What is data protection law and, as an employer, why should I care about it?

Employers established in Ireland are data controllers for the purposes of the Irish data protection legislation, as they collect and control personal data about their employees during the course of the employment relationship.

In Ireland data protection obligations are set out in the Data Protection Act, 1988, as amended by the Data Protection (Amendment) Act, 2003 (the DPA), and also in related secondary legislation. The DPA are enforced by the Irish Data Protection Commissioner and, in certain circumstances, may be enforced by the data subject.

The DPA apply to personal data. "Personal data" is very broadly defined in the DPA; it means any data "relating to a living individual who is or can be identified either from the data or the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller". The DPA apply to all data controllers that control personal data and to all data processors that process personal data on behalf of data controllers.

Have complaints against employers increased in the last couple of years?

In February 2011 the Data Protection Commissioner, Billy Hawkes, said that the top item for complaints to his office in 2010 was the failure of data controllers to respond adequately to requests for access to personal data.

The number of complaints from people seeking access to personal information held by their employers concerning them increased last year. The Irish Times (“Job concerns growing reason for data complaints, forum told” by Elaine Edwards 25 February 2011) reported Mr. Hawkes saying, “I think with the economic downturn we are currently suffering, we’ve seen increasing use of the right of access by people who are fearful that they are going to lose their jobs or who sometimes may have lost them. They are using the right of access to see what exactly is going on in relation to them within a particular organisation, or to see was it justified that they should have been picked out for dismissal from the company.”

What should an employer do if it receives a request from an employee for his or her personal data?

An employee is entitled to be provided with a copy of the "personal data" relating to the employee held by an employer where an employee issues a notice in writing to the data controller requesting the personal data. The data controller/employer is required to provide the information "as soon as may be and in any event not more than 40 days” after the request has been given or sent, or from the date statutory fee is paid if it is requested.

Are there any exceptions to the right of an employee to access their data?

There are a number of exceptions to the principle that an individual can access all personal data relating to them. These exemptions include data subject to legal professional privilege, an opinion given in confidence or on the understanding that it would be treated as confidential or where the data concerns an estimate of damages or compensation in respect of a claim against the organisation, where granting the right of access would be likely to harm the interests of the organisation.

Care must be taken by the employer when applying the exemptions. The employer must set out a description of the personal data withheld when responding to the employee making the request, and the reasons for withholding the data. An employee has the right to appeal against the application of the exemptions to the Data Protection Commissioner.

Does it make any difference if the employer is involved in a dispute with the employee making the request?

In short, the answer is “no”. Employers should remember that the making of a data subject access request is an entirely separate process to any employment issue that the parties may be involved in. Even if the employment matter/dispute resolves itself the data subject access request will remain “live” and must be responded to unless formally withdrawn.