Statutory Rights

Data Access Rights

The Data Protection Act gives significant rights to individuals in relation to data held by third parties about them.  These rights may be enforced directly against the person or entity who holds or controls the data. An employee may assert data protection rights against his employer in respect of personal information held in relation to him. Certain limits to these rights may apply.

Any individual who believes that any person or entity is keeping personal data about him, shall if he so requests in writing, be informed by the person or entity whether he holds such data. If he does keep such data, the person or entity must give a description of the data and the purposes for which it is kept. This must be given as soon as may be and in any event, not more than 21 days after the request has been made.  No fee is payable.

The right to discover whether the information is held is much broader than the right to obtain disclosure.  This latter right is subject to various exceptions which do not apply to the former right.


Data Request I

A data subject (i.e. a person about whom personal information is kept by another) may make a request in writing to that other (the data controller) about the following if data is held:

  • the categories of data being processed by or on behalf of the data controller;
  • the personal data about that individual;
  • the purpose of the processing; and
  • the recipients or categories of recipients, to which the data may be disclosed.

The data subject (in this case, the employee) is entitled to have information constituting the personal data, of which he is the subject, communicated to him in an intelligible form together with information known or available to the data controller in relation to its source, unless certain exceptions apply, which are broadly those in the public interest. The data controller must supply a copy of the information in a permanent form, unless this would be disproportionate, not possible or unless the data subject otherwise agrees.


Data Request II

There is no specified form for the data request.  It must be made in writing.  It must be complied with as soon as may be, but in any wait, within 40 days.  The individual who makes the request must give sufficient evidence to enable him to be identified and identify the information concerned.

Where there are separate entries in respect of data kept for different purposes, the request for information is assumed to be a separate request for each data.

Fees may be payable in relation to a data request.  The fee must be returned if the request is not complied with. The fee must also be returned, if the data is erased or rectified following the application of the individual or following enforcement.  The fee has been prescribed at €6.35 since 1988.


Data Request Response

Where the information is in terms that are not intelligible to an average person, the information must be accompanied by an explanation of the terms concerned. Where the data controller refuses a request, he must write and set out the reason for refusal.  He must indicate that the individual may complain to the Data Protection Commissioner in relation to the refusal.

Requests for the same information may not be made at repeatedly.  Where a request has been previously complied with, which is substantially identical or similar, the data controller need not, comply, if he is of the opinion that a reasonable interval has not lapsed between compliance with the previous request and making of the current request. This is primarily a matter for the data controller.

The Data Protection Act provides that the right of access shall be complied with by supplying the individual with a copy of the information concerned in a permanent form unless the supply of such a copy is not possible or would involve disproportionate efforts.  This is understood to mean that the supply should be in a permanent form. If this is not possible, some other type of access may be substituted.


Erasure or Correction

An individual may rectify, block and erase data if it is incomplete or inaccurate.  He may require that a third party to whom the data has been disclosed, be notified of the rectification, erasure or blocking unless this is disproportionate or impossible.  The data controller must comply with a valid request, within 40 days.

Where the data is incorrect, the data controller may supplement it with a statement agreed by the individual affected.  It must notify the individual as soon as may be, but not later than 40 days after the request has been made. Where the request materially modifies the data, if must notify third parties to whom it has been disclosed in the last 12 months within 40 days unless this would be disproportionate.


Acquisition

Data must be collected for a particular specified, explicit and legitimate purpose.  It must not be processed in a manner which is incompatible with that purposes.  The relevant purpose must be specified at the time of collection. The individuals must be told that they have a right to access to access the information and have it corrected if necessary.

Personal information must be acquired fairly, freely and lawfully. Individuals should be told what will be done with the personal information. The proposed use should be explained where it might be unexpected. Personal information should not be used for a purpose that would not be expected.


Processing Principles

The Data Protection Act provides certain principles, which are binding on data controllers. The Data Protection principles are as follows.  They require that personal information

  • be processed fairly and lawfully;
  • be processed for one or more specified lawful uses and not further processed in any way incompatible with that original purpose;
  • be adequate relative and not excessive;
  • be accurate and where necessary up to date;
  • be kept for no longer than is necessary for the purpose;
  • be processed in accordance with the rights of the individuals;
  • be kept secure with appropriate technological and organisational measures;
  • not be transferred outside the EEA (EU plus Norway, Iceland and Lichtenstein) unless there is adequate protection.

Processing

The data must be processed fairly and lawfully.  Fair processing requires that the data subject be given certain prior information. The employee should be given information about the identity of the data controller, to whom it may be disclosed to and the purposes for which it is to be used, in the limited cases where this may be legitimate.  The information should be furnished before the data controller first processes the data.

“Processing” covers keeping, collecting, storing, altering, adapting, retrieving, consulting, using, transmitting, disseminating or otherwise making available, the data.  It includes combining, blocking, erasing and destroying data.

Data must not be collected which is irrelevant to the purposes for which it is required.  The controller must assess the adequacy, relevance and nexus of the data in an objective way.  He must act fairly bearing in mind the purpose of the data collected and acquisition.

Data processing must be objectively necessary.  Data must not be retained for any longer than necessary. Data processing must be relevant to the purpose for which it is collected.  It must not be excessive in the context of the purposes for which it is collected.


Sensitive Data

Explicit consent is required for the processing of sensitive personal data. In the context of employment, the processing must be necessary for the purpose of exercising any right or obligation conferred on the data controller in connection with employment. In the medical context, the requirement compliments the doctor-patient duty of confidentiality.

Higher standards apply to the processing of certain categories of data.  “Sensitive data” are those relating to the data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life, the commission of an offence and the sentence of the court in such proceedings. The processing of sensitive data is permissible in more limited circumstances than applies to personal data generally.


Maintenance

Personal data must be accurate and kept up-to-date. It must be adequate, relevant and not excessive in relation to the purposes for which it is collected.  It must be accurate and where necessary, kept up to date.  Every reasonable step must be taken to ensure that data which is inaccurate or incomplete having regard to its purposes, is erased or corrected. Data is inaccurate if it is incorrect or misleading in relation to the factual position.

Data must be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which it is collected, or for which it is further processed.


Disclosure

Generally speaking, it is not permissible to disclose information to another person, business or organisation unless the individual concerned is aware that this is going to be done and permission has been given. Disclosure includes the disclosure of information extracted from data and the transfer of data.

Disclosure does not include disclosure made by a data controller or processor to his employee, for the purpose of carrying out his duties. Where the identification of the data subject depends partly on the data and partly on other information in the control or possession of the data controller, disclosure does not take place until the other connecting information is disclosed.

There will be very few cases where personal employee information may be disclosed to a third party.  Employee information may not be disclosed to a third party unless this is legitimate and is clearly agreed. Intergroup transfers of information may be legitimate in some cases.  Information may be required to be disclosed in the case of a proposed sale of the employer.

Employee information may be disclosed without consent in highly exceptional circumstances, only. Such circumstances may arise in relation to the reporting of crime and in pursuance of statutory obligations.


Data Security

Data controllers must keep personal data secure. The security must be appropriate.  What is appropriate will depend on the circumstances.  The Directive provides that regard may be had to state of the art and the cost of implementation of measures. The security must be appropriate to the risk represented by the processing and the nature of the data.

Measures must be taken against unauthorised access, alteration, disclosure, destruction of data.  Security measures must be taken to guard against unlawful forms of processing. The duty applies in particular, to the transmission of data over a network. The level of security required may take account of the state of technology and the cost of implementation.

The measures taken must be adequate to secure the data. They must be appropriate to the harm that might result from unauthorised or unlawful processing or from destruction or loss. The must be appropriate to the nature of the data concerned.  They must take account of the risk of deliberate attempts to hack, as well as accidental disclosure.

A data processor who processes data on behalf of a data controller must also implement the above security measures.  The relationship between the data processor and the data controller should be governed by a contract, which requires that processing be undertaken securely, in accordance with the instructions of the data controller.  The outsourcing controller must ensure that the processor provides sufficient assurance and guarantees in relation to the technical, security and organisational measures applicable to the processing.  It must take reasonable steps to ensure compliance with the measures.


Objection to Processing

An individual may object to the processing of data, where such processing is not permitted under the legislation or where it is incompatible with it.  It is not enough that the individual disagrees with the processing, there must be a substantive ground of objection based on the Act.

An individual may at any time notify a data controller in writing and request him not to begin processing data or processing data for a specified purpose or in the manner specified, which relates to him.  In broad terms, the right of objection does not apply to the processing of data which is necessary for the purposes of the legitimate interests pursued by the data controller, here the employer.
This exception does not apply if those interests are overridden by the interests of the objector in relation to his fundamental rights and freedoms and, in particular, his or her right to privacy in relation to the processing of personal data.
An objection may be made by the individual where the processing of data or the processing for the particular purpose or in a particular manner is causing or likely to cause him substantial and unwarranted damage or distress.

References and Sources

Primary References

Employment Law  Meenan  2014 Ch.24

Employment Law Supplement Meenan 2016

Employment Law Regan & Murphy  2009 ( 2nd Ed 2017) Ch. 13

Employment Law in Ireland Cox & Ryan 2009 Ch 15

Practical Guide to Data Protection Law in Ireland     2003 A& L Goodbody

Data Protection: a Practical Guide to Irish & EU Law 2010   Carey

Privacy & Data Protection Law in Ireland       2015   2nd Ed Kelleher

Data Protection Law in Ireland: Sources & Issues     2016   2nd Ed     Lamber

Other Irish Books

Employment Law Forde & Byrne 2009

Principles of Irish Employment Law   Daly & Doherty           2010

Statutes

Data Protection Act 1988

Data Protection (Amendment) Act 2003

Legislation

Dismissal & Redundancy Consolidated Legislation   Barrett, G        2007

Irish Employment legislation (Looseleaf)       Kerr     1999-

Employment Rights Legislation (IEL offprint) Kerr     2006

UK Texts

Textbook on Employment Law, Honeyball, et al. 13th Ed. 2014

Labour Law, Deakin and Morris 5th Ed. 2012

Employment Law, Smith and Wood 13th Ed 2017

Selwyn’s law of Employment Emir A 19 Ed. 2016

Employment law : the essentials. Lewis D Sargeant M and Schwab M 11 Ed.2011

Labour Law Collins H, Ewing K D and McColgan  2012

Industrial relations law reports. (IRLR): Law Section,

Employment law Benny R Jefferson M and Sargent  5th Ed.  2012

Pitt’s Employment Law 10th  Ed. Gwyneth Pitt 2016

CLP Legal Practice Guides: Employment Law 2016 Gillian Phillips, Karen Scott

Cases and Materials on Employment Law 10th  Ed. Richard Painter, Ann E. M. Holmes 2015

Blackstone’s Statutes on Employment Law 2015 – 2016 Richard Kidner

Drafting Employment Contracts 3rd  Ed. Gillian Howard 2017

The Contract of Employment Edited by Mark Freedland, Alan Bogg, David Cabrelli, Hugh Collins, Nicola Countouris, A.C.L. Davies, Simon Deakin, Jeremias Prassl 2016

UK Practitioner Services

Tolley’s Employment Handbook 2017 Mrs Justice Slade 2017

Butterworths Employment Law Handbook 2017 Peter Wallington 2017

Blackstone’s Employment Law Practice 2017 Edited by Gavin Mansfield, John Bowers, John Macmillan 2017