Archive for June, 2015

Ireland: Irish Data Protection Commissioner Investigates Alternative Methods Of Employee Vetting

The Irish Data Protection Commissioner (“DPC”) recently announced a plan to assess employers’ compliance with the newly-commenced rules on “enforced subject access requests”. The DPC has written to 40 organisations, including banks, energy suppliers, recruitment companies and large retail stores. Since 2014, it has been an offence for employers and prospective employers to require an individual to make an access request or to supply information received in response to the request. According to the DPC, this initiative is to prevent organisations from “vetting by the back-door”.

What is an enforced subject access request?

One of the core rights under Irish data protection law is the right of an individual to request a copy of any information relating to him/her held by an individual or organisation controlling the data. This is often termed a subject access request.

An “enforced” subject access request occurs where an employer or prospective employer forces an individual to exercise his/her right of access and provide any information obtained as a result of the request. These requests are usually made to the Irish police as part of a background screening process.

A criminal offence

In July 2014, access requests of this nature became an offence under the Irish Data Protection Acts. Specifically, section 4(13) prevents anyone from “requiring” an individual, in connection with their role as an employee, potential employee or contractor, to make a subject access request or to provide any data received in response to such a request.

Garda Vetting vs. Access Requests

A subject access request differs from the mandatory vetting of individuals for certain roles, such as teaching, childcare and for those working in the private security industry. The Irish police (Garda) receive numerous vetting applications on an annual basis as part of this formal vetting process.

The DPC’s concerns stem from the particularly high number of subject access requests received by the Garda Vetting Unit in 2014. While vetting applications are regularly processed by the same unit, those checks have always been subject to certain restrictions on what is disclosed. In contrast, individuals’ access requests could result in everything about that person held on Garda records being disclosed. As a result, the DPC considers that there may be an abuse of the access right by organisations which would not otherwise qualify to conduct a vetting check.

What happens next?

Companies contacted as part of this initiative have been given three weeks to provide a response to the DPC. Follow-up inspections will be carried out by the DPC to ensure compliance.

Improvement in compliance with section 4(13) will be important for those companies targeted. Any organisation that is found guilty of an offence under this section may be faced with a maximum penalty of €100,000.

What does this mean?

Employers based in Ireland need to review their hiring and staff vetting process to ensure that they are not engaging in enforced subject access requests. This is likely to be an area of significant regulatory scrutiny in the near future.

Article by Philip Nolan and Oisin Tobin


New proposed EU General Data Protection (Privacy) Regulation – How will it impact Global HR?

On June 15, 2015, the Article 29 Working Party published proposed new EU General Data Protection Regulations addressed to representatives of the Council of the European Union and the European Commission, detailing the Working Party’s position on a range of core issues in the Regulation. The aim is to ensure the Working Party’s views are taken into account when a final text of the revised Regulation is negotiated and agreed later this week, with the intent to finalize the Regulation by the end of 2015.

The proposed new Regulation may have broad ramifications for employers that operate within the EU as well as around the globe, including those that operate within the U.S. but recruit and employ both expats and local nationals within the European Union.

Key points for employers to consider include:

One Jurisdiction, One Law: In addition to the existing broad territorial scope of the Regulation, the Working Party is of the view that the Regulation should also apply to non-EU processors, where they act on behalf of controllers (such as background screening providers) that are subject to the Regulation (in line with the Parliament’s views on this issue). The Regulation would establish a single, pan-European data protection law replacing the current inconsistent patchwork of national laws. In the future, your company will only have to deal with one law, not 28. Similarly, individuals will only have to deal with their national data protection authority—in their own language—even if their personal data is processed outside their home country.

Enhanced Individual Rights: Employers will have to inform individuals in a clear and understandable way about the collection, processing and transfer of their personal data. When there are no longer legitimate grounds for retaining data, an individual will be able to ask for the data to be deleted (right to be forgotten).

Right to Know if Hacked: Employers will have to notify the national data protection authority as soon as possible (not later than 72 hours) about data breaches and will also have to notify affected employees without undue delay.

Data Protection Impact Assessment: An assessment will be required when processing is likely to result in a high risk for individuals, such as discrimination, identity theft or fraud, financial loss, damage to reputation, unauthorized reversal of pseudonym techniques or significant economic or social disadvantage. This directly speaks to the employer-employee relationship.

Mandatory Data Protection Officers: The Working Party is in favor of imposing a mandatory obligation to appoint a Data Protection Officer upon data controllers, if they meet certain thresholds in terms of the type, volume or nature of the data being processed (although the Working Party has not specified what those thresholds should be). Since employers generally deal with sensitive data, it is expected they will fall within this category.

Information Notices: The Working Party supports the use of layered privacy notices, and the proposal that data subjects (candidates/employees) should also be provided with information relating to further processing, data retention periods, international transfers and security measures.

Data Portability: The Working Party supports the proposed broad scope of the right to data portability, and suggests that this right should be separate to the right of access.

Right to Object: The Working Party is of the view that the right of data subjects to object to processing should apply widely, and should not be limited to processing performed on the basis of: (1) the legitimate interests of a data controller; (2) the public interest; or (3) the exercise of an official authority.

Codes of Conduct: The proposed regulation will encourage codes of conduct to be drawn up for specific sectors and for specific needs.

European Rules on European Soil: If your organization is based outside the EU, it will have to apply the same rules and guarantee the same level of protection for personal data when offering services in the European market.

Profiling: The Working Party highlights that the proposals in the Regulation relating to data subject profiling are unclear and do not ensure sufficient safeguards to protect data subjects. The Working Party recommends that the creation of profiles should be limited to particular purposes (although the Working Party does not specify those purposes), and that specific obligations should be imposed on data controllers to inform data subjects of: (1) the relevant profiling measures that will apply to their data; and (2) the right to object.

Risk-Based Approach: While the Working Party does not directly oppose the risk-based approach in general, it considers that risk should not be a determining factor in relation to a controller’s accountability obligations.

Access by Public Authorities: In the event that a court, tribunal or public authority in a non-EU jurisdiction demands access to personal data that are subject to the Regulation, the Working Party recommends that such matters be dealt with under a Mutual Legal Assistance Treaty, where one exists. Where no such treaty is in place, the relevant controller should report the matter to the competent Supervisory Authority. The Working Party’s previous guidance on this point in the context of Binding Corporate Rules (“BCRs”) for processors provides some helpful context.

Binding Corporate Rules: The Working Party considers it essential that BCRs for processors continue to be recognized as a valid mechanism for cross-border data transfers.

Fines: The Working Party welcomes the introduction of significant fines for breaches of the Regulation, and also considers that the imposition of fines where a data controller or processor violates the Regulation as well as fails to cooperate with Supervisory Authorities. In order to effectively enforce the rules, national data protection authorities will be empowered to fine companies that violate EU data protection rules. The fine may be up to €1 million or 2% of the global annual turnover of the offending company.

Aletheia Consulting Group provides expert cost-effective global advisory solutions for multinational organization human resource, compliance, privacy, and security risk management resource needs. Our primary focus is on companies that have overseas operations that seek to navigate the sometimes challenging sea of international risk management involving the people, processes, technology and organization. If you’d like to learn more about our Services for Multinational Employers please feel free to contact us at
