Data Access Rights
The Data Protection Act gives significant rights to individuals in relation to data held by third parties about them. These rights may be enforced directly against the person or entity who holds or controls the data. An employee may assert data protection rights against his employer in respect of personal information held in relation to him. Certain limits to these rights may apply.
Any individual who believes that any person or entity is keeping personal data about him shall, if he so requests in writing, be informed by the person or entity whether he holds such data. If he does keep such data, the person or entity must give a description of the data and the purposes for which it is kept. This must be given as soon as may be and, in any event, not more than 21 days after the request has been made. No fee is payable.
The right to discover whether the information is held is much broader than the right to obtain disclosure. This latter right is subject to various exceptions which do not apply to the former right.
Data Request I
A data subject (i.e. a person about whom personal information is kept by another) may make a request in writing to that other person (the data controller) for the following, if data is held:
- the categories of data being processed by or on behalf of the data controller;
- the personal data about that individual;
- the purpose of the processing; and
- the recipients or categories of recipients, to which the data may be disclosed.
The data subject (in this case, the employee) is entitled to have the information constituting the personal data of which he is the subject communicated to him in an intelligible form, together with any information known or available to the data controller as to its source, unless certain exceptions apply, which are broadly those in the public interest. The data controller must supply a copy of the information in a permanent form, unless this would be disproportionate or impossible, or unless the data subject otherwise agrees.
Data Request II
There is no specified form for the data request. It must be made in writing. It must be complied with as soon as may be, but in any event within 40 days. The individual who makes the request must give sufficient evidence to enable him to be identified and to identify the information concerned.
Where there are separate entries in respect of data kept for different purposes, the request for information is treated as a separate request in respect of each entry.
Fees may be payable in relation to a data request. The fee must be returned if the request is not complied with. The fee must also be returned if the data is erased or rectified following the application of the individual or following enforcement. The fee has been prescribed at €6.35 since 1988.
Data Request Response
Where the information is in terms that are not intelligible to an average person, the information must be accompanied by an explanation of the terms concerned. Where the data controller refuses a request, he must write and set out the reason for refusal. He must indicate that the individual may complain to the Data Protection Commissioner in relation to the refusal.
Requests for the same information may not be made repeatedly. Where a substantially identical or similar request has previously been complied with, the data controller need not comply if he is of the opinion that a reasonable interval has not elapsed between compliance with the previous request and the making of the current request. This is primarily a matter for the data controller.
The Data Protection Act provides that the right of access shall be complied with by supplying the individual with a copy of the information concerned in a permanent form, unless the supply of such a copy is not possible or would involve disproportionate effort. This is understood to mean that the supply should ordinarily be in a permanent form; if this is not possible, some other type of access may be substituted.
Erasure or Correction
An individual may require that data be rectified, blocked or erased if it is incomplete or inaccurate. He may require that a third party to whom the data has been disclosed be notified of the rectification, erasure or blocking, unless this is disproportionate or impossible. The data controller must comply with a valid request within 40 days.
Where the data is incorrect, the data controller may supplement it with a statement agreed by the individual affected. It must notify the individual as soon as may be, but not later than 40 days after the request has been made. Where the request materially modifies the data, it must, within 40 days, notify third parties to whom the data has been disclosed in the last 12 months, unless this would be disproportionate.
Data must be collected for a particular specified, explicit and legitimate purpose. It must not be processed in a manner which is incompatible with that purpose. The relevant purpose must be specified at the time of collection. Individuals must be told that they have a right of access to the information and a right to have it corrected if necessary.
Personal information must be acquired fairly, freely and lawfully. Individuals should be told what will be done with the personal information. The proposed use should be explained where it might be unexpected. Personal information should not be used for a purpose that would not be expected.
The Data Protection Act sets out certain principles which are binding on data controllers. The data protection principles require that personal information
- be processed fairly and lawfully;
- be processed for one or more specified lawful uses and not further processed in any way incompatible with that original purpose;
- be adequate, relevant and not excessive;
- be accurate and where necessary up to date;
- be kept for no longer than is necessary for the purpose;
- be processed in accordance with the rights of the individuals;
- be kept secure with appropriate technological and organisational measures;
- not be transferred outside the EEA (the EU plus Norway, Iceland and Liechtenstein) unless there is adequate protection.
The data must be processed fairly and lawfully. Fair processing requires that the data subject be given certain prior information. The employee should be given information about the identity of the data controller, the persons to whom the data may be disclosed and the purposes for which it is to be used, in the limited cases where this may be legitimate. The information should be furnished before the data controller first processes the data.
“Processing” covers keeping, collecting, storing, altering, adapting, retrieving, consulting, using, transmitting, disseminating or otherwise making available, the data. It includes combining, blocking, erasing and destroying data.
Data which is irrelevant to the purposes for which it is required must not be collected. The controller must assess the adequacy, relevance and nexus of the data in an objective way, and must act fairly, bearing in mind the purpose for which the data is collected and acquired.
Data processing must be objectively necessary. Data must not be retained for longer than necessary. Data processing must be relevant to the purpose for which the data is collected and must not be excessive in the context of that purpose.
Explicit consent is required for the processing of sensitive personal data. In the context of employment, the processing must be necessary for the purpose of exercising any right or obligation conferred on the data controller in connection with employment. In the medical context, the requirement complements the doctor-patient duty of confidentiality.
Higher standards apply to the processing of certain categories of data. “Sensitive data” are those relating to the data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life, the commission of an offence and the sentence of the court in such proceedings. The processing of sensitive data is permissible in more limited circumstances than applies to personal data generally.
Personal data must be accurate and, where necessary, kept up to date. It must be adequate, relevant and not excessive in relation to the purposes for which it is collected. Every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to its purposes, is erased or corrected. Data is inaccurate if it is incorrect or misleading as to the factual position.
Data must be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which it is collected, or for which it is further processed.
Generally speaking, it is not permissible to disclose information to another person, business or organisation unless the individual concerned is aware that this is going to be done and permission has been given. Disclosure includes the disclosure of information extracted from data and the transfer of data.
Disclosure does not include disclosure made by a data controller or processor to his employee, for the purpose of carrying out his duties. Where the identification of the data subject depends partly on the data and partly on other information in the control or possession of the data controller, disclosure does not take place until the other connecting information is disclosed.
There will be very few cases where personal employee information may be disclosed to a third party. Employee information may not be disclosed to a third party unless this is legitimate and is clearly agreed. Intergroup transfers of information may be legitimate in some cases. Information may be required to be disclosed in the case of a proposed sale of the employer.
Employee information may be disclosed without consent only in highly exceptional circumstances. Such circumstances may arise in relation to the reporting of crime and in pursuance of statutory obligations.
Data controllers must keep personal data secure. The security must be appropriate, and what is appropriate will depend on the circumstances. The Directive provides that regard may be had to the state of the art and the cost of implementing measures. The security must be appropriate to the risk represented by the processing and to the nature of the data.
Measures must be taken against unauthorised access to, and alteration, disclosure or destruction of, data. Security measures must also guard against unlawful forms of processing. The duty applies in particular to the transmission of data over a network. The level of security required may take account of the state of technology and the cost of implementation.
The measures taken must be adequate to secure the data. They must be appropriate to the harm that might result from unauthorised or unlawful processing or from destruction or loss, and to the nature of the data concerned. They must take account of the risk of deliberate attempts to hack, as well as of accidental disclosure.
A data processor who processes data on behalf of a data controller must also implement the above security measures. The relationship between the data processor and the data controller should be governed by a contract which requires that processing be undertaken securely and in accordance with the instructions of the data controller. The outsourcing controller must ensure that the processor provides sufficient assurances and guarantees in relation to the technical, security and organisational measures applicable to the processing, and must take reasonable steps to ensure compliance with those measures.
Objection to Processing
An individual may object to the processing of data where such processing is not permitted under the legislation or is incompatible with it. It is not enough that the individual disagrees with the processing; there must be a substantive ground of objection based on the Act.