DATA PROTECTION AND HR IN THE CIVIL SERVICE

Guidelines for HR Units in the civil service

Civil Service HR Policy [email protected]

Abstract

These guidelines are produced as a support for HR Units in the Civil Service in fulfilling their responsibilities under data protection legislation. Version August 2019.

Data protection guidelines for HR in the civil service vf January 2020

Data Protection and Human Resources: Guidelines for HR Units in processing records of Civil Servants

Table of contents

Introduction
  Data Protection and the National Archives Act
  Data Protection and your department/office
  Data sharing: relationships between departments/offices within the Civil Service
  Data sharing: pensions data
  Joint controller relationships
  How to identify personal data

Processing Personal Data
  Civil servants and personal data processing

Legal Basis for the Processing of Personal Data (Article 6)
  Ground 1: The Consent Basis
  Ground 2: The Contract Basis
  Ground 3: The Legal Obligations Basis
  Ground 4: The Legitimate Interests Basis
  Ready Reckoner: Legal Basis for Processing Personal Data

Legal Basis for the Processing of Special Category Data (Article 9)
  Ground 1: The Explicit Consent Basis
  Ground 2: The Legal Obligations Basis
  Ground 3: The Legal Defence Basis
  Ground 4: The Occupational Medicine Basis
  Ready Reckoner: Legal Basis for Processing Special Category Data

Rights of individuals
  Article 12: Conditions applicable to the exercise of rights
  Article 13: Right to be Informed
  Article 15: Right of Access
  Article 16: Right to Rectification
  Article 17: Right to Erasure
  Article 18: Right to Restriction of Processing
  Article 20: Right to Data Portability
  Article 21: Right to Object to Processing
  Article 22: Right not to be subject to a decision based solely on automated processing, including profiling

GDPR Readiness
  Audit of Data Processing Activities
  Additional Steps
  Subject Access Requests

Appendices
  Appendix 1: Fictional Scenario 1 (Mr. Burns); Fictional Scenario 2 (Mr. West)
  Appendix 2: Questions and answers
  Appendix 3: Subject Access Request (SAR) HR Quick Guide Procedure and redaction instructions
  Appendix 4: Data Protection principles
  Appendix 5: Data Checklist
  Appendix 6: Sample Audit Template

Introduction

These guidelines are produced as a support for HR Units in the Civil Service in fulfilling their responsibilities under data protection legislation. The GDPR came into effect on 25 May 2018 and is directly applicable as law in all member states. The Data Protection Act 2018 gives further effect to the GDPR in Ireland.

These guidelines are produced for guidance only.

Data Protection and the National Archives Act

For the civil service, data protection must be viewed in conjunction with any obligations placed on departments/offices by the National Archives Act 1986. When a record, or series of records, is due to be destroyed, no record can be destroyed without the express authorisation of the Director of the National Archives. Contact must be made with the Archives and Government Services Division of the National Archives before any disposal can take place; queries on disposal can be directed to [email protected].

Data protection and your department/office

Please note that these guidelines are not designed to override any instruction issued by your department/office. Each department/office is its own data controller and you should therefore read these guidelines in conjunction with any instructions or documentation issued by that department/office. If you are in any doubt as to the procedure surrounding any data protection related work, please consult your department's/office's Data Protection Officer (DPO).

Data sharing: relationships between departments/offices within the Civil Service

Data controllers (i.e. each department/office) that are part of a group of undertakings or institutions affiliated to a central body (the civil service) may have a legitimate interest in transmitting personal data within the group for internal administrative purposes, including the processing of individuals' personal data (see Recital 48 of the GDPR).

This includes, for example, transferring data to and from the National Shared Services Office (NSSO) for the purposes of processing, and receiving data from the Public Appointments Service (PAS) in relation to recruitment. HR Units should consult the Memorandum of Agreement: Employee Services Management Agreement (ESMA) in place with the NSSO, and any other data processing or joint controller agreements in place with other departments/offices.

Any processing which involves the sharing of data between related civil service bodies, or related institutions or groups, must comply with the data protection principles laid down under Article 5 of the GDPR and with the transparency obligations laid down under Articles 12, 13 and 14 of the GDPR.

Data Sharing and Governance Act

Part 5 of the Data Sharing and Governance Act 2019 gives a Minister of the Government the power to collect and process specified information regarding public servants, in particular:

  Section 25 relates to the administration of the Single Public Service Pension Scheme;
  Section 26 relates to the administration of pre-existing public service pension schemes; and
  Section 27 relates to Public Service policy analysis.

Sharing the information captured by the above sections of the Act between public bodies will not require a data sharing agreement. For example, for pensions purposes and for providing information to DPER for policy analysis (e.g. the Civil Service HR databank), a data sharing agreement will not be required.

Joint controller relationships

There may be certain instances where a department/office is a joint controller with another department/office for certain functions. You should be aware of who controls which data. The data protection audit process (see Audit of Data Processing Activities) will assist in this regard.

How to identify personal data

Given that the GDPR only applies to "personal data", it is important to understand how to identify whether or not the information set out in a document or record constitutes "personal data". Generally speaking, if the information tells us something about the individual, in a personal context, that information is likely to constitute personal data. In the workplace, you are likely to encounter three categories of records concerning individuals:

1. Records that constitute an individual's personal data, for example staff time and attendance records, performance records, etc.

2. Records that do not constitute personal data. Just because an individual's name is at the bottom of a letter or email does not mean that the content of that letter or email constitutes the personal data of the individual. Where the letter or email relates to the delivery of the employer's service, for example, and does not contain anything that relates to the individual in a personal context, then the information set out in the letter or email does not constitute the "personal data" of the individual.

3. Records that contain both personal data and non-personal data. An example is a scenario whereby a line manager receives an email from a client containing four paragraphs; three paragraphs relate solely to arrangements for the delivery of a service while the fourth contains a complaint against a member of the line manager's team. In this scenario, only the fourth paragraph can be said to contain personal data (relating to the team member against whom the complaint has been made).

There are two types of personal data: 'standard' personal data and "special category" personal data (see Appendix 4 for details of the types of information that constitute special category data).

Processing of Personal Data: Introduction

The GDPR prohibits the processing of personal data unless the processing is supported by a legal basis. The term "processing" encompasses every action, both active and passive, from the moment in which personal data comes under the control of a department/office until (and including) the moment when the personal data is irretrievably deleted or anonymised. Note that pseudonymisation does not end processing: pseudonymised data remains personal data under the GDPR (Recital 26), because it can still be attributed to an individual with the use of additional information. As set out above, there are two types of personal data. Article 6 of the GDPR sets out the circumstances in which personal data may be lawfully processed, while Article 9 sets out the circumstances in which special category data may be lawfully processed. Article 6 provides six lawful grounds for processing and Article 9 provides ten. Within each group, there are four lawful grounds that are most likely to apply to the processing of personal data in the workplace. These grounds are detailed below.

Civil Servants and Personal Data processing: background to the legal bases to be used when processing Civil Servants' HR data

It should be noted that there is no contractual relationship involved in the service of a civil servant. Rather than serving under a contract with an employer, civil servants instead hold office by appointment under the terms of the Civil Service Regulation Acts, with a tenure at will.

This distinction is important when considering Article 6(1)(b), the contract basis, as a basis for processing the HR records of civil servants. It is not recommended that this basis be used, since civil servants do not serve under a contract of employment. This interpretation extends to the "contract" for probationary and temporary staff, for example Temporary Clerical Officers (TCOs).

In the case of civil servants, the legal bases for processing and retaining HR records are found under Articles 6(1)(c) and 6(1)(f) in relation to personal data, and under Article 9(2)(b) of the GDPR and Section 46 of the Data Protection Act 2018 in relation to special category data. These should be read in conjunction with, inter alia, the Civil Service Regulation Acts 1956-2005; the Public Service Management Act 1997 and the Public Service Management (Recruitment and Appointments) Act 2004, together with regulations and circulars made thereunder. Note that the final subparagraph of Article 6(1) provides that the Legitimate Interests Basis does not apply to processing carried out by public authorities in the performance of their tasks, so its availability for a particular HR processing activity should be confirmed with your DPO before it is relied upon.

The processing and retention of civil service HR data by departments/offices must also be considered in terms of their obligations under the National Archives Act 1986. The disposal of any departmental record made or received, and held in the course of its business, by a department/office cannot take place without a certificate for disposal signed by the Director of the National Archives.

Processing of Personal Data (Article 6 of the GDPR)

Article 6: Ground 1 – Processing of Personal Data – The Consent Basis

Article 6(1)(a) permits the processing of personal data where "the data subject has given consent to the processing of his or her personal data for one or more specific purposes" ('the Consent Basis').

Consent should not be relied upon as the basis for processing within an "employment" relationship, including in the civil service, save in circumstances where the individual is truly free to withhold consent, or is truly free to withdraw consent after it is given.

Consent, in a data protection context, is an often misunderstood term. Consent is defined in Article 4(11) of the GDPR as:

"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

The Article 29 Data Protection Working Party ("WP29"), since replaced by the European Data Protection Board, considered the definition of valid consent outlined above and identified that it comprises five separate elements, each of which must be satisfied in order for consent to meet the standard required by the GDPR. Those five elements of valid consent are:

1. '... any indication of the employee's wishes ... signifying agreement ...' This element requires:
  (a) any kind of signal on the part of the individual;
  (b) sufficiently clear to indicate the individual's wishes;
  (c) given orally, in writing, or by conduct or behaviour;
  (d) some form of positive act on the part of the individual.

2. 'it is freely given'. This means that:
  (a) this element can only be satisfied where the individual can exercise a real choice without fear of repercussion or negative consequences;
  (b) it is not suitable for situations where there is an imbalance of power between the department/office and the individual, i.e. it is not suitable for use in employment relationships or in the context of the relationship between public bodies and members of the public.

3. 'it is specific'. In order for this element to be satisfied:
  (a) the individual must be fully informed;
  (b) the information provided must be specific;
  (c) the information as to the processing operations must be granular;
  (d) the language used to inform the individual must be intelligible;
  (e) references to an open-ended set of processing activities are not permitted;
  (f) it is possible to base different processing operations on a single consent if those processing operations fall within the reasonable expectations of the individual.

4. '... it is informed ...'. This element requires that:
  (a) the individual is given sufficient information so as to enable him/her to appreciate and understand the facts and implications of giving consent;
  (b) the consequences of refusal to consent are also clearly set out;
  (c) clear language is used and the relevant information is provided at the time of consent;
  (d) all of the information required to be given pursuant to Article 13 (see below) is provided at the time of consent.

5. It is 'unambiguous'. This means that:
  (a) a positive act on the part of the individual is required (i.e. non-reply to a letter or email will not suffice);
  (b) the organisation needs to be clear that it is in fact the individual who is consenting to the processing.

Notes on how to apply the Consent Basis

Consent should not be relied upon as the basis for processing within an employment relationship, save in circumstances where the data subject is truly free to withhold consent, or is truly free to withdraw consent after it is given.

The imbalance of power between the department/office and individuals means that the situations in which consent may be relied upon as the basis for processing will be few and far between. When considering whether or not consent might be an appropriate basis in a particular situation, it is important to identify the impact of a refusal to consent, i.e. if the individual refuses to consent, will he/she suffer any detriment, be unable to avail of a particular benefit, or be prevented from participating in a scheme/programme which is important in the context of his/her job or career progression?

It is also important to remember that an individual is entitled to withdraw consent at any time. Where consent is withdrawn, the processing activity to which the consent relates must immediately cease. Thus, when considering whether or not consent might be an appropriate basis in a particular situation, it is also important to identify the impact of a subsequent withdrawal of consent: if the processing activity cannot stop where the individual subsequently withdraws his/her consent, then consent was not an appropriate basis for the activity in the first place. It must be as easy to withdraw consent as it is to give it.

Similarly, where there are a number of potential grounds that could be relied upon as the legal basis for processing, one of which is the Consent Basis, the processing should be based on those other grounds, and not on the Consent Basis. To do otherwise would risk giving the individual the impression that the processing is taking place on the basis of his/her consent and that he/she has the power to stop the processing simply by withdrawing consent. The WP29 considered this scenario to be "misleading" and "inherently unfair".

For example, recording a data subject's time and attendance is a statutory obligation under the Organisation of Working Time Act 1997, so the processing of this personal data is done on the basis of a statutory requirement and not on the basis of the data subject's consent. This being the case, a data subject should not be led to believe that the processing is done on the basis of their consent, as this would lead them to believe, incorrectly, that the processing of their time and attendance records could be stopped simply by requesting it.

If it is decided to proceed with consent as the basis for processing, it is important to remember that the consent must be actively managed. Firstly, consent should be recorded in writing so as to ensure that the department/office is in a position to prove compliance with the GDPR (Article 7(1) requires the controller to be able to demonstrate that the data subject has consented). Where the consent was not originally given by the individual in writing, the circumstances in which he/she consented to the processing activity should be documented. Secondly, consent must be proactively managed: the department/office must periodically contact the individual to ensure that the consent is still valid, i.e. that the individual is still happy for the processing in issue to continue.

For the reasons set out above, consent should be a last resort for processing operations within the employment relationship. Where consent is the legal basis for processing, it is important to ensure that the consent is recorded and managed and that the process by which consent may be withdrawn is clearly set out, communicated to the individual and easy to understand.

An example of a situation where consent would be an appropriate legal basis for processing is a scenario whereby a department/office is facilitating a voluntary 'Get Fit and Healthy at Work' programme involving a series of lunchtime talks for staff and the opportunity to participate in a subsidised gym membership scheme. In order to run the programme, the department/office will need to process the names and bank account details of participating staff. Participation is voluntary and staff not wishing to participate will not suffer any detriment or adverse consequence in the context of their employment or career progression. The participants would also be free to withdraw their consent at any time after the initial consent was given.

While consent may be given orally or by conduct, it is preferable that consent is recorded in writing so as to ensure that your department/office will be able to demonstrate compliance with the GDPR. It is also important to remember that the "positive step" aspect means that pre-ticked or pre-populated boxes should be avoided: where an individual is presented with options, in terms of a 'yes/no' response or in terms of the matters to which the consent relates, boxes should be left blank for the individual to tick himself/herself. Default settings on electronic devices fall into this same category; an individual's lack of action (i.e. failure to change default settings where the 'I consent' or 'yes' setting is automatically selected) gives rise to a risk that the consent being conveyed does not satisfy the requirements of the GDPR.

Below is a three-point test for assessing whether consent can be relied upon as a basis on which to process an individual's personal data:

1. What is the impact of a refusal to give consent? For example, if the individual refuses to consent:
  will he/she suffer any detriment?
  will he/she be unable to avail of a particular benefit?
  will he/she be prevented from participating in a scheme/programme which is important in the context of his/her job or career progression?

2. Can the consent be easily withdrawn after it is given?

3. Is the department/office in a position to periodically check the continued validity of the consent?

In most cases, when considering HR data, you may find that the answers to these questions point against consent (a refusal would carry a detriment, withdrawal could not be honoured, or the consent could not be re-checked), and therefore the consent basis should not be relied upon unless it can be clearly demonstrated that consent fulfils all of these criteria.

Article 6: Ground 2 – Processing of Personal Data – The Contract Basis

Article 6(1)(b) permits the processing of personal data where the "processing is necessary for the performance of a contract to which the data subject is party" ("the Contract Basis"). As noted previously, civil servants are not employees serving under a contract, and it is therefore not advisable to rely on Article 6(1)(b) as a basis for processing or retaining data for civil servants. Articles 6(1)(c) (the Legal Obligations Basis) and 6(1)(f) (the Legitimate Interests Basis) should be used in this regard.

Article 6: Ground 3 – Processing of Personal Data – The Legal Obligations Basis

Article 6(1)(c) permits the processing of personal data where the "processing is necessary for compliance with a legal obligation to which the controller is subject" ("the Legal Obligations Basis"). Note that a specific legal basis is required, laid down by EU or Member State law, and the legislation in issue must state the purpose of the processing (Article 6(3)).

Notes on how to apply the Legal Obligations Basis

This ground may be relied upon as the legal basis to support processing activities that are carried out for the purposes of compliance with a legal obligation to which the department/office is subject, for example:

  (i) the processing of individuals' PPS numbers for the purposes of remitting taxes and levies to Revenue;
  (ii) the recording of an individual's working time and attendance for the purposes of compliance with the Organisation of Working Time Act 1997;
  (iii) the maintenance of an individual's annual leave records for the purposes of compliance with the Organisation of Working Time Act 1997;
  (iv) the maintenance of an individual's maternity leave, parental leave, adoptive leave or paternity leave records for the purposes of compliance with the Maternity Protection Acts; the Parental Leave Act 1998; the Adoptive Leave Act 1995 and the Paternity Leave and Benefit Act 2016; and
  (v) the processing of data relating to accidents or dangerous occurrences in the workplace for the purposes of compliance with the Safety, Health and Welfare at Work Act 2005 (as amended).

Legal obligations in the civil servant-HR relationship

In the case of civil servants, the legal basis will be found in, inter alia, the Civil Service Regulation Acts 1956-2005, the Public Service Management Act 1997 and the Public Service Management (Recruitment and Appointments) Act 2004, together with regulations and circulars made thereunder. Other examples of legislation to which a record may relate include, but are not limited to, the following:

Legislation1 Examples of records to which it applies

Adoptive Leave Acts 1995 and 2005 and associated regulations

Records relating to compliance with facilitating leave for adoption.

Any and all relevant Regulations and Circulars affecting the appointment, performance, discipline or dismissal of civil servants

Records relating to the terms and conditions of civil servants, and regulation and control of the Civil Service.

Any other Act affecting the appointment, performance, discipline or dismissal of civil servants

Records relating to the terms and conditions of civil servants, and regulation and control of the Civil Service.

Carer’s Leave Act 2001 Records concerning carer’s leave taken by a civil servant.

Civil Partnership and Certain Rights and Obligations of Cohabitants Act 2010; Civil Registration Act 2004

Records relating to the registration of civil partnerships and any connected matters e.g. pensions.

Civil Service Regulation Acts 1956-2005 (CSRAs)

Section 17 of the CSRAs sets out that the Minister for Finance and PER is responsible for the regulation and control of the Civil Service, the classification, reclassification, numbers and remuneration of civil servants, the fixing of terms and conditions of service and promotion of civil servants.

Comptroller and Auditor General (Amendment) Act, 1993

All records subject to audit – this act gives the Office of the Comptroller and Auditor General the power to obtain any information that is required for the performance by the Comptroller and Auditor General of his functions.

Credit Union Act 1997 to 2012 Records concerning credit unions and connected purposes insofar as they relate to any civil servants personal data.

Data Protection Act 2018 Changes the previous data protection framework, established under the Data Protection Acts 1988 and 2003. Its provisions include giving further effect to the GDPR in areas where member states have flexibility.

Data Sharing and Governance Act 2019 Processing and sharing of information (including personal data) for the purposes of administering a public service pension scheme and for public policy purposes under Part 5.

1 Where associated regulations are made under any Act, these are to be included.

Page 11: Data Protection and hr in the civil service...5 Data protection guidelines for HR in the civil service vf January 2020 This distinction is important when considering Article 6(1)(b),

10

Data protection guidelines for HR in the civil service vf January 2020

Legislation1 Examples of records to which it applies

Defence Acts 1954 to 1993 (in respect of civilians recruited or appointed under the Defence Acts 1954 to 1993)

Matters relating to the employ of civilians into the Defence Forces.

Disability Act 2005 and associated regulations

Records relating to individual staff entitlements and request for access to reasonable accommodation.

Employment Equality Acts 1998-2015 Records relating to equality actions or entitlements of individual civil servants.

Employment Permits Acts 2003 and 2006

Records concerning employment permits for Non-EEA nationals.

Equal Status Acts 2000-2015 Records relating to compliance with equalities of opportunity under Employment Equality legislation.

Equality Act 2004 and Equality (Miscellaneous Provisions) Act 2015

Records relating to equal treatment in the workplace and any discrimination of an individual civil servant.

Ethics in Public Office Acts 1995-2001 Records of civil servants annual declaration/returns under the Act.

Family Law Act 1995, Family Law (Divorce) Act 1996 and associated regulations

Family law records, divorce records e.g. for Pension Adjustment Orders.

Freedom of Information Act 2014 Identified personal data records the subject of an FOI request.

General Data Protection 2018 A regulation in European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas.

Industrial Relations Acts 1946 - 2015 Records produced for inspectors under the Acts.

Maternity Protection Acts 1994 and 2004 and associated regulations

Records relating to benefits / entitlements of civil servants

Minimum Notice and Terms of Employment Act 1973 - 2005

Records relating to individuals on probationary or temporary contract.

Ministerial and Parliamentary Offices Act 1938 as amended

Records relating to remuneration of Members of the Government, Parliamentary Secretaries, the Attorney-General, and the Chairman and Deputy Chairman of Dáil Eireann and Seanad Eireann.

Ministers and Secretaries (Amendment) Act 2011

Data which is required for the performance of functions under sections 8(3), 9(1)(a), 10 or 17 of the Act.

National Archives Act 1986 A departmental record in section 2(2) of the Act is any record made or received and held in the course of its business by a department of state.

National Minimum Wage Act 2000 Such records as are necessary to show compliance with the Act’s provisions (payslips, etc.).

National Shared Services Office Act 2017

Functions of a public service body that may be delegated to the National Shared Services Office.

Official Secrets Act 1963 Declarations from civil servants relating to the safeguarding of official information.

Page 12: Data Protection and hr in the civil service...5 Data protection guidelines for HR in the civil service vf January 2020 This distinction is important when considering Article 6(1)(b),

11

Data protection guidelines for HR in the civil service vf January 2020

Legislation1 Examples of records to which it applies

Organisation of Working Time Act 1997: Records detailing the starting time, finishing time, hours worked each day, hours worked each week and leave taken by each civil servant, together with the name and address of each civil servant, the civil servant’s PPS number and a brief statement of the civil servant’s duties.

Parental Leave Acts 1998 – 2019 and European Union (Parental Leave) Regulations 2013: Records showing the period of employment and setting out the dates and times upon which the civil servant availed of parental leave and/or force majeure leave.

Paternity Leave and Benefit Act 2016 and associated regulations: Records relating to benefits / entitlements of civil servants.

Payment of Wages Act 1991: Records relating to the payment of gross pay and declaration of associated deductions to civil servants. Records relating to compliance with payment of wages and deductions and to defend any claim made against the employer under section 5.

Pensions Act 1990 as amended: Records relating to pensions and retirement.

Protection of Employees (Part-Time Work) Act 2001 and Protection of Employees (Fixed-Term Work) Act 2003: Records needed to determine that part-time and fixed-term employees have been given the same rights as full-time and permanent employees. Records of fixed-term staff engagement.

Protection of Employees (Temporary Agency Work) Act 2012: Records needed to determine that temporary agency workers are treated equally in relation to basic working and employment conditions.

Protected Disclosures Act 2014: Any records relating to a protected disclosure.

Public Service Management (Recruitment and Appointments) Acts 2004 and 2013: Ministerial functions relating to matters for recruitment, eligibility criteria and promotion, etc.

Public Service Management Act 1997 (PSMA): The PSMA provides for the management structure to enhance the management, effectiveness and transparency of operations of Departments of State and certain other offices of the Public Service, and to increase accountability of civil servants.

Public Service Pensions (Single Scheme and Other Provisions) Act 2012 and associated regulations: Records concerning pension / superannuation deductions made, including records, calculations and documents relating to the value of benefits for civil servants.

Safety, Health and Welfare at Work Act 2005 (as amended) and associated regulations: Records relating to compliance with duties under the Act and records of accidents and dangerous occurrences in the workplace.

Social Welfare Consolidation Act 2005: Records relating to compliance with social welfare deductions, entitlements and returns for civil servants.


Superannuation Acts 1834 to 1963, Superannuation and Pensions Act 1976, Public Services Superannuation (Miscellaneous Provisions) Act 2004 and associated regulations: Records concerning pension / superannuation deductions made, including records, calculations and documents relating to the value of benefits for civil servants. Section 6 of the Superannuation Act, 1909 and Sections 6 and 7 of the Superannuation and Pensions Act, 1963 apply specifically with regard to severance payments.

Taxes Consolidation Act 1997: Records of tax payments made to Revenue, including records, calculations and documents relating to the value of benefits for civil servants.

Terms of Employment (Information) Acts 1994 - 2014: Written statement of the terms and conditions of employment.

Unfair Dismissals Acts 1997-2015: Records relating to individuals on probationary or temporary contract.

Article 6: Ground 4 – Processing of Personal Data – The Legitimate Interests Basis

Article 6(1)(f) permits the processing of personal data where the processing “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data …”. NOTE: this does not apply to processing carried out by public authorities in the performance of their official functions; therefore, for the purposes of this document for HR Units, the information below should be considered in the context of administering the “employment” relationship (“the Legitimate Interests Basis”).

The WP29 provided guidance on the correct application of this ground. It explained that, in order to be able to rely on this ground as the legal basis for processing:

“... the purposes of the processing must be legitimate, and the chosen method or specific technology with which the processing is to be undertaken must be necessary for the legitimate interest of the employer. The processing must also be proportionate to the business needs, i.e. the purpose, it is meant to address. Data processing at work should be carried out in the least intrusive manner possible and be targeted to the specific area of risk. Additionally ... the employee retains the right to object to the processing on compelling legitimate grounds under Article 14.

In order to rely on Article 6(1)(f) as the legal basis for processing it is essential that specific mitigating measures are present to ensure a proper balance between the legitimate interest of the employer and the fundamental rights and freedoms of the employees. Such measures, depending on the form of monitoring, should include limitations on monitoring so as to guarantee that the employee’s privacy is not violated. Such limitations could be:

- geographical (i.e. monitoring only in specific places; monitoring in sensitive areas such as religious places and for example sanitary zones and break rooms should be prohibited);
- data-oriented (i.e. personal electronic files and communication should not be monitored); and
- time-related (i.e. sampling instead of continuous monitoring).” [emphasis added]


Notes on how to apply the Legitimate Interests Basis:

This ground may be relied upon as the legal basis to support processing activities that are carried out in pursuance of the legitimate interests of the department/office.

Examples of scenarios where legitimate interest will form the legal basis for processing include:

- Processing and retaining HR records for statutory retention periods;
- Processing and retaining HR records to pursue the working relationship;
- Retaining HR records beyond any statutory retention period so as to ensure that the department/office is in a position to defend any legal action that might be commenced by a current staff member, or former staff member following termination of employment; and
- Monitoring in the workplace.

The correct application of this test involves three steps. In order to help you to understand how to apply the test, we have applied it to a fictional scenario whereby an organisation is concerned about the security of its staff and visitors in circumstances where its building is located in an area experiencing a high level of anti-social activity. The building itself has never been broken into and is not believed to be at risk of being broken into; the anti-social activity in question comprises several incidents of mugging/assault by gangs of delinquent youths operating in the area. The organisation wishes to install a CCTV system to address the issue. In these circumstances, the three-step test may be applied as follows:

1. Identify the legitimate interest in question: in the scenario outlined above, the organisation wishes to ensure the safety and security of staff and visitors attending at its premises. It is clear that the anti-social activity taking place in the area gives rise to concern for the safety of individuals attending at the organisation's building. In these circumstances, it can be said that the organisation’s wish to ensure the safety of its staff and visitors is legitimate.

2. Identify the measure that the organisation proposes to implement for the purposes of meeting its objective/legitimate aim AND assess whether the measure is necessary for the purpose of meeting the objective: in the scenario outlined above, the organisation is considering the installation of a CCTV system outside and inside its building. The organisation is satisfied that the installation of CCTV cameras outside the building is necessary for the purposes of ensuring the safety of staff and visitors. It is unlikely that the installation of CCTV cameras inside the building will help to achieve the organisation's aim, given that the risk of the building being broken into is low. For this reason, the organisation cannot assert that the installation of interior cameras is necessary for the purposes of achieving its aim.

3. Assess whether the measure is proportionate to the objective/legitimate aim AND assess the impact of the measure on the fundamental rights and freedoms of individuals that will be affected by the measure: in the scenario above, the organisation must consider whether the installation of CCTV cameras outside and inside its building is a proportionate response to its objective. While it is clear that cameras outside the building will have a deterrent effect on anti-social behaviour and will almost certainly help to protect staff and visitors entering/exiting the building, the same cannot be said about cameras inside the building.

Addressing the second part of the third step of the test, the organisation must consider the impact that the installation of an external CCTV system will have on the fundamental rights and freedoms of individuals that will be affected by the measure. It is clear that the installation of a CCTV system will impact the privacy rights of staff and visitors to the building as well as members of the public that will be recorded as they pass by the building. Given that the measure will have an impact on individuals' right to privacy, the organisation must then consider if there is anything it can do to minimise the negative impact. The organisation decides that it can minimise the impact of the CCTV system by ensuring that individuals are made aware of the system and how their personal data will be processed by the use of clear signage. These signs will be located both inside and outside of the building, and will notify individuals of the existence of the cameras and advise how individuals can find out more about how their personal data will be processed (that information to be set out in an appropriate privacy policy which will be accessible on the organisation's website and contained in the staff handbook).

At the conclusion of the process, the organisation should have established:

(i) that it has a legitimate interest in seeking to protect the safety and security of individuals attending at its premises;

(ii) that the installation of a CCTV system outside the building is necessary for the purposes of achieving that aim (but that the installation of such a system inside the building is not); and

(iii) that the installation of a CCTV system outside the building is a proportionate step for the purposes of meeting the aim and that, while the system will impact on the privacy rights of others, any negative impact can be minimised by the use of clear signage and an appropriate privacy policy.

It is important to remember that individuals have a right to object to processing where the processing is based on the Legitimate Interests Basis. A department/office receiving such an objection is not obliged to stop processing on foot of such an objection; rather it is obliged to consider the request, taking account of the specific concern (if any) raised by the individual in question, in light of the three-step test above. If the activity in question still satisfies the three-step test, the department/office is entitled to continue processing. If not, the processing activity must stop.

Finally, it should be noted that the Legitimate Interests Basis does not apply to processing operations “carried out by public authorities in the performance of their tasks”. In order to identify whether or not a public organisation can use the Legitimate Interests Basis, it is necessary to consider the task or function which the organisation was established to perform. Where the processing activity concerns the performance of the task/delivery of the organisation’s function, the Legitimate Interests Basis should not be relied upon. The Legitimate Interests Basis can only be applied to processing operations that are secondary to the organisation's function. Taking the example of a public body whose statutory function is the delivery of illness benefit to members of the public, that organisation cannot rely on the Legitimate Interests Basis when providing illness benefit services; on the other hand, it is not the organisation’s function to employ staff – this function is ancillary to the organisation’s statutory task/function and, for this reason, the Legitimate Interests Basis may be considered in the context of certain processing activities relating to staff data.

The legitimate interest ground may be relied upon as the legal basis for processing operations carried out:

(i) in the context of recruitment, for example, processing (i.e. receiving, copying, reviewing and storing) of job applications, references, CVs and interview notes; and

(ii) for the purposes of administering the working relationship, for example, processing “onboarding” information such as emergency contact details; processing payroll data such as details of salary, PPS number, P45 and P60; processing of personal data for the administration of pension benefits including date of birth, civil and family status, instructions to pensions provider; processing data relating to the individual’s performance at work and many of the processing activities that are required for the purposes of administering the employment relationship.


Ready Reckoner: Basis for Processing

Processing of Personal Data – Article 6 Legal Basis: Essential Requirements

Article 6(1)(a): the Consent Basis
- Purely voluntary scenario
- Individual will not suffer any detriment, adverse consequence or otherwise be deprived of a benefit if he/she refuses to consent
- Consent must satisfy the five elements
- Organisation must be able to stop processing if the individual subsequently withdraws consent
- Consent must be recorded in writing and managed
This basis will have very limited use in the processing of HR data.

Article 6(1)(b): the Contract Basis
- Processing must be necessary
  o for the purposes of taking steps at the request of the individual prior to entering into employment; or
  o for the purposes of administering the contract of employment
As this is a “contract” basis, it is not advisable to use it for civil servants’ HR records.

Article 6(1)(c): the Legal Obligations Basis
- Processing must be necessary for the purposes of compliance with a legal obligation to which the organisation is subject
- The legal obligations must be set out by EU or Irish law

Article 6(1)(f): the Legitimate Interests Basis
- Processing must be necessary
- Apply the three-step test
- Remember to consider the impact on individuals – is it possible to mitigate any negative impact?
- Does not apply to processing carried out by public bodies in the performance of their tasks
Can be used for civil service HR records as this processing is ancillary to the body’s tasks.


Processing of Special Category Data (Article 9)

Article 9: Ground 1 – Processing of Special Category Data – The Explicit Consent Basis

Article 9(1) prohibits, subject to limited exceptions or grounds, the processing of special category data. Article 9(2)(a) sets out the first ground, i.e. where the individual “has given explicit consent to the processing of his/her personal data” and where this processing is “for one or more specific purposes”. This ground cannot be relied upon, however, where Union or Member State law (e.g. the Irish Data Protection Act, 2018) provides that the prohibition on processing of special category data may not be lifted by the individual’s explicit consent in that particular circumstance (“the explicit consent basis”).

Notes on how to apply the Explicit Consent Basis:

Please see the notes in relation to the use of consent in the Article 6 section above; those comments apply equally to reliance on explicit consent as the legal basis for the processing of special category data. Consent as the legal basis for processing should be avoided within the employment relationship. An example of a situation where consent would be an appropriate legal basis for processing is a scenario whereby a department/office facilitates a “flu vaccination” programme at work. In order to participate in the programme, the department/office will need to process limited information concerning participating individuals’ medical histories. Participation is voluntary and individuals not wishing to participate will not suffer any detriment or adverse consequence in the context of their employment or career progression.

Article 9: Ground 2 – Processing of Special Category Data – The Legal Obligations Basis

Article 9(2)(b) permits the processing of special category data where the processing is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject” (“the Legal Obligations Basis”).

Employers can process special category data where there are specific obligations or they have specific rights to the data (as per Article 9(2)(b) of the GDPR). For the civil service, such obligations and rights arise under the Civil Service Regulation Acts, 1956-2005, the Public Service Management Act, 1997 and the Public Service Management (Recruitment and Appointments) Act, 2004 together with Section 46 of the Data Protection Act 2018, which gives further effect to Article 9(2)(b) of the GDPR regarding processing for employment purposes.

Notes on how to apply the Legal Obligations Basis:

This ground may be relied upon as the legal basis to support processing activities that are carried out for the purposes of:

(i) carrying out any obligations imposed on the department/office by law, or
(ii) granting the individual his/her legal rights and entitlements.

Examples of scenarios where legal obligations will form the legal basis for processing include:

- medical certificates for the purposes of Section 86 of the Organisation of Working Time Act 1997 (as amended), and
- communications with the Office of the Chief Medical Officer (CMO) in relation to the provision of reasonable accommodation to an individual with a disability.


It is important to remember that the legal obligations basis will apply to the processing of any type of special category data, and not just medical data.

It is also crucial to remember that the legal obligations basis only permits the processing of special category data where it is necessary to achieve the stated purposes. This means that consideration must be given, on each occasion, as to the extent of data that needs to be processed so as to meet the legal obligations/entitlement in question. Taking the example of Section 86 of the Organisation of Working Time Act 1997 (as amended), this piece of legislation permits a staff member to continue accruing annual leave entitlements if he/she is absent from work by reason of certified sick leave. A department/office could rely on the obligations/entitlement imposed/granted by Section 86 to collect medical certificates from staff who are absent from work as a result of certified illness/injury. The obligations/entitlement, however, is not dependent on the individual suffering from a particular illness or injury; it merely requires an individual to be certified as unfit for work. For this reason, an employer is entitled to collect data that confirms the fact that the individual is medically certified as unfit for work; the employer, however, is not entitled to collect data relating to the nature of the illness/injury itself.

Similarly, while an employer is obliged, by reason of Section 16 of the Employment Equality Acts 1998 – 2015, to consider the implementation of appropriate measures for the purposes of reasonably accommodating an individual with a disability, this does not necessarily mean that the employer has an automatic right to access the individual’s medical records or to know the individual’s medical status. Applying the data minimisation principle, the employer must consider the extent of processing that is "necessary" for the purposes of achieving compliance with its obligations. In the context of the obligation to provide reasonable accommodation for a disability, it is the assessing doctor who will be responsible for considering the individual's disability and what measures, if implemented by the employer, would be likely to best assist the individual’s return to work/ability to participate in the workplace. In these circumstances, it is not necessary for the employer to elicit information from the individual about the nature of his/her medical condition; the individual should simply be referred for medical assessment and the assessing doctor should return recommendations as to the options that the employer should consider, in the context of reasonable accommodation. For example, an employer can provide an accommodation in the form of a standing desk without knowing if an individual has a neck problem, back problem or some other injury/illness that necessitates the use of a standing desk.

The same considerations apply to the routine collection of medical information from staff who are absent from work on sick leave. Medical information should not be sought from individuals in circumstances where an employer does not have a legal basis to process that information. Unless there is a legal obligation/entitlement to collect medical information, for example, the legal obligation to keep individuals safe at work under the Safety, Health and Welfare at Work Act 2005, then HR Units should not collect such information.

Where information in relation to an individual’s medical condition is received (as can occur where an individual has furnished a medical certificate that identifies the nature of the illness/injury), the employer will need to consider if it has a legal basis, such as under Section 86 of the Organisation of Working Time Act 1997, to hold that information. There are certain medical conditions that, when brought to the attention of an employer, will give rise to obvious concern. For example, if an individual reveals that he/she has been diagnosed with epilepsy, an employer will naturally wish to record that information on the individual's personnel record so as to ensure that the person is not placed in an environment or asked to perform tasks that could trigger a seizure. In these circumstances, an employer could rely on the obligations imposed by the Safety, Health and Welfare at Work Act, 2005 to collect and hold the information in question. Consideration will need to be given as to how much information is actually required in each particular case.


In respect of processing special category data between departments/offices within the civil service, this should only be done if the department/office needs the information to carry out an obligation or if it has a right to it. A practical example of this is in the case of the Mobility Scheme, where departments/offices are seeking to have access to the health records of employees to make a joint decision about whether an employee can transfer to their department/office, on the basis of:

(a) the person’s capacity, and
(b) whether the reasonable accommodation can be provided if required.

This is a requirement under the Employment Equality Acts and such processing accords with Article 5(1)(c) of the GDPR where data to be processed is adequate, limited and relevant. Any processing which involves the sharing of data between related employers must comply with the data protection principles laid down under Article 5 and must comply with transparency obligations laid down under Articles 12 to 14 of the GDPR.

Article 9: Ground 3 – Processing of Special Category Data – The Legal Defence Basis

Article 9(2)(f) permits the processing of special category data where the processing is “necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity” (“the Legal Defence Basis”). Section 46 of the Data Protection Act 2018 gives further effect to Article 9(2)(b) of the GDPR regarding processing for employment purposes.

Notes on how to apply the Legal Defence Basis:

The legal defence basis may be relied upon as the legal basis to support processing activities such as the disclosure of an individual’s medical records to a firm of solicitors, where necessary, for the purposes of defending legal proceedings brought by an individual.

Article 9: Ground 4 – Processing of Special Category Data – The Occupational Medicine Basis

Article 9(2)(h) permits the processing of special category data where “the processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the individual, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to a contract with a health professional and subject to [the processing taking place by/under the responsibility of a professional subject to the obligations of professional secrecy under Union or Member State law]” (“the Occupational Medicine Basis”).

Notes on how to apply the Occupational Medicine Basis:

It is important to remember that this basis requires the processing to be both “necessary” and taking place “by/under the responsibility of a professional subject to the obligations of professional secrecy". This means that the application of this basis will be somewhat limited in an employment context and it will only apply to the processing of medical data. The circumstances which might require reliance on this basis are unclear; it is likely that any processing of special category data, including medical data, in the workplace will be based on Article 9(2)(b) above. Reliance on this ground appears to be limited to those subject to an obligation of professional secrecy such as doctors.


Ready Reckoner: Basis for Processing

Processing of Special Category Data – Article 9 Legal Basis: Essential Requirements

Article 9(2)(a): the Explicit Consent Basis
- Purely voluntary scenario
- Individual will not suffer any detriment, adverse consequence or otherwise be deprived of a benefit if he/she refuses to consent
- Consent must satisfy the five elements
- Organisation must be able to stop processing if the individual subsequently withdraws consent
- Consent must be recorded in writing and managed

Article 9(2)(b): the Legal Obligations Basis
- Processing must be necessary
  o for the purposes of carrying out an employer's legal obligations; or
  o for the purposes of enabling the data subject to avail of his/her legal rights and entitlements
- The legal obligations/entitlement must be set out in EU or Irish law

Article 9(2)(f): the Legal Defence Basis / Section 46 of the Data Protection Act 2018
- Processing must be necessary for the purposes of establishing, exercising or defending legal claims

Article 9(2)(h): the Occupational Medicine Basis
- Processing must be necessary for the purposes of occupational medicine or for the assessment of the working capacity of a data subject
- There must be a basis in Irish or EU law to support the processing
- The processing must be carried out by/under the responsibility of a professional subject to the obligations of professional secrecy (e.g. a doctor)
- Check whether or not the processing is covered by the Legal Obligations Basis


Rights of individuals The GDPR enhances the existing rights of individuals as well as introducing some new ones. These rights

are set out in Articles 12 - 22 of the GDPR.

Article 12: Conditions applicable to the exercise of rights

Requests made under Articles 15 to 22 (as detailed below) must be complied with within one month of receipt of the request.

That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The department/office must inform the individual of any such extension within one month of receipt of the request, together with the reasons for the delay.

Where the request is received in electronic form, the response should issue in electronic form (unless otherwise requested by the individual). Otherwise, the information must be provided in writing. If requested by the individual, the information may be provided orally, provided that the identity of the individual is proven by other means. A written record of any such oral interaction should be retained so as to enable the department/office to demonstrate that it has complied with its obligations under the GDPR.

Information provided on foot of requests made pursuant to Articles 15 to 22 and any communication or actions taken must be provided free of charge. Where requests from an individual are “manifestly excessive”, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.

The organisation bears the burden of demonstrating the manifestly unfounded or excessive character of the request.

If the department/office has “reasonable doubts” concerning the identity of the requester, it may ask the individual to provide additional information, as necessary to confirm his/her identity. The statutory response time does not begin to run until the department/office has verified the identity of the individual.

If the department/office is not in a position to take the action requested by the individual, the department/office must inform the individual of this along with the reasons why the action requested cannot be taken. The individual must also be informed of his/her right to (i) lodge a complaint with the Data Protection Commission (DPC); and (ii) seek a judicial remedy.

Departments/offices may decide at a local level how they wish the internal process of responding to a request under Articles 15 to 22 to proceed (for example, who within the department/office manages the data gathering process and who manages the redaction process); however, these processes should always be carried out under the supervision of the DPO.

Articles 13 and 14: Right to be Informed

Individuals are entitled to be given the following information before any processing takes place:

1. the identity and the contact details of the data controller;
2. the contact details of the DPO (where applicable);
3. the purposes of the processing as well as the legal basis for the processing;
4. where the processing is grounded on the Legitimate Interests Basis, the individual must be informed of the legitimate interest in issue;
5. the recipients or categories of recipients of the personal data;
6. where applicable, the fact that the data controller intends to transfer personal data to a third country as well as the measures that will be implemented to ensure that the data is protected once it leaves the EEA;
7. the period for which the data will be stored (or, if that is not possible, the criteria used to determine that period);
8. the existence of the right to request access to and rectification or erasure of personal data or restriction of processing or to object to processing as well as the right to data portability;
9. where consent is the basis for processing, the individual must be informed of the right to withdraw consent at any time;
10. the right to lodge a complaint with the DPC;
11. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and of the possible consequences of failure to provide such data;
12. the existence of automated decision-making, including profiling, along with meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the individual.

Article 15: Right of Access

The GDPR reduces the timeframe for response from 40 days to one month (understood to mean 30 days). No fee shall apply unless the request is "manifestly unfounded or excessive, in particular because of its repetitive character", in which case a "reasonable" fee, based on the administrative cost, may be charged. Where the individual requests further copies of personal data that has already been provided to him/her, the organisation may charge a reasonable fee for any additional copies, based on administrative costs.

The right to access personal data is couched in the following terms:

“the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him/her is being processed, and, where that is the case, access to the personal data and the following information …” [emphasis added]

It is therefore clear that, as well as having an entitlement to access the personal data being processed, the individual also has the right to receive the following information:

1. the purposes of the processing;
2. the categories of personal data concerned;
3. the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the individual or the right to object to such processing;
6. the right to lodge a complaint with the DPC;
7. where the personal data is not collected from the individual, any available information as to the source of the data;
8. the existence of automated decision-making, including profiling, and meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the individual;
9. where the personal data has been/will be transferred to a third country/to an international organisation, the individual is entitled to be informed of the measure that will safeguard the data once it leaves the EEA.

The right to receive copies of one’s personal data shall not adversely affect the rights and freedoms of others. This means that the information should be reviewed and redacted, as required, including CCTV footage, so as to uphold the privacy rights of third parties that might be referenced in the documents, or images, that fall to be released to the individual.

Where required, the department/office may request the individual to furnish additional information/documentation so that the department/office can verify the individual's identity. The one month response period does not start to run until the identity of the individual has been verified.

Where the request concerns a potentially large amount of personal data, the department/office should consider writing to the requester to ascertain if he/she is looking for particular information, with a view to limiting the scope of the data covered by the request. An individual is not obliged to limit the scope of his/her request.

There is provision under the GDPR to extend the time by up to a further two months where the request is complex or particularly large in volume, the maximum time period being three months in total calculated from the date of receipt of the request. The proposal to extend should be notified to the individual within the first 30 days of receipt of the request with an explanation of the reason for the extension.

Article 16: Right to Rectification

An individual has the right to obtain the rectification or correction of any inaccurate data held by their employer. Taking into account the purposes of the processing, the individual also has the right to have incomplete personal data completed, including by means of providing a supplementary information statement containing the correct details.

Where an employer is satisfied that the personal data to which the request relates is inaccurate, the employer must rectify the data as soon as possible and in any event no later than one month after the date on which the request is made. It is important to remember that the right to rectification is not an absolute right; it only applies where the personal data in issue is either inaccurate or incomplete.

Article 19 requires the department/office to communicate any rectification of data to each recipient to whom the data has been disclosed (e.g. if the individual’s bank account details change, this should be communicated to the payroll function), unless this proves impossible or involves disproportionate effort. The department/office shall inform the individual about those recipients, if requested by the individual.

Article 17: Right to Erasure (‘Right to be Forgotten’)

An individual has the right to request the erasure of his/her personal data if:

1. the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, for example, if an individual changes the bank account they wish their salary to be paid into they may request their employer delete the previous bank account details;
2. the individual’s consent/explicit consent forms the legal basis for processing and he/she subsequently withdraws that consent (assuming that there is no other legal ground to support the processing), for example, if an individual provided health data for the purposes of a ‘Get Fit and Healthy at Work' programme and they have since left the programme they may request that this data be deleted;
3. the legitimate interests of the department/office form the legal basis for processing and the individual objects to the processing (assuming that there are no overriding legitimate grounds for the processing), for example, an individual might request that their image be deleted from CCTV footage;
4. the data has been unlawfully processed, for example, if an individual discovers that data obtained from their Facebook page is being stored on their HR file, they may request that this be deleted; or
5. the personal data must be erased for compliance with a legal obligation in EU or Irish law, to which the department/office is subject.

Again, the right to request the erasure of personal data is not an absolute one. The department/office is obliged to consider the request but is not obliged to delete the data unless the circumstances of processing fall into one of the categories outlined above. For example, if an individual requests that you delete all of their time and attendance records, this request should not be acted upon as the processing of this data is taking place on the basis of a statutory obligation under the Organisation of Working Time Act 1997.

Where the request is made and granted on the basis that the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed (as at point number 1 above), Article 19 requires the department/office to communicate the fact of erasure to each recipient to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort. The department/office shall inform the individual about those recipients, if requested by the individual.

If the department/office has already made the data public, prior to receipt of the request for erasure (and assuming that the request is valid), the department/office, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform other controllers which are processing the erased personal data that the individual has requested the erasure by such controllers of any links to, or copy or replication of, the personal data.

Article 17 provides that the right to erasure does not apply to certain situations, including where the processing is necessary:

1. for the purposes of exercising the right of freedom of expression and information;
2. for the purposes of compliance with a legal obligation which requires processing by EU or Irish law to which the department/office is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the department/office;
3. for the establishment, exercise or defence of legal claims.

Article 18: Right to Restriction of Processing

An individual has the right to obtain the restriction of processing where:

1. the accuracy of the data is contested by the individual – in this case, the processing must be restricted for a period so as to enable the department/office to verify the accuracy of the data;
2. the processing is unlawful and the individual opposes the erasure of the personal data but requests the restriction of its use instead;
3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the individual for the establishment, exercise or defence of legal claims;
4. the individual has objected to the processing (where the processing is grounded on the Legitimate Interests Basis) – in this case, the processing must be restricted for a period so as to enable the department/office to verify whether the legitimate grounds of the department/office override those of the individual.

As with the previous rights, the right to request the restriction of processing is not an absolute one. The department/office must consider the request but is only obliged to comply where the circumstances of processing are as outlined above.

Where a request for restriction is granted, the data in question must, with the exception of storage, only be processed with the individual's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a Member State.

Where an individual has been granted temporary restriction of processing pending consideration of a request (in the circumstances envisaged by numbers 1 and 4 above), he/she must be informed by the department/office before the restriction is lifted.

Article 19 requires the department/office to communicate any restriction of processing to each recipient to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort. The department/office shall inform the individual about those recipients, if requested by the individual.

Article 20: Right to Data Portability

Where the individual has supplied his/her personal data to the department/office in a “structured, commonly used and machine-readable format”, he/she has the right to receive that data back from the department/office or to transmit that data to another department/office without hindrance if:

1. the basis for processing was the individual’s consent/explicit consent or the Contract Basis; and
2. the processing is carried out by automated means.

Where the individual requests the transmission of the data to another department/office, he/she is entitled to have the data transmitted directly from the original department/office to another (where this is technically feasible).

It is important to remember that the exercise of the Article 20 right must not adversely affect the rights and freedoms of others. This means that redaction must be considered if the data in question also contains personal data pertaining to other individuals.

Article 21: Right to Object to Processing

An individual has the right to object, “on grounds relating to his/her particular situation”, to processing where the processing is grounded on the Legitimate Interests Basis.

Where such an objection is received, the department/office shall no longer process the data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims. As before, this is not an absolute right; where an individual refers an objection to the department/office, the department/office must consider the request but is not obliged to comply.

For example, a staff member may query the presence of CCTV in the workplace and seek to object to the processing of their personal data in the form of their image. In such circumstances, the department/office, if it wishes to keep processing the personal data using CCTV, must be able to demonstrate a legitimate interest in keeping the CCTV in place, for example, to ensure the safety of individuals while at work.

Article 22: Right not to be subject to a decision based solely on automated processing, including profiling

An individual has the right not to be subject to a decision based solely on automated processing (for example, psychometric testing), including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her. This right does not apply where the decision:

1. is necessary for entering into, or performance of, a contract (not applicable to civil servants) between the individual and the department/office, for example the employment contract, or in the case of the civil service, the application of the legislation, circulars and guidelines governing the management of the “employment” relationship (provided that suitable measures have been implemented to safeguard the individual’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the department/office, and the individual’s right to express his/her point of view and to contest the decision);
2. is authorised by EU or Irish law; or
3. is based on the individual’s explicit consent (provided that suitable measures have been implemented to safeguard the individual’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the department/office, and the individual’s right to express his/her point of view and to contest the decision).

Article 22 expressly prohibits decisions based solely on automated processing where the processing concerns special category data unless the processing is based on the individual's explicit consent and suitable measures to safeguard the individual's rights and freedoms and legitimate interests are in place.


HR Data Protection readiness

Audit of Data Processing Activities

Article 30 requires most organisations to maintain a record of the processing activities under their responsibility. That record must contain the following information:

1. the name and contact details of the organisation (and, where applicable, the name and contact details of the joint controller, the controller's representative and the DPO);
2. the purposes of the processing;
3. a description of the categories of data subject, for example, civil servants, applicants etc. and of the categories of personal data;
4. the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where the transfer is to a country outside of the EEA that is not subject to an adequacy decision by the European Commission, the measure that will be used to protect the data once it leaves the EEA;
6. where possible, the envisaged time limits for erasure of the different categories of data;
7. where possible, a general description of the technical and organisational security measures in place to protect data being processed. Such measures may include:
(a) the pseudonymisation or encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

This record keeping obligation provides a useful starting point for any GDPR-preparedness exercise. The DPC has included a sample audit form on www.dataprotection.ie (please refer to Appendix 6 of these Guidelines). A separate audit sheet should be used for each category of individual (e.g. civil servants, service users/clients/customers and consultants/independent contractors).

A basic audit exercise would require you to take the following steps:

1. Decide the category of individuals under audit. For the purposes of this example, the audit will concern the civil servant category.
2. Document the categories of data that you might expect your department/office to collect, process and hold over the course of time. You may find it helpful to 'walk' through the lifecycle of the individual's relationship with your department/office, noting the different pieces of data that your department/office will collect, generate and process during the course of the relationship. Taking the civil servant category as an example, your department/office will probably collect and process civil servant data at the following stages of the working relationship:
(a) Pre-employment: including a job application, CV, correspondence to/from the individual, interview notes, pre-employment medical, etc.
(b) During the course of employment: including “on-boarding” information, contract of employment, payroll information, performance reviews, time and attendance records, sick leave records, grievance and disciplinary records, pensions data, etc.
(c) Post-employment: including a Form P45, references to potential employers on request, etc.
3. Having completed this exercise, then consider what personal data is being collected in each category of document. It is particularly important to assess any standard data-set collection, for example, an "on-boarding" form which, although a single document, collects a variety of different information such as the individual’s name, address, emergency contact details, bank account details, PPS number etc.
4. Next, document why your department/office collects/processes the categories of data in question. It is important to remember, at this stage of the exercise, that data may be used for a number of different purposes, e.g. time and attendance records might be primarily collected for compliance with the Organisation of Working Time Act; however, they might also be used for the purposes of calculating flexi-time entitlements and also for disciplinary purposes (where, for example, the individual is persistently late for work). It is essential to document all of the different ways in which the data might be used by your department/office.
5. The next step requires you to identify the individuals/categories of individual who will have access to the data in your department/office, e.g. the HR Department, the individual's line manager, a third party payroll provider, etc. Again, it is important to consider all scenarios where data might be processed for a number of different purposes. Where this is the case, you should document the different units, departments, companies or organisations that will have access to the data. It is particularly important, at this stage, to consider any external recipients of data. Where data will be passed to an outside organisation or company for the purposes of an outsourced function, for example, it is important to establish whether or not there is any risk of the data being further transferred outside of the country. Where this is likely to occur, you will need to have the third party identify the country to which the data will be transferred so that you can identify whether or not you need to consider taking particular measures as a result of the data leaving the EEA. This can be a particular risk where your organisation outsources storage functions to a cloud-based storage provider, in which case you will need to ask your provider to confirm the location of the relevant servers.
6. After this, you should document the periods of time for which your department/office stores each category of data.
7. Finally, as you go along, you should remember to make a note of any particular security measures that might be in place to protect personal data being held and processed by your department/office and by any third parties to which data will be transferred. Examples of such measures are set out above.


In order to ensure that the audit provides a complete and accurate picture of processing activities within the department/office, you might wish to consider asking for input from individuals working in different areas of your department/office, for example, line managers and members of your IT team. Involving others will help to ensure that you have documented everything relevant, and that you capture processing activities that take place outside of your knowledge. It will also enable you to identify whether or not processing operations are the same throughout the department/office, i.e. it will help you to identify any differences in processing operations that take place within the same function; for example, line managers might have different ways of recording and storing performance records for the staff under their remit. It is useful to revisit the document after a couple of days, as you may discover that you have left something out of the document.

Remember that data protection is an ongoing obligation. For this reason, it is important that you periodically review your data processing activities to ensure firstly that your records are up to date and secondly to identify any issues involving ‘scope-creep’, i.e. situations whereby data that was previously only processed for one specified purpose is now being processed for additional purposes.

Use the audit document to consider the data minimisation principle, i.e. ask yourself:

(a) if you really NEED to collect/process all of the data on the Audit Report;
(b) if each of the individuals with access to the data really NEEDS access to the data;
(c) if you really NEED to share the data with third parties (internal or external);
(d) if you really NEED to retain the data.

Remember the golden rule: do not process personal data unless you actually need to.

Additional Steps Once you have completed your audit, you may then wish to consider the following issues:

1. Have you reviewed your contracts, policies and procedures to check for references to consent as

the basis for processing? You may need to update these documents to refer to the correct legal

basis;

2. Have you updated your data protection policy? You can turn your audit report into a schedule

that you can attach to the back of your policy to help your department/office comply with its

transparency (information) obligations to staff;

3. Have you reviewed any sick leave policies to remove references to medical certificates seeking to

identify the nature of the illness/injury? Given the restricted circumstances in which a

department/office may legally process medical data, it is important that the department/office

moves from a position where it collects medical data by default to a position whereby it only

collects medical data where required to comply with a legal obligation;

4. What monitoring operations are in place within the department/office? It is likely that there will

be overt (e.g. CCTV, biometric time recording systems, etc.) and covert (e.g. security software on

IT systems) monitoring operations in place. You will need to ensure that such monitoring

operations are documented in a policy so that individuals know (i) that the monitoring is taking

place; (ii) what personal data will be processed by the monitoring operations; and (iii) any rules

in place so as to ensure that individuals can take steps to limit the circumstances in which their

personal data will be processed as part of any monitoring operations. Overt monitoring

operations can easily be addressed in the data protection policy however covert monitoring

Page 31: Data Protection and hr in the civil service...5 Data protection guidelines for HR in the civil service vf January 2020 This distinction is important when considering Article 6(1)(b),

30

Data protection guidelines for HR in the civil service vf January 2020

operations are more appropriately addressed in your department’s/office’s ICT/Acceptable Use

policy. Remember to inform staff if the department/office might use personal data collected

during the course of any particular monitoring operations as part of disciplinary proceedings;

5. Have you considered how you will meet your transparency (information) obligations to

individuals who are not staff, such as candidates for employment and independent

contractors/consultants? It is not always appropriate to rely on the department’s/offices general

privacy statement or the data protection policy to cover your transparency obligations to non-

staff such as those just identified. For this reason, you may wish to consider implementing short-

form policies to govern any processing activities that will take place in relation to individuals that

are neither staff nor clients/customers/service users;

6. Are there appropriate data processing agreements in place to govern the transfer of data to third

parties?

7. Have you established whether there is any risk of personal data being transferred outside of the

EEA? If so, have you decided which measure will be used to protect the data once it leaves the

EEA? Have you remembered to include this in the relevant privacy/data protection policies?

8. Have you trained all members of staff so that they know:

(a) what circumstances will constitute a data breach;

(b) how to avoid a data breach;

(c) the identity and contact details of the department’s/office’s DPO; and

(d) that they must immediately report suspected data breaches to the DPO.

9. Finally, you might wish to plan how you will continue to review and assess the effectiveness of your policies and procedures over time.


Subject Access Requests (SARs)

Under the GDPR, the individual shall have the right to obtain from the department/office confirmation as to whether or not personal data concerning him/her is being processed, and, where that is the case, the individual is given access to the personal data being processed, along with the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) the period for which data will be stored (or, if not possible, the criteria used to determine that period);

e) the existence of the right to request from the department/office rectification or erasure of personal data or restriction of processing of personal data concerning the individual or to object to such processing;

f) the right to lodge a complaint with a supervisory authority, i.e. the DPC;

g) where the personal data is not collected from the individual, any available information as to their source;

h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.

It is the responsibility of the organisation to process any SARs it may receive. Where data is being processed by a processor on behalf of a department/office, it is the responsibility of the department/office to contact the processor and gather the data being processed by the processor. In the event that the HR Unit receives a SAR, it should immediately notify the DPO that a SAR has been received, as well as the nature of the SAR, so that the DPO can make a decision on what actions to take. Assuming that HR Units are instructed to process the request, the deadline for response should be noted (one month, commencing on the date of receipt of the request by the department/office and verification of the requester’s identity). This timeframe still stands even in the case where you were not given the request to process until two weeks after the original date of receipt. A maximum two-month extension will be permitted where necessary due to complexity. If the HR Unit deems an extension may be warranted, such as where a request is manifestly unfounded or excessive, the HR Unit should consult directly with their DPO and the individual should be informed of the extension.

Please refer to Appendix 3 for an outline of the steps and procedures to be followed by HR Units in the event of receiving a SAR.

Where HR Units have reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the department/office may request the provision of additional information as being necessary in order to confirm the identity of the individual.

Where the individual makes the request by electronic means, and unless otherwise requested by them, the information shall be provided in a commonly used electronic form. In most cases, no charges can be made for SARs, unless the department/office can demonstrate that the request itself is manifestly unfounded or excessive (for example, repetitive).


For any further copies requested by the individual, the department/office may charge a reasonable fee based on administrative costs. Local HR Units in departments/offices should make SAR forms publicly available so that individuals can submit a SAR should they wish to do so – please refer to your own department’s/office’s DPO for a SAR form template.

Grounds for Refusal of a SAR

The department/office will have some grounds for refusing to grant a SAR, such as where a request is deemed manifestly unfounded or excessive. This decision will be the responsibility of the DPO. However, HR Units will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria. Advice should be sought from internal DPOs to clarify where and why a request may be refused.

Should the DPO decide not to process the request of the individual on valid grounds, the department/office shall inform the individual without delay and, at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with the DPC and the seeking of a judicial remedy.

How to Respond to a Request to Rectify or Stop Processing Data Records

The individual shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the individual shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. If an HR Unit receives a request for rectification from an individual, it should take reasonable steps to satisfy itself that the data is accurate and to rectify the data if necessary. The HR Unit should refer this request to their local DPO and aid him/her in processing the request. With the assistance of HR, the DPO will take into account the arguments and evidence provided by the individual. What steps are reasonable will depend, in particular, on the nature of the personal data and what it will be used for.

Should it be decided that no rectification will be conducted, the HR Unit should inform the individual without undue delay and within one month of receipt of the request about:

– the reasons action is not being taken;

– their right to make a complaint to the DPC; and

– their ability to seek to enforce this right through a judicial remedy.

In rare cases where consent from an individual is being relied upon to process data (such as voluntary subscriptions to various providers, e.g. credit union or social club deductions), individuals have the right to withdraw their consent at any time. Should anyone wish to withdraw their consent in such circumstances, it is of the utmost importance that the HR Unit immediately ceases the processing of data which relied upon this consent.

Note: This communication is not intended to replace or contradict guidance and approaches being used by individual departments/offices and HR Units in relation to the GDPR and Data Protection compliance. HR Units should work in collaboration with their DPOs and teams to ensure HR approaches are fully consistent with the wider organisational approach.

Where departments/offices consider that they may need specific legal advice on a particular issue relating to HR and Data Protection, they should contact their DPO in the first instance. HR may also contact the Civil Service HR Division at [email protected]


The templates attached in the appendix of these guidelines are indicative templates and are not intended to replace your interaction with your department’s/office’s DPO on the approach you are taking and its consistency with broader internal developments.


Appendix 1 – Fictional Scenarios

Scenario 1 – Mr. Burns

You receive a subject access request from Ed Burns, a long-standing staff member. Mr. Burns is due to retire next year and was just wondering what would happen if he made a subject access request. Given his length of service, you are apprehensive about the time it will take to process the request.

Question 1: What action do you take on foot of Mr. Burns’ request? Answer:

1. Firstly, notify your DPO (or the person that your department/office has decided will be responsible for co-ordinating responses to subject access requests).

2. Assuming that you are instructed to process the request, you should note the deadline for response (one month, commencing on the date of receipt, by the department/office, of the request). While the GDPR provides for a timeframe of one month, it is likely that this will be understood to mean a period of 30 days. Remember that the key date is the date on which the department/office received the request – you have one month (e.g. if the request is received on 29 June it must be responded to by 28 July) to respond from this date (this is the case even if you were not given the request to process until two weeks after the original date of receipt).

3. Review the request to ensure that you can identify the individual making the request. If, for example, Mr. Burns provided you with a different address to that recorded on your system, or if there are two Mr. Burns on your system and you cannot identify which one has made the request, you should ask for evidence of identity (e.g. a copy of a driving licence/passport, etc.). Note that the one month response period does not start to run until such time as you can identify the person making the request.

4. Review and assess the scope of data that has been requested by Mr. Burns. If the request is unlimited in scope, you should contact him with a view to ascertaining if he is looking for particular records - if so, he may be willing to reduce the scope of the request to a particular category of records. He is not obliged to narrow the scope of his request, but making this enquiry might save you considerable time and effort if he is only really looking for specific data.

5. Write to Mr. Burns, acknowledging receipt of the request and confirming what will happen next, i.e. that you will process the request and that you will provide him with copies of the data requested by X date. This step might help to avoid situations whereby, having heard nothing back, Mr. Burns contacts various individuals within the department/office for the purposes of following up on his request; by providing him with your name and contact details, he will hopefully direct any queries to you.

6. If, having considered the request, you are of the view that you will not be able to comply with the request within the prescribed one month period, you must write to Mr. Burns to explain this to him. This letter must issue within one month of receipt of the request and you must explain why you cannot comply with the request within one month of receipt (e.g. because the request is large in scope, either by reference to time or the volume of data requested). The letter should explain to Mr. Burns that you are going to extend the time for response to Y date (you can extend time by up to a further two months, the maximum time permitted being three months in total, calculated from the date of receipt of the request). NOTE: an extension of time should only be applied in exceptional circumstances, for example, if the extent of the personal data held on Mr. Burns is vast and the resources are not available to deal with the request within the month timeframe; it should not represent the default position.


Question 2: What steps do you take to process the subject access request? Answer:

1. Use your department’s/office’s audit report to identify the locations/’owners’ of the data being sought. Where necessary, liaise with appropriate members of staff (the HR department, Mr. Burns' line manager) to ensure that non-centrally stored data (such as emails) are reviewed and collected if relevant to the request.

2. Once all of the data covered by the request has been collated, you will need to review it so as to redact (remove/cover) personal data relating to third parties who have not consented to the release of their personal data to Mr. Burns and to remove any data that is covered by an exemption/exception. The GDPR provides for exemptions/exceptions in a very general sense - the precise nature of any exemptions/exceptions is set out in sections 42, 54 and 55 of the Data Protection Act 2018 (such exemptions/exceptions will include records created/processed for the purposes of defending legal proceedings/obtaining legal advice).

3. Once the data has been reviewed and is ready for release, you should prepare a cover letter to Mr. Burns, including the following information (which you can answer by reference to your audit document and data protection policy):

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) that Mr. Burns has the right to request the rectification or erasure of personal data or restriction of processing of personal data or to object to such processing;

(f) that Mr. Burns has the right to lodge a complaint with the DPC;

(g) where the personal data has not been collected from Mr. Burns, information as to the source;

(h) (where applicable), the existence of automated decision-making such as psychometric testing, including profiling and meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for Mr. Burns;

(i) where the personal data has been/will be transferred to a third country/to an international organisation, Mr. Burns is entitled to be informed of the measure that will safeguard the data once it leaves the EEA.

4. If Mr. Burns has made his request by electronic means, the data should be released by electronic means (unless Mr. Burns has requested otherwise). If the request was received in any other format, the information should be released in a manner that incorporates proof of delivery. It is important that you retain a record of what has been released to Mr. Burns, together with a copy of the request itself and a summary of the steps taken to process the request.


Having carefully reviewed the response to his subject access request, Mr. Burns contacts you again. He appears aggrieved at the fact that you are still holding records of disciplinary action that was taken against him 20 years ago and demands that you remove these records from his file. He also notes that you are maintaining continuing records of his time and attendance at work and directs that you cease collecting these records.

Question 3: How would you respond to Mr. Burns' request that you remove the historic disciplinary records from his personnel file? Answer:

1. As before, notify the department’s/office’s DPO (or the person that your department/office has decided will be responsible for co-ordinating responses to requests from staff).

2. Assuming that you are instructed to process the request, you should note the deadline for response (one month, commencing on the date of receipt, by the department/office, of the request).

3. Assuming that you are clear as to the identity of the requester (see above), review the request and ensure that you are in a position to respond to Mr. Burns within one month of receipt of his request. If you do not believe that you will be in a position to comply with this timeline, you may extend the time for response by a further two months (noting that the maximum time permitted for response is three months, from the date of receipt of the request). If an extension of time is required, write to Mr. Burns as detailed at point number 6 of the Answer to Question 1 above.

4. Assuming that no extension of time will be required, write to Mr. Burns to acknowledge receipt of the request, to confirm that you are the person dealing with the request and to confirm that you will respond within one month of X date (being the date of receipt of the request by the department/office).

5. Then consider Mr. Burns’ request (that the department/office erase the historic disciplinary records from his personnel file). You should firstly consult the department’s/office’s data protection policy and HR records retention schedule to identify the retention period for disciplinary records. The fact that the disciplinary action was taken 20 years ago does not necessarily mean that the records should be removed from the file - your department/office will have considered this and decided upon a position which will be reflected in its data protection policy/retention schedule. Assuming that the disciplinary records are being retained on the file in reliance on the Legitimate Interests Basis (so as to ensure that the department/office is in a position to defend any litigation that might be made by an aggrieved staff member/former staff member), it will be necessary to consider whether Mr. Burns' objection overrides the department’s/office’s legitimate interests. In order to assess this, the three-step test described in the section detailing the Legitimate Interests Basis above should be reapplied, incorporating any specific concerns raised by Mr. Burns (and if no specific concerns have been raised, incorporating the fact of his objection) into the final step. The department/office may well conclude that Mr. Burns’ objection/concerns do not override the department’s/office’s legitimate interests in retaining the records in question.

6. Assuming that the department/office has concluded that it has an overriding legitimate interest in favour of retaining the data, it will be necessary to write to Mr. Burns to advise him of this. The letter should confirm the legal basis for the retention of the records and identify the legitimate interest in question (i.e. the records are retained so as to ensure that the department/office is in a position to defend any litigation that may be made by an aggrieved staff member either during or following termination of employment). The letter should confirm that Mr. Burns' request was considered in light of this interest; however, the department/office has determined that it has an overriding legitimate interest in favour of the retention of the documents. The letter should also detail the measures taken to mitigate the impact of retention on individuals such as Mr. Burns (e.g. measures such as encryption, security and access protocols whereby access to the record is limited, the limitation of the retention period by reference to the legal options available to staff/former staff, the fact that the retention period is clearly set out in the data protection policy, etc.). The letter should finally advise Mr. Burns that he is entitled to (i) lodge a complaint with the DPC; and (ii) seek a judicial remedy. As before, a record should be retained of Mr. Burns’ request, the steps taken to consider the request and the response that issued to Mr. Burns.

Question 4: How would you respond to his request that you stop processing his time and attendance records? Answer:

1. See point numbers 1 – 4 above (it is not necessary to treat the requests separately if they are received in the same request - both requests can be addressed together).

2. Then consider Mr. Burns’ request (that the department/office cease processing his time and attendance records). As before, begin by consulting your department’s/office’s data protection policy. It is likely that time and attendance records are being processed in at least two different ways: they are initially collected and retained for compliance with the Organisation of Working Time Act (the Legal Obligations Basis); outside of the statutory retention period, the records are likely to be retained on the Legitimate Interests Basis (for the purposes of ensuring that the organisation is in a position to defend any litigation that may be made by an aggrieved staff member/former staff member). Mr. Burns' request cannot override the processing carried out on foot of the Legal Obligations Basis (i.e. the collection of the records and their retention for a period of three years). In relation to the further retention of the records in reliance on the Legitimate Interests Basis, it will be necessary to consider Mr. Burns' request by reference to the three-step test (see paragraph number 5 of the Answer to Question 3 above).

3. You should then draft a response to Mr. Burns, firstly explaining that the department/office is legally obliged to collect and retain his time and attendance records for a period of three years for the purposes of compliance with the Organisation of Working Time Act.

4. The letter should:

– explain that, in these circumstances, the department/office cannot grant his request that it stop processing this category of his personal data. Assuming that the department/office has concluded that it has an overriding legitimate interest in favour of retaining the data beyond the statutory retention period, it will also be necessary to advise Mr. Burns of this;

– confirm the legal basis for the retention of the records and identify the legitimate interest in question (i.e. the records are retained so as to ensure that the department/office is in a position to defend any litigation that may be made by an aggrieved staff member either during or following termination of employment);

– confirm that Mr. Burns' request was considered in light of this interest; however, the department/office has determined that it has an overriding legitimate interest in favour of the retention of the documents;

– detail the measures taken to mitigate the impact of retention on individuals such as Mr. Burns (e.g. measures such as encryption, security and access protocols whereby access to the record is limited, the limitation of the retention period by reference to the legal options available to staff/former staff, the fact that the retention period is clearly set out in the data protection policy, etc.);

– finally, advise Mr. Burns that he is entitled to (i) lodge a complaint with the DPC; and (ii) seek a judicial remedy. As before, a record should be retained of Mr. Burns’ request, the steps taken to consider the request and the response that issued to Mr. Burns.

Before you have a chance to formally respond to Mr. Burns, you receive a further subject access request from him. He explains that he wants to make sure that you have complied with his direction that you remove the historic disciplinary records from his file and cease processing his time and attendance records.

Question 5: How do you respond to Mr. Burns’ further subject access request? Answer:

1. As before, notify the department’s/office’s DPO (or the person that your department/office has decided will be responsible for co-ordinating responses to requests from staff members).

2. Assuming that you are instructed to process the request, you should note the deadline for response (one month, commencing on the date of receipt, by the department/office, of the request).

3. Assuming that you are clear as to the identity of the individual, review the request and ensure that you are in a position to respond to Mr. Burns within one month of receipt of his request. If you do not believe that you will be in a position to comply with this timeline, you may extend the time for response by a further two months (noting that the maximum time permitted for response is three months, from the date of receipt of the request). If an extension of time is required, write to Mr. Burns as detailed at point number 6 of the Answer to Question 1 above.

4. Assuming that no extension of time will be required, write to Mr. Burns to acknowledge receipt of the request, to confirm that you are the person dealing with the request and to confirm that you will respond within one month of X date (being the date of receipt of the request by the department/office).

5. Issue your letter to Mr. Burns, responding to his requests (as detailed in the Answer to Question 4 above).

6. Then consider how you wish to respond to his second subject access request. The department/office is entitled to (i) process the request in the normal way; or (ii) decide that the request is "excessive, in particular because of [its] repetitive character". Assuming that you determine that the request is excessive, you are entitled to either refuse to act on the request or charge a "reasonable fee, taking into account the administrative costs of providing the information".

7. You should write to Mr. Burns, advising him of your decision (to either refuse the request or to charge a reasonable fee for processing the request) and the reasons for the decision (i.e. the fact that he has only just been provided with copies of his personal data). As before, he should be advised of his right to (i) lodge a complaint with the DPC; and (ii) seek a judicial remedy.

8. If, having decided to charge a reasonable fee, Mr. Burns furnishes payment, you should then prepare a further copy of the data previously released to him and update it, as required, to take account of any processing that has taken place between the date on which the data was originally released and the date of receipt of the second data access request. Please see point number 3 in the Answer to Question 2 for details of the information that must be provided in the cover letter to Mr. Burns. As before, a record should be retained of Mr. Burns’ request, the steps taken to consider the request and the response that issued to Mr. Burns.

While drafting your letter of response to Mr. Burns, you receive a number of irritated calls and emails from colleagues – apparently Mr. Burns has been in contact with a number of different individuals, demanding to know why he has not yet received a response to his requests. He is threatening to take matters further if an immediate response is not forthcoming.

Question 6: What do you do now (after receiving a number of calls and emails from colleagues)? Answer:

1. Contact Mr. Burns to remind him that (i) you are the person with responsibility for processing his request, and (ii) you have already written to him to advise that he would receive a response within one month of X date. If possible, you should advise him of when you expect to be in a position to respond to his most recent request and you might wish to politely ask him to please be patient while you attend to his request. It might also be a good idea to remind him of your name and contact details so as to ensure that any further queries are directed to you. As before, you should retain a note of your interaction with Mr. Burns (by way of an attendance note if, for example, you contacted Mr. Burns by telephone).

Question 7: What action could you take to manage the expectations of staff in respect of any future subject access requests? Answer:

1. The best way to manage the expectations of individual staff members is to issue a letter upon receipt of the request, advising them that you are the person in charge of processing the request, providing your contact details and confirming what will happen next/when you expect to issue your response. In order to be effective, this letter should issue as quickly as possible following receipt of the request, but not before you have firstly notified the department’s/office’s DPO (or other appropriate individual) and assessed the scope of the request to ensure that you can deliver a response within one month of the date of receipt. By taking these preliminary steps, you will ensure that you can provide all of the relevant information to the individual, at the outset, in a single letter.

Scenario 2 – Mr. West

On the 5th January 2018, John West, a Clerical Officer working in a Department, had an accident in work and badly cut his hand on a piece of broken glass that had been carelessly thrown into the recycling bin. Mr. West was extremely distressed and his manager, who witnessed the incident, sent Mr. West immediately to Occupational Health to be reviewed, following which he completed a risk management form. Mr. West took four weeks off work to recover and, as a result, the incident had to be reported to the Health and Safety Authority (HSA).

In late February, Mr. West instructed his solicitor to commence a claim for compensation for his injuries through the Injuries Board, claiming for both his physical injuries and psychological trauma suffered as a result of his injuries. The State Claims Agency has been notified and a law firm has been appointed to act for the Department in the defence of the claim.

Yesterday, Mr. West attended at the department's offices to hand deliver a letter from his solicitor. While waiting to speak with his manager in the open-plan office, he observed an incident report relating to another civil servant on the desk of a member of staff. Having delivered his letter, Mr. West left the building. The staff member subsequently notices that the incident report she was working on has gone missing from her desk.

Question 1: What immediate action needs to be taken, by the member of staff, in relation to the missing incident report? Answer:

1. The staff member should immediately notify the department’s DPO so that the DPO can assess the breach and decide whether it is necessary to notify the DPC and/or any affected individuals. The DPO only has 72 hours, from the discovery of the breach, to establish the likelihood and severity of the resulting risk to the rights and freedoms of any affected individuals. If there is a risk, the DPO must report the matter to the DPC. If there is a high risk, the DPO must also notify the individuals affected. For this reason, it is crucially important that members of staff do not delay reporting breaches.

2. The staff member should then document as much information as possible about the

circumstances of the breach, for the purposes of assisting the DPO with his/her task. The

minimum information that the DPO will require is as follows;

(a) the circumstances in which the breach occurred;

(b) the nature of the data that has been lost (i.e. whether it is personal data or special category

data);

(c) the data in issue (e.g. names, information in relation to a medical condition, etc.);

(d) the number of individuals affected (i.e. the number of individuals referenced in the

document);

(e) any measures that had been taken to protect the data (i.e. confirmation of whether or not

the data was in pseudonymised form or in such form as does not permit the identification

of the individuals in question).


Question 2: What action could be taken by the department to prevent such an incident from happening again?

Answer:

1. The department should assess the circumstances in which the data was lost with a view to identifying what measures (if any) could be taken to prevent reoccurrence. In this scenario, the department might consider:

(a) transitioning to a ‘clean desk’ policy whereby members of staff are not permitted to leave documents containing personal data unattended on or around their desks;
(b) prohibiting the processing of incident reports in hard copy form; by moving to a soft copy system, this would easily allow members of staff to quickly lock their screens if they are called away from their desks;
(c) adjusting access controls in the building by restricting access to any area in which personal data is being processed;
(d) restricting the processing of certain types of records to a secure area, for example by requiring incident forms to be completed within the confines of the HR office;
(e) having all members of staff sign confidentiality agreements.

Earlier today, the DPC contacted the department regarding a complaint that it received from Mr. West. Mr. West’s complaint concerns his belief that personal information relating to him has been sent to the HSA and the State Claims Agency. He explained that he knows people working in both offices and that he would be deeply embarrassed at the prospect of them knowing his personal business. Mr. West asserts that he did not give his consent to the passing on of his information to either office and he claims that his rights under the Data Protection Acts have been breached. The DPC has requested that the department respond to the complaint.

Question 3: How do you respond to Mr West's complaint?

Answer:

1. You should prepare a letter explaining that Mr. West's consent was not the legal basis relied upon when his personal data was shared with the HSA and the State Claims Agency. You should explain that the department is legally obliged, by the Safety, Health and Welfare at Work (Reporting of Accidents and Dangerous Occurrences) Regulations 2016 (S.I. 370/2016), to report the incident to the HSA in circumstances where Mr. West injured himself at work and, as a result, was absent from work for more than three consecutive days. In these circumstances, the Department relied on the Legal Obligations Basis set out in Article 6(1)(c), in respect of the sharing of Mr. West's personal data, and Article 9(2)(b), in respect of the sharing of Mr. West's relevant special category data.

2. Turning to the sharing of data with the State Claims Agency, you should explain that this information was shared following receipt of correspondence from Mr. West's solicitor/the Injuries Board, notifying the department of Mr. West's intention to commence legal proceedings. In these circumstances, the department relied on the Legitimate Interests Basis set out in Article 6(1)(f), in respect of the sharing of Mr. West's personal data, and the Legal Defence Basis set out in Article 9(2)(f), in respect of the sharing of Mr. West's relevant special category data. You should also clarify that the legitimate interest being pursued, in respect of the department’s reliance on Article 6(1)(f), is the defence of legal proceedings.

3. You might also wish to enclose a copy of the department's data protection policy, for the purposes of demonstrating compliance with the transparency (information) requirement.


Appendix 2 – Questions and answers

Q. Does the department/office need consent to display photographs of staff (for example on the intranet organisation chart)?

A: With all processing of personal data, only processing which is strictly necessary should be carried out. If a staff member’s photograph is being used, there must be a legal basis for doing so – as for example where it is necessary for the purpose of a legitimate interest pursued by the employer. Individuals must be informed of the proposed use. In any instance where there is no legitimate interest or other legal basis, consent must be obtained.

Q. Does the department/office need consent from a candidate to contact a referee in relation to obtaining a reference, or is there another legal basis that can be relied upon?

A: You should only hold contact details for a referee where the details have been voluntarily provided by a candidate as part of a recruitment process. These details will only be handed over if the candidate is happy for you to use them. In these circumstances, there is a legal basis that can be relied upon to process reference information other than consent, i.e. Article 6(1)(f): the processing is necessary for the purposes of the legitimate interests pursued by the department/office.

Q. Is the department/office within its rights to request staff contact details and next of kin information?

A: The reason for collection would need to be made clear to the individual upon request of the information. For example, under the broad principle of ‘duty of care’ to individuals in the workplace, in the event of an emergency posing a threat to the individual member of staff, the department/office would have a legitimate interest in processing the contact details of the staff member or next of kin information.

Q. A person resigned from the civil service several years ago and had their pension contributions refunded. There is a personnel file which is being retained indefinitely. Is that correct? The same person also has a disciplinary file with a verbal warning on it relating to punctuality which is being retained indefinitely. Is that correct or should it be destroyed?

A: A personnel file, including disciplinary file, should be retained for seven years and six months post termination of employment. Records relating to pensions should be kept for a longer period. Records relating to the refund of pension contributions for former staff should be kept until 7.5 years after the latest date at which the person could have retired. This is in order to protect against an incorrect claim for pension.

Q. Is there any issue with assisting someone gaining access to their personal data outside of a formal data request?

A: It is safer to do so within the confines of the data protection legislation. The benefit of this approach is that you will be able to rely on a statutory obligation if it is ever queried why certain information was released.

Q. Do local HR files need to be kept along with the information held by the NSSO?

A: The NSSO holds the information on behalf of the employing department/office and as such another file is not necessary. By keeping a separate file in local HR, the employing department/office is doubling its risk of a data breach. However, departments/offices should check with the NSSO before proceeding with any changes. This only applies to records held by the NSSO. There will be many records held by Local HR and Local HR must be aware of where each type of record is held. Please note that no disposal of any records can take place without the authorisation of the Director of the National Archives.

Q. Once the retention period is up, can we start deleting/destroying records?

A: Not immediately – you must first consult your records retention schedule and the National Archives Act. You need to consider if the files, or any part thereof, need to be kept for transfer to the National Archives. No disposal of any records can take place unless individual departments/offices have sought and obtained a signed disposal authorisation from the Director of the National Archives.

Q. Do we need to keep the original record if a scanned copy is kept digitally?

A: This is a records management issue. Please consult your department’s/office’s Records Management policy.


Appendix 3 – Subject Access Request (SAR) HR Procedure

1. SAR Received by HR Unit –

The Right of Access is an important right for individuals. Individuals have the right to access their data being held and processed by HR units. This increases transparency and allows individuals to obtain information about the types and purpose of data being processed about them as well as verify that the information is accurate and up to date. In the normal course of events, HR will be obliged to respond to a SAR within one month of receiving the request. HR should without undue delay notify their DPO of the SAR.

2. Verify Identification –

Once HR have received a SAR, they will need to verify the identity of the individual and ensure that they are who they say they are. This is an important step as HR need to ensure that only personal data concerning the individual is provided in the SAR.

3. Data Identification –

HR needs to identify all forms of data they may process on an individual. In order to make the process more seamless, HR should determine if the individual is seeking a particular piece of information. Unnecessary workloads can be avoided should HR determine that the individual is only seeking a particular piece of data.

4. Data Location –

Due to the various services Civil Service HR and departments/offices use, HR must determine the location of the data being requested in the SAR. For example, data being processed on behalf of a department/office by CMO, PAS, NSSO, CSEAS, flexi system providers, OGCIO, OGP etc.

5. Data Collection – Request Data from Processors

It is the controller’s responsibility to process a SAR. Where data is being processed by a processor on behalf of a controller, it is the responsibility of the controller to contact the processor and gather the data being processed by the processor. HR should contact any relevant processors in order to process the request.

6. Extract and Redact –

Only data relating to the individual who made the SAR should be supplied. This means that, where necessary, HR may need to extract relevant information relating to the individual and redact certain sections of documents to ensure that the data protection rights of others are not being breached.

For electronic publishing of redacted documents, the following steps can be employed to ensure the document has been properly redacted:

   1. Print out the document that requires redaction.
   2. Cover (fully) the required text with a suitable (redaction) pen, or cut out the text for redaction from the printed document with a scissors (most reliable).
   3. Scan the redacted printout back into electronic form using a scanner.
   4. Open and review the scanned document on your computer to ensure the redacted text is not legible in any way. Try zooming into areas with redactions as part of your test.


7. Data Available –

Where the individual makes the request by electronic means, and unless otherwise requested by the individual, the information shall be provided in a commonly used electronic form. If HR are unable to or do not process the SAR they must notify the individual within one month of receipt of the request.

Under the GDPR it is the individual’s right to have their SAR processed within 30 days. If the individual is not happy with the process, he/she has the right to complain to the DPC (www.dataprotection.ie).


Appendix 4 – General Data Protection principles

Data Protection by Design and Default

The GDPR is essentially concerned with the right to privacy. It requires organisations to incorporate privacy "by design and default" into their operations. This principle is set out in Article 25 of the GDPR, which provides that:

“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of individuals.

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.” [emphasis added]

In order to achieve compliance with the above, organisations must implement appropriate protocols and practices so as to ensure that any data processing operations comply with the eight data protection principles.

Data Protection Principles

There are seven principles that organisations must adhere to when processing personal data relating to individuals. Those principles (which are similar to those already provided for in the Acts) are detailed in Article 5 of the GDPR as follows:

1. “Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the individual (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes … (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data are processed … (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Useful Terminology/Relevant provisions of the GDPR

It is useful to examine the terminology that you are likely to encounter when considering data protection matters. Article 4 of the GDPR sets out a list of relevant data protection terms. A selection of the most relevant terms, for the purposes of these Guidelines, is set out below:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘joint controller’ means where two or more controllers jointly determine the purpose and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under GDPR.

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘Data Protection Officer’ (DPO) means the mandatory designated officer where the processing of personal data is carried out by a public authority or body, except for courts acting in their judicial capacity.

‘Supervisory authority’ is responsible for monitoring the application of GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing. In Ireland the supervisory authority is the DPC;

‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

‘consent’ of the individual means any freely given, specific, informed and unambiguous indication of the individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

‘personal data’ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

‘restriction of processing’ means the marking of stored personal data with the aim of limiting the processing of that data in the future;

‘special category data’ means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

‘data protection impact assessment’ – where a type of processing, particularly using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
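Article 25 (quoted in Appendix 4) names pseudonymisation as an example of a technical measure, and the definition above requires that the "additional information" needed to re-identify a person be kept separately and under its own controls. The following is an added illustration of what that looks like in practice; it is not code from these guidelines or from Civil Service HR Policy. The staff records, the field names, the keyed-hash (HMAC-SHA256) scheme and the split between the released dataset and a separate re-identification store are all assumptions made for the example.

```python
"""Pseudonymisation with the re-identification data held separately.

Added illustration for the guidelines (not the guidelines' own code). The
staff records, field names and the HMAC-SHA256 scheme are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample HR records (fictional staff, not real data).
SAMPLE_RECORDS = [
    {"staff_id": "CS-1001", "name": "A. Example", "grade": "CO", "sick_days": 4},
    {"staff_id": "CS-1002", "name": "B. Example", "grade": "EO", "sick_days": 0},
    {"staff_id": "CS-1003", "name": "C. Example", "grade": "HEO", "sick_days": 12},
]

# Fields that identify a person directly; none may survive in the released set.
DIRECT_IDENTIFIERS = ("staff_id", "name")


@dataclass
class ReidentificationStore:
    """The 'additional information' of the GDPR definition.

    Kept apart from the pseudonymised dataset and under its own access control
    (for instance held by the HR unit, not by whoever analyses the data).
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)  # pseudonym -> direct identifiers


def make_pseudonym(key: bytes, staff_id: str) -> str:
    """Keyed hash of the staff identifier.

    A plain (unkeyed) hash would not do: staff numbers follow a small,
    predictable pattern, so the hash of every candidate could simply be
    precomputed and matched. With HMAC the secret key is required as well,
    and that key lives only in the separate store.
    """
    return hmac.new(key, staff_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list, store: ReidentificationStore) -> list:
    """Replace direct identifiers by a pseudonym; record the mapping in the store."""
    released = []
    for rec in records:
        pseudonym = make_pseudonym(store.key, rec["staff_id"])
        store.lookup[pseudonym] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        released.append({"pseudonym": pseudonym, **payload})
    return released


def reidentify(released_record: dict, store: ReidentificationStore):
    """Recover the identifiers; only possible with access to the separate store.

    Returns None when the store does not know the pseudonym (wrong key or
    a record that was never pseudonymised under this store).
    """
    return store.lookup.get(released_record["pseudonym"])


def contains_direct_identifiers(records: list) -> bool:
    """Release check: True if any direct identifier field survives in the data."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    store = ReidentificationStore()          # stays with HR
    released = pseudonymise(SAMPLE_RECORDS, store)   # goes to the analyst
    assert not contains_direct_identifiers(released)
    print(released)
    print(reidentify(released[0], store))
```

Two design points follow from the definition. The pseudonym is deterministic for a given key, so records about the same person can still be linked within the released dataset; reusing one key across unrelated purposes would therefore recreate a persistent linkable identifier, and a fresh store per purpose avoids that. And pseudonymised data is still personal data: a grade and a sick-leave count can single a person out in a small unit even without a name, so the released fields themselves should be reduced to what the purpose needs (the data minimisation that Article 25 pairs with pseudonymisation).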


Appendix 5: Data Checklist

Item 1. What type of data are you responsible for?
Answer: Personal / Non-personal / Both

Item 2. Can you identify all the personal data you are responsible for?
Do you know:
• Where it’s located?
• How to find it?
• If it’s classified and labelled correctly?
• How do you know this?

Item 3. What safeguards have you in place to protect the personal data that you hold?
Who has access to the personal data?
Do your access control lists need to be updated?
Do you have data on paper? Is the data filed/locked away safely when not in use?

Item 4. Do you/your staff practice a clean desk and locked screen policy?
Do you have accountability mechanisms in place to demonstrate this?

Item 5. Under the GDPR can you demonstrate that you will be processing your data lawfully?
Are you relying on a legal basis to process your data?
Do you collect only the data that is relevant for your purpose and no more?
Can you justify every piece of information you hold about a person if asked to do so?
Do your data requests meet the data minimisation/proportionality requirements?
What transparency (privacy) notices might you need (Articles 13 and 14 of GDPR)?
Do you know that you will need to inform your data subjects how their data will be used and to whom it will be disclosed?
Do you have an archive/destruction policy?

Item 6. Data subject rights to information
Are you aware that you need to provide information notices at data collection stage?
Do you know what type of information notice you need to provide?

Item 7. Are you familiar with the rights of data subjects to:
• Right to information?
• Right of access?
• Rectification?
• Erasure or restriction?
• Object?
and that these are qualified rights?

Item 8. When processing personal data, do you consider Data Protection by design and by default?
Have you policies/procedures in place?
Have you considered:
• Safeguards
• Minimisation
• Pseudonymisation

Item 9. Is your data safe?
Do you hold personal data in offsite storage?
Who are the key-holders/who has access?
Is this storage provided by a commercial company?
Do you inspect these premises, and the area in which your records are stored, on a regular basis?
Who has access to your onsite personal data?
Do your access control lists need to be updated?
Do you have data on paper? Is the data filed/locked away safely when not in use?

Item 10. Do you have a data retention policy for your area?
Can you demonstrate accountability for the implementation of the policy?
Do you regularly delete personal data when it is no longer required?
Do you understand that any deletion of records can only be undertaken once authorisation is obtained from the Director of the National Archives?

Item 11. Do you have section procedures in place to report data breaches under GDPR?
Are you/your staff familiar with the procedures for reporting a data breach?
Are you/your staff aware that data breaches must be reported to your Data Protection Officer as soon as the breach has been identified?

Item 12. Do you work with Remote Workers?
• If yes, do you need to change anything here, for example, restriction on the use of USB memory sticks/hard drives, encryption of sensitive data?

Item 13. Are you responsible for Subject Access Requests?
Can you readily access all the data?
Are you aware of the timelines involved?

Item 14. Do you have contract or processor agreements in place?
• Have you reviewed these to make sure they fully comply with the GDPR?
• Do they need to be updated?

Item 15. Do you receive data from an external source?
• Do you need to discuss transparency/privacy notices with that other source?

Item 16. Are your Memorandums of Understanding up to date?
Is there a signed copy of the MOU published on your website?
Do they need to be renewed?
Do you need to contact providers to ensure transparency notices are set up?

Item 17. Do you transfer employee data to third countries (non-EU countries)?
• Do you or will you use cloud computing?
• Do you need to conduct a Data Privacy Impact Assessment (DPIA)?

Item 18. Can you demonstrate accountability under the GDPR?
• How do you know?
• What procedures/policies have you in place?
• Do you need to set these up?
• Do you retain documentation to verify compliance?


Item 19. Security Incident/Data Breach
Taking into account all of the above, what damage could not closing the gap between where you are and where you should be cause your department/office?
Would the risk be: High / Medium / Low?

Item 20. Data Controller
Do you know who your Data Protection Officer is?
Do you have/require a Data Officer for HR/Employee Data?


Appendix 6 - Sample audit template