The Data Protection Commissioner (DPC) has contacted more than 40 of Ireland’s biggest organisations, across a variety of sectors, in order to assess compliance with legislation concerning “Enforced Subject Access Requests”. Organisations were selected at random and include prominent banks, energy suppliers, recruitment companies and major chain stores.
Individuals have the right to request access to personal information about them held by certain organisations. “Enforced Subject Data Requests” occur where an individual is required by a potential employer to make a data access request from an entity (such as the Gardaí) and deliver the information provided under such a request to the potential employer. Requests of this nature have been an offence under data protection legislation since July of last year.
While Garda vetting is permitted in certain distinct roles, for example those relating to childcare and vulnerable adults, the Garda Vetting Unit received a “questionably high” number of data access requests from individuals last year, leading to suspicion on behalf of the DPC that organisations have been using such requests as a means of “vetting by the back-door”. Further, data access requests may reveal more sensitive data than may be disclosed by a simple Garda vetting check.
The DPC has warned that she intends to “vigorously pursue and prosecute any abuse detected”. The organisations contacted have been given three weeks to respond to the DPC and follow up inspections will be carried out. This represents yet another example of the DPC’s proactive approach to regulation. For organisations engaged in this type of activity, now is the time to take remedial action.