Data Processing at Work: The Right to Rectification and ErasurePosted in : Hot topics in Employment and Technology Law with Matheson on 11 January 2018 Issues covered:
We are very excited to confirm that the team at Crowley Solicitors led by Deirdre Crowley have agreed to write a series of articles dealing with the many different issues that arise when handling data at work. The first in the series published today, deals with the right of an employee to request that any personal data held by their employer is rectified or erased.
An employee’s right to rectification and erasure
On Tuesday 9 January 2018, a landmark legal action relating to the publication of an inappropriate photograph of a Northern Irish 14 year old girl, posted on a Facebook shame page, was settled. The case is believed to be the first in the world of its kind. While the facts and details of the case will never be known because the action was settled, it was said in open court that Facebook maintained the position that the picture was taken down as soon as notification of the data subject’s request to have the data erased was received. The victim’s right to have her personal data erased from the Facebook shame page would no doubt have featured as an important legal point in the case, in which the victim was seeking damages for the misuse of her personal data. Specifically, the victim sought damages for the misuse of her private information, negligence and breach of the Data Protection Acts against both Facebook and the man suspected of posting her photo.
The right of erasure and the right to be forgotten – Article 17 of the General Data Protection Regulation
The right of erasure, otherwise known as the right to be forgotten, is provided for by Article 17 of the General Data Protection Regulations (GDPR). The General Data Protection Regulations are due to come into effect on 25 May 2018.
An employee has a right pursuant to Article 17 of the GDPR to require his or her employer (the data controller) to erase his or her personal data without undue delay. An employer has an obligation to oblige where one of the following grounds applies:
a) The personal data is no longer necessary in relation to the (employment) purposes for which it was collected or otherwise processed
b) The employee withdraws his or her consent on which the processing is based and where there is no other legal ground for the processing
c) Employee data is unlawfully processed
d) That the employee’s personal data must be erased for compliance with a legal obligation in a union or member state to which the employer is subject
The right of an employee to require his or her personal data to be rectified – Article 16 GDPR
The right of rectification of personal data held by an employer in respect of an employee is not new. Under section 6 of the Data Protection Acts 1998 and 2003 (the 1998-2003 Acts), if a data subject is of the view that data processed by a data controller is factually inaccurate or is collected in an unfair manner, a data subject has the right to have the information rectified or in some cases to have the information erased. This right to data rectification persists and is further developed in Article 16 or the GDPR. The right to erasure or the right to be forgotten, is not an absolute and unlimited employee right.
Practical Guidance when dealing with requests from employees to have their data rectified or erased
Employers are advised to keep in mind the fact that it is the data subject who owns the data that the employer holds or processes in the workplace. Where an employee requests that personal data is rectified or erased, an employer is advised in the first instance to consider the veracity of the data subject’s rationale for saying that the data is in fact inaccurate. This analysis should be supported by an outcome report that is shared with the data subject setting out the reasons why the employer is either granting or refusing their request for data rectification or data erasure.
The Data Protection Commissioner, supports the practice where an employer annotates data to the effect that the employee believes is required in order to confirm the accuracy of the data. In fact, this solution is explicitly provided for in Section 6 (1)(a) of the 1998 – 2003 Acts.
A practical solution we consistently recommend to clients in these situations is to agree a supplementary statement to the data with the employee to reflect a common understanding of the data. In the event that the employee refuses to agree with the accuracy of the data held by an employer in relation to him or her, this objection and the reasons for it can be noted. In addition, the reasons why the employer in their capacity as data controller continue to hold personal data in a manner which is inconsistent with the data subject’s wishes should be noted and explained and a copy of this document should be shared with the employee.
Employers are advised that the Data Protection Commissioner demonstrates through case studies that an individual employee’s right to seek the rectification of their personal data is a right which is taken seriously. The Data Protection Commissioner notes the fact that this right is not absolute and in the case study referred to below, the right to rectification is not always appropriate. In the event that an employer is of the view following careful analysis that a request for data rectification is not a well founded request on the basis that the annotations proposed by an employee are subjective as distinct from objective, then an employer in their capacity as data controller is well placed to refuse to rectify the data as long as their position is reasonable and is carefully outlined to the employee. However, where the rectification request completes the picture of the data held such that it gives a fair and proportionate description of a particular set of circumstances, then an employee’s request for data rectification or indeed data erasure should be facilitated.
A case in point is case study 1, of the case studies of the offices of the Data Protection Commissioner 2007. In this case, the Data Protection Commissioner handled a complaint from an employee regarding the content of a medical report carried out by a medical practitioner at the request of her employer. The report was a physiological assessment dealing with her ability to return to work after a period of absence on sick leave.
The employee received a copy of the medical report from the medical practitioner directly. She considered the contents of the report to be inaccurate. The employee requested that the report be rectified by the medical practitioner to reflect what she considered to be an accurate description of her particular circumstances. However, the medical practitioner, a Consultant Psychiatrist, reverted to the employee stating that it was not possible to make the requested alterations to the independent medical assessment that had been sought by the employee. The employee referred the matter by way of complaint to the Data Protection Commissioner.
The Commissioner confirmed the position that the right to data rectification under the Data Protection Acts in not an absolute right and that it depends on the circumstances of each case. In noting the complexity of the analysis that must apply to these types of request, the Data Protection Commissioner noted that in this particular case because the matters at issue were medical in nature and therefore involve sensitive categories of data (described in the GDPR as special categories of data), that the data subject’s comments in respect of the accuracy of the data should be given careful consideration. The Data Protection Commissioner made it clear that in the interests of achieving an amicable resolution, it is appropriate for a data controller to annotate data to the effect that the data subject believes that the data is inaccurate to the extent that this belief is an objective and not a subjective belief.
In this case, this course of action was followed by the data controller. As part of the rectification process, the employee provided various annotations to be included in the medical report. Having examined the annotations, the offices of the Data Protection Commissioner was of the opinion that the proposed annotations supplemented the medical report without changing the report materially and therefore that they were well founded annotations which meant that the data required to be rectified.
Chapter 3 of the GDPR contains the rights of the data subject. Article 13 of the GDPR provides that information is to be provided where personal data is collected from a data subject. In particular rights such as the right to data rectification and the right of erasure are to be communicated. The following is a non exhaustive list of matters to be included in the privacy statement and each privacy statement should be varied depending on the type of business concerned:
a) The identity and the contact details of the controller and where applicable of the controller’s representatives
b) The contact details of the Data Protection Officer where applicable
c) The purposes of the processing for which the personal data is intended as well as the legal basis for the processing
d) The legitimate interests pursued by the controller or by a third party
e) The recipients or categories of recipients of the personal data if any
f) Information regarding international transfers of data
g) Employee specific data
h) Explanation of and information in relation to the following data subject rights
I. The right of access by the data subject
II. Right to rectification
III. Right to erasure
IV. The right to restrict processing
V. The right to data portability
VI. Right to object
VII.Automated individual decision making, including profiling
Legal-Island is running a Data Protection Update: Ensuring your HR Department is GDPR-Compliant conference at Radisson Blu Hotel, Dublin Airport on Tuesday 6th March 2018 in association with Business Legal. The event is designed specifically for HR professionals to enable you to get your own department in order by the implementation date of 25th May 2018. The event will help you understand how a data protection impact assessment or audit works and enable you to identify the actions you must take to ensure your organisation is GDPR-compliant. You will be in a position to provide a high-level understanding of actions required for your employer to be compliant with the legislation.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.