At the moment, the Data Protection Acts 1988-2003 provide that employees have the right to request their employer (who are “data controllers”) to rectify, erase, or block personal data accessible by them if it is incomplete, inaccurate or not up to date.
Personal data includes an employee’s HR file, reference checks, medical information, details of accidents or other claims, information in investigation and disciplinary processes, redundancy or dismissal of the employee. There are restrictions preventing access by employees to certain data, for example information relating to investigating or detecting offences, and legally privileged information.
The European Court of Justice ruling in Google Spain, Google Inc. –V- AEPD and Gonzalez (C – 131/12) in 2014, said that Mr. Gonzalez could require the Google search engine to remove information linked to his name about the repossession of his home, some 16 years earlier. The Court said that individuals have the right to ask search engines or “data controllers” to remove links to personal information which is inaccurate, inadequate, irrelevant or excessive. This right of removal is subject to the right of freedom of expression and of the media.
This ruling has stirred up debate about what should be removed and whether individuals should be able to whitewash their reputations through the “right to be forgotten” and their right to do so where time has passed. Similar concerns arise for organisations when requests are made by employees to rectify, delete or block their personal data, where it relates to their HR file.
Employees “right to be forgotten” is strengthened in the new General Data Regulation which will be in force in 2 years’ time, and this provides:
- An employer is obliged to erase an employee’s personal data where requested without undue delay
- Employees will be able to supplement incomplete information held by an employer with a statement
- If the information to be removed under the “right to be forgotten” has been made public, an employer shall take reasonable steps (taking account of technology and cost) to require that links and copies are erased
Employees “right to be forgotten” is not unlimited and will be subject to:
- the right to freedom of expression
- the processing required by law, or in the public interest, or for public health
- archiving in the public interest or for historical, statistical and scientific reasons
- the establishment, exercise or defence of legal claims
An employee will have the right to restrict an employer from processing personal data, where its accuracy is being verified, or when it’s not necessary but is required for legal reasons, or if it is pending verification as to whether the grounds of the employer override the rights of the employee to rectify, erase or block the data.
The General Data Regulation allows fines of up to 4% of the annual worldwide turnover of a company who does not comply with the rights of employees “right to be forgotten”.
WHAT STEPS SHOULD AN EMPLOYER TAKE NOW?
- The organisation should review its Data Protection Policy to ensure compliance with “the right to be forgotten”.
- When a request to rectify, erase and block data is received by an employer, the request should be assessed on a case by case basis, as an employee’s right to rectify, erase and block data is limited.
- Relevant factors to be considered by an employer are the time that has passed, the reason for the retention of the information, its relevance, whether this is required for legal proceedings or other processes which are ongoing.
- The “right to be forgotten” request should be complied with within 40 days.
For further information and advice in relation to “The Importance of The Right to be Forgotten”, please contact Deirdre Farrell, partner, Amorys Solicitors firstname.lastname@example.org, telephone 01 213 5940 or your usual contact at Amorys.