Data Protection Commissioner

Frequently Asked Questions - FAQ

3. Data protection in the workplace


3.1 What type of background checks can I carry out on potential employees?


The key to compliance with data protection is to inform the potential employee of any potential checks that may be undertaken and seek their specific consent for certain types of checks, e.g. qualification checks, character reference checks. 

Any information that is legitimately in the public domain can generally be accessed within the context of data protection requirements without giving rise to concerns. The person should be provided with any such information, however, in order that they can have an opportunity to provide comments on it.  

An employer is entitled to ask an employee to declare if they have any previous relevant criminal convictions which might impact on the desirability of them performing a particular task. However, an employer should only be concerned about convictions that relate to the particular job on offer. For example, a job involving driving may justify the employer asking about previous driving convictions. This requirement may be updated shortly via the Spent Convictions Bill recently introduced by the Government, which, in certain situations, will give potential employees the option not to provide such information (this does not apply where they would be dealing with children or vulnerable adults, or to other sensitive positions).

Organisations/employers seeking to access information held by a credit referencing organisation about prospective or current employees could present data protection concerns. Any forced requirement placed upon employees to seek credit history information from the Irish Credit Bureau, for example, for employment screening purposes could be considered a breach of the Data Protection Acts.

Certain sectors, for example where employees have contact with children or vulnerable adults, are permitted to make use of Garda Vetting checks, which are carried out with the consent of the person.


3.2 How can I seek Garda vetting of a potential employee?


Under the Data Protection Acts information about the commission or the alleged commission of an offence by a person falls within the definition of sensitive personal data.

Currently, there is no comprehensive statutory basis which underpins the vetting process. The Vetting Bill currently before the Oireachtas will provide that basis when enacted. The Office of the Data Protection Commissioner supports the current procedure for managing requests for vetting in this jurisdiction. The procedure is based on the consent of the person to the release of certain types of information held by An Garda Síochána in respect of that person.

At present the only Garda vetting services on offer concern the vetting of persons in contact with children or vulnerable adults. Vetting also takes place in relation to certain State employees working in sensitive areas. Vetting has also been extended to employees covered by the Private Security Services Act 2004 (bouncers, nightclub security staff etc.).

More information is available here.


3.3 What is the position in relation to enforced subject access requests?

An 'enforced access request' is where an applicant is obliged by a potential employer or organisation they are dealing with to make an access request under Section 4 of the Data Protection Acts to a data controller. The individual would typically then be asked to subsequently provide this information to their employer/prospective employer/organisation they are dealing with.

An employer who requires an employee or prospective employee to make such an access request commits an offence under the Data Protection Acts.

In the case of An Garda Síochána, it advises that the information released under an access request should not be considered as a formal vetting procedure for employment or other purposes.


3.4 When applying for a new job, can a prospective employer seek the PPSN of candidates as part of the application process?


An employer should only seek your PPSN if you are successful at the recruitment process and are actually taking up employment with the organisation. An employer requires the PPSN of each employee for Revenue purposes. There is no basis for a prospective employer to capture a candidate's PPSN at the application stage.


3.5 How long can an organisation retain employee data?


The Data Protection Acts state that personal information held by Data Controllers (an organisation) should be retained for no longer than is necessary for the purpose or purposes for which it was obtained. If the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner. However, the Acts do not stipulate specific retention periods for different types of data, so organisations must have regard to any statutory obligations imposed on them as a data controller when determining appropriate retention periods.

In relation to HR records, it is our understanding that, in accordance with the Organisation of Working Time Act 1997, employers are required to keep records of holidays, public holidays, special leave, rest breaks, start and finish times of each employee for each day and sick leave for a period of 3 years.

There are also requirements in relation to the retention of financial/tax records, as well as obligations to retain certain categories of information for superannuation/pension purposes. 

In relation to the retention of recruitment records for unsuccessful candidates, we would consider a retention period of 12 months to be appropriate.


3.6 Can my employer keep a copy of my passport?

An employer may ask to see your passport at recruitment stage if this is necessary to show that you are entitled to work in Ireland. An employer may note such passport details on your personnel file. It should not be necessary for an employer to retain a copy of your passport, and such action could be a breach of the Data Protection Acts.


3.7 Can my employer access my email or internet usage?

Please see our guidance note on staff monitoring, available here.


3.8 Can my employer post my photograph on the internet / intranet without my consent?

A photograph of a person constitutes their personal data and therefore any use of that photograph must be in accordance with the Data Protection Acts.

Staff should be informed of all such uses that will be made of their image and given an opportunity to object to such use.


3.9 Can my employer use GPS / Vehicle Tracking Systems? 

The use of tracking systems in general can give rise to data protection issues if not deployed in a manner that takes account of the legitimate privacy expectations of individuals. 

Staff monitoring, including a GPS system, must comply with the transparency requirements of data protection law. Staff must be informed of the existence of the surveillance and also clearly informed of all the purposes for which the personal data will be used.

We expect any organisation deploying vehicle tracking devices to abide by the following rules:
· The data controller must inform drivers of the purpose(s) for which the personal information processed by the tracking device will be used.
· The personal information processed by the tracking device may not be used for a purpose other than the stated purpose(s).
· Data controllers should devise and make available to drivers a policy on the use of tracking devices. This document should also set out the data controller's policy on the use of company vehicles for private use.
· If a company vehicle is permitted to be driven for personal use outside of working hours, a privacy switch must be fitted and drivers should be trained on its operation.
· New employees should be made aware of the existence of tracking devices on company vehicles and should be trained on the operation of the privacy switch.


3.10 Can a sales representative take a list of clients when leaving the employment?

A fundamental principle of data protection is 'fair obtaining and processing'. Under Section 2(1)(a) of the Data Protection Acts, 1988 and 2003 "the data, or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly". In general, the fair obtaining principle requires that every individual about whom information is collected is aware of what is happening.

Accordingly, the list cannot be brought from one company to another, as the clients' consent would be required in order to comply with the fair processing principle.


3.11 A company is being taken over by another company. Does the new organisation need consent before medical files are transferred?

As part of a due diligence process, it is understood that certain personal data may be transferred. Ideally the possibility of this should be envisaged in the company data protection policy. In so far as possible, aggregate data should be provided. Sensitive personal data should never be transferred in advance of a formal legal take-over. Once the take-over is completed, the new legal entity will take on the obligations of the data controller and will be responsible for all data.


3.12 I have supplied my CV and other personal information in response to a job advertisement which I now suspect was a bogus advertisement. Is there anything I can do to minimise the risk of fraudulent activity?

If you have provided details of your bank account in your reply to the advertisement, you should contact your bank to tell them what has happened. This will allow your bank to apply special checks to your account in case the people behind the bogus ad try to get access to it.

You should also consider applying to the Irish Credit Bureau to have a protective registration recorded on your ICB Credit Report. This will alert banks and financial institutions if an attempt is made to open a bank or credit card account in your name. You should write to the Irish Credit Bureau, ICB House, Clonskeagh Road, Dublin 14, requesting that a protective registration be appended to your credit report. You should include your full name, address, date of birth, telephone number and a copy of a utility bill (to help verify your identity). This protective registration will be held on record for a period of 12 months, after which it will automatically be purged.


3.13 Requests for Presentations and Training

The Office of the Data Protection Commissioner aims to assist organisations in so far as possible in understanding and meeting their responsibilities under the Data Protection Acts. Equally, we seek to better educate the public in relation to their rights under the Acts.

In this respect, the Office receives a large number of requests to give presentations/training but, given our limited resources, we can only respond positively to a limited number of them. We typically try to respond positively to requests where the "spread" of the audience is such that there is likely to be a significant multiplier effect from the presentation to a large number of organisations or people.

To assist all organisations seeking assistance in relation to data protection rights and responsibilities, we have developed a range of resources that we hope are helpful.

One key resource is our DVD "My Data - Your Business?", which illustrates how data protection principles apply in a normal business environment (public or private). It is accompanied by a "Facilitators Guide" which encourages group discussion on how the data protection principles apply in practice in a particular setting. The DVD can be viewed and downloaded on our website (www.dataprotection.ie, under "Publications and Forms") and copies can be obtained for free from our Office.

We also have on our website some generic PowerPoint presentations which can be downloaded and adapted for use within a specific organisation (these are at www.dataprotection.ie under "Presentations").

Finally, we have some printed booklets: "Guide for Data Controllers", which spells out the data protection obligations on organisations, and "Guide to Your Rights", which outlines the rights which individuals have under the Acts. These are also available from our website, www.dataprotection.ie, under "Your Responsibilities" and "Your Rights" respectively. Hard copies are also available free of charge from our Office.

If particular questions arise that are not answered by the material available, we would be more than happy to try to answer them to the best of our ability by e-mail or phone.