The following article was recently published in Data Protection Ireland, Volume 5, Issue 1.
In the first of a new six-part series on data protection issues which arise in the context of handling employee information, Oisin Tobin and Philip Nolan from Mason Hayes & Curran consider staff subject access requests — what must be disclosed and what can be withheld.
Under Section 4 of the Data Protection Acts 1988 and 2003 (the 'Acts') an employee is entitled, subject to a number of explicit exemptions, to receive a copy of his or her personal data as held by their employer.
Effectively responding to such 'subject access requests' is a challenge for many organisations. This challenge flows from the somewhat complex drafting of the relevant provisions of the Acts, and is accentuated by the fact that such requests are often made in the context of litigation or some other dispute between employer and employee. In such circumstances, there is a natural tension between the employee's right to obtain a copy of their personal data, and the desire of an employer to withhold certain types of information to protect either their own interests, or those of another employee.
This article explains how employers can navigate this tension, and sets out a framework for thinking about, and responding to, subject access requests in an employment context.
Subsequent articles in this series (to be published in consecutive editions of this journal) will explain how data protection law applies to: monitoring staff activities and communications, including using line managers, private detectives, CCTV cameras and website monitoring technologies (Part II); disclosing staff information to outside third parties — the legal requirements that must be met before staff information can be sent outside the organisation (Part III); retaining staff records, including setting appropriate periods of time for keeping information (Part IV); data protection issues arising from mergers and acquisitions (Part V); and the role of the Data Protection Commissioner and what to do if he instigates an investigation (Part VI).
It is useful, when approaching subject access requests, to adopt a clear process. Such a process should involve the following steps:
reviewing the request; collating all relevant personal data; assessing that personal data in light of statutory exemptions; and responding to the request.
At all stages it should be borne in mind that a subject access request...