Data Protection Commissioner

5 June 2015

Data Protection Commissioner Investigates Enforced Subject Access Requests
 
The Office of the Data Protection Commissioner has written to 40 organisations (see Appendices) across a range of sectors to assess compliance with legislation on ‘Enforced Subject Access Requests’ by employers. The letters were dated 2 June 2015.
 
 
An 'Enforced Subject Access Request' occurs when a potential employer or organisation obliges someone to make an access request to a data controller under Section 4 of the Data Protection Acts. Section 4 gives individuals the right to obtain a copy of any information relating to them held by any entity or organisation. In an Enforced Subject Access Request, the individual is then required to provide this information to the potential employer or organisation. On 18 July 2014, Statutory Instruments Nos. 337 and 338 came into law in Ireland, making it unlawful for an employer to require this. This provision also applies to any person engaging a recruitment agency or pre-employment screening service.
 
 
This procedure is wholly different from the legitimate vetting of individuals for certain roles. Vetting of individuals for employment purposes is mandatory under legislation such as the Child Care Act 1991, the Child Care Regulations 2006 and the Teaching Council Act 2001. Vetting also takes place for certain state employees under the Public Service Management (Recruitment and Appointments) Act 2004 and for those working in the private security industry. In 2014, there were over 320,000 vetting applications processed by the Garda Central Vetting Unit.
 
In the same year, 11,219 access requests were made by individuals under Section 4 of the Data Protection Acts to the Data Protection Processing Unit in the Garda Central Vetting Unit in Thurles. The Office of the Data Protection Commissioner considers these access request figures to be questionably high and is concerned that organisations that would not legitimately qualify to conduct a vetting check are instead turning to Section 4 of the Data Protection Acts to engage in “vetting by the back-door”. Worryingly, such a request could potentially reveal a lot more sensitive data than a legitimate vetting check. A Section 4 access request could result in everything held on Garda records about a person being disclosed (subject to certain exemptions), chiefly because the data disclosed is intended to be for the information of the person making the request only. In contrast, a vetting check has always been subject to certain restrictions on what would be disclosed.
 
 
Helen Dixon, Data Protection Commissioner, said: “It is a clear abuse of the right of access for an employer to force a prospective employee to make an access request under Section 4 of the Data Protection Acts and to disclose the entire result. Such practices constitute a breach of the Acts as the consent given cannot be considered to be free. Enforced subject access has been an offence since last July, and in 2015 and onwards, I intend to vigorously pursue and prosecute any abuse detected in this area. In this regard, I will liaise with An Garda Síochána to identify any trends of concern in terms of the access requests made via the Data Protection Processing Unit in the Garda Central Vetting Unit.”
                                               
The advisory letter issued by the Office to 40 organisations also includes a number of questions in relation to what personal information on prospective employees is being required by employers. The companies contacted have been given three weeks to provide a response to the Commissioner and follow-up inspections will be carried out to ensure compliance with the legislation.
 
For more information, please contact:
Press Officer, Office of the Data Protection Commissioner at +353 (0)57 868 4800
 
Appendix 1:     List of Organisations
Appendix 2:     Copy of letter issued
Appendix 3:     Copy of letter issued to recruitment companies*
* (A separate, differently worded letter issued to recruitment companies)
 
 
 
Appendix 1 – Target Organisations
 
ABC Contract Cleaning Services
Abtran
Allied Irish Banks
Argos
Awear Ireland
Bank Of Ireland
Bord Gais
Brightwater Recruitment Specialists
Cpl Resources
Dalata Hotel Group
Dalmac Recruitment & Aviation
Debenhams
Diageo
Dunnes Stores
Easons
ECO Group Services
Eflow
Eircom
Electric Ireland
Harvey Norman
FMI
LIDL
Littlewoods
Marks and Spencer
Masonite Ireland
Noonan Services Group Limited
Oracle
Paddy Power
PC World (DSG Retail Irl)
Rigney Dolphin
Sigmar Recruitment
Sky
Smyths Toys
Synergy Solutions
Musgrave Group
Tesco
Three
Uniphar Group
UPC
Vodafone
 
 
 
Appendix 2 – Copy of Letter issued
 
Dear Sir / Madam,
 
On 18 July 2014, Statutory Instruments Nos. 337 and 338 came into law in Ireland. These regulations brought into force Section 4(13) of the Data Protection Acts 1988 & 2003 which states:
 
(a) A person shall not, in connection with –

(i) The recruitment of another person as an employee,
(ii) The continued employment of another person,
(iii) A contract for the provision to him or her by another person

require that other person –

(I) To make a request under subsection (1) of this section, or
(II) to supply him or her with data relating to that other person obtained as a result of such a request.

(b) A person who contravenes paragraph (a) of this subsection shall be guilty of an offence.
 
Section 4(13) of the Acts makes it unlawful for an employer to require an employee or an applicant for employment to make an access request under Section 4 of the Data Protection Acts seeking copies of personal data which are then made available to the employer or prospective employer. This practice is commonly referred to as an ‘Enforced Subject Access Request’. This provision also applies to any person who engages another person to provide a service such as a recruitment agency or pre-employment screening service. In the case of An Garda Síochána, any information released by An Garda to an individual in response to a request made under section 4 of the Data Protection Acts should not be used as part of any clearance procedure for employment.
 
The purpose of this letter is to raise awareness in relation to this new provision under which enforced subject access is now an offence and to ensure that organisations have taken the appropriate measures to ensure compliance. The Data Protection Commissioner wishes to obtain an understanding of organisations’ level of compliance with the above Section of the Acts. Accordingly, I would be grateful if you would complete the following questions:
 
  1. Do you require your employees or prospective employees to be Garda cleared?
  2. If so, please state why they are required to be cleared?
  3. If Garda clearance is required, please outline the procedure for obtaining Garda clearance
  4. Would your organisation ever request a prospective employee to make a subject access request to An Garda Síochána under Section 4 of the Data Protection Acts?
  5. If so, would your organisation subsequently request a prospective employee to make this information available to you?
  6. Does your organisation request a prospective employee to make a self declaration in relation to any previous convictions/prosecutions, successful or not, pending or completed?
  7. What other type of background checks, if any, does your organisation carry out on a prospective employee?
 
The Data Protection Commissioner’s aim is to ensure that organisations are compliant with the legislation. In this regard, the Commissioner may carry out random follow up inspections in order to assess compliance with Section 4(13) of the Data Protection Acts 1988 & 2003. In cases where organisations are found to be not compliant and subsequently refuse or fail to comply voluntarily, the Commissioner may use the enforcement powers available to her.
 
The Commissioner requests that you respond to the questions set out above and revert to me by email (jrogers@dataprotection.ie) within three weeks of the date of this letter.
 
Thank you for your cooperation in this matter.
 
 
 
Appendix 3 – Copy of Letter issued to recruitment companies
 
 
Dear Sir / Madam,
 
On 18 July 2014, Statutory Instruments Nos. 337 and 338 came into law in Ireland. These regulations brought into force Section 4(13) of the Data Protection Acts 1988 & 2003 which states:
 
(a) A person shall not, in connection with –

(i) The recruitment of another person as an employee,
(ii) The continued employment of another person,
(iii) A contract for the provision to him or her by another person

require that other person –

(I) To make a request under subsection (1) of this section, or
(II) to supply him or her with data relating to that other person obtained as a result of such a request.

(b) A person who contravenes paragraph (a) of this subsection shall be guilty of an offence.
 
Section 4(13) of the Acts makes it unlawful for an employer to require an employee or an applicant for employment to make an access request under Section 4 of the Data Protection Acts seeking copies of personal data which are then made available to the employer or prospective employer. This practice is commonly referred to as an ‘Enforced Subject Access Request’. This provision also applies to any person who engages another person to provide a service such as a recruitment agency or pre-employment screening service. In the case of An Garda Síochána, any information released by An Garda to an individual in response to a request made under section 4 of the Data Protection Acts should not be used as part of any clearance procedure for employment.
 
The purpose of this letter is to raise awareness in relation to this new provision under which enforced subject access is now an offence and to ensure that organisations have taken the appropriate measures to ensure compliance. The Data Protection Commissioner wishes to obtain an understanding of organisations’ level of compliance with the above Section of the Acts. Accordingly, I would be grateful if you would complete the following questions:
 
  1. Is there a Garda clearance process in place for prospective employees?
  2. If so, is this a service offered by you or requested by your clients?
  3. If Garda clearance is required, please outline the procedures in place for obtaining Garda clearance.
  4. Would a prospective employee ever be asked to make a subject access request to An Garda Síochána under Section 4 of the Data Protection Acts?
  5. If so, does he/she make this information available to you or your client?
  6. Is a prospective employee asked to make a self declaration in relation to any previous convictions/prosecutions, successful or not, pending or completed?
  7. What other type of background checks, if any, are carried out on a prospective employee?
 
The Data Protection Commissioner’s aim is to ensure that organisations are compliant with the legislation. In this regard, the Commissioner may carry out random follow up inspections in order to assess compliance with Section 4(13) of the Data Protection Acts 1988 & 2003. In cases where organisations are found to be not compliant and subsequently refuse or fail to comply voluntarily, the Commissioner may use the enforcement powers available to her.
 
The Commissioner requests that you respond to the questions set out above and revert to me by email (jrogers@dataprotection.ie) within three weeks of the date of this letter.
 
Thank you for your cooperation in this matter.