The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission
Data Protection Access Requests for Personnel Records

Under section 4 of the Data Protection Acts, 1988 and 2003, you have a right to obtain a copy, clearly explained, of any information relating to you kept on computer or in a structured manual filing system, by any person or organization, regardless of when the data was created. The procedure for making an access request is explained in the section "Accessing Personal Information".

The Acts apply to data held on computer and to manual data in a "relevant filing system"; personnel records will, therefore, normally come within the terms of the Acts. No issues should generally arise in respect of access requests made for most personnel records. This note seeks to address access requests for data relating to:

  • discipline, grievance and dismissal
  • appraisal and performance reports
  • medical reports

1. Discipline, grievance and dismissal

It is not the purpose of this note to provide guidance as to how disciplinary, grievance or dismissal procedures should be conducted. However, in relation to creating and keeping records, HR staff should be conscious of the accuracy requirement and that data kept should be "adequate, relevant and not excessive". The right of access supports fair procedures and natural justice which provide that an individual be made aware of the case s/he has to answer.

The general rule is that an employee has a right of access to personal data relating to him/her in connection with discipline, grievance and dismissal procedures, even if the disciplinary procedure is on-going or the subject of legal proceedings such as an unfair dismissals claim. There are however some limitations and exemptions to this right which are provided in Sections 4 & 5 of the Acts. These limitations and exemptions include:

(i) Opinions given in confidence

Section 4(4A) provides that personal data containing expressions of opinion about the data subject may be given to the data subject without the permission of the person who expressed that opinion, but this does not include opinions "given in confidence or on the understanding that it would be treated as confidential".

An opinion given in confidence on the understanding that it will be kept confidential must satisfy a high threshold of confidentiality. Simply placing the word "confidential" at the top of a page will not automatically render the data confidential. The Commissioner will look at the data and its context and will need to be satisfied that the data would not otherwise have been given but for this understanding. Supervisors and managers will not normally be able to rely on the provision as it is an expected part of their role to give opinions on staff which they should be capable of standing over. On the other hand, a colleague who reports a matter relating to an individual in confidence to a supervisor could be expected to be protected by the confidentiality provision.

(ii) Professional legal privilege

The right of access does not apply to data "in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers." (Section 5(g))

Accordingly, the subject access provisions in section 4 of the Acts do not apply to personal data where the circumstances are such that a claim of privilege could be maintained in court proceedings in relation to communications between a client and his professional legal advisers or between those advisers. This is a very limited exemption which only applies in connection with the provision of legal advice or in anticipation or furtherance of litigation.

(iii) Protecting the source of data

Section 4(1)(a)(iii)(II) provides that the source of the data does not have to be provided if to do so would be contrary to the public interest. This would apply in situations where revealing the source of the information would be a disincentive to others providing similar information in the future. Examples would be "whistleblowers" or the reporting of child abuse.

(iv) Investigation of an offence

If access would or potentially could prejudice a criminal investigation, access may be refused pursuant to section 5(1)(a) of the Acts. This provides that "this Act does not apply to personal data kept for the purpose of preventing, detecting or investigating offences ... in any case in which the application of that section (viz. section 4) to the data would be likely to prejudice any of the matters aforesaid".

(v) Other exemptions under Section 5

Section 5 also provides exemptions from access in other circumstances including:

  • estimates of liability in respect of a compensation claim
  • back-up data

2. Appraisal, Performance Reports and References

The right of access applies to Appraisal and Performance Reports and the Commissioner considers that the confidentiality provision of section 4(4A)(b)(ii) cannot reasonably be applied to them.

In regard to references, it is often said that these are given in confidence. Notwithstanding this, the Commissioner considers generally that the right of access applies to them. There would need to be particular exceptional circumstances which would cause the Commissioner to be satisfied that the data would not otherwise have been given but for this understanding.

3. Medical reports

The Data Protection (Access Modification) (Health) Regulations, 1989 (S.I. No. 82 of 1989) provide that health data relating to an individual should not be made available to that individual, in response to an access request, if that would be likely to cause serious harm to the physical or mental health of the data subject. A person who is not a health professional should not disclose health data to an individual without first consulting the individual's own doctor or some other suitably qualified health professional.

An employee has a right of access to medical data held by the organisation's company doctor or medical officer, unless the "harm" exemption, detailed above, applies. Experience is that such situations are rare.

Organisations should have a procedure in place so that when HR data is requested, clarification is sought as to whether the request includes medical data. If medical data is being sought, HR should advise the Company Doctor/Medical Officer who should make the data available to the employee directly.