Data Protection Responsibilities

  Do you know the legalities around Data Protection? Have you got the right processes in place? Our employment law expert  Niall Loughran advises on what you need to know. The Data Protection Acts 1988 and 2003 provide the legal responsibilities of companies to safely store and process information of their employees, but what exactly is the responsibility of the employer? Firstly an employer must be aware of what their obligations are in relation to data. In order to do this they must first understand whether they are a data controller or a data processor as they have different responsibilities. Data Controllers A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. Basically interpreted as if you keep or process any information about living people you are deemed a data controller. This would form the definition with which most companies would fall under and as data controllers they must comply with certain important rules about how they collect and use personal information. Data Processor A data processor would be someone who holds or processes personal data, but do not exercise responsibility for or control over the personal data. Examples of which would be accountants, payroll companies or market research companies. Data processors have very little responsibility for the data they hold only to process the data on the instruction of the data controller and to keep that information secure. Compliance To ensure compliance with legislation there are 8 key rules under data protection legislation for data controllers to be aware of;

• Obtain and process information fairly
• Keep it only for one or more specified, explicit and lawful purposes
• Use and disclose it only in ways compatible with these purposes
• Keep it safe and secure
• Keep it accurate, complete and up-to-date
• Ensure that it is adequate, relevant and not excessive
• Retain it for no longer than is necessary for the purpose or purposes
• Give a copy of his/her personal data to an individual, on request

Broken down into simple terms the key points to take away from this is that the data subject (the person whose data we hold) must be aware of who keeps the data on them, for what purpose that data is kept and only use that data for those purposes, not keep unnecessary or irrelevant data on record and furnish a copy of that data to the subject if requested. Data Requests The most common area of concern for employers in relation to data protection legislation involves when an employee makes a request for their personal data. If an employee makes a written request for their personal data what must an employer do?

• Firstly an employer can seek clarity on what data the employee is requesting, secondly they can seek a processing fee to cover the costs of recovering the data (to a maximum of €6.35).
• Once this information and fee is received the employer has 40 calendar days to fulfil the request.

CCTV Requests If an employee makes a request for CCTV footage relating to them an employer must furnish this information too, in terms of keeping this information the guidelines would suggest that it would be difficult to justify keeping CCTV footage for longer than 1 month. You can as an employer request specific times and dates or incidents in regards to the request. This footage may need to be altered and amended to ensure that other individual’s personal data is secure this may mean that other persons on relevant CCTV footage would need their faces pixelated to protect their right to privacy. Fines/Penalties If an employer fails to comply with the request to furnish a copy of the data within the timeframe the employee should make a complaint or try to resolve the issue in the first instance, failing that the employee can raise a complaint with the Office of the Data Protection Commissioner. Should there be an investigation lodged and should a person be found in contravention of the Act they could be liable for a fine not exceeding €3,000 on summary conviction or a fine not exceeding €100,000 on a conviction of an indictment. Practical Advice for Employers A common issue with data requests for employers is that in the absence of clear policies on what information is retained and what is purged from systems, that when a request comes in from an employee it can mean a monstrous amount of information will have to be furnished to the employee. This can have knock on effects if the employer has to explain why information has been kept beyond its relevance. Having an effective policy for removing data when irrelevant is the best practice approach as it will remove unnecessary files from company storage. This in turn means that a request becomes easier to facilitate as unnecessary information has already been purged. If you have questions relating to data protection please call the Niall and the rest of our employment law experts on our 24 hour Advice Line on; 01 855 5050.