Data Privacy at work

As with all rights, they bring responsibilities; they are not unqualified. The right to privacy is frequently balanced with the exigencies of the common good; it is fair to say that the Courts have typically left both privacy and the exigencies of the common good without rigid parameters. We must default to the great lawyer escape argument on these points; namely that each case must be judged on its merits.

Employees have a right to data privacy in the workplace; this is not an absolute right. It is balanced with other rights such as the right to one’s good name, the right to earn a living and to hold property.

Data privacy issues arise in the workplace from the time that an employee applies for a job, through to the termination of their employment and for a reasonable period after it ends.

Data governance should be actively reviewed by an employer, but particularly where there is a change in how an employee may be required to work. For example, if an employer agrees to allow an employee to work from home or outside the employer’s premises, data security and the privacy of personal data of clients, customers and other third parties must be protected. Care must be taken in relation to how an employer will monitor employees working from home; for example, an employer does not have a right to enter an employee’s home without their consent.

Boundaries: What is considered private?

What are reasonable boundaries on data privacy within the workplace?

Peev V Bulgaria 64209/01 [2007] ECHR 6551

The applicant was employed as an expert by the Supreme Cassation Prosecutor’s Office (SCPO) in Bulgaria.

Following the death by suicide of a prosecutor colleague who had alleged that the chief prosecutor and his entourage were harassing and exerting improper pressure on him, the applicant considered resigning and to that end prepared two draft letters which he kept in a drawer of his office desk. However, he eventually decided not to resign and sent a letter to two daily newspapers and the Supreme Judicial Council making a number of grave accusations against the chief prosecutor and urging the authorities to investigate.

One of the newspapers published the letter. On the evening preceding publication, a prosecutor from the SCPO sealed off the applicant’s office and ordered the duty police officer not to allow the applicant to enter the building as he had been dismissed. The applicant was subsequently informed that his resignation letter had been brought to the attention of the chief prosecutor and that his resignation had been accepted. Some days later, the applicant was allowed into the office to collect his personal belongings. He discovered that it had been searched and that certain items, including the draft resignation letters, were missing.

The prosecuting authorities refused to open criminal proceedings. However, the applicant brought a civil action for unlawful dismissal and obtained an order for his reinstatement and an award of compensation. Although he was not in fact reinstated in his former position as the department for which he had worked had been abolished in the interim, he did succeed in obtaining a post with a similar body.

The ECHR concluded that under Article 8 the applicant had a “reasonable expectation of privacy”, if not in respect of his entire office, at least in respect of his desk and filing cabinets. The search of Mr. Peev’s office amounted to interference by a public authority with the applicant’s private life. Under Article 13 (in conjunction with Articles 8 and 10), the Government had failed to show that any remedies existed in respect of the unlawful search. The domestic proceedings in which the applicant had challenged his dismissal had concentrated on the resignation issue and had not discussed the substance of his freedom-of-expression grievance. The proceedings, therefore, did not amount to an avenue whereby he could vindicate his freedom of expression as such and no other remedy had been suggested by the Government.

Halford V United Kingdom (25 June 1997)

Ms. Halford was appointed to the rank of Assistant Chief Constable with the Merseyside Police. Following a refusal to promote her, Ms. Halford commenced proceedings in the Industrial Tribunal claiming that she had been discriminated against on grounds of sex. Ms. Halford alleges that certain members of the Merseyside Police Authority launched a ‘campaign’ against her in response to her complaint to the Industrial Tribunal. This took the form of leaks to the press and interception of her telephone calls.

She alleged that calls made from her home and her office telephones were intercepted for the purposes of obtaining information to be used against her in the discrimination proceedings. She claimed a breach of Article 8 of the Convention.

The ECHR held that conversations made on the telephones in Ms. Halford’s office at Merseyside Police Headquarters fell within the scope of “private life” and “correspondence” in Article 8 (1).

Data Governance

There is a critical need for all employers to know what they are required to do as data controllers; an employer will hold data in relation to employees but, following the DPA obligations, the data must be “adequate, relevant and not excessive”.

An employer must accept that the majority of data kept about an employee is data that must be given to the employee upon request under the DPA.

There are some exceptions but those exceptions are limited. This is important if an employee raises a grievance or there is a disciplinary process underway. A common error by employers is to assume that data really only refers to the personnel file and anything outside that is not covered by the DPA. This is wholly incorrect.

Sensitive data, including health information, trade union membership and details of criminal convictions, can be processed if it is necessary “for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment”.

It is advisable for an employer to have a clear data retention policy relating to all employees. At a certain time, it will no longer be reasonable to retain a former employee’s data or, for example, the records of a recruitment drive.

Workplace Surveillance

An employer can monitor employees in the workplace provided that any limitation on an employee’s right to privacy is proportionate to the possible damage to the employer’s legitimate interests.

For example, in Case Study 101/2013 the night manager of a hotel used a mobile phone to take photographs of employees who had fallen asleep on duty. The photographs were used in subsequent disciplinary proceedings, which the Data Protection Commissioner (DPC) found to be against the DPA.

Danniger V SIPTU Labour Court LCR 19328

An objection was raised by SIPTU to the company operating a biometric clocking-in system because it had been brought in following the dismissal of a small number of employees who had been abusing the system. SIPTU argued that this was excessive; the company argued that it was in compliance with the DPA because the copies of the fingerprints were not stored on the system and could not be retrieved from the system. The Labour Court recommended that the system continue for so long as it was transparent and legally operated.

Kopke V Germany 420/07 [2010] ECHR 1725

On 5 November 2002 the applicant’s employer dismissed the applicant without notice for theft. The applicant was accused of having manipulated the accounts in the drinks department of the supermarket where she worked and of having taken money (some 100 euros during the period in which she had been covertly filmed by a detective agency on behalf of the employer) from the tills for herself which she had hidden in her clothes.

Ultimately the case reached the ECHR, where Ms. Kopke alleged a breach of her Article 8 right to privacy because of unlawful processing of her personal data. The ECHR found that the surveillance had only taken place for two weeks and was not in the immediate vicinity of where Ms. Kopke usually worked; further, it found that there was a balance between her right to privacy and the employer’s legitimate interest in protecting its property rights, in establishing the truth of what was happening in the workplace, and in exonerating fellow employees who were not guilty of any offence.

What changes are coming?

The Article 29 Data Protection Working Party published an Action Plan for the implementation of the new General Data Protection Regulation (GDPR Regulation (EU) 2016/679).

The Regulation provides for a new governance model, with enhanced roles for Data Protection Commissioners remaining in the EU.

It envisages enhanced co-operation between national DP authorities.

A one-stop shop on enforcement cooperation is envisaged.

Guidance will follow on the following topics:

  • The new portability right; easy transfer of data between service providers;
  • The Right to be forgotten;
  • Affirmative steps for a data subject’s consent to release of data to be valid;
  • High Risk and Data Protection Impact Assessments
  • Certification
  • Roles of Data Protection Officers

This post has been prepared for general information purposes. As such it does not purport to provide legal advice. O’Connor Solicitors accept no responsibility for losses that may arise from reliance on information contained in this document.  It is intended to identify general issues on which you may require legal advice. Full legal advice should be taken from a suitably qualified professional when dealing with particular circumstances.