Data access requests under GDPR
Employers will need to be familiar with how GDPR will affect their normal business operations and start updating their HR and data protection policies and notices to ensure compliance with the Regulation come May next year. This article deals with one particular aspect of GDPR –an employer’s obligation when dealing with data access requests from a data subject (in this context, a potential, current or former employee).
Under Section 4 of the Data Protection Acts 1988 and 2003, data subjects have a right to obtain a copy, clearly explained, of any information relating to them that is kept on computer or in a structured manual filing system or intended for such a system by any entity or organisation.
The definitions of personal data and sensitive personal data have been updated under GDPR. It is important for employers to realise what the new definitions are before attempting to comply with a data access request.
Personal data
Personal data means any information related to an identified or identifiable natural person (the data subject). The data subject can be identified directly or indirectly by: name, identification number, location data, online identifiers, factors specific to physical, physiological, genetic, mental, economic, cultural or social identity.
Personal data may be held in physical or electronic format. It includes physical files, e-mails, customer relations management systems, images or recordings. The definition does not apply to deceased persons, body corporates or anonymous information (but it does apply to pseudonymised data).
Special categories of personal data (currently defined as “sensitive personal data”)
This category of data relates to a person’s race or ethnicity, political, religious or philosophical beliefs, sexual life or sexual orientation, physical or mental health, genetic or biometric data, a criminal record or trade union membership.
Employers will have a shorter timeframe within which to complete a data access request under GDPR. The request must be dealt with in one month, as opposed to the 40 day window that exists under the current Acts. There is scope under GDPR to increase this timeframe by a further two months in some cases, where the request is particularly complex, or where many requests have been received at the same time.
Employers will no longer have the option to charge €6.35 per data access request when GDPR comes into effect. However in certain circumstances, it will be possible to charge a “reasonable fee” to the data subject to cover administrative charges where the request involves the gathering of large amounts of data. The data subject will be entitled to receive a copy of their personal data in printed, oral or electronic format as per their own specific preference.
Back up data is currently not included in the scope of a data access request under the Data Protection Acts, however this type of data will be in scope after the GDPR commencement date. It is possible that the removal of the nominal fee (€6.35) associated with making a data access request may mean that data subjects are more inclined to make an access request from 25 May next year.
Under the current Acts, data controllers can refuse to comply with a data access request if they are of a vexatious or repeated nature. Under GDPR, data controllers will have some grounds for refusing to grant an access request, such as where a request is manifestly unfounded or excessive. However, organisations will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.
Sections 4 and 5 of the current Data Protection Acts set out a small number of circumstances in which a data subject’s right to see their own personal records can be limited. GDPR provides for exemptions to the right of access in a largely similar manner. However, our new national data protection legislation will clarify this provision for data controllers and data processors, when it is enacted.
A new provision under GDPR is the data subject’s right to a broader scope of information from the data controller when a data access request is made. Data controllers must now provide the following information to the data subject, along with the actual personal data that is being sought under the access request:
1. The purposes for processing the data.
2. The categories of personal data concerned.
3. To whom the data has been or will be disclosed.
4. Whether the data has been or will be transferred outside of the EU.
5. The period for which the data will be stored, or the criteria to be used to determine retention periods.
6. The right to make a complaint to the Data Protection Commissioner.
7. The right to request rectification or deletion of the data.
8. Whether the individual has been subject to automated decision making.
The GDPR also includes the right to data portability. In particular, this new right enables an individual to require an organisation to transmit their data to another organisation.
If an organisation handles a large number of access requests, the impact of the changes could be considerable. The logistical implications of having to deal with requests in a shorter timeframe and provide additional information should be factored into future planning for organisations. Ireland's Data Protection Commissioner is of the view that it could ultimately save the organisation a great deal of administrative cost if they develop systems that allow people access their data easily online.
In the October 2017 issue of HRlink we will continue to explore areas of GDPR that are of particular interest to HR practitioners.
Sarah McSharry
Ibec Knowledge Centre
Thursday, 21 September 2017