Employers’ data protection obligations are set out in the pieces of legislation;
Data Protection Acts 1988 and 2003 (‘the Acts’);
The Data Protection (Amendment) Act, 2003, which implements the European Data Protection Directive 95/46/EC.
The Acts regulate how employers collect, store and use personal data held by them about their employees (past, prospective and current).
More onerous obligations are imposed in respect of sensitive personal data. Infringement of the Acts can lead to investigation by the Data Protection Commissioner, fines of up to €100,000 or compensation claims from affected employees.
Employers, as data controllers, must ensure that sensitive personal data about their employees is collected and processed fairly, is kept accurate and up to date and is not kept for any longer than necessary. Appropriate security measures must be taken by employers against unauthorised access to, or alteration, disclosure or destruction of, personal data. Employers should have a data protection policy in place including a data protection notice, a defined policy on retention periods for all items of personal data and provide appropriate staff training in data protection.
Employee Access to Data
Employees as data subjects have the right to make a subject access request. This entitles them subject to certain limited exceptions, to be informed what personal data is held about them and to whom it is disclosed, to obtain a copy of their personal data and have personal data amended or deleted where it is incorrect.
Employers should respond to subject access requests as soon as possible or within 40 days from receipt of the written request. Subject access requests cover personal data held in mutual and electronic form. Employers may charge up to €6.35 for supplying employees with a copy of their personal data.
Transmission of Data to Third Parties
Employers should not provide employees data to third parties otherwise than in accordance with the principles and processing conditions set out in the Data Protection Acts, 1988 and 2003.
It may be necessary to obtain express consent from the employee to such disclosure in the absence of a legitimate business purpose for the disclosure and depending on the nature of the information and the location of the third party.
Where the data is being transferred to a third party within the EEA a written contract should be entered into, in which the recipient agrees to process the data in accordance with the instructions of the transferor and comply with the security obligations set out in the Acts.
Where the third party is based outside the EEA the Acts prohibit the transfer of data unless that country ensures an adequate level of protection for personal data or one of a series of limited exceptions apply.
Where employee data is requested in the context of a commercial transaction anonymised data should be provided where possible. If this is not possible the recipient should be required to undertake in writing that it will only use the information in respect of the transaction in question, will keep it secure and will return or destroy it at the end of the transaction.