The Irish Data Protection Commissioner (“DPC”) recently announced a plan to assess employers’ compliance with the newly commenced rules on “enforced subject access requests”. The DPC has written to 40 organisations, including banks, energy suppliers, recruitment companies and large retail stores. Since 2014, it has been an offence for employers and prospective employers to require an individual to make an access request or to supply information received in response to the request. According to the DPC, this initiative is to prevent organisations from “vetting by the back-door”.
What is an enforced subject access request?
One of the core rights under Irish data protection law is the right of an individual to request a copy of any information relating to him/her held by an individual or organisation controlling the data. This is often termed a subject access request.
An “enforced” subject access request occurs where an employer or prospective employer forces an individual to exercise his/her right of access and provide any information obtained as a result of the request. These requests are usually made to the Irish police as part of a background screening process.
A criminal offence
In July 2014, access requests of this nature became an offence under the Irish Data Protection Acts. Specifically, section 4(13) prevents anyone from “requiring” an individual, in connection with their role as an employee, potential employee or contractor, to make a subject access request or to provide any data received in response to such a request.
Garda Vetting vs. Access Requests
A subject access request differs from the mandatory vetting of individuals for certain roles, such as teaching, childcare and for those working in the private security industry. The Irish police (Garda) receive numerous vetting applications on an annual basis as part of this formal vetting process.
The DPC’s concerns stem from the particularly high number of subject access requests received by the Garda Vetting Unit in 2014. While vetting applications are regularly processed by the same unit, those checks have always been subject to certain restrictions on what is disclosed. In contrast, individuals’ access requests could result in everything about that person held on Garda records being disclosed. As a result, the DPC considers that there may be an abuse of the access right by organisations which would not otherwise qualify to conduct a vetting check.
What happens next?
Companies contacted as part of this initiative have been given three weeks to provide a response to the DPC. Follow-up inspections will be carried out by the DPC to ensure compliance.
Improvement in compliance with section 4(13) will be important for those companies targeted. Any organisation that is found guilty of an offence under this section may be faced with a maximum penalty of €100,000.
What does this mean?
Employers based in Ireland need to review their hiring and staff vetting process to ensure that they are not engaging in enforced subject access requests. This is likely to be an area of significant regulatory scrutiny in the near future.