Student Privacy Statement

How GMIT uses the personal data of students


GMIT (“the Institute”) processes your personal data in order to carry out its functions.  Your personal data is processed in line with data protection legislation and GMIT’s Data Protection Policy.  The Institute is a Data Controller for personal data we process about you. The purpose of this privacy statement is to explain how your personal data is used and shared by GMIT.

The information we process about you

The types of personal data we process about you include, inter alia:

  • Personal details: Name, date of birth, country of birth, nationality, telephone numbers, addresses, PPSN, gender, GMIT ID number, email addresses and car registration number.

  • Financial information: Bank details including IBAN, BIC, name of bank/building society credit card details (processed in real time but not stored by GMIT), grants/payments received, fees paid and outstanding.

  • Academic information: Academic history, programme details, academic marks & grades, relevant work experience, exam scripts, continuous assessments, qualifications awarded, attendance record, library information etc.

  • Special category (sensitive) personal data: Health and disability information, medical assessments, religion, ethnic origin, criminal convictions (for certain programmes which involve contact with minors).

  • Interaction details: Engagement with IT system, LearnOnline/Moodle activity and use of facilities such as the library. Texts, emails and hard copy correspondence.

  • Online services: IP address, and other personal information when you visit the GMIT website – more information available on the GMIT Website Privacy & Cookies Policy

  • Other personal information: Disciplinary information, image, voice (in lecture & proctoring recordings), CV, visa information (international students).

You will be required to provide Next of Kin/Emergency Contact Details for use only in emergency situations.

How we obtain your personal data

We process your personal data at various points in your relationship with GMIT. This information is provided by you, either directly or indirectly. It may also be provided by third parties like the CAO, SOLAS, PAC, Springboard, SUSI, Department of Employment Affairs and Social Protection, INIS, etc.

​Legal basis for processing your personal information 

We process your personal data because it’s necessary in order to:

  • Fulfil our contractual obligations with you;

  • Comply with legal obligations that apply to us;

  • Perform functions conferred on us by law and which are carried out in the public interest;

  • Perform tasks to which you have consented;

  • Protect your legitimate interests and the legitimate interests of GMIT and third parties (limited scenarios).

Where sensitive personal data is concerned, we process it where:

  • You have provided your explicit consent;

  • It’s necessary for the purposes of preventative or occupational medicine, for the general provision of medical care and, in some instances, for medical diagnosis;

  • It's necessary for reasons of public interest in the area of public health (COVID-19);

  • It’s necessary for employment/social security purposes;

  • It’s necessary for research or statistical purposes e.g. to meet Government requirements, to monitor whether our equal opportunities policies are working and to ensure that disabled students and other under-represented groups receive appropriate support.


Purposes for which your personal data are used

  • Admission and Registration

  • Academic purposes – teaching and learning, assessment, examination, remote proctoring, graduation, attendance, withdrawal, grievance and disciplinary issues

  • Financial purposes – grants, fee collection, scholarships, prizes, bursaries

  • Provision of IT services

  • Provision of Library services

  • Provision of Student Support services – Access, Disability, Learning Support, Chaplaincy, Counselling, Medical, Careers

  • Identification e.g ID cards, Moodle, class lists

  • Mentorship

  • Parking permits

  • Visas (international students)

  • Health & Safety

  • Room occupancy tracking & contact tracing to prevent the spread of COVID-19

  • To communicate effectively with you by post, email and phone.

  • CCTV purposes (as per CCTV policy)

  • To support you in your studies by using information processed via Moodle to present a picture of your engagement and identify those who require additional support/specific services

  • To enable placements and apprenticeships

  • To ensure academic standards are maintained

  • Recruitment and Selection for paid positions e.g. Student Ambassador

  • To comply with statutory reporting requirements and to provide information to organisations such as the HEA in line with legal and government requirements

  • To track progress in achieving the criteria for designation as a Technological University via the Connacht-Ulster Alliance (CUA)

  • To enable the preparation and analysis of student statistics relating to registration, performance, progression and retention at sectoral level via THEA

  • To administer voluntary surveys of student opinion about your experience and the performance of the Institute

  • To enable research and archiving

  • To facilitate elections by the Students' Union

  • To promote the Institute in print & electronic media

  • To assist in the control and investigation of entitlements to any Social Welfare benefit or schemes

  • To assist the Gardai or where required by law

  • To enable our continued contact with you after you complete your studies (e.g. survey of graduate work destinations, alumni networks, marketing, etc)

  • To respond to requests for information made under Data Protection legislation or Freedom of Information legislation.

Additional processing may be required for students registered on specific programmes (e.g. teaching and social work) or with certain funding requirements or for students who choose to pursue studies abroad.


Third parties with whom we share your data

The Institute will share your personal data with third parties (outside GMIT) in the following circumstances:

Where we contract a third party to process data on our behalf, for example software service providers (e.g. Microsoft 365), plagiarism detection service provider (Urkund), online proctoring provider (ProctorExam), CCTV companies, etc., and

Where the data is required to be shared as part of the normal course of performing the Institute’s functions e.g.

  • Higher Education Authority (HEA)* - please refer to the HEA collection notice below

  • Quality and Qualifications Ireland (QQI)

  • Student Universal Support Ireland (SUSI)

  • Department of Employment Affairs and Social Protection (DEASP)

  • Department of Justice & Equality/INIS (international students)

  • Revenue Commissioners

  • Professional/Accreditation/Regulatory bodies

  • CUA Data Analyst, GMIT CUA Project Manager & Administrator and CUA Project Teams

  • THEA

  • Work placement providers

  • Research funding bodies

  • Employers (students funded by employers) and Employers/Ibec Consortium Lead/Solas (Manufacturing Apprentices)

  • Partner institutions/organisations for student transfers/exchanges/joint programmes

  • Garda Vetting Bureau

  • GMIT Students’ Union to facilitate student elections

  • Direct mail agencies/printing companies to facilitate the delivery of mailshots

  • Sponsors funding student prizes and awards

  • Prospective employers/recruitment companies for verification of qualifications

  • (the Irish Survey of Student Engagement)

  • Insurance companies in respect of accidents occurring within the Institute

  • HSE (contact tracing)

  • An Garda Síochána to assist in the prevention or detection of crime

  • Auditors

  • Realex (credit card payment provider)

  • Press/media

In preparation of the legal merger of the CUA Members (GMIT, LYIT, IT Sligo) the sharing of certain personal data is required.  The CUA have ensured a Data Sharing Agreement is in place which sets this out.

This is not an exhaustive list and any other disclosures to third parties not listed here are made only where there is legitimate reason to do so and in accordance with the law.

Parents, guardians and other relatives

It is your responsibility as a student to communicate and engage with the Institute. GMIT will not disclose your data to parents or relatives without your consent (even if you’re under 18 years), other than in exceptional circumstances, for example where there is potential danger to your health or well-being.  If you wish to provide consent for matters to be discussed with your parent, you must send an email to this effect to the relevant GMIT staff member.  Exceptionally, where urgent communication with you has proved unfruitful, contact may be made with your next of kin/emergency contact using the details provided by you at registration.


All graduating students, including those graduating in absentia, will have their name, home town, award and classification listed in the graduation booklet.  The graduation ceremonies are streamed live on the internet and are recorded for publication on the internet and for archival purposes.

Many GMIT events are recorded and streamed/published on the GMIT website.


Transfers outside the European Economic Area (EEA)

In so far as is practicable, GMIT endeavours to hold all personal data within the EEA.  Where we transfer data outside the EEA, we ensure that there is an appropriate mechanism for doing so that complies with all relevant legislation and also ensure that your data receives the same level of protection as it is afforded within the EEA.


Data Retention

GMIT retains your personal data for the purposes described in this notice. The Institute will not hold your data for any longer than is necessary, but some data will be held indefinitely in order, for example, to verify your award, provide transcripts of your marks, provide opportunities for further study, careers support, alumni and networking services. More information on our retention schedule is available on request.



We are committed to ensuring that your personal data is secure with us and with the data processors who act on our behalf.


Individual data subject rights

You have the following rights under data protection law, although your ability to exercise these rights may be subject to certain conditions:

  • The right to receive a copy of and/or access the personal data that GMIT holds about you, together with other information about our processing of that data;

  • The right to request that any inaccurate data that is held about you is corrected and incomplete data updated;

  • The right, in certain circumstances, to request that we erase your personal data;

  • The right, in certain circumstances, to request that we no longer process your personal data for particular purposes, or to object to our use of your personal data or the way in which we process it;

  • The right, in certain circumstances, to transfer your personal data to another organisation;

  • The right to object to automated decision making and/or profiling; and

  • the right to complain to the Data Protection Commissioner.

In order to exercise any of the above rights please contact us using the contact details set out below.


Your Responsibilities

You must inform the Institute if your contact details change so that your data is accurate at all times.

You must comply with GMIT’s Data Protection Policy which is available on the Student Portal.


Website Privacy Policy

The GMIT website privacy policy explains how data is gathered through use of the GMIT website.


How GMIT will contact you

You may be contacted by telephone, email or post.  In addition, we may text you with information related to your studies e.g. exam information, room changes, rescheduled classes, appointment reminders, placement arrangements, etc. This contact is to enable us to fulfil our contractual obligations to you.


Questions & Complaints

If you are not satisfied with the Institute’s handling of your personal data or believe that the requirements of data protection legislation may not be fully complied with, you should contact the Institute’s Data Protection Office in the first instance.  You also have the right to submit a complaint to the Data Protection Commission.


Data Protection Officer (DPO)

Please contact us if you have any questions about the data we hold about you or if you wish to exercise any of your rights:

Data Protection Officer, Email:


Data Controller

Galway-Mayo Institute of Technology, Galway Campus, Dublin Road, Galway

Tel: +353 91 742747


Changes to this Privacy Statement

We will update this privacy statement from time to time.  Please visit this page periodically for updates.

Updated on 20th January 2022

*HEA Student Collection Notice 2021/2022

Who we are (data controllers)

The HEA has a statutory responsibility for the effective governance and regulation of the higher education system pursuant to the Higher Education Authority Act 1971 and subsequent amending legislation which has extended its remit to encompass Institutes of Technology and more recently Technological Universities. In order to discharge its functions effectively it must process certain categories of personal information. The relevant legislation in relation to the data processing that involves the work of the HEA are the following:

  • The Higher Education Authority Act 1971

  • Social Welfare Act 2005

  • Social Welfare (Consolidated Claims, Payments and Control) Regulations 2007 (142/2007)

  • Social Welfare (Consolidated Claims, Payments and Control) (Amendment) (No. 4) (Sharing of Information) Regulations 2015 (SI 317 of 2015)

  • Universities Act 1997

  • Institutes of Technology Act 2006

  • Technological Universities Act 2018.

This notice sets out the basis on which any personal data collected from you, or from others, will be processed by the HEA.  Please read the following carefully to understand HEA practices regarding your personal data and how the HEA will treat these data.

The HEA Data Protection Officer (“DPO”) may be contacted at

What personal information does the HEA collect from you or obtain from others?

The HEA does not, except in limited circumstances, collect data directly from individuals. It is collected by Higher Education Institutions (HEIs) and passed to the HEA so as that the HEA can process the data so as to perform its statutory functions under the 1971 Act. The HEA processes the following personal data:

The Student Records System (SRS)
At registration for the HEI you will be attending, you will give data to your Institution.  That data forms the basis of the SRS dataset. The data collected for the SRS is set out in Schedule 1 of this notice.

Graduate Outcomes Survey (GOS)
In respect of this survey, you will be contacted approximately 9 months post-graduation by your Institution to fill out the survey. It is conducted on a voluntary basis, although not on the basis of consent; that is to say that while it is voluntary to partake in the Survey, the HEA does not rely upon Article 6(1)(a), but relies upon the fact the processing is necessary for the performance of a statutory function or Article 6(1)(e). The details collected are set out in Schedule 1 of this notice.

The Equal Access Survey (EAS)
The EAS is conducted by the individual HEI on a voluntary basis. The objective of the EAS is to ask higher education new entrants to answer a set of access related questions as part of the normal registration procedure. Registration in the main occurs in institutions between August and late October each new academic year. The questions relate to students facing social and/or financial barriers to higher education. Like the Graduate Outcomes Survey, the HEA does not rely upon consent as the basis for operating the survey, but upon the necessity to carry out the survey for the performance of its statutory functions and reasons of substantial public interest. The details collected are set out in Schedule 1 of this notice.

What other information does the HEA collect from you or obtain from others?
During your studies, you will be invited to participate in (Irish Survey of Student Engagement) or PGR (Irish Survey of Student Engagement for Postgraduate Research Students). Some of your information will be sent by your higher education institution directly to the survey company to ensure that the survey is offered only to relevant target groups. Your information will be used to collect your responses to the survey and make further anonymous analysis of results possible, for example, by gender or full-time/ part-time. This anonymised information will be shared with the HEA; your responses will be treated confidentially, and no individual student will be identifiable in any reports or results generated as a result of this survey (and so the information is not ‘personal data’ for the purposes of the GDPR).

Why does the HEA collect this information?
To fulfil its legislative obligations the Higher Education Authority (HEA) requires an evidence base. This evidence base is provided by gathering individual student level data from the Higher Education Institutions. The primary database maintained in this respect is the Student Records System (SRS).  Other datasets maintained by the HEA include the Equal Access Survey (EAS) and the Graduate Outcomes Survey.

Currently data is required for the following purposes:

  • Trend analysis for annual publications on enrolments and graduates, by student and institute characteristics

  • Annual progression analysis of new entrants, by student and institute characteristics

  • Annual graduate outcomes analysis, by student and institute characteristics

  • To inform funding allocation to HEA-funded higher education institutions

  • Annual analysis of equity of access metrics of our Higher Education cohort

  • Forecasting future enrolment and graduate numbers

  • Reporting higher education data to international agencies such as the OECD, UNESCO and Eurostat

  • Providing data to the Department of Education and Skills to inform their decision-making processes and forecasting analysis

  • Provide SUSI with data to inform grant application decisions

  • To provide data to the CSO under the Statistics Act 1993

  • To measure degree outcomes for students

  • To track students for completion rate analysis

Who the HEA shares your data with:
The primary purpose the HEA has for collecting data is for statistical analysis in furtherance of its statutory obligations and to inform funding and other decisions made by the HEA.  The HEA via its portal system shares personal data relevant to a HEI, with that HEI. The HEA also shares personal data with the following Government departments and public bodies.   The HEA ensures that there are data sharing agreements in place with organisation with which data is shared.  The table below provides more information regarding what is shared and the reasons for sharing. 

List of who the HEA share your date with is available here - HEA Data Sharing

Data processors
The HEA shares certain personal data with other organisations acting as processors, subject to appropriate data processing agreements and due diligence.

Anonymised sharing
The HEA also shares statistical data with other Government departments who may benefit from same. This data is not personal data within the definition of Regulation 2016/679.  Such aggregated data is shared in a form where the data subject is not identifiable and is shared from the SRS, EAS and GO databases.

How long does the HEA keep hold of your information?
The time periods for which the HEA retain your information depends on the type of information and the purposes for which it is used. The HEA will keep your information for no longer than is required or permitted.

Student level data collected in the Student Records System and via the Graduate Outcomes Survey and the Equal Access Survey are required to fulfil the statutory functions of the HEA. Student level data, including PPSN, is required to verify eligibility under the free fees scheme and for SUSI grant eligibility. PPSN is also required to link HEA data to other administrative Government datasets both within the HEA and in the CSO. Longitudinal analysis of these linked datasets allows the HEA and the Department of Education to formulate more effective education policy, measure the societal value and impact of the education system, measure outcomes – including for disadvantaged cohorts, and direct investment appropriately. For these purposes, student level data will be retained by the HEA from return year 2004 data currently in the system for a period of forty years – the majority of the active labour market years for students/graduates. Please note that student level data is stored securely in the HEA and is only shared with authorised bodies specified in legislation and/or the student data collection notice presented to students at registration. The identity of students is never disclosed to unauthorised third parties.

For further details on the applicable retention periods, please contact the HEA Data Protection Officer at

Does the HEA transfer your information outside The European Union or European Economic Area?
Not at present. Any processing which may take place outside the EU or EEA will only be carried out with all necessary safeguards and in accordance with the GDPR.

What are your rights with respect to your personal data?
You have the following rights:

  • The right to access the personal data the HEA holds about you.

  • The right to require the HEA to rectify any inaccurate personal data about you without undue delay.

  • The right to object to processing in the context of Article 21 GDPR

You may exercise any of the above rights by contacting the HEA Data Protection Officer at
You may lodge a complaint with the Office of the Data Protection Commission in respect to our processing of your personal data. The website is
To ensure your privacy and to protect the integrity of your data, the HEA will require you to verify your identity with a photographic ID before releasing or correcting your information.

What will happen if the HEA change the data collection notice?
This notice may change each year. This notice is applicable to the 2021/2022 academic year. A revised notice will issue in the event of any future changes.

How can you contact the HEA?
The HEA Data Protection Officer can be contacted by email at
By phone: 01 2317100
Address: 3 Shelbourne Buildings, Shelbourne Road, Ballsbridge, Dublin 4.

More detail on the HEA’s data processing activities can be found via the Data Privacy Notice


Schedule 1

List of data items the HEA collect or obtain from higher education institutions, 2021/2022 Academic Year

The data higher education institutions send to the HEA include, student records:

Return year
Institute code
Academic year
Programme name
Programme code
Programme type
Anticipated length of programme in years
Faculty title & code
NFQ level
Course name
Course code
Subject indicator
CAO code
Co-ordinating institutions
Outreach, off campus marker
Awarding body
Funding indicator
Add-on indicator to mark add-on courses recognising previous credit for entry
Course completion credits
Full time credits per year
Course class indicator
Teacher training marker
Student ID
CAO number
PPS number
Enrol status, student or graduate
Course code
Course year
Mode of study
ISCED code – field of study
Subject 1
Subject 2
Subject 3
Subject 4
Non-Standard award code
Grade for award
PhD structure indicator
Student code to indicate type of student, e.g. new entrant
Non-Standard attendance tag
Exchange indicator
Date of birth
First name
Domiciliary of origin
Address 1
Address 2
Address 3
Address 4
Address 5
Postal code for Dublin students
Non-EU fee indicator
Residence type during term-time
Fees – free fees indicator
Post-Primary school number
Leaving Cert points
Leaving Cert year
Leaving Cert exam results
Last Institution attended
Year left last institution
Highest qualification
Accumulated credits
Current year credits
Up-skilling initiative indicator, e.g. Springboard
Fund indicator for students funded through the Fund for Students with a Disability
Basis of entry to course

These data form part of the HEA Student Record System (SRS) database.

Equal Access Survey:
Data collected as part of the Equal Access Survey is also returned to the HEA. Data sent to the HEA as part of this process include:

Return year
Institution code
Academic year
Student ID
Course code
Blind or deaf indicator
Physical disability indicator
Learning disability indicator
Psychological, emotional, or mental health indicator
Other condition indicator
Support requirement
Parental status
One parent allowance status
Ethnic culture
Home or term accommodation
Commuting time

Graduate Outcomes Survey:
The following Graduate Outcomes Survey data will be sent to the HEA:

PPS number
Student ID
Date of birth
County code
Domiciliary of origin code
Mode of study
Grade of award
Institute name
Course code
Course name
ISCED field of study information
NFQ Level
Programme type code
Year of graduation
Return year
Response – yes, no or continuing graduate
Principal economic status – main
Principal economic status – all
Job title
Occupation (broad)
Employment (where)
Employment Ireland
Employment overseas
Sector (broad)
Employment type
Contract type
Placement/work experience/internship
Placement/work experience/internship (time)
Relevance of course
Need for qualification indicator
Find out about job indicator
Institution (where)
Institution Ireland
Institution overseas
Further institution indicator
Further course name
Further ISCED field of study
Award sought in further study
Further mode of study
Why do further study indicator
Other activity A – unemployment status
Other activity B – other activities
Barriers to employment/further study
Same course again indicator
Follow up willingness indicator

HEA SRS data, Equal Access Survey data and Graduate Outcomes Survey data are linked in the HEA for analysis purposes via Student ID and/or PPSN.