The Data Protection Commissioner (the “DPC”) recently confirmed that she has contacted 40 organisations, across a variety of sectors, to assess compliance with recently enacted legislation on Enforced Subject Access Requests.
An Enforced Subject Access Request occurs when an employer or potential employer requires an employee or job applicant to make a data access request to an entity, usually the Gardaί Sίochána, and deliver the information provided to the employer/potential employer. This procedure is different to legitimate Garda vetting which is required to be performed on individuals taking up certain roles such as those involving security, childcare and vulnerable adults.
Since July of last year, data protection legislation has rendered the use by employers and recruitment agencies of such Enforced Subject Access Requests unlawful. The DPC has stated, however, that despite the practice being unlawful, the Garda Vetting Unit received a “questionably high” number of data access requests from individuals post July 2014. This led the DPC to conclude that organisations which could not legitimately perform a vetting check were engaging in “vetting by the back door”.
In its communication of 5 June 2015, the DPC gave the organisations contacted three weeks to respond. It is understood that follow-up inspections are currently being carried out to ensure compliance with the legislation.
Notwithstanding that the use of Enforced Subject Access Requests has been unlawful for over a year; many employers and recruitment agencies persist with the practice. The DPC’s statement that she intends to “vigorously pursue and prosecute any abuse detected in the area” together with her recent actions demonstrate her intent to stop the practice that has developed. Employers and recruitment agencies which use Enforced Subject Access Requests as a means of screening employees and job candidates should review their practice and be prepared to show compliance with data protection legislation in the event of an investigation by the DPC.