Data Protection and Privacy Policy

General Statement

• This statement is CMIT’s Data Protection and Privacy Policy learners, prospective learners, and visitors to our online services.
• The statement will be updated in line with changes in legislation, best practice, and enhancements by CMIT to improve data protection and privacy.

We will obtain and process information fairly

• CMIT fully respects the moral and legal rights of individuals to privacy and will not collect any personal information about you without your clear permission.
• Any personal information which you volunteer will be treated with the highest standards of security and confidentiality, under General Data Protection Regulation (2018).

Agreement with policies

• Before commencing a course with CMIT, learners must formally accept with our Terms and Conditions CMIT’s Data Protection and Privacy Policy.
• Prospective students and visitors to our websites must click on a ‘popup’ button to accept the use of cookies.

We will keep information only for specified purposes and use and disclose it only in ways compatible with these purposes

• Emails, messages, and form data: Emails, messages and form data is only used and stored by CMIT for completion of your course. We may collect personal data to assist you in completing your course. This data will be collected, stored, and communicated per the principles outlined in the Data Protection Acts. Emails, messages, and form data is deleted in line with our data retention policies
• Assessment documents: All assessment work is uploaded securely to the CMIT eLearning platform, which is password protected and fully encrypted. Assessment data is only used and stored by CMIT for completion of your course. We may collect personal data to assist you in completing your course. This data will be collected, stored, and communicated per the principles outlined in the Data Protection Acts. Assessment work is deleted in line with our data retention policies. Assessment data is only used and stored by CMIT for completion of your course, except for the following: (1) Learners agree that in the event of CMIT ceasing to provide a QQI programme, which is three months or longer in duration, that learner data (including registration data and assessments) may be transferred to QQI or QQI registered organisations to assist in the completion of your programme. You may request for this information not to be transferred. However, this may result in you not completing your course and not receiving your certificate, and (2) Where a course is paid for by a third party (such as an employer or funding body) on behalf of a learner, then learners agree that CMIT may provide information, if requested, by the third party, regarding participation on the course and submission of assessments, by the learner.
• Tutor feedback: Tutor feedback is stored for the purpose of assisting you complete your course and is not shared with any third parties. Grades are only used for certification purposes. CMIT will not provide grade information to any third party, except for the accreditation body, who require this information for certification purposed.
• Grades and programmes completed: We maintain learner records secure for current use (e.g., assessment records for certification purposes) and historical review (e.g., to record that a learner has completed a programme). We also generate data required for, and compatible with, external regulatory, professional, or national systems as appropriate, for example reports to meet internal and external information requirements, for example, on the QQI database of programmes and awards as prescribed by the legislation. Please note that accreditation bodies (such as QQI and ILM) will hold your details (name, PPS, date of birth) indefinitely.  Many award holders contact them for verification of their qualifications, for a variety of reasons, e.g., commencing new employment and proof of qualification to access a college programme. QQI provide additional guidance here. ILM provides additional guidance here.
• Statistical data: we also maintain aggregate statistical data which does not identify learners personally. Some examples include minimum and maximum learner numbers per programme; profile of the learner population; learner satisfaction rates; learner progression/ learner attrition or drop-out rates/completion rates; graduation/certification rates, including grade analysis; career paths of graduates.
• Website data: If we collect information on a form, we will explain the purpose of the form and only use the data collected for that purpose. Data may also be anonymised and used for statistical purposes.
• Cookies: Our websites use “cookie” technology. CMIT uses two different types of cookies. “Session” cookies help users to navigate through our website. They are deleted once you leave our website. Session cookies allows the webserver to “remember” where you are on the website. “Tracking” cookies: this website stores cookies on your computer. These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media.

We will keep information accurate, complete, and up to date

• You have the right to obtain the rectification of inaccurate personal data held about you.

We will give you a copy of your data on request

• You have a right to obtain a copy of any data we hold, free of charge, in an electronic format.
• Any access request will be concluded within one month.

Your right to erasure

• You have the right to be forgotten, and we will erase any personal data held on request.
• Any queries concerning the above may be made through info@cmit.ie

Your right to object to direct marketing

• You have the right to object at any time to the use of personal data (e.g., email addresses) for marketing purposes
• All marketing communications are opt-in and will contain the ability to opt-out at any time.
• Any queries concerning the above may be made to info@cmit.ie

Who do we share personal data with?

• We may share your data with relevant third parties, where necessary, concerning the completion of your course, assessment, or certification; for example, QQI and ILM.
• We never share personal data with others for marketing purposes.
• Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation

We will retain only relevant information for no longer than necessary

• We regularly purge our databases of data that we no longer need, including personal data relating to learners or staff members.
• We have a systematic process in place for the deletion of data from all our systems.
• Data will be classified to indicate the sensitivity level.
• The purpose associated with holding all data has been defined. We will ensure that we retain only the minimum amount of personal data which we need to achieve our purpose.
• Responsibility has been assigned for maintaining/deleting data.
• We will retain personal data relating to your learning, assessment, and certification to enable us to provide information about your learning or a replacement certificate. We have clearly defined times for how various long types of data are to be retained. Retention times are based on: (1) the need to delete personal data as soon as the purpose for which we obtained the data has been completed. (2) the need to hold data to undertake our commercial function (i.e., training and education), and (3) the need to comply with regulatory requirements (e.g., tax, accounting, and accreditation body requirements).

We will keep your data safe and secure

• Staff training: the policies and procedures outlined here are incorporated into company practice maintaining a high level of security awareness. The protection of sensitive data demands regular training of all employees and contractors. Periodic security awareness meetings are undertaken to incorporate these procedures into day-to-day company practice.
• Payment processing: all sensitive cardholder data stored and handled by CMIT and its employees are always securely protected against unauthorised use. Detailed procedures and controls are in place for card processing.
• eLearning system security controls: our website makes use of HTTPS/TLS security to verify that users are communicating with the correct server. HTTPS/TLS encrypts and verifies the integrity of traffic between the client and our servers. We contract a certified Moodle Partner to manage our Moodle application. We use global Tier 3+ (99.982% uptime) data centres to host our sites. Security features deployed include penetration testing, firewalls, advanced fire/electrical/ mechanical monitoring, network redundancy, brute force defence mechanisms, daily backups, regular updates, and access monitoring.
• Open website security controls: Our website makes use of HTTPS/TLS security to verify that users are communicating with the correct server. HTTPS/TLS encrypts and verifies the integrity of traffic between the client and our servers. We use global Tier 3+ (99.982% uptime) data centres to host our websites. Security features deployed include penetration testing, firewalls, advanced fire/electrical/mechanical monitoring, network redundancy, brute force defence mechanisms, daily backups, regular updates, and access monitoring.
• Physical security: we have procedures for preventing unauthorised individuals from obtaining sensitive data in our physical locations, including alarm systems (sensor, contact, smoke, fire), CCTV, restricting visitor/contractor access, ensuring workstations and devices are encrypted, secure disposal of hardcopy paper documents and secure disposal of devices after use (including device shredding).
• Network and PC security: we use hardware and software firewalls to secure our resources. PC workstations/laptops/mobile devices and external drives are encrypted. Restrictions and controls are in place around software installation. Up to date enterprise-level anti-virus, malware and email scanning is in place.
• Passwords and system access permissions: Policies and procedures are in place to control each employee’s access to devices, networks, and systems. A range of protocols is in place to control access to including strong password design protocol, 2FA, forced password change, email verification, audit logs.

Records maintenance and retention policy

• We have a systematic process in place for the deletion of data from all our systems and regularly purge our databases of data that we no longer need, including assessment data, registration data and email contact.
• The purpose associated with holding all data has been defined. We ensure that we retain only the minimum amount of personal data which we need to achieve our purpose.
• Data is classified to indicate the sensitivity level and responsibility is assigned for maintaining/deleting data.
• We have clearly defined times for how various long types of data are to be retained. Retention times are based on: (1) the need to delete personal data as soon as the purpose for which we obtained the data has been completed. (2) the need to hold data to undertake our commercial function (i.e., training and education), and (3) the need to comply with regulatory requirements (e.g., tax, accounting, and accreditation body requirements).

Policy on use on online messaging

• Learners are provided with access to CMIT’s online learning platform.
• User Messages are monitored frequently for potential misuse and will be acted upon, following consultation between Quality Director and Tutor. Learners must comply with the following rules which govern the use of the system.
• Not to make inappropriate use of others’ personal information or post private information about another person.
• Not to distribute, disseminate, or store images, text or materials that might be considered indecent, pornographic, obscene, or illegal.
• Not to distribute, disseminate, or store images, text or materials that might be considered discriminatory, offensive, or abusive, in that the context is a personal attack, sexist or racist, or might be considered as harassment.

Contact Information

• If you have any questions about this privacy statement or how and why we process personal data, please contact us at: Data Protection Officer, CMIT, Southern Cross Business Park, Bray, Co. Wicklow. Email: info@cmit.ie

How to exercise your rights

• Access to personal data: you have a right of access to personal data held by us as a data controller. This right may be exercised by emailing us at info@cmit.ie. We will aim to respond to any requests for information promptly, and in any event within the legally required time limits (currently 30 days).
• Amendment of personal data: to update personal data submitted to us, you may email us at info@cmit.ie or, where appropriate, contact us via the relevant website registration page or by amending the personal details held on relevant applications with which you registered. Once we are informed that any personal data processed by us is no longer accurate, we will make corrections (where appropriate) based on your updated information.
• Withdrawal of consent: where we process personal data based on consent, individuals have a right to withdraw consent at any time. We do not process personal data based on consent (as we can usually rely on another legal basis). To withdraw consent to our processing of your personal data please email us at info@cmit.ie

Changes to this privacy statement

• We recognise that transparency is an ongoing responsibility so we will keep this privacy statement under regular review.

Version 160221