
Case Name And Reference: Case Study 16: Employee obtains data from customer file for his own use [2010] IEDPC 16
Source: Data Protection Commissioner
Subject Matter: The impact of Data Protection legislation on Irish Employers
Employers need to be mindful of the implications of the Data Protection Act within the workplace. Any employer established in Ireland is a data controller for the purposes of the Irish Data Protection legislation as they collect and control personal data about their employees during the course of the employment relationship.
Facts
An insurance company employee telephoned the complainant accusing him of scratching his car while parking in the grounds of a University. The complainant was informed by the caller that he had noticed the car was insured with a particular insurance company and as the caller was employed by that insurance company, he was in a position to source the complainant’s contact details from the company system.
Determination
The Data Protection Commission’s findings can be summarised as follows:
A. All data controllers can only keep personal data for specified, explicit and lawful purposes and are only permitted to use the data in ways compatible with these purposes.
B. The message that customer personal information can only be accessed on a “need to know” basis must be continually reinforced.
C. Safeguards are required to protect customer data from disclosure to third parties outside the organisation.
D. Similarly, protection must be afforded to safeguard the data from internal misuse.
Essential Data Protection Facts For Employers
CCTV Footage
CCTV footage containing recognisable images is personal data for the purposes of the Data Protection Acts. Persons whose images are captured on camera must be informed about the identity of the data controller and the purpose of processing the data. This can be achieved by placing easily read signs in prominent positions. Covert surveillance should be focused, of short duration, of specific individuals / locations only and must involve An Garda Siochana or a clear intention to involve the Gardai.
Private Investigators
The Data Protection Commissioner takes the view that the processing of employee’s personal data by way of a private investigator recording an employee’s movements is not justified in circumstances where the employer failed to take appropriate steps in advance to highlight its concerns to the employee.
Monitoring Use of Email, Internet and Telephone
The monitoring of email, internet access and telephone use involves the processing of personal data and, as a result, data protection laws apply. Employers should implement an 'Acceptable Usage Policy' which should reflect a proportionate balance between an employee’s right to privacy and an employer’s right to protect their legitimate business interests. The policy should explicitly state the nature, extent and purposes of the monitoring. At a minimum, an Acceptable Usage Policy should deal with the following:
* Acceptable personal use
* Time wasting and disciplinary implications
* Nature, extent and purposes of the monitoring within the workplace
* Improper or illegal use of technology to include downloading or distributing child pornography, indecent and offensive material and viruses
Employee Data Protection Requests
Employers should be mindful that an employee’s right to access personal data generally extends to appraisal and performance reports, disciplinary and appeal records and references. All managers or persons conducting a disciplinary hearing or an appeal should be wary of the fact that notes or minutes can be accessed by an individual and therefore there is a requirement that records need to be accurate, adequate and relevant.
Where an employer holds medical data relating to an employee and subsequently receives a data request, best practice is to advise the company doctor who should make the medical data available to the employee directly. There are circumstances where the release of medical data to an individual may cause serious harm to the physical or mental health of an employee and for this reason the decision to release information should be taken by a suitably qualified health professional.
Transfer of Undertakings
Business mergers and acquisitions will generally involve the prior disclosure of employee data. A comprehensive Data Protection policy will make provision for the processing of such data in the context of acquisition discussions. However, in the absence of such a policy, an employer should ensure that:
* Employee consent is obtained where possible
* Data is anonymised
* Disclosure of sensitive data such as medical records should be avoided
* Assurances should be secured from the acquiring business that the data will be maintained confidentially and will not be used for any purpose other than for evaluation of the business.
* Caution should be exercised for any transfer of personal data to organisations outside of the EU. Generally speaking, personal data should not be transferred unless the country safeguards an adequate level of data protection. The EU Commission maintains a list of approved countries which satisfy the adequacy test. The United States is not on the approved list; however, personal data may be transferred to organisations which have signed up to the Safe Harbour arrangement. The Safe Harbour arrangement is an enforceable code of practice governing data protection safeguards. The US Department of Commerce maintains a list of organisations which have signed up to this agreement. In general, for all other unapproved countries and US organisations which have not signed up to the Safe Harbour arrangement, best practice is for data controllers to enter into approved contractual arrangements which guarantee the rights of employees irrespective of whether an employee has consented to the transfer of data.