What you need to know: Data protection
With an increasingly large amount of knowledge about individuals stored on computers, Caroline McEnery of The HR Suite outlines how employers can ensure they meet their responsibilities and obligations to staff members under the current data protection provisions
18 February 2016
As organisations increase their reliance on information and communications technology in the workplace, various matters surrounding the use of technology and data protection arise. The Data Protection Acts 1988 and 2003 address the privacy issues raised by the amount of information about individuals held on computers: they regulate the collection, processing, keeping, use and disclosure of personal information relating to individuals. Data protection law ensures that personal details given to organisations are kept private and safe by placing the responsibility for doing so on a ‘data controller’, who polices the content and use of those details.
What is personal data?
Under Section 1 of the 1988 act, personal data is defined as: “Data relating to a living individual who is or can be identified either from the data or in conjunction with other information that is in, or is likely to come into, the possession of a data controller.” Recognisable images captured by CCTV systems are personal data. They are therefore subject to the provisions of the Data Protection Acts.
What is sensitive personal data?
Under the acts, this means personal data about the person’s:
- Racial or ethnic origins; political opinions; religious or philosophical beliefs
- Membership of a trade union
- Physical or mental health or condition; or sexual life
- Commission or alleged commission of any offence
- Involvement in proceedings for an offence committed or alleged to have been committed by him or her; and the disposal of such proceedings or the sentence of any court in such proceedings
What is a data controller?
A data controller is a person who, either alone or with others, controls the contents and use of personal data. Data controllers have an obligation to follow the eight principles of data protection as below:
- Obtain and process fairly
- Keep it only for one or more specified and lawful purpose
- Process it only in ways compatible with the purpose for which it was given to you initially
- Keep it safe and secure
- Keep it accurate and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it no longer than is necessary
- Give a copy of his/her personal data on request
What obligations do I have as an employer?
The data protection provisions place obligations and responsibilities on companies and their agents (i.e. employees) in relation to information under their care. For example:
- Be aware that anything you write in the course of your work could be released under the Freedom of Information Acts 1997 and 2003
- Document the reasons for decisions you make, writing clearly and objectively
- Ensure that an individual’s personal details are accurate and factual; where it is necessary to express an opinion, ensure that it is reasonable and supported by facts
- Update files with relevant information where necessary
Section 2(1)(c)(iii) of the acts requires that data are “adequate, relevant and not excessive” for the purpose for which they are collected. It is advised that employee files for those who have left your employment are retained for three years. In addition, it is important for every organisation to limit the amount of data held on any employee. An employee file would typically hold:
- Name, address, PPSN, visa information, next of kin information, medical information, signed contract, handbook/policies, CV, interview notes, leave forms including annual leave/parental leave/maternity leave etc., medical certificates, disciplinary/grievance letters and reports
Please note bank details should not be kept on the employee file once given to payroll to process.
Data subject access request
The Data Protection Acts 1988 and 2003 permit an individual to request and receive copies of certain information and documents that an organisation holds relating to him/her. According to the Data Protection Commissioner, data subject access requests are “fundamental rights” of individuals. Once an employee has submitted a request in writing under the acts, the data controller must respond within 40 days. The data controller may charge up to €6.35 for responding to such a request.
In relation to CCTV footage held, a person or employee requesting it should provide the data controller with the necessary information, such as the date, time and location of the recording. If the image is of such poor quality that it does not clearly identify an individual, it may not be considered personal data. In giving a person a copy of his/her data, the data controller may provide a still or a series of stills, a tape or a disk with the relevant images. However, other people’s images should be obscured before the data are released.
Data Protection Commissioner
The Data Protection Commissioner aims to make sure that everyone’s rights as individuals are being upheld and that data controllers adhere to data protection rules. If an employee believes these rules have been breached and is not satisfied with the company’s response they can then complain to the commissioner. The commissioner will investigate the complaint and try to resolve the matter in the best way possible. If this is not possible, the employee may ask the commissioner to make a formal decision on whether the data controller has violated his/her rights.
The HR Suite can advise you and your organisation how to be proactive in managing your HR data. If you require further information, please do not hesitate to contact us on 066 7102887.