Out-Law Analysis 4 min. read
11 May 2023, 2:26 pm
The Data Protection Commission has issued new guidance on records of processing activities (RoPAs) and data protection in the workplace.
In 2022, the Irish Data Protection Commission (DPC) conducted a sweep of the records of processing activities (RoPAs) of 30 organisations, across both the public and private sectors, to identify common issues and possible shortcomings. As a result, the DPC has now issued practical guidance on what it considers to be best practice for drafting a RoPA (17 pages / 2.49MB PDF) and has warned controllers and processors that it may carry out similar compliance sweeps in the future.
Article 30 of the General Data Protection Regulation (GDPR) requires most controllers and processors to maintain a RoPA and to make it available to the regulator on request. In its new RoPA guidance, the DPC noted that some of the organisations found it challenging to provide the DPC with their RoPA within the 10-day period requested by the regulator.
The DPC has highlighted that it can request a copy of a RoPA at any time and advised that 10 days should be sufficient notice for an organisation to provide it. It is therefore important that companies review the guidance issued by the DPC and ensure their RoPAs comply with that guidance and with the GDPR.
We regularly remind clients that having a compliant RoPA in place is a good way to demonstrate compliance with data protection laws. The DPC’s guidance now makes it clear that “if an organisation is unable to document its RoPA, it calls into question its understanding of the purposes for which personal data is processed and retained by the organisation, and the ways in which such data is processed.”
It is very helpful that the DPC has now provided examples of well-completed RoPAs, as well as practical information on what falls short of meeting the requirements for RoPAs under the GDPR.
A common theme throughout the guidance note is that the DPC encourages organisations to follow clearly defined processes when creating RoPAs. For larger organisations, it recommends that the RoPA be broken down into the different functions or business sectors so that processing activities are not missed. RoPAs should be treated as ‘living documents’ and should consequently be reviewed and updated on a continuous basis.
Nicola Barden, Senior Associate
The guidance also makes clear that organisations must not cut corners on detail and granularity. The DPC repeatedly notes that if an organisation includes links to inaccessible documents or fails to break down its business activities into different sectors or functions, there is a risk of processing activities being missed in its records.
The DPC highlighted practices that should be avoided when completing RoPAs, such as using acronyms and hyperlinking to other documents. Merely stating “in accordance with retention policy” or referring to internal documents that are not accessible is insufficient for the purposes of Article 30. As external legal advisors, we frequently see RoPAs which are difficult for us to interpret and which require further explanation or documentation to decipher. The DPC has encountered the same issues and has explicitly stated that controllers and processors should be mindful that a RoPA must be easy to interpret, and that organisations should avoid using their own abbreviations and including links to other documents.
The DPC guidance on data protection in the workplace (18 pages / 1.09MB PDF) helpfully provides guidance on various workplace data protection issues in one place, making it easy to follow and to digest. It follows previous guidance notes on some workplace data protection issues, such as the use of CCTV or employer vehicle tracking. This new guidance provides helpful information on the legal bases of the processing of employee data – health data in particular – as well as employer policies, monitoring and employee rights. It also provides practical examples.
The DPC has provided some helpful examples of what might be considered personal data and in what circumstances, which many businesses struggle with when faced with a data access request from an employee. For example, the DPC has clarified that the content of a commercial or business email signed off by an individual in their professional capacity is unlikely to constitute their personal data. In the context of a data subject access request from an employee, employers must assess the content of their business emails in order to ascertain if the content includes the personal data of the employee.
The DPC recommends that employers put in place an Occupational Health Policy that allows employers and employees to engage with medical practitioners to ensure the employee’s fitness to work, where necessary.
The DPC’s guidance also contains useful commentary on the 2022 Data Protection (Access Modification) (Health) Regulations. Under the 2022 Regulations, employers no longer need to consult with a medical practitioner before providing health data to the employee in response to a data subject access request. The data controller can exercise discretion where they have “reasonable grounds for believing that granting access to the health data concerned would be likely to cause serious harm to the physical or mental health of the data subject”.
This discretion only applies to the part of the data that may be “likely to cause serious harm”, and the rest of the personal data must be released to the data subject unless the controller is relying on another lawful exception. Employers are still free to consult a medical practitioner if they wish to do so, but this data must be pseudonymised and they can only disclose the data of concern.
While it has previously been considered good practice for employers to provide their employees with an acceptable use policy, the DPC has stated that it now expects organisations to implement such a policy and to inform their employees about it. This should clearly set out an employer’s policy regarding whether and how business emails and systems may be used for personal reasons, as well as the employer’s policy on internet usage in the workplace.
The DPC also provided some helpful guidance on how it expects employers to think about their data retention periods. The example retention periods it gives align with market practice, but it is helpful to see them set out in the guidance.
Co-written by Isabel Humburg of Pinsent Masons.