The Data Protection Acts 1988 and 2003 impose stringent requirements on the data kept by employers about employees, in particular in respect of sensitive personal data.
Employers are considered to be data controllers and processors within the legislation.
The Data Protection Commissioner can impose fines of up to €100,000 and employees can succeed in claims in relation to breaches of data protection law.
The principal obligations on the employer in respect of sensitive personal data are to collect and process it fairly, to ensure it is accurate and up to date, and to keep it no longer than necessary. For this reason employers should ensure that they have a data protection policy in the workplace.
Employee as Data Subject
The employee, as a data subject, has a general right to know what personal data is held about him/her, to whom it is disclosed, and to have it deleted or amended if incorrect. A written data request from an employee should be responded to within 40 days.
The Data Protection Acts, section 8 in particular, set out the circumstances where the employer may disclose the employee’s data to a third party. Whether or not the third party is a member of the EEA (European Economic Area) will determine whether the employer can comply with the request. If the data is being disclosed to a third party within the EEA then a written contract is required.
If not, the transfer of data is prohibited (subject to exceptional safeguards).
Registration with the Data Protection Commissioner
Data controllers fall into 3 categories for the purpose of registration:
- Categories of persons who are always obliged to register: this includes banks and financial institutions, insurance companies, internet service providers, phone companies
- Categories of persons who may be required to register: this includes data controllers who process personal data relating to mental and physical health
- Categories who are excluded: not for profit organisations, elected representatives, data processed for the normal course of personnel administration, solicitors and barristers, data for journalistic, literary or artistic material
Please note that these are not exhaustive lists and you may need to consult the legislation or a solicitor who has an expertise in this area if you are in doubt.
You might also want to read the 8 rules of data protection in Ireland.