John Lahart (Dublin South West, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

88. To ask the Minister for Education and Skills his views on the interpretation by SUSI in respect of GDPR regulations when making representations on behalf of students and their families with respect to grants; and if he will make a statement on the matter. [41427/18]

Richard Bruton (Dublin Bay North, Fine Gael)
Link to this: Individually | In context | Oireachtas source

As a centralised national service, SUSI implements a process through which student grant applicants and other parties to their application can consent to the sharing of their personal data with each other and with third parties, including public representatives, for the purpose of responding to queries submitted on behalf of applicants and parties to applications.

This process seeks to reasonably balance the efficient handling of applicant queries and third party representations with SUSI’s parallel obligation to ensure that each individual’s personal data is processed fairly and lawfully.

A grant awarding authority processes personal data for the purposes laid down in the Student Support Act 2011and annual Student Grant Schemes and regulations made thereunder. This data includes information submitted as part of a grant application and other relevant data required for the purpose of assessing and reviewing applications in order to make decisions under the legislation.

In order to give a full response to a query from a public representative on behalf of a person who is a party to an application it may be necessary to release not only that person’s data, but also data relating to other persons named or identified in the application form i.e. the student applicant, their parents, partners, spouse, siblings, etc.

As a data controller under the Data Protection Acts the awarding authority is obliged to ensure the protection of the personal data which it collects and must decide on appropriate means of safeguarding that data, including in line with the requirements of the EU General Data Protection Regulation (GDPR).

Therefore, for SUSI to respond effectively to a representation from a public representative on an individual application in a manner that is fully compliant with data protection law, SUSI must be satisfied that all individuals concerned have consented to the release of their personal data to a third party.

Reflecting the enhanced rights of data subjects to be able to access and exercise control of their data under GDPR, SUSI has implemented a more streamlined process for the management of applicant party consent. A fully online consent process has been developed whereby applicant parties can give, withdraw and update their data sharing consents at any time through the applicant’s online SUSI account, both in respect of each other and in respect of third parties including public representatives.