Accessing Employee Personal Data under the New Data Protection Act
This right is set out in section 91 of the 2018 Act.
The right of access in the 2018 Act is similar to the right of access in the 1988 Act (‘the old Act’). The two notable differences are (1) there is no longer any upfront fee and (2) the employer has one month in which to supply the data as opposed to 40 days.
What does the right of access mean?
It means an employee has the right to ask their employer to confirm whether or not their personal data is or has been processed and where that is the case, be provided with the following information:
- the description, purpose and legal basis of the processing;
- the recipients of the personal data;
- the period or the criteria used to determine how long the data is to be retained for;
- the data itself;
- information on the origin of the personal data.
The employer is also required to tell the employee of their right to:
- correct/erase their data;
- make a complaint to the Data Protection Commission (formerly the Data Protection Commissioner).
This must be provided to the employee as soon as possible and in any event within a month of the request.
What the employee needs to do
When making a request, the employee is required to provide sufficient information to satisfy the employer that the employee is who they say they are, and sufficient information to enable the employer to locate the information/personal data.
Where an employer has reasonable doubts as to the identity of the requester or reasonably requires additional information to locate the information/data requested, it can ask for this information from the employee and the clock is stopped on the one-month period to enable this to happen.
Extending the time in which to respond to a request
Where the request is complicated, the employer can ask that the one-month period be extended by up to two months. In such circumstances the employer has to notify the employee in writing of the extension, and the reason for it, within the one-month period. An employer is allowed one extension only.
What is the situation where the employee’s data also includes data belonging to someone else?
Where the employee data includes another person’s data, the employer is required to provide the employee with a summary of that data in such a format that it does not reveal the personal data of the other person unless that other person consents to its release. Under the old Act this was dealt with by way of redacting (i.e. blocking out) the other person’s data. That practice was reflected in the language of the old Act which specifically provided for redacting in circumstances where it was reasonable to conclude that such a process achieved the desired result. This doesn’t seem to be the case under the new Act. Now the employer is required to provide the employee with a summary rather than a redacted version. How much of an issue this becomes is hard to determine at this stage. The important thing from the perspective of the employer is that there is no inadvertent leakage of someone else’s data.
Exceptions to the employee’s right to their personal data
An employee is not entitled to an opinion given about them if the opinion was given in confidence or on the understanding that it would be treated as confidential and given only on the basis that it is not to be disclosed. This same exception was included in the old Act and the DPC gave guidance on what opinions it viewed as coming within the exception. The guidance can be viewed at https://dataprotection.ie/docs/Data-Protection-Access-Requests-for-Personnel-Records/m/206.htm
An employee is not entitled to information where the recipient is a public authority and the information is received in the context of an inquiry in accordance with the law of the State.
Restrictions on the right of access
Section 94 sets out a number of restrictions on an employee’s right to access all or part of their data. These include:
- ensuring the safety of the public and the safety/security of individuals and property;
- protecting the life and well-being of any person;
- avoiding the obstruction or impairment of an investigation; or
- the operation of legal privilege.
Where an employer decides to restrict access to data it must inform the employee of this and the reason why. It must also tell the employee of their right to ask the Commission to verify the lawfulness of the employer’s action, and of their right to seek a judicial remedy in relation to the restriction. The employer is required to create and maintain a record of the restriction, and the legal basis for this, and to furnish this to the Commission on request.
The format in which the data needs to be supplied to the employee
Section 93 provides that the data is supplied in the same format as the initial request, in so far as possible.
What’s new about data access requests?
Not a huge amount, but the environment in which such requests are made has changed. Employees have a heightened awareness of their rights in general, including their right to make a complaint to the Commission and/or take a data protection action for damages for breach, including non-monetary damage. In those circumstances employers can expect to see more such requests. Until employers streamline how they respond to data access requests, they will be playing catch-up and risk becoming enmeshed in long, drawn-out data access disputes with disaffected employees about what data they have or haven’t got.