In this article, Eimear Boyle provides an overview of the derogations from the General Data Protection Regulation (GDPR) contained in the Irish Data Protection Act 2018 (DP Act 2018) that will apply to Irish HR professionals’ data processing activities.
Lawful Basis for Processing of Special Categories of Personal Data and Personal Data Relating to Criminal Convictions and Offences
Special Categories of Personal Data: In order to lawfully process special category (sensitive) personal data under the GDPR, it is necessary to have a legal basis. The DP Act 2018 (giving effect to Article 9 of the GDPR) provides legal bases for processing of special category personal data for a number of specific purposes. The following are examples of sections under the DP Act 2018 that HR practitioners should be aware of when considering how to lawfully process special category personal data, subject always of course to suitable and specific measures being taken:
- Section 46: When processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller (employer) or the data subject (employee) in connection with employment or social welfare law. This legal basis mirrors Article 9 (2) (b) of the GDPR and is, in our opinion, a sensible restatement by the DP Act 2018 of how practical the GDPR is; both recognise the clear need for employers to be able to process some special category personal data simply in order to comply with employment law.
- Section 47: Where processing is necessary for the purposes of providing or obtaining legal advice for legal proceedings or is necessary for the purposes of establishing or defending legal rights. Employment litigation more often than not requires the processing of some special category personal data, such as personal data revealing racial origin, ethnic origin or religious beliefs (for example, in alleged workplace discrimination cases) or health data (for example, in workplace personal injury cases). It is logical that HR professionals would be provided a legal basis in this regard in order to allow them to obtain legal advice and to best state their case.
- Section 50: Where processing is necessary and proportionate for insurance and pension purposes. This explicit legal basis was not included in the General Scheme of Data Protection Bill (May 2017) but is clearly set out in the DP Act 2018, much to the relief of those working in the insurance industry and to employers for the administration of benefits and their employee-related insurance policies.
- Section 52: Where processing is necessary for health-related purposes, including a specific stipulation for the assessment of the working capacity of an employee. Section 52 is another very practical legal basis that the DP Act 2018 simply calls out. It will hopefully be of comfort to HR professionals to know that they can continue to engage medical professionals to assess an employee’s fitness for work as normal (subject to any workplace-specific policies).
Criminal Convictions and Offences: Article 10 of the GDPR permits personal data relating to criminal convictions and offences or related security measures to be processed under the control of official authority or where it is authorised by national law. Section 55 (1) (b) of the DP Act 2018 outlines where such processing is permitted. Of note for HR professionals are the following:
- where the data subject has given explicit consent (except where EU or Irish law prohibits it);
- where the processing is necessary for the performance of a contract to which the data subject is a party; and
- for the purpose of legal advice, legal proceedings, defending or establishing legal rights.
Subject to additional considerations (and possibly restrictions) in respect of the processing of criminal convictions and offences personal data in the employment context, which are likely to be sector and role-specific, it is helpful to know that there are derogations under the DP Act 2018 that may be explored and, subject to careful case management, utilised.
In line with the legal basis for processing special categories of personal data, the processing of personal data in respect of criminal convictions and offences is subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects.
Suitable and Specific Measures Taken for Processing: Thankfully, Section 36 of the DP Act 2018 outlines the types of suitable and specific measures that may be employed in order to avail of the data processing described in this article, namely the processing of special categories of personal data and of personal data relating to criminal convictions and offences. These measures also apply where suitable and specific measures are required for other data processing activities.
Such suggested measures include:
- explicit consent from the data subject;
- access limitations and logging mechanisms in order to verify access to and prevent unauthorised consultation, alteration, disclosure or erasure of personal data;
- strict implementation of retention and erasure mechanisms;
- specific targeted training for those involved in processing operations;
- even where it is not mandatory, appointing a data protection officer; and
- pseudonymisation and encryption of personal data.
If you have any queries regarding the processing of employee data or any GDPR or e-privacy related issues please contact the team at Crowley Solicitors at 021 428 9560 or at GDPR@crowleysolicitors.ie
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.