The Data Protection Commissioner (the “DPC”) has contacted more than 40 of Ireland’s biggest organisations, across a variety of sectors, in order to assess compliance with legislation concerning “Enforced Subject Access Requests”. Organisations were selected at random and include prominent banks, energy suppliers, recruitment companies and major chain stores.
The letters sent to these organisations were the result of a concern on the part of the DPC that some organisations may be requesting sensitive personal data relating to potential employees. “Enforced Subject Access Requests” occur where an individual is required to make a data access request and deliver the information provided under such a request to a potential employer. Requests of this nature have been an offence under data protection legislation since July of last year.
While vetting is permitted for certain distinct roles, for example those relating to childcare and vulnerable adults, the Garda Vetting Unit received a “questionably high” number of requests last year, leading to suspicion on the part of the DPC that organisations have been using such requests as a means of “vetting by the back-door”. Further, these access requests may reveal more sensitive data than may be disclosed by a simple vetting check.
The DPC has warned that she intends to “vigorously pursue and prosecute any abuse detected”. The organisations contacted have been given three weeks to respond to the DPC, and follow-up inspections will be carried out. This represents yet another example of the DPC’s proactive approach to regulation. For organisations engaged in this type of activity, now is the time to take remedial action.