The Irish Data Protection Commission (DPC) recently published its annual report for 2021 detailing the activities it undertook in 2021 and setting out its regulatory strategy and priorities for the next five years.

The DPC has been extremely busy since the commencement of the General Data Protection Regulation (GDPR) in May 2018. 2021 was no exception. While the report deals with the significant large-scale inquiries the DPC has been responsible for such as the WhatsApp decision, it also sets out case studies on matters reviewed by the DPC during 2021. Many of these provide good learning opportunities for employers in terms of how they should handle their employees’ personal data. In this article we have highlighted some of the key takeaways that will be useful for employers in managing their employee personal data and avoiding some of the mistakes that have befallen other employers.

The first point of interest for employers is that the DPC has committed, as part of its five-year regulatory strategy, to publish more guidance and direction with the aim of giving controllers, processors and data subjects more certainty about what is required to comply with data protection law. This will include publishing case studies, which are always useful guides for employers on how to deal (or not deal) with access requests and breach issues in the workplace context.

DPC contacts and complaints

From 1 January 2021 to 31 December 2021 the DPC received over 23,930 electronic contacts, 13,663 phone calls to the DPC helpline and 1,594 postal contacts demonstrating just how busy the DPC is on a day-to-day basis. 3,419 complaints were received, and 3,564 complaints were resolved (including 1,884 complaints received prior to 2021).

The DPC also spent a significant amount of time bringing old subject access request complaints to a resolution and concluded roughly 170% of the number of access complaints it received during the year (561 concluded against 331 received). This is a promising development as it means that the DPC will be able to focus on more recent access complaints rather than working through a backlog. Given that most employee complaints to the DPC about employers relate to subject access requests, this likely means that the DPC will deal with those complaints more quickly and employers will have to respond more quickly to queries from the DPC following an employee subject access request.

As has been the trend for the last number of years, in 2021 one of the most frequent topics queried and raised as a complaint with the DPC was access requests. Unfortunately, for employers, this signals that employee subject access request complaints are only going to increase over the next 12 months as employees become even more aware of their access rights.

Amicable resolution process

The report reaffirms that the DPC continues to endeavour to resolve individual complaints amicably which will be of comfort to employers particularly in relation to employee subject access request complaints. A ‘fast track’ amicable resolution process can also be utilised by the DPC in dealing with individual complaints and of the 3,564 complaints concluded by the DPC in 2021, 463 were resolved by means of the ‘fast track’ process. One of the most common complaints closed out by amicable resolution related to data controllers not responding to subject access requests. Responding to employee access requests is a common challenge for employers and it is useful to see that amicable resolution may be an avenue under which such issues are resolved between employers and employees.

Subject access requests

The report highlights the importance of data controllers complying with the right of access set out in Article 15 of the GDPR and refers to it as ‘one of the fundamental rights conferred upon individuals by the GDPR’. It goes on to clarify that this right is not absolute and is subject to exceptions. Many of the exceptions provided for under the Irish Data Protection Act 2018 are very often relied upon by employers in responding to employee access requests (such as legal privilege). The DPC report highlights that it has had huge success in dealing with access complaints more quickly and the DPC has now reversed the historic trend where more complaints were received in each year than were concluded. By the end of 2021 the DPC had received 331 new access complaints and concluded 561.

The DPC has helpfully summarised what it finds to be the main issues when it reviews an access complaint. These are that the data controller has not:

  • carried out an adequate search for the personal data; and/or
  • advised the individual that they are withholding data and the exemption they are relying on for the withholding; and/or
  • responded within the required time frame.

These are common issues we see coming up time and time again when dealing with employee access requests, and the DPC notes that, through reviewing access request complaints, it has built up a picture of how controllers are applying data protection principles in their organisations and in their policies and practices. In short, the DPC has seen the full range of access request handling and an employer is unlikely to persuade it that its organisation is so complex that it needs more leeway than others. The DPC specifically highlights in the report that it ‘is concerned that it has identified a pattern where data controllers are not responding to subject access requests received from data subjects and/or not responding to complaint commencement correspondence by the DPC’.

The DPC also makes clear that in 2022 it intends to increase its enforcement activities in the area of subject access requests and will target non-responses and inadequate responses from data controllers. For employers this means it is more important than ever to have a robust procedure in place for responding quickly and thoroughly to employee subject access requests. Employer responses should always be prepared on the assumption that the correspondence may end up before the DPC. Staff need to be trained to recognise when a request is a subject access request and to know where to escalate it, as we very often see employers reply late simply because it took a few weeks for the request to reach the relevant department. The one-month clock starts when the request is received, not when it reaches HR, and it appears from the DPC report that the DPC will not look favourably on such easy-to-resolve failures.

The case studies in the DPC report provide a really helpful learning tool for employers. We’ve picked out the most relevant from the employer perspective in relation to subject access requests:

Case study 1 – Something’s missing

The first case study deals with an individual involved in a dispute with a car park manager over the clamping of a vehicle. The individual submitted a request for all personal data relating to them. No response was received from the data controller initially. When the response was ultimately received the individual did not feel that sufficient searches had been carried out or that the data provided was complete. The DPC intervened, further searches were undertaken, and further personal data was disclosed to the individual. The individual was still not satisfied as they knew that a specific email they had sent was not included in the response. The data controller provided evidence to the DPC that the email had been caught in the organisation’s spam filter and had not actually been received or opened by anyone in the organisation. In line with the organisation’s email policy the email was automatically deleted after 14 days. The organisation also provided screenshots of the relevant inboxes the email was intended to reach showing that it was not contained within those mailboxes. The DPC ultimately found that the data controller had not complied with its obligations as it had not provided a complete response within the statutory time frame. In relation to the email caught in spam, the DPC found it was clear that the email no longer existed at the time the request was made and that no apparent right was interfered with through the initial quarantine and deletion of the email.

While not a workplace context, this case study deals with a common issue that arises when responding to workplace subject access requests – not all systems or custodian mailboxes are properly searched. Once the statutory deadline has been missed the GDPR has not been complied with and there is nothing an employer can do to be compliant at that point - opening up the potential for complaints to the DPC. This case study highlights the importance of a good process at the start of a subject request to make sure all relevant systems and mailboxes are searched on time.

Breaches

The DPC handled 187 complaints relating to notified and non-notified breaches in 2021. Most data breach complaints concerned the personal data of an individual being inadvertently disclosed to a third party in error. We commonly see this arise with employee HR personal data inadvertently stored on shared drives or emailed to the wrong person within the employer organisation. It is important for those involved to recognise this as a data breach and report it to the relevant data protection person within the organisation.

The DPC gives some good guidance on what controllers are doing wrong when a breach occurs and states that very often the explanation given by the controller to the individual about the breach is not sufficient to put their mind at ease, which can lead to complaints. The DPC notes that organisations which properly inform affected people about the breach ultimately resolve the matter sooner without it needing to come before the DPC. This is an important takeaway for employers, as employees are very often given limited information when their personal data has been compromised. The report also includes several relevant case studies on breaches in the workplace context which provide key lessons for employers, including the following:

Case study 5 – Unauthorised disclosure

The complainant in this case was a former employee who brought a legal claim against his employer for unfair dismissal (sound familiar?). As would be expected, the company had prepared documents relating to the dismissal including an internal investigation report and a submission to the Workplace Relations Commission (WRC). One month before the complaint was lodged with the DPC, the company notified the DPC of a data breach: the WRC submission had been inadvertently saved on a shared folder accessible to all staff rather than on the drive accessible only to HR. This was corrected within two days and the DPC notified. The company was not able to tell from its systems whether the document had been viewed, copied or printed while it was on the shared drive. The complainant alleged that both the WRC submission and the internal investigation report had been disclosed on the shared drive (the investigation document contained considerably more personal data than the WRC submission). The complainant also alleged that the documents were available on the intranet, which would have meant they could be accessed from any device by both employees and visitors to the premises. The complainant submitted statements from former colleagues stating they had access to the internal investigation document; however, these statements were vague. The company denied that the internal investigation document had ever been accessible to any unauthorised person. It also maintained that the WRC submission would not have been accessible to non-employees.

The main issues the DPC considered were the content and extent of the breach and whether the company’s security measures met the standards required by data protection legislation. Taking both sides’ submissions into account, and the fact that the DPC had been notified of the breach, the DPC found that there was insufficient evidence to support the claim that the internal investigation document had been disclosed or that personal data had been accessible to non-employees. In relation to security measures, the DPC found that the company had failed to anticipate and mitigate human error in storing such sensitive documents and reminded the company of the need to ensure relevant staff were aware of how such personal data should be handled.

This case study clearly highlights that employers need to take potential human error into account when designing security measures and mitigations, rather than relying on staff always choosing the right folder. Two practical points follow from the facts. First, the company could not tell from its systems whether the misplaced document had been viewed, copied or printed; without access logging on the shared drive, an employer cannot establish the scope of a breach and is left unable to rebut allegations such as the ones made here. Second, because a sensitive file can land in the wrong place despite policy, a routine check of all-staff areas for HR-restricted material shortens the window between the error and its correction. Regular training of staff on these points remains essential, and that training should give clear examples of issues that can arise and learnings from previous breach issues.
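One way to implement the routine check described above, as an added illustration that is not code from the article, from Lewis Silkin or from the DPC: a scan of an all-staff share for HR-restricted documents that have been saved outside the HR-only drive. It assumes the organisation stamps restricted documents with a classification label in the filename or text (the marker strings below are made up for this example), that the share is reachable as a local path, and that only text-like files are inspected for content; binary office formats are judged on filename alone. The sample share is constructed in the code to mirror the facts of case study 5.

```python
"""Scan an all-staff share for HR-restricted documents saved in the wrong place.

Added illustration for the case study above: not code from the article, Lewis
Silkin or the DPC. It assumes restricted HR documents carry a classification
marker (the markers below are hypothetical) and that the share is a local path.
"""
import os
import tempfile
from pathlib import Path

# Hypothetical classification markers an HR team might stamp into restricted
# documents; an organisation would substitute its own labels.
DEFAULT_MARKERS = (
    "CLASSIFICATION: HR-RESTRICTED",
    "Workplace Relations Commission",
    "Internal Investigation Report",
)

# Only text-like files are read for content. Office formats (.docx etc.) are
# zip containers and need a dedicated parser, so they are judged on name alone.
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".html", ".rtf"}
MAX_READ = 64 * 1024  # inspect at most the first 64 KiB of each file


def classify_file(path: Path, markers=DEFAULT_MARKERS):
    """Return why a file looks restricted, or None if nothing matched."""
    name = path.name.lower()
    for marker in markers:
        if marker.lower() in name:
            return f"filename contains '{marker}'"
    if path.suffix.lower() in TEXT_SUFFIXES:
        try:
            head = path.read_bytes()[:MAX_READ].decode("utf-8", errors="replace")
        except OSError:
            return None  # unreadable file: nothing to report from content
        for marker in markers:
            if marker.lower() in head.lower():
                return f"content contains '{marker}'"
    return None


def scan_share(root, markers=DEFAULT_MARKERS):
    """Walk the share and return sorted (relative_path, reason) pairs for hits."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            p = Path(dirpath) / fname
            reason = classify_file(p, markers)
            if reason:
                hits.append((p.relative_to(root).as_posix(), reason))
    return sorted(hits)


def build_sample_share(root):
    """Create a constructed all-staff share: two harmless files, two misplaced ones."""
    root = Path(root)
    (root / "Marketing").mkdir(parents=True)
    (root / "Projects").mkdir()
    (root / "Marketing" / "newsletter.txt").write_text("Q3 newsletter draft.\n")
    # The misplaced document: a WRC submission saved in the all-staff area.
    (root / "Projects" / "submission.txt").write_text(
        "CLASSIFICATION: HR-RESTRICTED\n"
        "Submission to the Workplace Relations Commission\n"
    )
    # A binary office file whose name alone gives it away (content not parsed).
    (root / "Internal Investigation Report - J Doe.docx").write_bytes(b"PK\x03\x04")


def demo():
    """Build the constructed share in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return scan_share(tmp)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

In practice the scan would run on a schedule against the real share path and raise an alert to the data protection contact for each hit, which is the part of the control that closes the gap between an honest filing mistake and a notifiable breach. Extending content inspection to office formats needs a library that opens the zip container, which is deliberately left out here.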

Case study 6 – More unauthorised disclosure

In this case study the DPC dealt with a complaint about alleged unauthorised disclosure by the employer of personal data including attendances with the company doctor, details of a personal injury claim and details of a disciplinary procedure. The complainant alleged that these had all been stored on the company’s shared ‘C-drive’ which could be viewed by anyone within the company and had also been left on the complainant’s desk in the form of a CD-ROM. This matter was clearly taken very seriously by the company and, following an internal investigation which determined the personal data had been accessed, two employees had their employment terminated and the police were notified about the incident. The DPC was also notified of the breach and advised that at least two employees had accessed some of the personal data on the shared drive. The employer advised that the incident arose when HR files were being transferred from the HR department to the legal department as one of the HR team members was leaving the company. During this process large numbers of files were available to be accessed by employees who would normally not have access to such sensitive files. The DPC found that the information disclosed in respect of the complainant was particularly sensitive and included ‘data concerning health or data concerning a natural person’s sex life’. Given the nature of the personal data there was a high onus on the employer to ensure that only those who needed to access the information could do so and due regard was not given to the risks to the data subject of placing the information on the shared drive even if only intended to be for a very short time period. The decision to transfer the files in this manner appears to have been because of practical and logistical issues in that the files were too large to share by other means. The DPC found that this did not justify the incident and more secure alternatives were available that would not have presented the same risks.

More training for the staff involved in this situation might have stopped them taking the quick and risky route to transfer the files. The DPC particularly noted the major fallout in this situation (which could have been avoided): not only did it give rise to legal proceedings in respect of the breach itself and have a significant impact on the data subject, but two long-term employees also lost their jobs.

The key takeaway here is that even if the transferring of personal data in a more secure way is more time consuming this will not justify unauthorised disclosure. Staff handling sensitive personal data need regular training on how it should be managed.

Purpose of processing

The report reminds us that it’s important for employers not to forget the basics and to ensure they have a lawful basis for any processing that takes place. Case study 4 is a good reminder of this.

Case study 4 – Location, Location, Location

In this case study a former employee made a complaint to the DPC about his employer’s use of location data to verify his expense claims. The employee’s work involved driving to locations assigned by his employer and as part of his expenses claims the employee would complete expense forms which included the relevant places he had been on the relevant dates. The employee made a claim for overtime and subsistence which was rejected by the employer because of inconsistencies between the details on his expenses form and the employer’s dispatch system. The employee complained to the DPC in respect of the employer’s use of the dispatch system for this purpose.

The DPC considered whether the employee had been made aware that the information on the dispatch system would be used for the purpose of validating expense claims. The DPC looked at whether the processing was compatible with the purpose for which the data was collected and whether the employer had a legal basis for that particular processing. The first issue for the employer was that it had no policy in place around the use of the dispatch system and relied on employees’ ‘general awareness’ that the system was used to validate expense claims. The employer referred to previous agreements with unions and the fact that employees had to include the dispatch number on their expense claim forms. The DPC formed the view that this indicated employees were aware of this potential use of the data in the system, and also noted that the employer was subject to financial regulations requiring it to verify overtime and subsistence claims. The DPC found that even if the principal use of the system was to aid dispatch logistics, using the information to verify overtime and subsistence claims was not incompatible with that purpose. The DPC found that the processing was necessary to comply with the employer’s legal obligations in relation to expenses, that it was also necessary for the performance of the employment contract, and that it was in the legitimate interests of the employer.

This case highlights the importance of ensuring that there is a legal basis for the processing, that the processing is necessary and that employees are aware of the processing and its purpose.

Conclusion

The DPC 2021 report clearly demonstrates that employee data protection complaints around subject access requests and breaches are here to stay. The case studies show that employers who act quickly and reasonably when employee data protection issues arise and have good practices in place will fare better before the DPC if a complaint is lodged.

It’s key for employers to keep their subject access request and breach policies and procedures under constant review. Learnings from each data protection matter that arises concerning employees should be documented and fed back into the data protection framework to improve data practices. Nearly four years on from the implementation of GDPR there should be lots of learnings and examples that employers can incorporate into staff training to make it more meaningful and relevant for staff. If employers have a breach register that four years on shows no breaches at all this is a major red flag that staff don’t know what a breach is or how to report it.

It’s time to review and reassess policies, procedures, and training to make sure staff know how to manage employee personal data correctly and what they need to do if something does go wrong.

A copy of the full report is available here.

For more information on this or any other data protection matters in Ireland please contact the Lewis Silkin team.
