Employer Resources Newsletter - Nov 2023

    HR Best Practice: Data Protection, Subject Access Requests, Employer Obligations

    Since the implementation of the General Data Protection Regulations (GDPR) across the EU and the introduction of 99 Articles which provided for significant reforms to the legislation in Ireland with the introduction of the Data Protection Act, 2018, there has been an increase in subject access requests. It is therefore important that organisations in the nonprofit sector continue to assess and review their data protection practices ensuring compliance with the Regulations. 

    Who does GDPR apply to?

    GDPR applies to all entities established in the EU which process personal data in the EU. As such, GDPR and the Data Protection Act, 2018 apply to any person or organisation which processes personal information / data related to an employee (current or past) or an applicant for employment.

    What exactly is considered personal data?

    This is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” (Article 4, General Data Protection Regulation, 2018).

    General Data Protection Regulation Principles

    The General Data Protection Regulation (GDPR) gives individuals the right to know what information is held about them, to access this information and to exercise other rights, including the rectification of inaccurate data. The GDPR is a standardised regulatory framework which ensures that personal information is obtained, handled and disposed of properly. 

    Every organisation in the nonprofit sector is obligated, under the GDPR and Irish data protection laws, to abide by the GDPR’s principles, which ensure that personal information is:

    a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)

    b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’) 

    c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’) 

    d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’) 

    e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’)

    f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

    Subject Access Requests:

    Since the implementation of GDPR there is no longer a requirement for an employee to provide their employer with the administrative fee of €6.35 when lodging a Subject Access Request (SAR). This means that employees can now make a SAR completely free of charge. While this might not appear to be a significant change, the payment of the fee by cheque or bank draft was an inconvenient administrative burden for employees which may have dissuaded at least some from making a SAR. However, since the implementation of the regulations a SAR can now be simply initiated by an employee emailing their employer and requesting a copy of all of their personal data.

    In addition, the timeframe for responding to a data request has been shortened to one month; however, this can be extended by two months if there is complexity involved in fulfilling the request. Furthermore, if a request is “manifestly unfounded” or “excessive” the employer can refuse the request or charge a fee. Unfortunately, “manifestly unfounded” and “excessive” in this context have not been defined. It therefore remains to be seen under what circumstances, in practice, an employer can refuse to comply with a SAR.

    Adopting strict data retention policies and deleting older data in accordance with compliance requirements can help reduce administrative burdens, as there will be less information for employers to provide to data subjects. That being said, in most cases, it will not be possible to avoid SARs. Employers should therefore analyse their systems and work practices in order to see how they can respond to SARs in the most efficient manner possible.

    Frequently Asked Questions

    How should I ensure requests are lodged and received correctly? 

    Data Subjects must be able to lodge access requests with a Data Controller, in accordance with the obligation of Data Controllers to facilitate the exercise of the rights of the Data Subjects (Article 12 GDPR). In order to comply with this obligation a Data Controller should consider two things. Firstly, it must ensure that their organisation has a dedicated way for a Data Subject to make such a request, and for a Data Controller to record such a request. Data Controllers may wish to use standard or online forms for the lodgement of access requests. This can help streamline a Data Subject’s access request and can ensure consistency and timely responses to a request within a Data Controller’s organisation.

    Secondly, Data Controllers must ensure they do not overlook access requests by Data Subjects, just because the request is lodged in a different way than the internal point of contact established within the organisation for dealing with data protection issues. Data Subjects can always validly lodge an access request by contacting the organisation through any method of communication be it by phone, post, informal chat or in person. The GDPR does not require any particular form to be used to make a valid access request. The Data Controller may re-direct the Data Subject to the relevant department of the organisation dealing with access requests or may re-direct the correspondence themselves by internal email or post, however the clock for complying with the relevant time limit begins from the day the request is received by the Data Controller.

    Should I verify the identity of the requester? 

    A Data Controller must adequately identify the requester’s identity (meaning securely associate the Data Subject to a name and surname/to an organisation through a legitimate representative) having used all reasonable measures and should not require any further information from the requester unless the controller still has a reasonable doubt in relation to the requester’s identity (Article 12(6) GDPR). Until the Data Subject’s identity has been adequately established the access request is not effective and the clock for the purposes of the time limit to respond does not begin. 

    Implementing a method of confirming the identity of the requesting Data Subject may be considered a technical and organisational measure put in place by an organisation in order to safeguard the security of personal data and prevent a data breach, which may occur if a Data Controller disclosed information to unauthorised recipients. However, such a measure is justified where there is an actual security requirement, in this case coinciding with the existence of a reasonable doubt as to the identity of the requester. If there is no reasonable doubt, the measure could be seen as an obstacle to the exercise of a Data Subject’s right, in breach of the obligation of controllers to facilitate the exercise of rights by Data Subjects and of the data minimisation principle.

    Can third parties lodge a request? 

    The decision as to how to lodge a request is entirely up to the Data Subject, with no particular or formal method prescribed by data protection law. Therefore, a Data Subject may decide to authorise someone else (including a solicitor, an individual, not-for-profit body, organisation or association referred to by Article 80 GDPR) to lodge a request on their behalf. The third party lodging the request must be able to provide evidence that such authorisation came from the Data Subject. The issue of identification in these cases applies both to the identity of the requester and the person on whose behalf the request is made.

    There may be cases in which specific authorisation is not available, but the right to request access to personal data could derive from more general types of representation, for example power of attorney or parental responsibility. In these cases, a Data Controller must consider whether to contact the Data Subject first and whether to send the response to the access request directly to the Data Subject.

    Can I ask the requester to further clarify their request? 

    A Data Subject is entitled to request access to any or all of their personal data. A Data Controller who processes a large quantity of information concerning the Data Subject can request, as soon as possible after having received the request and before delivering the response to the access request, that the Data Subject specify the information they want to be provided or the specific processing activities which they want access to and, in addition to this, may be entitled to extend the time to answer the access request. Although it is in the interest of the Data Subject to cooperate in order to speed up the process, the Data Subject is not obliged to answer, and a Data Controller must comply with the access request even if the request for clarification remains unanswered. It is recommended that Data Controllers always document the reasons for the request for clarification, in accordance with the principle of accountability.

    What are the deadlines to respond? 

    Data Controllers must provide information on the action taken on the access request without undue delay. This means that they must confirm as soon as possible whether they are processing personal data of the Data Subject and, if that is the case, Data Controllers must either: 

    a) provide all the information on processing and a copy of the personal data at issue as required by data protection law, or 

    b) notify the Data Subject that they need more time to answer the request, or 

    c) notify the Data Subject that they will not take action on the request and the reasons for not doing so. 

    The response to an access request may be considered untimely even before the maximum term provided for by law has expired, depending on the circumstances of the case. The maximum time limit to provide information on the action taken on an access request, is one calendar month from receipt of the access request by identified or identifiable Data Subjects, regardless of the fact that such receipt is not on a working day. 

    Exceeding the maximum time limit would automatically constitute a breach of the Data Controller’s obligations. Data Controllers can be said to have received an access request at the moment in which their organisation has become aware or has had constructive notice of the access request lodged through their established channels of communication, without the need to take any further steps in order to identify the requester.

    Conclusion:

    With the continued focus on GDPR and the subsequent growth of the Data Protection Commission, it has become evident that there has been a considerable increase in Subject Access Requests (SARs) being lodged within the workplace. We expect this to be one of the main areas of dispute with employees going forward, as they challenge the adequacy or validity of responses received to such requests. In summary, SARs will likely give rise to considerable time and cost burdens for employers in the nonprofit sector, with limited scope to refuse the requests. Thus, it is imperative that Data Controllers are fully aware of their obligations under GDPR and have a defined strategy and approach within their organisation with regards to same.

    WRC / Labour Court Decisions

    Employment Status of ‘Contractor’ determined to be an Employee

    Background 

    After completing a tendering process and signing an independent contractor agreement, the Complainant started working for the Respondent in 2015 as a jewellery and ceramic technician. The contract was renewed in 2016 and she successfully re-tendered for the position in 2018 for another two years. On 12 May 2021, the Respondent informed the Complainant that the programme would not be running after the end of the contract, but the tender process may open again in 2022. 

    Summary of Complainant’s Case:

    The Complainant submitted that she was in fact an employee and complained that she had been unfairly dismissed, contrary to the Unfair Dismissals Acts 1977 to 2015. The contract required her to perform a training/ demonstrator role and the Respondent was obliged to provide her with work during the college terms. 

    She reported to a manager and worked fixed hours, receiving a set payment like a salary. While she could take up other work this was limited. 

    Summary of Respondent’s Case:

    The Respondent argued that there was no mutuality of obligation. Prior to entering into the business contract to provide services, she had sought independent legal advice. Furthermore, she could substitute and place another technician in the role and could work for other parties. 

    Findings 

    The Adjudicator first considered whether the correct status of the Complainant was that of an independent contractor or an employee. The Adjudicator relied on the Court of Appeal decision in Karshan (Midlands) Ltd t/a Domino’s Pizza v. The Revenue Commissioners [2022] IECA 124, which held that a contract of service must always have mutuality of obligation. This requires “an ongoing reciprocal commitment to provide and perform work on the part of the employer and the employee respectively.”

    Having examined the 2015 contract, the Adjudicator held that the Respondent’s position that there was no mutuality of obligation was “not credible based on the nature of the contract between the parties … and the reality of any third party observing this relationship.” 

    The Complainant had constant hours: 17 hours per week for 46 weeks of the year. She had to report to a manager and was responsible for her students, prepared teaching materials and assessments, managed a classroom and had health and safety responsibilities. The Adjudicator noted clauses in the contract stating that the Complainant could not assign or subcontract without the prior agreement of the Chief Executive and any additional work could not impede her work with the Respondent. The Adjudicator considered that these clauses were very restrictive and gave a high level of control to the Respondent. Finally, the Respondent emphasised the importance of the intentions of the parties and the fact that the Complainant had had the benefit of independent legal advice. 

    The Adjudicator reiterated that the factual matrix in this case was one of a contract of service and that the power balance in any relationship must be considered. In reality, the Complainant had no choice but to accept the terms as set out in the contract. 

    Having determined that the Complainant was an employee, the Adjudicator next considered whether the Acts applied since an employee must have a minimum of one year’s continuous service prior to dismissal before they are entitled to rely on its provisions. The Adjudicator noted that the Complainant had been engaged by the Respondent on several contracts since 2015 with breaks in service during the summer periods. 

    However, s.2(2A) provides that where a fixed-term contract expires and the employee is re-employed within three months, and the Adjudicator is of the opinion that the entry by the employer into the subsequent contract was wholly or partly to avoid liability under the Unfair Dismissal Acts, the dismissal of the employee falls within the scope of the Acts, even if the employee had less than one year’s continuous service under the subsequent contract.

    The Adjudicator determined that these successive contracts were provided to avoid liability. Therefore, the Complainant’s dismissal did fall within the Act. The Adjudicator noted that s.6(1) provides that a dismissal is unfair unless there are substantial grounds to justify it. Section 6(7) allows an Adjudicator to have regard to the reasonableness of the employer in relation to the dismissal. 

    Having found that the Respondent was using successive contracts to evade their responsibilities under the Unfair Dismissal Acts, the Adjudicator held that the Respondent’s conduct was “both unreasonable and a fundamental breach of contract rights.” 

    Determination

    The Respondent did not give any evidence of reviewing alternatives or engaging in any form of consultation with the Complainant prior to its decision to dismiss her and accordingly, the Complainant was unfairly dismissed. On the facts of the case, and the fact that the Respondent envisaged a potential resumption of training in September 2022, the Adjudicator determined that compensation would not be appropriate and ordered that the Complainant be re-engaged by the Respondent on terms specified in the decision.

    Our Commentary:

    In most cases it will be clear whether a worker is employed or self-employed. However, it may not always be clear, and this can lead to confusion in relation to their employment status. There is no single, clear legal definition of the terms ‘employed’ or ‘self-employed’ in Irish or EU law. In order to determine a person’s employment status, both the written or oral contract and the reality behind the contract must be taken into consideration. Although the intention of the parties and any written agreement is given due consideration, they do not on their own determine the employment status. 

    While the terms of a contract might be quite clear in saying that a person is engaged as a self-employed contractor, courts and statutory bodies may still conclude that they are, in fact, an employee. Inspectors and adjudicators will consider any formal contracts, but they will also consider how the work is actually carried out and will assess the relationship between the worker providing the service and the business paying for that service. They will consider whether the worker, or indeed the employer, had no option but to sign up to the terms dictated by the other party. 

    As the true agreement will often only be understood by analysing in the round all the circumstances and facts of the case, it is essential that employers in the nonprofit sector consider the Code of Practice on Determining Employment Status in order to gain a clear understanding of the employment status and any contractual arrangements being considered.

    Did You Know?

    Parental Bereavement Leave (Amendment) Bill, 2021

    The proposed Parental Bereavement Leave Bill is currently at the Second Stage of Dáil Éireann and while it has moved slowly since first introduced in November 2021 it remains on the agenda. The Bill itself seeks to amend the Parental Leave Acts of 1998 and 2006 to provide bereavement support to parents coping with the loss of a child. The proposed legislation covers both parents of a child up to 18 years old, allowing them to each take bereavement leave.

    Under the key provisions of the Bill, eligible parents will be entitled to parental bereavement leave for a minimum of 10 working days following the death of their child. This entitlement extends to each child in the case of multiple child losses with the leave to be taken within 42 days of the child's death, with the first day being the day of the child's passing.

    To avail of this leave, it is proposed that employees will need to inform their employer using a prescribed form detailing the date and circumstances of the leave. During parental bereavement leave, it is proposed that employees are regarded as actively working and any parental bereavement leave will not be considered part of any other leave entitlements, including sick leave, annual leave, adoptive leave, maternity leave, and parental leave.

    While we await further progress of the Bill through the Committee stages it is likely to be debated and may lead to amendments from its current format. 

    World Menopause Day

    Last month World Menopause Day was celebrated and importantly is marked as an international observance day to promote knowledge about menopause and the associated impacts on health and wellbeing.

    For employers in the nonprofit sector, it is an opportunity to consider and review your approach to managing and implementing supportive work practices for those who are experiencing menopause which will in turn support your commitment to all employees. Menopause can affect everyone differently and the support needed can vary from person to person. The individual employee is best placed to suggest or feed-back what support will provide the greatest assistance to them, so it is essential that managers encourage open and honest discussion in order to be able to respond appropriately.

    It is also essential for organisations to create positive awareness and understanding on what menopause is, the associated symptoms and impacts, and what organisational supports are available and how these can assist employees reach their full potential at work.

    Actions

    • Ensure that menopause is treated appropriately and that guidance on dealing with this is available. 
    • Encourage employees to speak up if they are struggling at work because of their symptoms.
    • Put formal and informal supports in place and signpost them for all employees; this could include a point of contact, an occupational health assessment, a menopause or well-being champion and access to an employee assistance programme.
    • Develop a menopause policy which sets out the organisation's approach to employees experiencing menopausal symptoms, the responsibilities of employees and managers, and the supports those employees can expect to receive. 

    If your organisation requires support, advice or guidance on developing and implementing policies and procedures, employee relations support or details of the supports provided under our Partnership Programme contact our expert-led team at Adare Human Resource Management.

    Dublin Office: (01) 561 3594 | Cork Office: (021) 486 1420 | Shannon Office: (061) 363 805
    info@adarehrm.ie | www.adarehrm.ie
