The data protection obligations of employers are set out in the Data Protection Acts 1988 and 2003 (‘the Acts’). The Data Protection (Amendment) Act 2003 gives effect to the European Data Protection Directive 95/46/EC. The Acts govern the ways in which employers collect, keep and use the personal data they hold about employees (past, present and prospective). More stringent requirements apply to sensitive personal data, such as information relating to an individual’s race, religion, beliefs, health (physical and mental), sexual orientation, criminal record or membership of a trade union. A breach of the Acts can result in an investigation by the Data Protection Commissioner and the award of a fine or a compensation claim of up to €100,000 to aggrieved employees.
In their role as data controllers, employers must make every effort to ensure that all sensitive data relating to their employees is obtained and processed fairly. They must ensure that it is accurate and kept up to date, and that it is not retained for longer than is reasonably necessary. Employers must take appropriate security measures to prevent unauthorised access to the data and to ensure that no unauthorised alteration, disclosure or destruction of the data can occur. Employers should undertake to publish a Data Protection Policy, which explains their data protection practices and specifies a data retention period. Staff training on data protection should also be a requirement.
Employee Access to Data
Employees have the right, as data subjects, to request access to the information held about them by making a subject access request. Subject to particular limited exceptions, this entitles them to be told exactly what personal data is held about them and exactly who has access to it. They have the right to receive a copy of their personal data and to have elements of it corrected or removed where there are errors. Employers are obliged to respond to written subject access requests as soon as reasonably possible, and in any case within 40 days of receipt. Subject access requests cover personal information held in both manual and electronic form. Employers may charge an administration fee of up to €6.35 for supplying employees with a copy of the relevant data.
Transmission of Data to Third Parties
Employers should not supply employees’ data to third parties other than in circumstances that comply with the principles and permitted operations defined in the Acts. Depending on the nature of the data and the legitimacy of the third party, it may be necessary to obtain the employee’s specific consent where there is no legitimate business purpose for sharing the information. Where data is being transferred to a third party within the European Economic Area (EEA), a written contract should be put in place under which the recipient agrees to use the data only in accordance with the instructions of the transferor and only with due regard to the security requirements set out in the Acts. Where the third party is outside the EEA, the Acts specifically prohibit any transfer of data unless that country ensures an adequate level of protection for sensitive data or one of a number of defined exceptions applies.
Where employee data is requested in connection with a commercial transaction, anonymised data should be supplied where possible. If this is not acceptable, the recipient must agree in writing that any personal data will be used only for the specific transaction, that it will be kept securely, and that it will be returned or destroyed at the conclusion of the business.
Please visit the website of the Data Protection Commissioner at https://www.dataprotection.ie for additional useful information.