Data Protection—A Warning for Prospective Employers

Under the provisions of the Data Protection Acts 1988 and 2003 an individual may access personal data held about him by An Garda Síochána, by a request in writing or by completing a Data Protection Access Request. The written request or completed form is sent to the Garda Vetting Unit with the appropriate fee (€6.35) and a copy passport, birth certificate, driving licence or other identification. The data or information disclosed by An Garda Síochána is sent directly to the person involved for that person’s own personal use. It is not a Garda reference nor proof of no convictions – it is a copy of all personal data held by the Garda Authorities in respect of that person.
A practice has arisen with certain employers to require prospective employees, whom they are considering for employment, to make such an access request to An Garda Síochána under the Data Protection Acts and to furnish the information received to the employer. The employer obviously cannot access this information directly.
However, since the coming into force, on the 18th July 2014, of the Data Protection (Amendment) Act 2003 (Commencement) Order 2014, this practice has been outlawed. The new provision brings into force an earlier Section of the 1988 Act which makes it unlawful for employers to require employees, or applicants for employment, to make access requests seeking copies of personal data which is then made available to the employer or prospective employer. This provision also applies to any person who engages another person to provide a service.
Any employer or prospective employer who does so now commits a criminal offence and a maximum penalty of €100,000 may be imposed under this provision. It is vital, therefore, that no such request be made by any prospective employer.
Employers may request a prospective employee to complete a Self-Declaration form and a failure, for instance, to disclose criminal convictions there may permit the employer to withdraw an offer of employment or invoke the disciplinary procedure in the employee’s contract if it is discovered at a later stage that convictions were not disclosed. Of course, any such information gathered by the employer is highly sensitive and strict rules apply under the Data Protection Acts with regard to the handling and retention of such information to which employers should be alert, such as keeping the information secure and disclosing it only when appropriate and not retaining it for no longer than necessary. The area of Data Protection is a minefield for the unwary.
Formal Garda vetting is mandatory for certain employees, for instance those working with children or mentally impaired people. The National Vetting Bureau (Children and Vulnerable Persons) Act 2012, which will shortly come into force, makes it mandatory for persons working with children or vulnerable adults to be vetted by the Gardaí. In the light of recent shocking disclosures of the treatment of vulnerable persons in some institutions this legislation is shamefully long overdue.