Every employer has to manage employee records and data. Therefore, they should be aware of their obligations under the Data Protection Acts 1988-2003 (“Acts”) to safeguard such information.
Maureen Daly takes us through the key points all employers should be aware of under the Acts:
- An employer should check whether they are obliged to register with the Irish Data Protection Office.
- The purpose of personal data collection should be explained to staff. Employers should not request sensitive personal data (such as medical data) unless specific conditions under the Acts are met (including obtaining the employee’s explicit consent). Since July 2014, it is a criminal offence to require a job applicant to obtain a copy of their personal records.
- Certain employee legislation mandates that employee data is retained for stated periods. Otherwise, under the Acts, personal data should be held for no longer than is necessary for its particular use.
- Monitoring of staff should be transparent, proportionate and fair. Staff should be aware of what the employer is collecting about them and the purposes for which personal data is to be processed.
- Personal data should not be transferred outside of the European Economic Area unless the destination country ensures an adequate level of data protection. Some countries have been approved by the European Commission in this regard (e.g. Switzerland, Argentina, Israel and New Zealand). Otherwise, the employer should use the ‘model contracts’ approved by the EU to ensure that personal data is safeguarded.
Employers should put in place the appropriate structures to ensure compliance with the Acts, including a clear internal procedure to deal with requests from staff or former employees for access to their personal data. Having a data protection policy will help them to ensure they are data protection compliant and will provide a framework against which to review compliance.