Limits to Protection

General Limitations

Data is not personal data, simply because the person’s name is mentioned. This limitation is particularly important in the context of employment. Most data in an employment context will relate to the employer. An incidental reference to an employee will not, in most such cases, make it personal data in relation to the employee.

The EU Directives recite that the data disclosure should not adversely affect trade secrets, intellectual property or copyright.  Elements of data protected by intellectual property may be removed. Data given in confidence need not be released but may have to be summarised, removing and redacting confidential elements.

A data controller is not obliged to disclose personal data relating to another individual unless that other person has also consented.  If the personal data of the requesting party can be given without disclosing that other information, it must be disclosed. Where it is reasonable for the data controller to conclude that the data can be disclosed without the other party being identified, he is obliged to disclose the data with the omission of those particulars.

Where personal data relating to an individual consists of an opinion about that individual by another person, the data may be withheld (absent the consent of that other person) where the opinion in question was given in confidence or on the understanding that it would be confidential.  There are other public interest type exceptions.

Restrictions on Access I

There are a number of permitted restrictions on the right of access, some of which may be relevant. They include:

  • national security, defence, public security issues;
  • the prevention, investigation, protection, prosecution of criminal offences and breaches of ethics for regulated professions;
  • important economic and financial interests of the State or the EU including monetary, budgetary and taxation matters;
  • monitoring, inspection and regulatory functions in connection with the exercise of official authority;
  • in some limited cases, the protection of the data subject; and
  • the protection of the rights and freedom of others.

Restrictions on Access II

There is an exception to the right of access in respect of data kept for the purpose of performing functions conferred by law or regulations, which in the opinion of the Minister are designed to protect members of the public against financial loss caused by incompetence, dishonesty, malpractice in banking, insurance and other financial services or the conduct of persons who have been adjudicated bankrupt, where the exercise of the right of access would be likely to prejudice the proper performance of these functions.

The right of access does not apply to backup data.  This is generally understood to refer to backup systems for information technology.  Issues of interpretation may arise in the context of the architecture of modern computer systems.

A provision of the 2003 Act (not yet commenced) provides that it is not permissible (and that it is an offence) to recruit a person, or to make it a condition of employment or of a contract for services, that the other person makes a data access request or supplies information as a result of such a request.

Objection Not Permitted

An objection to data processing may not be made where:

  • the individual has given his explicit consent to the processing;
  • the processing is necessary in the performance of a contract to which the data subject is a party;
  • the processing is necessary in order to take steps at the request of that individual, prior to entering a contract;
  • the processing is necessary for the purpose of compliance with legal obligations to which the data controller or data subject is subject, other than obligations imposed by contract; or
  • the processing is necessary in order to protect the vital interests of the data subject.

Where a notice of objection is sent to a data controller, he must, as soon as practicable but within 20 days, serve a notice on the individual stating either that he intends to comply with the request, that he has complied with it, or that in his opinion the request is unjustified. The request may be objected to either completely or to an extent specified, in which case the notice states that the data controller has complied with it to the extent that it is justified.

The Data Protection Commissioner may be requested to determine the extent to which the objection is justified.  He may make an order to enforce compliance. The orders may require that steps be taken to comply to the extent that the Commissioner determines.

Permitted Processing

The processing (use) of personal data is permitted, provided that the processor complies with one or more of the following conditions:

  • the data subject (the person whose personal information it is) has unambiguously given his consent;
  • the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject, prior to entering a contract;
  • the processing is necessary for compliance with a legal obligation to which the controller is subject;
  • the processing is necessary to protect the vital interests of the data subject;
  • the processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller (data holder) or in a third party to whom the data is disclosed;
  • the processing is necessary for the purpose of the legitimate interests pursued by a controller or the third party to whom they are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the data subject.

The above criteria are set out in the EU Directive.  The Irish legislation provides the following additional grounds for the legitimate use of personal data:

  • the processing is necessary to prevent injury or other damage to the health of the data subject, a serious loss to the property of the data subject or is otherwise necessary to protect his vital interests, in circumstances where the seeking of the consent is likely to result in those interests being damaged. (The above principle also applies to the consent of a guardian, parent, etc.);
  • the processing is necessary for the administration of justice, the performance of a statutory or governmental duty or the performance of any function of a public nature;
  • processing which is necessary for the purpose of the legitimate interests pursued by the data controller, or a third-party to whom the data are disclosed, except where the processing is unwarranted in the circumstances by reason of prejudice to the fundamental rights and legitimate interest of the data subject.

All processing must comply with the data protection principles. See the separate section on these principles.


Consent must be unambiguous, freely given and informed.  A positive consent, as opposed to a consent by inertia, is required. It cannot be inferred or implied. Explicit consent is preferable in all cases. If a person has not realised that he is consenting, it is unlikely to be sufficiently unambiguous and free for the purposes of the legislation.

Consent given by way of fraud, duress, misrepresentation, pressure or violence is not valid consent. The consent must be genuine and free.  Consent obtained by deception or misstatement is invalid.  Consent induced by mistake may be invalid.

The requirement that the consent be specific means that a general sweeping consent will not suffice.  Consent may not be implied, subject to some necessary exceptions. Consent must be informed.  The embodiment of consent in small print, where it does not come to the attention of the data subject, may not be sufficient.  The extent to which the consent is required to be informed or explicit depends on whether the processing is unusual, invasive or affects the data subject’s fundamental rights.  More explicit consent will be required where the processing is unusual or affects fundamental rights.

In some cases, consent may be withdrawn.  The legislation provides that the data subject may object to the processing of data which would cause him unwarranted damage and distress.  It is provided that a person may not withdraw a consent where he or she has given explicit consent, and in the case of certain other forms of consent.

Contractual Necessity

The extent to which data processing is necessitated for the performance of a contract, or in order to take steps at the request of the data subject to enter the contract, may be a question of interpretation in the circumstances.  Employment contracts raise sensitive issues.  The processing must be necessary pursuant to the contract.  Unambiguous consent is required.

Pre-contract consent must relate to steps taken by the other party at the data subject’s request.  This, for example, may involve the use of personal data in preparing a quotation for a job.

Data processing is permissible in relation to obligations imposed other than by contract.  This may arise from a legal obligation or duty.

The data controller may process the personal data of another, to the extent that it is necessary for the purpose of the protection of his legitimate interests.  This does not apply where it would infringe the fundamental freedoms of the data subject.  Legitimate interests embrace a broad range of considerations.

Processing Sensitive Data

The processing of sensitive personal data is allowed in a number of cases:

  • the data subject has given explicit consent;
  • the processing is necessary for the purpose of exercising any rights or obligation imposed by law on the data controller (employer) in connection with employment;
  • the processing is necessary to prevent injury or damage to the health of the data subject or another person, or to prevent serious loss of or damage to the property or otherwise protect the vital interest of the data subject, where consent cannot be given, by or on behalf of the data subject, where the data controller cannot reasonably be expected to obtain such consent or where the processing is necessary for such purpose, or where in such a case, consent has been unreasonably withheld;
  • the processing is carried on in the course of legitimate activities of certain non-commercial bodies.  The activities must not be carried on for profit, and the body must exist for political, philosophical, religious, or trade union purposes. The processing must be carried out with appropriate safeguards for the fundamental rights and freedoms of the person concerned.  It must relate only to persons who are members of the body or have regular contact with it, in connection with its purposes.  There can be no disclosure to third parties without consent;
  • the information contained in the data has been made public as a result of steps deliberately taken by the data subject;
  • the processing is necessary for the administration of justice or the performance of governmental functions;
  • the processing is required for the purpose of obtaining legal advice or in connection with legal proceedings, prospective legal proceedings or is otherwise necessary for the purpose of establishing, exercising and defending legal rights;
  • the processing is necessary for medical purposes and is undertaken by a health professional or a person who, in the circumstances, owes a duty of confidentiality to the data subject equivalent to that which would exist if the person was a health professional;
  • the processing is necessary for the purpose of gathering statistics;
  • the processing is carried out by political parties or candidates for the purpose of ascertaining political opinions, provided it complies with their fundamental rights and freedoms;
  • the processing is authorised by regulations made by the Minister;
  • the processing is necessary for the purpose of the assessment, collection or payment of any tax, duty or levy or other monies payable to the State and the data has been provided only for that purpose; or
  • it is necessary for the purpose of determining entitlement to any social protection or social security scheme.

Security Processing

There is an exemption from the Data Protection Act for the processing of data required for the purpose of detecting, preventing and investigating offences.  There is an exception in respect of processing required by statute.  Issues may arise under human rights law.  Most data processing by the Gardai is exempt from the Data Protection Act, by reason of the above-mentioned exemption.

Particular considerations arise where allegations of sexual misconduct affect an existing employee or office holder.  Where serious allegations are raised, the requirements of constitutional justice will generally require that an opportunity be given to meet the allegations and rebut them.  Fair procedures will be required in relation to a determination, which adversely affects a person’s constitutional right, such as his reputation.
