The Minister for Justice recently commenced three previously inactive sections of the Irish Data Protection Acts 1988 and 2003 (“DPA”). The newly-commenced provisions mean that data controllers are now under a wider obligation to notify third party recipients of personal data when that data has been changed or deleted. Employers are also restricted from requiring various individuals in the employment context to make an access request for their personal data.
1. Notification to third parties – Statutory Instrument 337 of 2014
The DPA now provides specific situations where data controllers must notify certain third parties of changes to data. Previously, only the data subject had to be notified of any such changes. Now, if personal data has been “materially modified”, the data controller must notify anyone to whom the controller disclosed the data in the past 12 months.
There are two circumstances where data controllers are obliged to notify the relevant third parties. These are if the changes to data have been made:
i. where the data subject has used their right to request that their data be corrected or deleted, such as where the data was incorrect or excessive (section 6(2)(b)); or
ii. where the Data Protection Commissioner (“DPC”) has issued an enforcement notice to the data controller that has resulted in personal data being changed or deleted (section 10(7)(b)).
The notification must be made within 40 days of either the sending of the access request or compliance with the enforcement notice. However, the responsibility to notify is limited in situations where it “proves impossible or involves disproportionate effort” for the data controller to notify the relevant third parties.
2. Access requests by employees – Statutory Instrument 338 of 2014
Access requests made in connection with employment have also been affected by these changes. Section 4(13) appears aimed at preventing employers from exploiting an individual’s right to make an access request for personal data. Specifically, it prevents anyone from “requiring” an individual, in connection with their role as an employee, potential employee or contractor, to make a subject access request or to provide any data received in response to such a request.
What is the effect?
Data controllers must now be wary of additional requirements where they are changing or erasing personal data. Where amendments or deletions are made at the request of the individual (under section 6) or from the DPC (under section 10), it will be necessary to check who may have received the data in the past 12 months. This means that the controller should keep accurate records of anyone it has disclosed data to and when the disclosure took place.
The changes introduced around access requests in certain employment situations may be targeting employers who use the right of access as a tool to vet the person’s background. The law is now clear, meaning that employers must take extra care if suggesting that an individual use their right of access. It is worth noting that a breach of this section incurs criminal penalties, meaning fines of up to €100,000 depending on the seriousness of the offence.