The HEA leads the strategic development of the Irish higher education and research system with the objective of creating a coherent system of diverse institutions with distinct missions, which is responsive to the social, cultural and economic development of Ireland and its people and supports the achievement of national objectives.
The HEA has a statutory responsibility, at central government level, for the effective governance and regulation of higher education institutions and the higher education system.
This privacy notice is designed to provide you with information as to how the HEA as data controller processes personal data, by providing detail in relation to the processing activities of the HEA in carrying out its statutory functions.
We are the Higher Education Authority, a public body created by the Higher Education Authority Act 1971, and once commenced, the Higher Education Authority Act 2022 and are under the responsibility of the Minister for Further and Higher Education, Research, Innovation and Science.
We process your data in order for us to carry out our statutory functions as outlined in the Higher Education Act, 2022. These include in general:
- Furthering the development of higher education
- Assisting in the co-ordination of State investment in higher education
- Promoting an appreciation for higher education and research
- Promoting the attainment of equality of opportunity in higher education
We process a range of personal data such as name, address, education status and history, PPSN, and other such information which is required for us to carry out our functions.
We share your personal data with course providers and the Department of Further and Higher Education, Research, Innovation and Science, the Department of Education and Skills, the Central Statistics Office, Student Universal Support Ireland, SOLAS, and other data processors and controllers as necessary. We ensure that we have a lawful basis for sharing this data and that necessary protections have been afforded to the data at all times.
In general, we do not transfer data outside of the EEA, however, if data is transferred outside the EEA, measures will be put in place to ensure adequate protection of that data.
We will not retain your data for longer than is necessary in order to meet the purpose for which we collect it, in accordance with our Records Retention Schedule. For example, for some processing activities in relation to our Student Records System, we may retain some personal data for a period of 40 years, in order to carry out longitudinal studies on the effectiveness of the higher education system in Ireland in accordance with our functions.
You can exercise your data protection rights, where appropriate, by contacting dataprotection@HEA.ie.
In general, we do not rely on consent to process data, however, where we are processing your data based on consent, you can remove that consent at any time by emailing firstname.lastname@example.org.
You have the right to make a complaint to the DPC by logging it on https://forms.dataprotection.ie/contact.
Nature and Scope of this Notice
Data Protection Law includes the General Data Protection Regulation EU regulation 679/2016 (GDPR) and the Data Protection Act 2018 (DPA 2018), which transposed the GDPR into Irish Law, and the E-Privacy Directive (S.I. 336/2011) and they each apply to the processing of your personal data. The HEA is a data controller pursuant to these laws and as such we are required to provide you as a data subject with certain information to ensure you are aware that we are taking due care when processing your personal data, and are doing so in a compliant manner. This Notice covers data processed on this website, and by the HEA in carrying out its functions. It does not cover how your data is processed by a higher education institute (HEI) operating under the aegis of the HEA Act 2022, for more specific information please refer to the individual HEI.
Who are we?
The Higher Education Authority (An tÚdarás um Ard-Oideachas) is a statutory body created by the Higher Education Act 1971. The HEA is accountable to the Minister for Further and Higher Education, Research, Innovation and Science. We are located at:
3 Shelbourne Buildings, Crampton Avenue,
Shelbourne Road, Ballsbridge,
Dublin 4, Ireland
And you can contact us using any of the following details:
Phone: +353 1 231 7100
Lo-Call Number: 1890 200 637
Fax: +353 1 231 7172
Our Data Protection Officer can be reached at the above postal address by labelling communications for the attention of the Data Protection Officer or by emailing email@example.com.
The HEA was established in 1971 to lead the strategic development of the Irish higher education and research system with the objective of creating a coherent system of diverse institutions with distinct missions, which is responsive to the social, cultural and economic development of Ireland and its people and supports the achievement of national objectives.
Why do we Process your Personal Data?
The HEA was established in the Higher Education Act, 1971 and this legislation, along with d our updated Higher Education Authority Act 2022 (once commenced), provide us with a number of general functions such as:
(a) furthering the development of higher education,
(b) assisting in the co-ordination of State investment in higher education and preparing proposals for such investment,
(c) promoting an appreciation of the value of higher education and research,
(d) promoting the attainment of equality of opportunity in higher education,
(e) promoting the democratisation of the structure of higher education.
In order to satisfy these functions the HEA engages in a number of activities, all with the aim of further higher education in Ireland.
The provision of funding to HEIs in a strategic manner which best serves the current and future needs of the state as well as funding at an individual level for students such as those eligible for free fees, the Student Assistance Fund, or the Fund for Students with Disabilities, is one of the core legislative functions of the HEA.
In order to provide the correct levels of funding to the HEIs, it is important the HEA receives particular information. For “core funding” the HEA relies, in the main, on the Student Record System (SRS). The information gathered in this system gives the HEA the ability to determine the exact number and nature of study of students in each HEI, see below for more information. A Data Protection Impact Assessment has been carried out on the SRS.
For other funding the HEA relies on separate returns from the HEIs. These may be for the Fund for Students with Disabilities (FSD) funding for example, where the level of funding depends on costs of supports provided by individual HEIs to students with disabilities. The HEA is required to gather certain information regarding this fund to ensure that the correct level of funding is given to the HEI. A Data Protection Impact Assessment has been carried out on the Fund for Students with Disabilities.
Student Record System
The Student Record System (SRS) is the main system which is used by the HEA to gather information from the HEIs regarding students. The data held within the SRS is used by the HEA to carry out many of its statutory functions, such as assisting in the co-ordination of State investment in higher education and informing key decision making. Due to the number of students in third level education in Ireland it is important that there is a centralised and standardised system for collecting information. The information is uploaded by the HEIs to the system where it can then be analysed by the statistics team. Some aggregated and disaggregated data is then shared internally to allow the HEA to carry out its statutory functions. For example, some disaggregated student data is shared with the System Funding team as part of the process of allocating the annual core grant. Disaggregated student data is required to calculate funding using the RGAM model and to reconcile student numbers for funding purposes. Some disaggregated socio-economic data is shared with the Access Policy section to allow for monitoring of the Access Plan targets. Aggregated data is shared with many sections in the HEA, including the above sections and also the International Section, Capital Programmes and Skills & Engagement. For the purposes of SRS data, the difference between aggregated and disaggregated data is the number of results per analysis result. For example, aggregated data may be a result of combining all new entrant, female students in the school of Arts and Humanities. This will result in a large number of results, in the thousands, which are anonymous so can be reported on and published. Disaggregated data may be a result of combining more specific course level data with other specific attributes, such as male students studying a particular course (with a low number of registered students) in a particular HEI who receive a grant. This may give 4 results, which is regarded as disaggregated data. This level data is not published by the HEA but may be shared internally for the purposes listed above.
The statistics team carry out research and analysis on the information which is gathered in the SRS in order to provide information and reports. These are available on the website. These reports are used to display the state of higher education in Ireland and are invaluable for policy analysis to decision makers but they do not contain any personal data. They are also very useful to members of the public as they may be used to decide which HEI to attend or which career to pursue.
There are a number of surveys carried out by the HEA such as the Graduate Outcome Survey (GOS), the Equal Access Survey (EAS) and surveys carried out in conjunction with out partners such as Student Survey.
The GOS is vital to the HEA as it enables the analysis of the success factors for academic courses. The EAS informs the HEA on the level of funding which HEIs require for certain students, such as those with disabilities, on an institution level as opposed to on a student level.
For surveys which are carried out with our partners, we do not receive any personal data but instead we receive aggregated data which cannot be used to identify someone. For the categories of personal data collected in this process, please see Appendix 1.
The HEA assists in the running and management of international programmes such as Erasmus and Government of Ireland Scholarships.
For Erasmus programmes the HEA has access to an online portal which contains data that has been uploaded by HEIs concerning relevant individuals. This tool was introduced by the EU in the Erasmus+ programme as the funding body for Erasmus activities.
For Government of Ireland Scholarships and other programmes which require and application and assessment, the data is uploaded to and stored in an online system which allows for the assessment of the application. This is to ensure that the funding is properly administered to applicants who are successful in the process.
The majority of data collected by the website concerns technical details in connection with visits to this website, these may be logged on the hea.ie server for analytical purposes (e.g. Computer IP number). The HEA will not disclose such technical information in respect of individual website visitors to any third party unless obliged to disclose such information by a rule of law. The technical information will be used only for statistical and other administrative purposes.
The technical details logged are confined to the following items:
- the IP address of the visitor’s web server (while this may be used to identify someone, it is not used for this purpose by the HEA)
- the type of web browser used by the website visitor.
- the top-level domain name used (for example .ie., .com, .org, .net)
- clickstream data which shows the traffic of visitors around this web site (for example pages accessed and documents downloaded)
- the previous website address from which the visitor reached us, including any search terms used
What do we Process?
We process the information that is shared with us by the relevant HEI for the various activities which have been outlined in brief above.
While we may process some special categories of personal data in order to provide accurate funding, we endeavour to ensure that this data is not used to identify anyone. In most cases the data is anonymised by requesting the data in aggregate form to ensure that no individual can be identified, however, this is not possible in all circumstances due to the nature of the data collected. It may not be possible when the data relates to a small number of individuals who may be identified based on their particular circumstances Strict controls are in place to ensure that this data is not further processed for any reasons, and access to the data is strictly limited. For more information please see Appendix 1.
Who do we Share your Data with?
We are mandated to share certain information with Government Departments and other statutory bodies. These include:
There is a data sharing agreement in being between the HEA and the City of Dublin Education and Training Board (CDETB), who operate the Student Support Scheme in accordance with the Student Support Act 2011. The SUSI data sharing agreement has its lawful basis under section 28 of the SSA 2011. Data controllers may process personal data for the relevant purposes of that Act. The HEA and SUSI are bodies listed in Schedule 2 of the SSA 2011 and as such may process and share the required data. Only data which is necessary and proportional has been shared.
Data is shared with the CSO pursuant to the Statistics Act 1993 and a memorandum of understanding is available on request.
Department of Further and Higher Education, Research, Innovation and Science, and the Department of Education and Skills & Relevant Agencies (SOLAS)
We are required to share some personal data with DFHERIS and DoE, as necessary and proportionate. As an agency of the Department of Education and Skills we are requested to share some data with SOLAS to allow for transitions rates analysis. A data sharing agreement between the HEA and SOLAS is now in effect and sets out the data to be shared and the conditions under which the data will be shared.
Do we Transfer your Data Outside the EEA?
In general, we do not transfer any personal data outside the EEA. If we do transfer data outside the EEA, we will ensure that there is an appropriate mechanism for doing so that complies with all relevant legislation and will also ensure that your data receives the same level of protection as it is afforded within the EEA.
How long do we Store your Data for?
The HEA will store your data for no longer than is necessary for the purposes of the processing activity. Different processing activities require different retention periods. For example, SRS data is maintained for 40 years after it is first received by the HEA, this is to enable the HEA to carry out longitudinal studies for which the data is necessary. For other processes, such as the FSD, once the data has been verified, efforts are made to anonymise the data such as removing unique identifiers and aggregating the data further. However, it may be possible to reidentify the data based on the particular circumstances of the data subjects concerned. For example, some of the data may relate to a small group of individuals who may, by virtue of their circumstances, be identifiable. Access to this data is strictly controlled and additional security has been put in place.
Your Rights as a Data Subject
You have a number of rights under the Data Protection Law. These rights can be applied by making the appropriate request to the HEA by contacting us on firstname.lastname@example.org. Forms are available on the data protection pages on the HEA website.
In processing a Data Subject request, the HEA will:
- Check whether we or any of our processors hold your personal data
- Check the validity of the request by confirming your identity if we have reasonable doubts as to your identity,
- Decide if the request is excessive or manifestly unfounded or if the request will be refused based on restrictions and guidance
- Determine if a charge may be applied if the request is deemed to be unjustified or excessive
- Determine if additional information or clarification is required from you in order to process the request
- Determine if the request can be answered within one month or if an extension is required
- Determine if the request complies with the specific requirements of the Data Protection Law
- Determine if any exemptions are to be applied to the request
While we will always endeavour to fully comply with access requests, in certain circumstances we may need to decline your request (where we are legally permitted to do so).. Such a refusal will be explained to you in writing. Please note that your rights are not absolute.
Right of Access
You have a right to request access to a copy of your personal data. In addition, other information relating to the processing, sharing and retention of your personal data must also be provided to you when processing a Subject Access Request.
Right to Rectification
You have a right to have your personal data rectified if it is inaccurate or incomplete. If this personal data has been shared with third parties, the HEA will notify such third parties about the rectification request from you unless this is impossible or involves disproportionate effort. Where it is deemed reasonable for the HEA not to comply with a request for rectification, this decision will be explained to you in writing. Where the error relates to data submitted to the HEA by another data controller, the HEA will refer the matter to the relevant data controller for appropriate action.
Right to Erasure
You have a right to erasure, also known as the right to be forgotten, of your personal data where one of the following grounds apply:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- You withdraw your consent and there is no other legal basis for the processing
- You object to the processing pursuant to article 21(1) of the GDPR
- The personal data have been unlawfully processed
- The personal data have to be erased for compliance with a legal obligation
- The personal data have been collected in relation to the offer of information society services of a child.
A request for Erasure of personal data can be refused where processing is necessary:
- For exercising the right to freedom of expression and information
- For compliance with legal obligation or for the performance of a public interest task or exercise of official authority, which the HEA will be relying on in many cases
- For Public health reasons
- For archiving interests in the public interest, scientific, historical research or statistical purposes
- For the exercise or defence of legal claims
Right to Restriction of Processing
You have a right to Restrict the Processing of your personal data where one of the following grounds apply:
- Where you contest the accuracy of your personal data (processing should be restricted for a period enabling the HEA to verify the data’s accuracy)
- Where the processing is unlawful, and you oppose erasure and requests restriction instead
- Where the HEA no longer needs the personal data but you require the HEA to continue to process the personal data to exercise or defend a legal claim
When you exercise your right to restrict processing, the HEA will only continue to process the personal data if:
- You consent
- The processing is necessary for the exercise or defence of legal claims
- The processing is necessary for the protection of the rights of other individuals or legal persons
- The processing is necessary for Public Interest reasons under EU/Member State law, which the HEA will be relying on in many cases
The HEA will inform you before the processing restriction is lifted/enforced.
Right to Data Portability
You have a right to receive the personal data you have provided to the HEA in a structured, commonly used and machine-readable format. You have the right to have your personal data transmitted to another controller. The right applies to personal data you have provided to the HEA and to personal data generated by an individual’s activity but does not extend to data generated by the HEA. The right to Data Portability only applies if:
- The processing is based on your consent or for the performance of a contract and
- The processing is carried out by automated means
The right to Data Portability will not apply to processing necessary for the performance of a task carried out in the Public Interest, or in the exercise of official authority vested in the HEA. In addition, the right to Data Portability must not adversely affect the rights and freedoms of others. Data Portability does not automatically trigger the erasure of your personal data from the HEA systems/processes and does not affect the original retention period applying to the personal data.
Right to Object
You have a right to object to the processing of your personal data on the following grounds:
- Direct marketing; where personal data are processed for direct marketing purposes, you have the right to object at any time to such processing; there are no grounds to refuse to comply with such a request. When you object to processing for direct marketing purposes, the personal data can no longer be processed for that purpose.
- Processing based on public interest or legitimate interest grounds, including profiling.
- Processing for scientific, historical research or statistical purposes (unless the processing is necessary for the performance of a public interest).
When you object to the processing of your personal data, the HEA will stop processing the personal data unless the HEA can demonstrate that there are compelling legitimate grounds for the processing which override your rights; the processing is necessary for the exercise or defence of legal claims or the personal data is processed for scientific, historical research or statistical purposes, the processing of which is necessary for the performance of a public interest/task.
The HEA does not make any decisions based on automated processing. Limited profiling is carried out by the statistics unit in order to ascertain the socio economic back ground of students attending higher level education. This allows the HEA to achieve its legislative goals of ensuring the equality of attainment of opportunity in higher education.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effect concerning you.
Right to Withdraw Consent
Where we process your data based on consent, you have the right to withdraw consent at any time without suffering any adverse effects. We only require your consent to gather certain data sets prior to accepting a place on a course, you can withdraw consent for this by emailing email@example.com at any time. Your HEI may request your consent to process your personal data, and to share that data with us. If you wish to withdraw this consent please contact your HEI.
Making a Complaint with the DPC
The Data Protection Commission is the Supervisory Authority in Ireland. If you are not happy with how we are processing your data or have any concerns with regards to this Privacy Notice you can contact the DPC. There are a number of ways to contact the DPC: using an online form on their website; https://forms.dataprotection.ie/contact, phone; +353 (0)761 104 800 or +353 (0)57 868 4800, or by post;
Data Protection Commission
21 Fitzwilliam Square South
Appendix 1 – Categories of Personal Data
|Data Processing activity||Categories of personal data||Lawful Basis||Retention Periods|
|Student Record System (SRS)||For a full list of the data sets being gathered please click here||task carried out in the public interest or in the exercise of official authority vested in the HEA||40 years|
|Equal Access Survey (EAS)||For a full list of the data sets being gathered please click here||task carried out in the public interest or in the exercise of official authority vested in the HEA||40 years|
|Graduate Outcome Survey (GOS)||For a full list of the data sets being gathered please click here||task carried out in the public interest or in the exercise of official authority vested in the HEA||40 years|
|Fund for Students with Disabilities (FSD)||Identifying data, educational information, health related data
|task carried out in the public interest or in the exercise of official authority vested in the HEA||7 years|
|Website analytics (for more information please see our cookies policy||IP address||Consent||2 years|
|Recruitment||Identifying, contact, work and educational experience||Legitimate interest of the HEA, task carried out in the public interest or in the exercise of official authority vested in the HEA||1 year for unsuccessful candidates.|
|General administration of tasks and duties of HEA, such as working with HEIs, dealing with queries||Identifying, contact||task carried out in the public interest or in the exercise of official authority vested in the HEA||Once the data is no longer needed it is deleted|
Relevant Legislation: Higher Education Act 2022, Universities Act 1997, Institute of Technologies Act 2006, Technological Universities Act 2018.
For further detailed privacy notices on the HEA’s programmes, please see the following links:
Irish Research Council- https://research.ie/privacy-and-data-protection/
National Forum for Teaching & Learning- https://www.teachingandlearning.ie/privacy-policy/”