The organisations being targeted include AIB and Bank of Ireland, Eircom, Bord Gáis, Electric Ireland and Abtran which provides call services for Irish Water.
Major chain stores include Dunnes Stores, Tesco, Marks and Spencer, Lidl and the Musgrave Group. The Commissioner is attempting to assess compliance with legislation on ‘Enforced Subject Access Requests’ by employers.
This is where someone is obliged by a potential employer or organisation to make an access request to a data controller under Section 4 of the Data Protection Acts. Section 4 gives individuals the right to obtain a copy of any information relating to them held by any entity or organisation and in an Enforced Subject Access Request the individual is then required by the potential employer or organisation to provide this information to them.
This procedure is wholly different to the legitimate vetting of individuals for certain roles, such as childcare. In a statement the DPC said that last year 11,219 access requests were made by individuals under section 4 of the Data Protection Acts to the Data Protection Processing Unit in the Garda Central Vetting Unit in Thurles.
The DPC said it considered these access request figures to be questionably high and is concerned that organisations who would not legitimately qualify to conduct a vetting check are instead turning to Section 4 of the Data Protection Acts to engage in “vetting by the back-door”.
“Worryingly, this request could potentially reveal a lot more sensitive data than a legitimate vetting check,” said the DPC.
Data Protection Commissioner Helen Dixon, said: “It is a clear abuse of the right of access for an employer to force a prospective employee to make an access request under Section 4 of the Data Protection Acts and to disclose the entire result. Such practices constitute a breach of the Acts as the consent given cannot be considered to be free.
“Enforced subject access has been an offence since last July, and I intend to vigorously pursue and prosecute any abuse detected in this area.
“In this regard, I will liaise with An Garda Síochána to identify any trends of concern in terms of the access requests made.”
The companies contacted have been given three weeks to respond to the Commissioner and follow-up inspections will be carried out.