The Data Protection Commissioner has just released the annual report for 2013. Its findings show a rise in the number of data security breach notifications to the office, due to employers either being unaware of or negligent in their responsibilities concerning data protection. Such breaches may lead to investigations by the Data Commissioner and can have various implications for employers.
The Data Protection Act stipulates that anyone processing personal data must comply with Eight Principles of good practice. These Principles are legally enforceable; employers should therefore familiarize themselves with them and be aware of any breach of the Act that could occur.
CCTV Usage
We have spoken previously on the use of CCTV, and the Data Protection Commissioner has highlighted this in recent reports. However, surveillance can raise, and continues to raise, many privacy and data issues for employers, especially if it is being used as a tool to monitor staff. This is where employers should take note. Following the broadcast of an episode of RTE’s Primetime featuring practices in certain crèches in Dublin, the Office of the Commissioner had a number of queries in relation to the provision of CCTV in crèches.
The primary function of the cameras was to reassure parents of the welfare and safety of their children. In essence, CCTV cameras in crèches raise a range of data protection issues, including the rights of parents who do not wish to have video surveillance in place as well as the rights of employees. CCTV is therefore not an answer to the fundamental issues of the quality of staff and their supervision by management in a child-care facility. It is important to note that the view of the Data Commissioner is that CCTV should never be used as a tool to monitor or supervise staff; that is ultimately the duty of management.
Interestingly, in comparison to this, another case involving the use of CCTV for monitoring employees concerned a complaint made by an employee of a supermarket regarding the use of CCTV footage in a disciplinary hearing. The complainant was aggrieved that the supermarket instructed a third party to remove and view an excessive amount of footage without any consultation with the employee in relation to the removal, viewing or processing of the CCTV footage. The respondents had been contacted by an external third party alleging irregularities in the cash management process in its store. Their justification for using the CCTV was that, as a retail business handling large sums of money on a daily basis, it felt that its actions were guided by a legitimate interest to protect its vested rights and property. It was stated that the amount of CCTV footage viewed was excessive and disproportionate, but as the irregularities in cash handling brought to their attention were quite complex and serious in nature, it would have been impossible to fully investigate the matter by a safe count alone.
Throughout the investigation it was found that the CCTV footage showed actions that were questionable, but no conclusions were drawn from the footage as to whether the actions were of a criminal nature or a performance and conduct issue. They were satisfied from the complainant’s explanations that the actions were not of a sinister nature, but instead constituted a total disregard for internal cash management procedures. It was concluded that the employer’s use of the CCTV was legitimate. The key issue that arose for consideration under the Data Protection Acts was whether the supermarket acted in accordance with the requirements of the Acts when it processed CCTV footage which contained images of the complainant. Following the investigation of the complaint against the supermarket regarding its processing of the complainant’s personal data in the form of CCTV footage, and having regard to the legitimate interests of the employer in this case, the Commissioner was unable to conclude that a contravention of the Data Protection Acts took place in this instance.
Taking of Confidential Client Lists
Also highlighted in the report, and of particular interest to employers, is the topic of client lists being taken by an ex-employee. This is case study 15 of the annual report, and one which the Data Commissioner investigated. It transpired that a former employee had taken a client list with them to the new employer without any knowledge or authorization from the previous employer or clients, a clear breach of the Data Protection Act. The previous employer had to inform the Commissioner of the policies it had in place regarding the security of client information in circumstances where an employee is moving to a new employment. The new employer’s site had to undergo an inspection by the Commissioner’s office, with which they complied. In addition to destroying the list, they had to provide reassurance in writing from the Managing Director of the new employer, stating that he fully accepted that breaches had occurred and outlining the actions his company was taking to prevent a recurrence.
Notes for Employers
Although all aspects of data protection should be of concern to employers, there are some areas that will hit home, such as CCTV and the taking of confidential client lists by ex-employees. Employers should ensure there are clear policies in place to deal with such matters and that they have the appropriate protections in place to remove any exposure in some cases.
Peninsula Business Services will endeavour to keep all of its clients up to date as this matter progresses. If you have any questions on Employment Regulation Orders or Registered Employment Agreements, then please contact the Peninsula Business Services 24 Hour Advice Line on 01 855 5050 and speak to one of our dedicated Employment Law Advisors.