General requirements

Organisations need a legal basis to process an employee's personal data. Article 6 of the GDPR on the Lawfulness of Processing details the different legal bases to be relied on. Articles 5 and 9 of the GDPR set out the principles relating to the processing of personal data, as well as the processing of special categories of personal data. Usually, employers rely on contract or legitimate interests as the legal basis for processing employee data.

Articles 13 and 14 of the GDPR outline the types of information that must be provided to data subjects at the time when their personal data is obtained, including but not limited to:

• the identity and contact details of the controller;

• the contact details of the data protection officer ('DPO');
• the purposes of the processing; and
• the recipients or categories of recipients of personal data.

A privacy notice is the primary way an organisation will notify employees, and which describes how the organisation collects, uses, retains, and discloses personal data. The principle of transparency requires that any of this information is given to the data subject in an intelligible and easily accessible form, is concise, and that clear and plain language be used.

The DPC's Guidance on the Right to be Informed (transparency) (Articles 13  & 14 GDPR)¹ states that individuals should also be made aware of risks, rules, safeguards, and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.

Retaining employee's data

Article 5(e) of the GDPR requires that personal data (including employment records) should only be kept for as long as is necessary for the purposes for which personal data are processed.

There are several Irish laws relating to the retention of employment records, including:

• the Parental Leave Act 1998 and the Parental Leave Act 2006, which require a record of dates and times of any parental or force majeure leave taken by employees to be kept for eight years from the date of the leave;
• the National Minimum Wage Act 2000, which provides that records relating to wage information must be kept for three years;
• the Protection of Young Persons (Employment) Act 1996, which provides that records relating to the employment of minors must also be kept for three years;
• the Organisation of Working Time Act 1997, which provides that records relating to hours worked must be kept for three years;
• the Protection of Employment Act 1977 and the Protection of Employment (Exceptional Collective Redundancies and Related Matters) Act 2007, which require that records relating to collective redundancies must be kept for three years;
• the Companies Act 2014 and the Taxes Consolidation Act 1997, requiring that tax records to be kept for six years; and
• the Safety, Health and Welfare at Work (General Applications) Regulations 1993, which require that records relating to health and safety must be kept for ten years.

Employees' rights to information

Employees have a right to information about the collection and processing of their personal data under Articles 13 and 14 of the GDPR. Under Article 15 of the GDPR, employees also have a right to request a copy of their personal data which is being processed. Article 23 of the GDPR provides that Member States may legislate for restrictions in relation to these rights, which are set out in the Act sections outlined below.

These rights to information can be restricted in certain circumstances outlined by the Act as follows:

• Section 60(3)(a)(iv) requires that right to access be restricted to the extent strictly necessary in contemplation or for the establishment of a legal claim.
• Section 60(3)(a)(v) requires that right to access be restricted to the extent strictly necessary for civil claim enforcement.
• Section 60(3)(a)(vi) requires that the right to access be restricted to the extent strictly necessary for liability estimation.
• Section 60(3)(b) requires that personal data consisting of an expression of opinion about the requester given by an individual in confidence not be released in response to a request.
• Section 162(a)(i) states that the right does not apply to personal data in respect of which legal advice privilege applies.
• Section 162(a)(ii) states that the right does not apply to personal data in respect of which litigation privilege applies.
• Section 162(a)(iii) states that the right does not apply to personal data whose release would give rise to a contempt of court.
• Regulation 4(1) of the Data Protection (Access Modification) (Health) Regulations, 1989 requires that health data be released only if they are not likely to cause serious harm to the requester's physical or mental health or emotional condition.
• Regulation 4(1) of the Data Protection (Access Modification) (Social Work) Regulations, 1989 requires that social work data be released only if they are not likely to cause serious harm to the requester's physical or mental health or emotional condition. Regulation 4(3) requires that social work data supplied by an individual be released in response to an access request only after they have been consulted.

Employee health data

Health data falls within the definition of special category data under the GDPR. The processing of special categories of personal data is prohibited except for limited circumstances, as set out in Article 9 of the GDPR. Such processing requires both a legal basis under Article 6 of the GDPR, as well as meeting one of the conditions of Article 9 (such as explicit consent or protection of vital interests) which allow such data to be processed. It is necessary to comply with both requirements when processing such special categories of personal data.

Section 46 of the Act provides that the processing of special categories of personal data shall be lawful where the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment and social welfare law. This processing is subject to 'suitable and specific measures' outlined in Section 36 being taken to safeguard the fundamental rights and freedoms of data subjects in respect of the processing of their personal data.

Certain sections of the Act are subject to 'suitable and specific measures' being taken to safeguard the fundamental rights and freedoms of data subjects in respect of the processing of their personal data in particular instances. Section 36 sets out a non-exhaustive list of what these 'suitable and specific measures' are, and the list includes:

• explicit consent;
• limitations on access to the personal data;
• strict time limits for the erasure of personal data;
• specific targeted training for those involved in processing operations; and
• the voluntary designation of a DPO.

Sections subject to suitable and specific measures include Section 46 (Processing of special categories of personal data for purposes of employment and social welfare law), Section 48 (Processing of personal data revealing political opinions for electoral activities and functions of Referendum Commission), Section 50 (Processing of special categories of personal data for insurance and pension purposes), Section 51 (Processing of special categories of personal data and Article 10 data for reasons of substantial public interest), Section 52 (Processing of special categories of personal data for purposes of Article 9(2)(h), Section 53 (Processing of special categories of personal data for purposes of public interest in the area of public health), and Section 54 (Processing of special categories of personal data for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes).

Employers have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005. This obligation together with Article 9(2)(b) GDPR provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so.

Vaccination data

The Vaccination Data Guidance states that employers should only process COVID-19 vaccination data where necessary to achieve a specific, legitimate purpose in line with general and sector-specific public health advice. The principles of data minimisation and purpose limitation are important in this context and will also apply.

The processing of personal data in the context of employment is considered to be a situation where there is an imbalance between the data subject (employee) and data controller (employer). Therefore, employees should not be asked to consent to the processing of vaccine data, as this consent is not likely to be freely given. The processing of vaccine data will thus require a specific set of circumstances underpinned by a legitimate reason other than consent. At the time of publication, the Irish Government has not implemented legislation requiring the sharing of vaccine information with employers. It is left to each employer to balance the rights to health and safety at work with data protection principles and to develop its own process in this area.

When transmitting sensitive data online, the GDPR requires integrity and confidentiality of data collected as per Article 5(f). It should be processed in a manner that ensures appropriate security of the personal data, for example, an appropriate encrypted communication protocol should be used.

Kate Colleary Founder & Director
[email protected]
Pembroke Privacy Limited, Dublin

1. See: https://www.dataprotection.ie/en/individuals/know-your-rights/right-be-informed-transparency-article-13-14-gdpr