SUSI Data Protection Statement

SUSI Data Protection Statement

SUSI Data Protection Statement

SUSI respects individuals’ right to privacy and processes personal data securely and confidentially in accordance with data protection legislation.

When submitting a grant application, applicants and other parties to their applications are required to confirm that they have read and understood this SUSI Data Protection Statement.

Who we are

The Student Grant Schemes and the PLC Bursary for Displaced Persons (Ukraine) Scheme 2024 and the Student Part-Time Fee Scheme for Specified Undergraduate Courses 2024  are administered by the SUSI Unit of City of Dublin Education and Training Board (City of Dublin ETB) as the student grant awarding authority designated by the Minister for Further and Higher Education, Research, Innovation and Science under the Student Support Act 2011 and the Student Part-Time Fee Scheme for Specified Undergraduate Courses 2024 .

SUSI also administers two non-statutory schemes (“the administrative schemes”) on behalf of the Minister for Further and Higher Education, Research, Innovation and Science: the PLC Bursary for Displaced Persons (Ukraine) Scheme 2022 established in response to the emergency situation in Ukraine, and the International Protection Student Scheme (for FE/HE Students) 2023/2024 for students who are in the international protection system or at the leave to remain (but not deportation order) stage. SUSI also acts as a data processer for the 1916 Bursary Scheme.

References in this data protection statement to “applicant”, “student” or “grant” for the purposes of the Student Grant Schemes include references to equivalent terms for the purposes of the administrative schemes to the extent that may be necessary and appropriate.

For the purposes of the EU General Data Protection Regulation (EU Regulation 2016/679) (GDPR), City of Dublin ETB is a joint data controller with the Department of Further and Higher Education, Research, Innovation and Science (DFHERIS) for student grant applications under the Student Grant Schemes and and the administrative schemes.

“Data controllers” are people or organisations that determine the purposes and manner of processing of personal data that make independent decisions in relation to the personal data or that otherwise control that personal data.

Where two or more controllers jointly determine the purposes and manner of the processing of personal data, they will be “joint controllers”. In such cases, the GDPR requires them to determine in a transparent manner their respective responsibilities for compliance with the obligations under the GDPR. This must be done by means of an arrangement between them.

City of Dublin ETB and the DFHERIS have put in place a Joint Data Controller Agreement whereby City of Dublin ETB takes on responsibility for dealing with all requests received from individuals regarding the processing of their personal data by City of Dublin ETB and the DFHERIS. City of Dublin ETB is accountable to the DFHERIS for the performance of all functions in respect of the administration of student grants under the Student Support Act 2011 and is responsible for ensuring compliance of the administration of student grants with the GDPR and other applicable data protection legislation. The DFHERIS’s role is to determine the type of information that individuals should furnish to the student grant awarding authority under the Student Grant Schemes. As part of its oversight and governance role, the DFHERIS also carries out random transaction testing of a limited number of SUSI applications each year to check compliance with the statutory provisions of the scheme and to enhance the quality assurance procedures for the scheme. For more information about the Joint Data Controller Agreement between City of Dublin ETB and the DFHERIS, please contact us at the below details.

The information you provide: what we use it for

“Personal data” means any information relating to an identified or identifiable natural person. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and/or behaviour.

SUSI processes information, including personal data that grant applicants provide about themselves and other parties and persons relevant to their applications (including parents, legal guardians, spouses, civil partners, cohabitants, siblings, dependent children and other relevant persons) for the purpose of assessing applicants’ eligibility to receive student grant funding.

The personal data processed by SUSI for this purpose is as follows:

  • name
  • address
  • e-mail address
  • telephone number
  • date of birth
  • mother’s maiden name
  • PPS number
  • marital, personal and family status
  • citizenship
  • nationality
  • residency
  • previous/current/future education
  • residential occupancy/utilities
  • income
  • employment
  • social welfare and other government supports
  • medical/health/personal circumstances
  • death records
  • bank account details and records.

Personal data relating to medical/health/personal circumstances, as noted above, may include “special category” data in relation to health where it is necessary in the processing of grant applications by students repeating a year due to exceptional circumstances or for other reasons on a case-by-case basis.

The information you provide: who we share it with

SUSI exchanges data with other Government bodies and agencies subject to data processing agreements. This data is processed for the purposes of –

  • verifying and validating grant applications,
  • administering grant applications and payments,
  • confirming students’ registration and attendance at approved institutions,
  • reviews on appeal,
  • audit and verification of the grant administration process,
  • the prevention and detection of fraud and supporting criminal investigations or prosecutions.

SUSI may also share personal data with authorised agents or third parties as data processors or sub-processors who act on behalf of SUSI for the purposes of grant administration and who process data securely pursuant to its instruction under a contractual relationship and subject to data processing agreements. City of Dublin ETB continues to be the data controller of this data.

SUSI may also share an individual’s personal data if it is under a duty to disclose or share such personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with such individual or other agreements, or to protect its rights, property, or safety of its employees or others. This includes reporting information about incidents (as appropriate) to the Gardaí and responding to any requirements from the Gardaí to provide information or personal data to them for the purposes of them detecting, investigating or prosecuting offences or in connection with crime sentencing.

The below table outlines how the information you provide is being exchanged by SUSI with other Government bodies and agencies:

Agency / Body

Purpose

Information exchanged

Format

Approved Further and Higher Education Institutions

Verification that the student has registered on and is continuing to attend an approved course in an approved institution

Verification and validation of previous academic history

SUSI Reference

College Code

CAO number

PPSN

Surname

Forename

DOB

Graduate Type

Student ID

Course details

Fee details

Attendance and progression details

Previous Course Credits

Batch

Universities (UCC, UCD, DCU, ATU, UL and TUD) administering the Regional Clusters of the 1916 Bursary Fund

Consent-based provision of indicators of student applicant status and grant eligibility to inform determination by clusters of eligibility for the 1916 Bursary Fund

First time new entrant

First time mature student

Recipient of Special Rate of SUSI Grant

SUSI reference number

Bursary application number

Name

Batch

CAO- Central Applications Office

Notification of accepted college places

CAO application no.

Surname of Applicant

First name of Applicant

Date of Birth of Applicant

CAO Course code

Level of course

Name of course

Name of Institution

Batch

Department of Agriculture, Food and the Marine

Validation of information where applicants are in receipt of grant payments for farming

Prevention and detection of fraud, including the provision of information to support criminal investigations or prosecutions

Business Identifier number

PPSN

Year

Details of payments

Batch

Department of Education

Validation of residency (Post Primary Pupil Database)

PPSN

SUSI Reference Number

Date of Birth

Number of years as/if recorded on the Post Primary Pupil database for the previous 5 years

Batch

Department of Further and Higher Education, Research, Innovation and Science

Clarify eligibility for a grant.

Ensure accurate interpretation and operation of grant scheme

Ensure provision of the appropriate financial support

Prevention and detection of fraud, including the provision of information to support criminal investigations or prosecutions

Facilitate audits

Research and analysis to inform the formulation of national policy on student support funding

All information pertaining to the application

Statistical reports of application processing, decision outcomes and grant payments.

Anonymised personal data

Direct Access, Specified Case Files, Batch

Defined or ad hoc statistical reports,

Specified bulk data files (anonymised)

Department of Social Protection

Verification of Income

Prevention and detection of fraud, including the provision of information to support criminal investigations of prosecutions

PPSN

Name

Year

Details of benefits and allowances

Direct Access and real time Application Programming Interface (API)

Department of Social Protection – MyGovID

Verification of identity

Facilitating registration and login to online SUSI account

Contacting applicant in order to process application for a student grant

PPSN

DOB

First name

Last name

Email address

Telephone number

Secure Token Service (STS)

Department of Justice

Validation of citizenship and nationality

Person ID

SUSI Reference

Application ID

Legacy No

Permission to remain in the State

Date permission valid until

Case by case requests

Education and Training Boards

Verification and validation of receipt of VTOS payments

Name

Date of Birth

PPSN

Payment amount

Batch and Case by Case requests

General Register Office (GRO)

Validation of information provided to SUSI during the application process on Nationality, Date of Birth, Death Records (parents/spouse/civil partner), Marriage Records of both applicants and parties to the application and the  validation of the number of Dependent Children in a household

Information Exchanged

Applicant:

PPSN

Forename and Surname

DOB

Date of Marriage

 

Parents 1 & 2:

PPSN

Forename and Surname

DOB

Date of Marriage

Date of Death

Civil Status

 

Spouse/Civil Partner: (where applicant is Independent)

PPSN

Forename and Surname

DOB

Date of Death

Civil Status

 

Siblings/Dependent Children:

PPSN

Forename and Surname

DOB

Direct Access and real time Application Programming Interface (API)

Higher Education Authority (HEA)

Verification and validation of previous academic history

PPSN SUSI

SUSI Reference

DOB

NFQ level of course

Course Title

Return year

Year of graduation

Graduating Institution

Batch

TUSLA – The Child and Family Agency)

Validation of certain State payments

Verification of applicant status or circumstances

Name

DOB

SUSI Reference

Information on documents required

Batch

Other grant awarding authorities (Local Authorities and Education and Training Boards)

Verification and validation of previous grant support history

Name

Date of Birth

PPSN

Payment amount and name

Batch and Case by Case requests

QQI (Quality and Qualifications Ireland)

Verification of qualifications and/or equivalence of qualifications from other jurisdictions

Application no.

Full title of course

Name of Relevant Awarding Institution

Year of Award

Copy of qualification

NFQ level

Case by Case requests

Office of the Revenue Commissioners

Validation of income

Prevention and detection of fraud, including the provision of information to support criminal investigations or prosecutions

PPSN

Name

Year

Income details

Batch

SOLAS

Verification and validation of previous academic history of a student

PPSN

First Name

Last Name

Date of Birth

Provider Name

Local Course Title

Target Award level

Awarding Body

Course Type Fulltime/Part-time

Learner Start Date

Learner End Date

Batch

Student Grants Appeals Board

Processing and adjudication of any appeal to the Student Grants Appeals Board

All information pertaining to the application.

Batch and Case by Case requests

Contact and identification information

SUSI uses contact and identification information of grant applicants and other parties to their applications for the following purposes:

  • to request from applicants any information about themselves and other parties to their applications that is required to process their applications,
  • to inform applicants of decisions on their applications and of the basis for those decisions,
  • to discuss with applicants, with other parties to their applications and with other third parties whom those applicants and other parties may authorise, the status of the application and any documentary evidence or actions required to progress it,
  • to administer an application, and
  • to administer grant payments.

Applicants and other parties to their applications may contact SUSI, or agents acting on its behalf, by telephone. To ensure that SUSI provides a high-quality customer service, telephone conversations are recorded for staff training and quality control purposes and for reviewing and confirming details of conversations with SUSI, where necessary.

Consent and our legal basis for processing

The consent of grant applicants and other parties to their applications is not generally required for SUSI to process their personal data for the purposes of the statutory basis on which grant applications are administered, namely the Student Support Act 2011 (as amended from time to time together with any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated), the Student Grant Schemes (as amended from time to time) and the Student Part-Time Fee Regulations for Specified Undergraduate Courses 2024.

Consent to process personal data must, however, be sought by SUSI and received for applicants applying under the administrative schemes in order for SUSI to assess eligibility under the Scheme. In addition, SUSI can also rely on Article 6(1)(e) of the GDPR to process personal data under the PLC Bursary Scheme as it is in pursuance of a legitimate official function.

SUSI communicates directly with grant applicants for these purposes in line with the specific requirement of the Student Grant Schemes that an applicant shall furnish such information and evidence to an awarding authority as it requests in order to determine if they are eligible to receive a grant.

Where it is necessary for another party to an application, or a third party outside the application, to communicate with SUSI about this personal data on behalf of any party to the application, each party to the application can authorise this as described below in relation to enquiry handling.

Where an applicant provides information that any person relevant to their application is also an applicant, and where both applicants authorise the cross-referencing of their applications in this context, SUSI will cross-reference both applications in order to ensure that any increased entitlement to grant funding can be applied and to ensure efficiency and consistency in the processing of grant applications.

SUSI may otherwise cross-reference grant applications generally and without consent for the purposes of audit and for the prevention and detection of fraud where it has a legitimate interest to do so.

Enquiry handling

Discussing Grant Applications

Applicants and other parties to their applications can contact the SUSI Support Desk to make enquiries about the status of an application and about any documents or actions required to progress it.

In order to facilitate such enquiries, SUSI will discuss, with all parties to an application, information about the status of the application and any documents or actions required to progress it.

Where disclosure of such information to another party to an application is not desired, applicants should inform SUSI of this so that appropriate controls can be put in place on a case by case basis.

SUSI Support Desk staff will ask verification questions to ensure that SUSI only shares this information with a party to the application.

Discussing Personal Data

SUSI will not discuss personal data of a party to an application with other parties to the application, or with a third party outside the application, without their authority.

Applicants and other parties to grant applications can cross-authorise each other, and can also authorise third parties outside the application, to discuss their personal data with SUSI on their behalf by-

  • cross-authorising each other when submitting an online grant application form,
  • amending their cross-authorisations, or authorising third parties, through the applicant’s online SUSI account after submitting an online grant application form.

Authorisations may be withdrawn at any time by applicants and other parties to grant applications.

Data protection rights

Individuals have certain rights in relation to personal information that is processed by SUSI. These rights are listed below. These rights are not absolute and apply subject to certain conditions. Under certain circumstances, by law individuals have the right to:

  • request information about whether SUSI holds personal information about them, and, if so, what that information is and why SUSI is holding/using it,
  • request access to their personal information (commonly known as a “data subject access request”). This enables an individual to receive a copy of the personal information SUSI holds about him/her and to check that SUSI is lawfully processing it,
  • request correction of the personal information that SUSI holds about them. This enables an individual to have any incomplete or inaccurate information SUSI holds about him/her corrected,
  • request erasure of their personal information (subject to data retention requirements). This enables an individual to ask SUSI to delete or remove personal information where there is no good reason for SUSI continuing to process it. Individuals also have the right to ask SUSI to delete or remove their personal information where they have exercised their right to object to processing (see below),
  • request the restriction of processing of their personal information. This enables an individual to ask SUSI to suspend the processing of personal information about him/her, for example if the individual wants SUSI to establish its accuracy or the reason for processing it,
  • request transfer of their personal information in an electronic and structured form to them or to another party (commonly known as a right to “data portability”). This enables an individual to take his/her data from SUSI in an electronically useable format and to be able to transfer such data to another party in an electronically useable format,
  • object to processing of their personal information where SUSI is relying on a legitimate interest (or those of a third party) and there is something about the individual’s particular situation which makes him/her want to object to processing on this ground,
  • object to automated decision-making including profiling, that is not to be the subject of any automated decision-making by SUSI using their personal information or profiling of them: SUSI does not engage in any automated decision making, and
  • withdraw their consent, where SUSI is relying on it to use their personal data (the exercise of this right will not affect the lawfulness of processing based on consent before its withdrawal).

Individuals may access or request a copy of their personal data held by SUSI, or they may request its rectification, by downloading, completing and submitting a Subject Access Request Form Download PDF  available at www.susi.ie

Otherwise, individuals can exercise their rights by contacting City of Dublin ETB at the below details.

No fee usually required. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Complaint handling. In the event that an individual wishes to make a complaint about how their personal data is being processed by SUSI, or how their complaint has been handled, such individual has the right to lodge a complaint directly with the supervisory authority who can be contacted as follows. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance:

Contact

Data Protection Commission

Telephone

+353 1 7650100/1800 437 737

Website

dataprotection.ie or contact us online

Post

Data Protection Commission

21 Fitzwilliam Square South

Dublin 2

D02 RD28

Ireland

Data retention

SUSI retains data securely for the purposes of grant administration, audit and case reviews and does not retain personal data for longer than is necessary and/or as required by law. In determining its retention period for categories of personal data, SUSI, at all times, will consider its obligations under the data protection legislation, guidance from the Data Protection Commission, any other specific legislative requirements as well as the amount and nature of the data itself.

Transferring personal data out of the European Economic Area

There are circumstances in which SUSI may have to transfer an individual’s personal data out of the European Economic Area for the purposes of grant or grant application administration. Where the need for such a transfer arises SUSI will always ensure that there are appropriate safeguards in place to protect personal data such as:

  • the European Commission has issued a decision confirming that the country to which SUSI transfers the personal data ensures an adequate level of protection for the data subjects’ rights and freedoms;
  • appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from SUSI on request;
  • the individual has provided explicit consent to the proposed transfer after being informed of any potential risks; or
  • the personal data is being transferred to a company in the US which has self-certified its compliance with the EU-US Privacy Shield which has been found by the European Commission to provide an adequate level of protection to the personal data of EU citizens.

Security

Data retained by SUSI, including computer and paper records, is stored in secure facilities. SUSI takes appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of, data and against accidental loss or destruction. Data processing agreements entered into between SUSI and those persons or bodies with whom it exchanges data take account of the security requirements and measures necessary to protect the data that is exchanged.

Where applicants or other parties to their applications agree, accept or request that SUSI communicates with them by e-mail, they are solely responsible for ensuring the availability, security and integrity of their own email account. The transmission of information via the internet is not completely secure and, consequently, while SUSI takes all reasonable security measures, it cannot guarantee the privacy or confidentiality of information transmitted by e-mail.

SUSI maintains data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

  • “confidentiality” means that only people who are authorised to use the data can access it,
  • “integrity” means that personal data should be accurate and suitable for the purpose for which it is processed,
  • “availability” means that authorised users should be able to access the data if they need it for authorised purposes.

Use of Cookies

The SUSI website and the SUSI online grant application system make use of cookies. For more information about our use of cookies, please see our Cookie Policy.

Contact us

You can contact City of Dublin ETB regarding any matter concerning your data protection rights using the details below:

Contact:

Data Protection Officer

Telephone:

+ 353 1 668 0614

Email:

dataprotection@cdetb.ie 

Post:

City of Dublin ETB Administrative Offices

Town Hall,

1-4 Merrion Road,

Ballsbridge,

Dublin 4

Ireland

Changes to this policy

SUSI reserves the right to modify this Data Protection Statement at any stage. If and when changes are made to this Data Protection Statement, any changes will be posted on the SUSI website and will be effective when posted. Please continue to check this page to ensure that you are always aware of any changes.

 

Last updated July 2024