Data Protection Commissioner Investigates Enforced Subject Access Requests

 

The Data Protection Commissioner (the “DPC”) recently confirmed that she has contacted 40 organisations, across a variety of sectors, to assess compliance with recently enacted legislation on Enforced Subject Access Requests.

An Enforced Subject Access Request occurs when an employer or potential employer requires an employee or job applicant to make a data access request to an entity, usually the Gardaí Síochána, and deliver the information provided to the employer/potential employer. This procedure is different to legitimate Garda vetting which is required to be performed on individuals taking up certain roles such as those involving security, childcare and vulnerable adults.

Since July of last year, data protection legislation has rendered the use by employers and recruitment agencies of such Enforced Subject Access Requests unlawful. The DPC has stated, however, that despite the practice being unlawful, the Garda Vetting Unit received a “questionably high” number of data access requests from individuals post July 2014. This led the DPC to conclude that organisations which could not legitimately perform a vetting check were engaging in “vetting by the back door”.

In its communication of 5 June 2015, the DPC gave the organisations contacted three weeks to respond. It is understood that follow-up inspections are currently being carried out to ensure compliance with the legislation.

Notwithstanding that the use of Enforced Subject Access Requests has been unlawful for over a year, many employers and recruitment agencies persist with the practice. The DPC’s statement that she intends to “vigorously pursue and prosecute any abuse detected in the area” together with her recent actions demonstrate her intent to stop the practice that has developed. Employers and recruitment agencies which use Enforced Subject Access Requests as a means of screening employees and job candidates should review their practice and be prepared to show compliance with data protection legislation in the event of an investigation by the DPC.

Contributed by Catherine O’Flynn and Nichola Harkin