The Data Protection Commissioner (DPC) has written to a random selection of 40 organisations to raise awareness of, and ensure compliance with, legislation introduced last year prohibiting ‘enforced access requests’ by employers.
Section 4 of the Data Protection Acts (DPAs) 1988 and 2003 enables individuals to obtain a copy of any personal information held about them by any organisation. Section 4(13) (commenced via S.I. No. 338 of 2014) makes it an offence for employers to require potential employees to make an access request seeking copies of personal data from an organisation, and to make same available to the prospective employer. The provision also applies to any person engaging a recruitment agency or pre-employment screening service.
The Garda Central Vetting Unit (GCVU) only conducts vetting in respect of persons working with children or vulnerable adults, certain state employees and those working in the private security sector. If other employers wish to check the criminal background of potential employees they must ask the employees to declare any past criminal convictions. Employers cannot require potential employees to make a data access request to the GCVU and to reveal the result of same.
The DPC noted that in 2014, there were over 320,000 vetting applications processed by the GCVU. In the same year, 11,219 access requests were made by individuals under section 4 of the DPAs to the GCVU. The DPC has stated that this access request figure is "questionably high" and is concerned that organisations are engaging in "vetting by the back-door".
The DPC has warned that her office will prosecute any abuse detected in this area, and will be liaising with An Garda Síochána to identify any concerning trends in relation to access requests made via the Data Protection Processing Unit in the GCVU.
Guidance on the methods available to employers to screen prospective employees in compliance with the Data Protection Acts 1988 and 2003 is available here.