Category: Data Protection
Accessing Employee Personal Data under the New Data Protection Act
This right is set out in section 91 of the 2018 Act.
The right of access in the 2018 Act is similar to the right of access in the 1988 Act (‘the old Act’). The two notable differences are (1) there is no longer any upfront fee and (2) the employer has one month in which to supply the data as opposed to 40 days.
What does the right of access mean?
It means an employee has the right to ask their employer to confirm whether or not their personal data is or has been processed and where that is the case, be provided with the following information:
- the description, purpose of and legal basis of the processing;
- the recipients of the personal data;
- the period or the criteria used to determine how long the data is to be retained for.
The employer is also required to tell the employee of their right to:
- correct/erase their data;
- make a complaint to the Data Protection Commission (formerly the Data Protection Commissioner);
- obtain the data itself;
- obtain information on the origin of the personal data.
This must be provided to the employee as soon as possible and in any event within a month of the request.
What the employee needs to do
When making a request, the employee is required to provide the employer with sufficient information to satisfy the employer that the employee is who they say they are, and sufficient information to enable the employer to locate the information/personal data.
Where an employer has reasonable doubts as to the identity of the requester or reasonably requires additional information to locate the information/data requested, it can ask for this information from the employee and the clock is stopped on the one-month period to enable this to happen.
Extending the time in which to respond to a request
Where the request is complicated, the employer can ask that the one-month period be extended by up to two months. In such circumstances the employer has to notify the employee in writing of the extension, and the reason for it, within the one-month period. An employer is allowed one extension only.
What is the situation where the employee’s data also includes data belonging to someone else?
Where the employee data includes another person’s data, the employer is required to provide the employee with a summary of that data in such a format that it does not reveal the personal data of the other person unless that other person consents to its release. Under the old Act this was dealt with by way of redacting (i.e. blocking out) the other person’s data. That practice was reflected in the language of the old Act which specifically provided for redacting in circumstances where it was reasonable to conclude that such a process achieved the desired result. This doesn’t seem to be the case under the new Act. Now the employer is required to provide the employee with a summary rather than a redacted version. How much of an issue this becomes is hard to determine at this stage. The important thing from the perspective of the employer is that there is no inadvertent leakage of someone else’s data.
Exceptions to the employee’s right to their personal data
An employee is not entitled to an opinion given about them if the opinion was given in confidence or on the understanding that it would be treated as confidential and given only on the basis that it is not to be disclosed. This same exception was included in the old Act and the DPC gave guidance on what opinions it viewed as coming within the exception. The guidance can be viewed at https://dataprotection.ie/docs/Data-Protection-Access-Requests-for-Personnel-Records/m/206.htm
An employee is not entitled to information where the recipient is a public authority and the information is received in the context of an inquiry in accordance with the law of the State.
Restrictions on the right of access
Section 94 sets out a number of restrictions on an employee’s right to access all or part of their data. These include:
- ensuring the safety of the public and the safety/security of individuals and property;
- protecting the life and well-being of any person;
- avoiding the obstruction or impairment of an investigation; or
- the operation of legal privilege.
Where an employer decides to restrict access to data it must inform the employee of this and the reason why. It must also tell the employee of their right to ask the Commission to verify the lawfulness of the employer’s action, and of their right to seek a judicial remedy in relation to the restriction. The employer is required to create and maintain a record of the restriction, and the legal basis for this, and to furnish this to the Commission on request.
The format in which the data needs to be supplied to the employee
Section 93 provides that the data is supplied in the same format as the initial request, in so far as possible.
What’s new about data access requests?
Not a huge amount, but the environment in which such requests are made has changed. Employees have a heightened awareness of their rights in general, including their right to make a complaint to the Commission and/or take a data protection action for damages for breach, including non-monetary damage. In those circumstances employers can expect to see more such requests. Until employers streamline how they respond to data access requests, they will be playing catch-up and risk becoming enmeshed in long-drawn-out data access disputes with disaffected employees about what data they have or haven’t got.
As Karlin Lillington of the Irish Times (26 April 2018) remarked, everyone is talking about GDPR but things aren’t necessarily getting any clearer. There is a lot of noise out there and attempts to scare the bejaysus out of people by pointing to the astronomical fines that non-compliance can potentially expose a company to, without providing solutions.
To understand what you have to do, you need to have an understanding of the principles underlying GDPR. The principles are straightforward. They are about transparency and accountability. If you, as an employer, collect data on someone – be it an employee, a worker or a contractor – you need to tell them what information you hold; why you are holding it; how long you intend to hold it for; what security measures you have put in place to make sure that their data is safe; and how they can access, amend, transport or erase it.
An employer will do this through the medium of three documents – a privacy statement, a data protection policy and a data retention policy.
Privacy statement
The privacy statement should set out information on the nature of the data collected/to be collected; the purpose for which it may be used; to whom it may be disclosed; the reason for the processing; if the information is to be transferred outside the country, where and why; how long their data will be retained; their right to correct/erase/move their data; their right to complain to the Data Protection Commissioner and, if there is a Data Protection Officer in place, their contact details.
Data Protection Policy
The Data Protection Policy will elaborate on some of the issues referenced in the privacy statement. In addition, it should address where the data is to be held; the security measures that are in place to ensure the safety of the data; the rules around sensitive data; how data access requests will be dealt with; what the process is in the event of a security breach; the individual’s obligation to process other individuals’ personal data in accordance with the policy; and the consequences for failing to comply with the policy.
Data Retention Policy
The data retention policy should set out how long a data subject’s data will be retained for and the reason for the retention.
Summary
It is of course more complex and more nuanced than just having a privacy statement, a data protection policy and a retention policy, but this is a good starting-out position. It will help bring clarity to how an employer deals with personal data and who, within the organisation, needs to have it. It might also make people think twice about cc’ing the “whole world” when it comes to discussing an individual, or consider having a meeting rather than a myriad of emails that will be subject to data access requests. The Cambridge Analytica scandal, the ongoing litigation before the European Court of Justice relating to the transfer of data, and the increased fines and enhanced individual rights to sue for breaches relating to their personal data are going to put data protection “front and centre” for the foreseeable future. Employers will probably find themselves in the cross-hairs, where any advisor worth their salt will be telling disgruntled employees to put in a data access request and see how much of a “stir” that causes an organisation. Finally, it goes without saying, make sure that the data protection clause in the contract of employment is consistent with the privacy statement, data protection policy and data retention policy.