The Office of the Data Protection Commissioner (DPC) issued its 2015 Annual Report over the summer. With data protection becoming an increasing issue for employers, here are the key issues from the Report that employers should be aware of:
1. Data Access Requests
Unsurprisingly, 60% of the 932 complaints received by the DPC in 2015 related to data access requests. In the employment context, examples are access requests by current or former employees seeking disclosures of all HR material related to them. These are most likely to arise in dispute situations. The DPC noted that data subjects are experiencing particular difficulties exercising their right of access. Accordingly, the DPC proposes to conduct an awareness campaign highlighting these issues in 2016. Employers need to be increasingly aware that any failure to properly comply with a data access request could lead to an investigation by the DPC. Failure to properly deal with data access requests may also attract significant penalties when the new EU General Data Protection Regulation (GDPR) is implemented in May 2018.
2. Enforced Subject Access Requests
Typically, an enforced subject access request entails an employer or prospective employer requiring a person to make a request about themselves from organisations such as An Garda Síochána or credit institutions. These requests have been prohibited since 2014. The DPC carried out an audit of 40 companies in 2015 to investigate whether they were complying with this restriction on enforced access requests. The DPC has stated that it will continue to monitor organisations’ compliance with this prohibition throughout 2016. As such, employers are advised to desist from making such requests. The temptation would most likely arise at recruitment stage. For more information on this topic see our previous blog here.
3. Increased Resources
The budget available to the DPC has increased from €3.65m in 2015 to €4.7m in 2016. This significant increase reflects the mounting importance of data protection across Europe and the expanding workload of the DPC. Utilising its increased resources, the DPC has set up a Special Investigations Unit which will carry out investigations on its own initiative (as opposed to commencing investigations only on the basis of complaints received).
4. Privacy Audits
In 2015, the DPC carried out 52 audits and inspections, half of which were unscheduled. The common themes identified in these audits included: (i) lack of data-retention policies; (ii) lack of signage for CCTV policies; (iii) excessive use of CCTV systems; and (iv) excessive use of biometric time and attendance systems. It is clear from the Report that the use of CCTV is an issue which will be a focus of the DPC in the future. This is highly relevant for employers. In fact, the DPC has already issued an updated guidance note in December 2015 in relation to the use of CCTV. The guidance note provides that data controllers (including employers) are required to put in place a written CCTV policy. For further information on this see our previous blog here.
5. General Data Protection Regulation (GDPR)
The Report signals the importance of the General Data Protection Regulation (GDPR) which will be implemented in May 2018. It notes that the GDPR will bring stricter breach-reporting obligations, the possibility of significant penalties in the case of compliance failures, more detailed record-keeping requirements and formal obligations to have a data-retention policy in place. This will increase the compliance burden on many employers. For more details on the GDPR read our recent blog on this topic here.
6. Data Breaches
During 2015, the DPC received 2,376 data-breach notifications, most of which were made voluntarily under the Personal Data Security Breach Code of Practice. The breaches largely related to unauthorised disclosures such as postal and electronic disclosures. The Report notes that the reporting of data breaches will become mandatory under the GDPR and failure to notify the DPC may attract significant fines. Employers should always consider whether any data breaches should be notified to employees or the DPC under the Code of Practice.
7. Transfer of Personal Data Abroad
The Report noted that, following the invalidation of the EU-US Safe Harbour agreement by the ECJ in 2015, the DPC is investigating the issue of the lawful transfer of personal data outside of the EU/EEA. Since the publication of the Report, the DPC has sought declaratory relief in the Irish High Court and a referral to the European courts regarding personal data transfers under standard contractual clauses or model clauses. The US has been joined as a notice party to these proceedings. Until such time as the matter is clarified, any transfers of personal data, and in particular any HR data, outside of the EU/EEA should only be carried out with the consent of the data subjects. For more details on data transfers read our recent blog on this topic here.