Are you entitled to all data or just partial data in a personal info data request

lifeandtimes

Hi,

Just a quick question.

I heard from a friend that they had requested a data request from their employer under the 1998 and 2003 act for all info they have on them i.e. their contract(s), any hearing notes,hr interviews etc so was pretty detailed as possible. They work for a big company here but are outsourced with a vendor. Since they took up employment the vendor has changed 3 times

The current vendor came back to say as they are employed for nearly 10 years that the request would be too big and could they specific a time frame or what they want based on interactions with people. Needless to say they are a bit unsure what to do as they were specific on the information they wanted

So my question is,are you entitled to ALL data a company have on you (within the allowed requirments i.e. not providing personal info of someone else not in the request) or can a company say it's too big to process this request and make you pick specific times and/or pieces of data you want?

To me it sounds like a cop out as you would be required to pay the charge to get said data so you should be entitled to it all right?

GM228

lifeandtimes wrote: »

Hi,

Just a quick question.

I heard from a friend that they had requested a data request from their employer under the 1998 and 2003 act for all info they have on them i.e. their contract(s), any hearing notes,hr interviews etc so was pretty detailed as possible. They work for a big company here but are outsourced with a vendor. Since they took up employment the vendor has changed 3 times

The current vendor came back to say as they are employed for nearly 10 years that the request would be too big and could they specific a time frame or what they want based on interactions with people. Needless to say they are a bit unsure what to do as they were specific on the information they wanted

So my question is,are you entitled to ALL data a company have on you (within the allowed requirments i.e. not providing personal info of someone else not in the request) or can a company say it's too big to process this request and make you pick specific times and/or pieces of data you want?

To me it sounds like a cop out as you would be required to pay the charge to get said data so you should be entitled to it all right?

The Data Protection Act 1998 S4 (9)(a) allows that where there is a "disproportionate effort" required (finding 10 years data from different employers would probably require a disproportionate effort) a request for access can be denied which is essentially what they are doing.

They can simply refuse the request on the grounds stated, they don't have to ask you to narrow your request but they are being helpful by suggesting such. Nothing wrong with that.

Fred Swanson

This post has been deleted.

GM228

Fred Swanson wrote: »

You are entitled to all your data but you will have to pay their searching and printing costs. The fact it might take them a long time is neither here or there.

The Data Protection (Amendment) Act 2003 S5 (d) amended the 1998 Act to allow a refusal for requests which would involve disproportionate effort.

http://www.irishstatutebook.ie/eli/2003/act/6/section/5/enacted/en/html#sec5[/b]

lifeandtimes

Thanks for the replies.

From what this friend has told me they weren't looking for a massive amount of information and they said the company wouldn't have too much info about them other than contracts,a couple of hr interviews and maybe sick notes, I get the impression my friend feels they are being difficult due to ongoing issues with them and my friends role.

I've advised that maybe he could try and be more specific if possible to narrow it down so they wouldn't really be able to refuse

gizmo555

GM228 wrote: »

The Data Protection Act 1998 S4 (9)(a) allows that where there is a "disproportionate effort" required (finding 10 years data from different employers would probably require a disproportionate effort) a request for access can be denied which is essentially what they are doing.

The right to access one's data is a fundamental right under, for example, article 8 of the European Union Charter of Fundamental Rights. While you are correct that the "disproprtionate effort" exemption exists, in practice it is very narrowly interpreted.

If the OP's friend is unhappy with the employer's response, they can complain to the Data Protection Commissioner who will adjudicate on whether the refusal was justified or not. I would be very surprised if she considered a refusal to be justified just because the volume of data is large. The obvious question would be, why do you have so much data? The likely answer would be, in case we need it. And the probable response to that would be, if you're prepared to keep it for your own needs you have to be ready to provide a copy of it to meet the data subject's requirements. That's the responsibility an organisation takes on by keeping and processing personal data. Also, Fred is incorrect in his comment about the costs - regardless of the actual costs, the maximum fee chargeable is €6.35.

You do not have to narrow down your request and you can submit a request for all your data. A valid and good reason to do so would be to find out exactly what information an organisation has about you, if you're unsure. And people are often surprised by what they get!

Fred Swanson

This post has been deleted.

GM228

gizmo555 wrote: »

The right to access one's data is a fundamental right under, for example, article 8 of the European Union Charter of Fundamental Rights. While you are correct that the "disproprtionate effort" exemption exists, in practice it is very narrowly interpreted.

If the OP's friend is unhappy with the employer's response, they can complain to the Data Protection Commissioner who will adjudicate on whether the refusal was justified or not. I would be very surprised if she considered a refusal to be justified just because the volume of data is large. The obvious question would be, why do you have so much data? The likely answer would be, in case we need it. And the probable response to that would be, if you're prepared to keep it for your own needs you have to be ready to provide a copy of it to meet the data subject's requirements. That's the responsibility an organisation takes on by keeping and processing personal data. Also, Fred is incorrect in his comment about the costs - regardless of the actual costs, the maximum fee chargeable is €6.35.

You do not have to narrow down your request and you can submit a request for all your data. A valid and good reason to do so would be to find out exactly what information an organisation has about you, if you're unsure. And people are often surprised by what they get!

First thing to realise is neither the European Union Charter of Fundamental Rights or the Data Protection Directives give unlimited powers or rights. Infact the scope of the charter can be limited by law (as per the charter itself), and it is indeed limited by EU law in relation to data protection and the "disproprtionate effort" clause.

The clause which came about as a result of EU Directive 95/46/EC thrumps the general provision of Article 8 in circumstances where the balancing of rights and interests comes into play between the data controller and those who request their data based on the principle of proportionality and is in accordance with EU law. This has been confirmed by the courts in many countries and the ECJ itself.

lifeandtimes

GM228 wrote: »

First thing to realise is neither the European Union Charter of Fundamental Rights or the Data Protection Directives give unlimited powers or rights. Infact the scope of the charter can be limited by law (as per the charter itself), and it is indeed limited by EU law in relation to data protection and the "disproprtionate effort" clause.

The clause which came about as a result of EU Directive 95/46/EC thrumps the general provision of Article 8 in circumstances where the balancing of rights and interests comes into play between the data controller and those who request their data based on the principle of proportionality and is in accordance with EU law. This has been confirmed by the courts in many countries and the ECJ itself.

But where is the line drawn between acceptable amount of data vs disproportionate amount of data?

As an example it could be 10 years of data but could be no more than 10 pages but the length of time is considered disproportionate or it could have been data from a month of disciplinaires/hr hearings which amounts to a lot of data and therefore considered disproportionate as well but neccisary for the requester if they needed said data for anything.

It's a tough one and I haven't been in touch with my friend since but the whole thing was niggling at me so i thought I'd ask here

GM228

lifeandtimes wrote: »

But where is the line drawn between acceptable amount of data vs disproportionate amount of data?

As an example it could be 10 years of data but could be no more than 10 pages but the length of time is considered disproportionate or it could have been data from a month of disciplinaires/hr hearings which amounts to a lot of data and therefore considered disproportionate as well but neccisary for the requester if they needed said data for anything.

It's a tough one and I haven't been in touch with my friend since but the whole thing was niggling at me so i thought I'd ask here

The disproportionate exclusion does not apply to the amount of data or the timeframe, but rather the effort required to gather such, the test for which is based on the balancing of the rights and interests between the data controller and those who request their data based on the principle of proportionality.

The DPC can advise weather or not it is justified based on the specifics.

Victor

So, clock card entries from 10 years ago are needed. Which might be in a completely different format to the current files and can't be displayed easily?

gizmo555

GM228 wrote: »

First thing to realise is neither the European Union Charter of Fundamental Rights or the Data Protection Directives give unlimited powers or rights. Infact the scope of the charter can be limited by law (as per the charter itself), and it is indeed limited by EU law in relation to data protection and the "disproprtionate effort" clause.

Of course it's not unlimited. But, on the other hand, the employer does not have the final say on what is disproportionate. If the OP's friend is unhappy with the response, they should make a complaint to the Data Protection Commissioner. And because the right of access is a fundamental right, the employer will have to make a strong case for its refusal. In my view, merely saying in essence "you can't have your data because we have a lot of it" is not a strong case.

lifeandtimes

gizmo555 wrote: »

Of course it's not unlimited. But, on the other hand, the employer does not have the final say on what is disproportionate. If the OP's friend is unhappy with the response, they should make a complaint to the Data Protection Commissioner. And because the right of access is a fundamental right, the employer will have to make a strong case for its refusal. In my view, merely saying in essence "you can't have your data because we have a lot of it" is not a strong case.

Well after a quick chat with my friend he's of the mind set it's a deflection. He thinks the company don't actually have data from the previous 2 vendors he worked with before they took over and are using it as an excuse to try and push back. And even they did the data isnt a lot of information.
I don't know what to advise as if they don't have it and they should there isn't really anything he can do in my opinion or maybe they are using the fact they have to go through their own back catalogues as an excuse not to go through it?

Carawaystick

Victor wrote: »

So, clock card entries from 10 years ago are needed. Which might be in a completely different format to the current files and can't be displayed easily?

why would a data controller need those data anyway?

lifeandtimes

Carawaystick wrote: »

why would a data controller need those data anyway?

Not related to my query but surely it could be used as an alibi for someone in a serious case like murder etc

If they kept them logs about someone then that someone should have rights to them