Ireland: Data protection considerations in the employment context – Part one
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Data Protection Act 2018 ('the Act') are the main pieces of legislation regarding data protection in Ireland. The Act supplements the GDPR, includes provisions relating to GDPR derogations, and establishes the Data Protection Commission ('DPC'). In part one of this Insight series on data protection considerations in the employment context, Kate Colleary, Founder & Director of Pembroke Privacy Limited, provides some background to the DPC and its relevant guidance, as well as the requirements regarding data protection at the recruitment level.
The Act grants powers and functions to the DPC as the national independent authority responsible for upholding the fundamental rights of individuals in the EU to have their personal data protected under GDPR.
The DPC has issued several guidance notes relating to employment and employee monitoring as follows:
- Guidance on the Use of CCTV – For Data Controllers (2019) [1];
- Guidance on the Principles of Data Protection (2019) [2];
- Guidance Note on Employer Vehicle Tracking (2020) [3]; and
- Guidance on Processing COVID-19 Vaccination Data in the context of Employment and the Work Safely Protocol (2021) [4] ('the Vaccination Data Guidance').
The DPC also publishes case studies [5] in its annual report, many of which relate to the employer/employee relationship, including the use of CCTV footage to monitor employees' performance and data subject access requests.
Data protection at the recruitment level
Article 5 of the GDPR details the principles relating to the processing of personal data, along with the processing of special categories of personal data, while Article 6 details the six legal bases for processing: consent, performance of a contract, a legitimate interest, a vital interest, legal requirement, and public interest.
The collection of data relating to CVs, tests, and evaluations must comply with the GDPR principles relating to the processing of personal data.
The excessive monitoring of employees may result in a breach of anti-discrimination legislation, in particular, the Employment Equality Act 1998 ('the Equality Act'). For example, if an employer collects data which reveals that an individual falls within one of the protected grounds, and that employer chooses not to hire them on the basis of that ground, the employee/candidate could bring a claim under the Equality Act, which prohibits this type of discrimination in the workplace. The Equality Act relates to discrimination and harassment based on nine grounds:
- age;
- civil status;
- disability;
- family status;
- gender;
- membership of the Traveller community;
- race;
- religion; and
- sexual orientation.
Most employment issues are dealt with by the Equality Act, including (but not limited to):
- job advertisements;
- equal pay;
- promotion; and
Anyone who works or volunteers with children and vulnerable adults must go through Garda vetting. Garda vetting is governed by the National Vetting Bureau (Children and Vulnerable Persons) Act 2012. This is a process to check whether a person has a criminal record, or if there is any specified reason why a person might pose a threat to vulnerable people. When someone is vetted by the National Vetting Bureau, any criminal record is disclosed to the authorised liaison person in the registered organisation. The liaison person will get a vetting disclosure about the individual, which will include:
- details of any convictions;
- details of pending prosecutions; and
- a statement of specified information (any information, other than criminal convictions, that leads to a genuine belief that a threat is posed to children or vulnerable people).
Personal data must be destroyed when the purpose for which it was sought has expired. According to the DPC's 'Garda Vetting – some data protection considerations' [6], vetting disclosures and all accompanying information, such as identity documentation submitted as part of the vetting application, should be routinely deleted, such as one year after they were received, unless the relevant organisation has a compatible lawful purpose for retaining the information.
An application for vetting disclosure in respect of a person shall be made by a liaison person for a relevant organisation. A relevant organisation means a person (including a body corporate or an unincorporated body of persons) who employs, enters into a contract for services, or permits any person to undertake relevant work or activities, a necessary and regular part of which consists mainly of the person having access to, or contact with, children or vulnerable persons.
If the data received from the Garda or vetting agency discloses information relating to criminal convictions or offences, the provisions of Section 55 of the Act and Article 10 of the GDPR will apply. Under Section 55(1) of the Act, personal data relating to criminal convictions and offences may be processed under the control of official authority, or where:
- the data subject has given explicit consent to the processing for one or more specified purposes;
- processing is necessary and proportionate for the performance of a contract;
- processing is necessary for the purpose of providing or obtaining legal advice or is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
- processing is necessary to prevent injury or other damage to the data subject or another person; or
- processing is permitted in regulations made under subsection (3) or is otherwise authorised by the law of the State.
Article 10 of the GDPR on the processing of personal data relating to criminal convictions and offences states that this processing shall be carried out only under the control of official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
Employer obligations during the interview process
Data collected and processed at the interview stage must comply with the GDPR and, in particular, the principles of data minimisation, transparency, purpose limitation, and data retention. The employer must also comply with the general right to privacy as recognised in the Constitution of Ireland and the European Convention on Human Rights 1950.
Employers must not ask questions of candidates/employees that could be considered discriminatory. Grounds for discrimination under the Equality Act include gender, civil status, family status, sexual orientation, religion, age, membership of the Traveller community, disability, and race.
In line with the above, it is recommended that employers follow the guidance issued by the DPC, as well as the provisions of the GDPR and the Act, among other laws. Part two of this Insight series will explore employment records and employee health data.
Kate Colleary, Founder & Director
Pembroke Privacy Limited, Dublin
1. See: https://www.dataprotection.ie/sites/default/files/uploads/2019-10/CCTV%20Guidance%20Data%20Controllers_October19_For%20Publication_0.pdf
2. See: https://www.dataguidance.com/sites/default/files/guidance_on_the_principles_of_data_protection_oct19.pdf
3. See: https://www.dataprotection.ie/sites/default/files/uploads/2020-09/Employer%20Vehicle%20Tracking_September2020.pdf
4. See: https://www.dataprotection.ie/sites/default/files/uploads/2021-06/Processing%20COVID-19%20Vaccination%20Data%20in%20the%20context%20of%20Employment_0.pdf
5. See: https://www.dataprotection.ie/en/dpc-guidance/dpc-case-studies#2020012
6. See: https://www.dataprotection.ie/sites/default/files/uploads/2021-05/Garda%20Vetting%20April%202021..pdf