Blog and News

Are firms illegally vetting job applicants?

Mike Morrissey - 08 June 2015

Enforced Subject Access Request

Enforced Subject Access Request

The Irish Data Protection Commissioner has stated that some firms are currently breaking the law by forcing applicants to access their garda files and personal information.

Currently data subjects are entitled to receive copies of information which data controllers have on them, known as a Subject Access Request.

However the term, "enforced subject access request" is where a person is obliged, possibly by an employer, to retrieve information on themselves on behalf of, or for the benefit of a third party.

This is now an offense under Irish data protection laws, and should be seen differently from a normal garda vetting process, which is a legal requirement for certain roles such as childcare and security.

"Vetting by the back door"

The Commissioner, Helen Dixon. believes certain employers have used this enforcement technique as a way of "vetting by the back door".

Last year there were 11,219 requests made to the Data Protection Processing Unit in the Garda Central Vetting Unit, which the Commissioner's Office believes is a "questionably high" amount.

Having spoken recently to the Irish Independent, the Office added, "This wasn't an offence until last year under the Data Protection Act, so we have only been looking at data for the last two or three years".

Requests

"We think that the number of access requests has been consistently high and we are aiming to increase public awareness of the practise.

"We don't want to put people off making requests, they are perfectly entitled to do so [but] it is difficult to see why 11,000 people would decide to make an access request.

"If you have had dealings with gardai, it is likely that you know yourself anyway. It is not something that people do without a reason".

The ODPC has written to 40 different companies to ensure they are complying with the law, and each organisation is given three weeks in which to reply with on-site audits to follow.

Previous Post

DPC to conduct review of apps and websites targeting children

Next Post

Lawful Processing Conditions (Sensitive Personal Data) - Irish Act

0 Comments