and any documents or actions required to progress it.

Where disclosure of such information to another party to an application is not desired, applicants should inform SUSI of this so that appropriate controls can be put in place on a case by case basis.

SUSI Support Desk staff will ask verification questions to ensure that SUSI only shares this information with a party to the application.

Discussing Personal Data

SUSI will not discuss personal data of a party to an application with other parties to the application, or with a third party outside the application, without their authority.

Applicants and other parties to grant applications can cross-authorise each other, and can also authorise third parties outside the application, to discuss their personal data with SUSI on their behalf by-

  • cross-authorising each other when submitting an online grant application form,
  • amending their cross-authorisations, or authorising third parties, through the applicant’s online SUSI account after submitting an online grant application form.

Authorisations may be withdrawn at any time by applicants and other parties to grant applications.

Data protection rights

Individuals have certain rights in relation to personal information that is processed by SUSI. These rights are listed below. These rights are not absolute and apply subject to certain conditions. Under certain circumstances, by law individuals have the right to:

  • request information about whether SUSI holds personal information about them, and, if so, what that information is and why SUSI is holding/using it,
  • request access to their personal information (commonly known as a “data subject access request”). This enables an individual to receive a copy of the personal information SUSI holds about him/her and to check that SUSI is lawfully processing it,
  • request correction of the personal information that SUSI holds about them. This enables an individual to have any incomplete or inaccurate information SUSI holds about him/her corrected,
  • request erasure of their personal information (subject to data retention requirements). This enables an individual to ask SUSI to delete or remove personal information where there is no good reason for SUSI continuing to process it. Individuals also have the right to ask SUSI to delete or remove their personal information where they have exercised their right to object to processing (see below),
  • request the restriction of processing of their personal information. This enables an individual to ask SUSI to suspend the processing of personal information about him/her, for example if the individual wants SUSI to establish its accuracy or the reason for processing it,
  • request transfer of their personal information in an electronic and structured form to them or to another party (commonly known as a right to “data portability”). This enables an individual to take his/her data from SUSI in an electronically useable format and to be able to transfer such data to another party in an electronically useable format,
  • object to processing of their personal information where SUSI is relying on a legitimate interest (or those of a third party) and there is something about the individual’s particular situation which makes him/her want to object to processing on this ground,
  • object to automated decision-making including profiling, that is not to be the subject of any automated decision-making by SUSI using their personal information or profiling of them: SUSI does not engage in any automated decision making, and
  • withdraw their consent, where SUSI is relying on it to use their personal data (the exercise of this right will not affect the lawfulness of processing based on consent before its withdrawal).

Individuals may access or request a copy of their personal data held by SUSI, or they may request its rectification, by downloading, completing and submitting a Subject Access Request Form available at

Otherwise, individuals can exercise their rights by contacting CDETB at the below details.

No fee usually required. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Complaint handling. In the event that an individual wishes to make a complaint about how their personal data is being processed by SUSI, or how their complaint has been handled, such individual has the right to lodge a complaint directly with the supervisory authority who can be contacted as follows. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance:

Contact Data Protection Commission
Telephone +353 57 8684800/+353 (0)761 104 800
Post Data Protection Commission

21 Fitzwilliam Square South
Dublin 2
D02 RD28


Data retention

SUSI retains data securely for the purposes of grant administration, audit and case reviews and does not retain personal data for longer than is necessary and/or as required by law. In determining its retention period for categories of personal data, SUSI, at all times, will consider its obligations under the data protection legislation, guidance from the Data Protection Commission, any other specific legislative requirements as well as the amount and nature of the data itself.

Transferring personal data out of the European Economic Area

There are circumstances in which SUSI may have to transfer an individual’s personal data out of the European Economic Area for the purposes of grant or grant application administration. Where the need for such a transfer arises SUSI will always ensure that there are appropriate safeguards in place to protect personal data such as:

  • the European Commission has issued a decision confirming that the country to which SUSI transfers the personal data ensures an adequate level of protection for the data subjects’ rights and freedoms;
  • appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from SUSI on request;
  • the individual has provided explicit consent to the proposed transfer after being informed of any potential risks; or
  • the personal data is being transferred to a company in the US which has self-certified its compliance with the EU-US Privacy Shield which has been found by the European Commission to provide an adequate level of protection to the personal data of EU citizens.


Data retained by SUSI, including computer and paper records, is stored in secure facilities. SUSI takes appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of, data and against accidental loss or destruction. Data processing agreements entered into between SUSI and those persons or bodies with whom it exchanges data take account of the security requirements and measures necessary to protect the data that is exchanged.

Where applicants or other parties to their applications agree, accept or request that SUSI communicates with them by e-mail, they are solely responsible for ensuring the availability, security and integrity of their own email account. The transmission of information via the internet is not completely secure and, consequently, while SUSI takes all reasonable security measures, it cannot guarantee the privacy or confidentiality of information transmitted by e-mail.

SUSI maintains data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

  • “confidentiality” means that only people who are authorised to use the data can access it,
  • “integrity” means that personal data should be accurate and suitable for the purpose for which it is processed,
  • “availability” means that authorised users should be able to access the data if they need it for authorised purposes.

Use of Cookies

The SUSI website and the SUSI online grant application system make use of cookies. For more information about our use of cookies, please see our Cookie Policy.

Contact us

You can contact CDETB regarding any matter concerning your data protection rights using the details below:

Contact: Data Protection Officer
Telephone: + 353 1 668 0614
Post: CDETB Administrative Offices

Town Hall,

1-4 Merrion Road,


Dublin 4


Changes to this policy

SUSI reserves the right to modify this Data Protection Statement at any stage. If and when changes are made to this Data Protection Statement, any changes will be posted on the SUSI website and will be effective when posted. Please continue to check this page to ensure that you are always aware of any changes.

Last updated 27 September 2022 at 15.39