The HR Suite on Data Protection

Posted in : HR Updates ROI on 6 April 2016
Mags Camody
The HR Suite
Issues covered:

As organisations increase their reliance on information and communications technology in the workplace, various matters surrounding the use of technology and data protection arise. The Data Protection Acts 1988 and 2003 aim to address the privacy issues surrounding the amount of information about individuals held on computers. Data Protection Acts 1988 and 2003 regulate the collection, processing, keeping, use and disclosure of personal information relating to individuals. Data protection laws ensure that personal details given to organisations are kept private and safe by placing responsibility to do so on a ‘data controller’ who police the content and use of these details.

What Is Personal Data?

Under Section 1 of the 1988 Act, personal data is defined as: “Data relating to a living individual who is or can be identified either from the data or in conjunction with other information that is in, or is likely to come into, the possession of a data controller”. Recognisable images captured by CCTV systems are personal data.  They are therefore subject to the provisions of the Data Protection Acts.

What Is Sensitive Personal Data?

Under the Acts means personal data as to the person’s:

⦁ Racial or ethnic origins; political opinions; religious or philosophical beliefs
⦁ Membership of a trade union
⦁ Physical or mental health or condition; or sexual life
⦁ Commission or alleged commission of any offence
⦁ Involvement in proceedings for an offence committed or alleged to have been committed by him or her; and the disposal of such proceedings or the sentence of any court in such proceedings.

What Is A Data Controller?

A data controller is a person who, either alone or with others, controls the contents and use of personal data. Data controllers have an obligation to follow the 8 principles of data protection as below:

1. Obtain and process fairly
2. Keep it only for one or more specified and lawful purpose
3. Process it only in ways compatible with the purpose for which it was given to you initially.
4. Keep it safe and secure
5. Keep it accurate and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it no longer than is necessary
8. Give a copy of his/her personal date on request

What Obligations Do I Have As An Employer?

The Data Protection provisions place obligations and responsibilities on Companies and their agents i.e. employees in relation to information under their care. For example:

⦁ To be aware that, if you work for a public body such as government department, the HSE or a local authority anything you write in the course of your work could be released under the Freedom of Information Acts 1997 and 2003.
⦁ To document reasons for decisions that they make – write clearly and objectively.
⦁ Ensure that individuals personal details are accurate and factual – where it is necessary to express an opinion, ensure that it is reasonable and supported by facts.
⦁ Files are updated with relevant information where necessary.

HR Files:

Section 2(1) (c) (iii) of the Acts require that data are "adequate, relevant and not excessive" for the purpose for which they are collected. It is advised that employee files for those who have left your employment are retained for 3 years. In addition, it is important for every organisation to limit the amount of data held by any employee.

⦁ Name, address, PPSN, visa information, next of kin information, medical information, signed contract, handbook / policies, CV, interview notes, leave forms including annual leave/parental leave/maternity leave etc., medical certificates, disciplinary / grievance letters and reports.

Please note bank details should not be kept on the employee file once given to payroll to process.

Data Subject Access Request:

The Data Protection Acts 1988 and 2003 permits an individual to request and receive, copies of certain information and documents an organisation has relating to him/her. According to the Data Commissioner, data subject access request are “fundamental rights” of individuals. Once an employee has submitted a request in writing under the Acts the data controller must respond within 40 days. The date controller may charge up to €6.35 for responding to such a request.

In relation to CCTV held, a person or employee requesting information should provide necessary information to a data controller, such as the date, time and location of the recording. If the image is of such poor quality as not to clearly identify an individual, that image may not be considered to be personal data. In giving a person a copy of his/her data, the data controller may provide a still/series of still pictures, a tape or a disk with relevant images. However, other people's images should be obscured before the data are released.

Data Protection Commissioner:

The Data Protection Commissioner aims to make sure that everyone’s rights as individuals are being upheld and that data controllers adhere to data protection rules. If an employee believes these rules have been breached and is not satisfied with the Company’s response they can then complain to the Commissioner. The Commissioner will investigate the complaint and try to resolve the matter in the best way possible. If this is not possible, the employee may ask the Commissioner to make a formal decision on whether the data controller has violated his/her rights. 

This article is correct at 06/04/2016

The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.

Mags Camody
The HR Suite

The main content of this article was provided by Mags Camody. Contact telephone number is +353 66 710 2887 or email

View all articles by Mags Camody