The 2014 Annual Report for the Data Protection Commissioner (DPC) has been published and, as always, it makes for some interesting reading. Some of the key stats from the report include 960 complaints for investigation were made to the office of the Data Protection commissioner, exceeding the 2013 figure of 910. However, by far the most interesting news for employers centers around the increased levels of prosecution of company directors over data protection breaches and also the Commissioners report on the use of private investigators when investigating employees.
Complaints & Subject Access Requests
Of the 960 complaints received, 521 of those (54.3%) related to subject access requests. In an employment context, this would relate to an employee seeking access to their full files and any material about them kept on company records.
Under the Data Protection Acts, an employee has the right to request a copy of all data on record about them, why the data is being retained by the company, who has access to the data, and the source of the data. An employer can charge the employee a fee not exceeding €6.35 for processing the information. If an employee lodges a legitimate access request then the employer has 40 days to provide the information. Indeed, the 2014 report shows that Eircom were found to have breached the Acts as they failed to comply with an access request within the 40 day window.
Very importantly, the Report has reiterated that “enforced subject access requests” is an offence and “the Data Protection Commissioner intends to vigorously pursue and prosecute any abuse detected in this area.” In an employment context, this most commonly arises where a candidate for a job is required by the interviewing company to submit a subject access request to their previous employers. The interviewing company then uses that information as a part of their interview decision making process. Again to note, such a practice is deemed an offence and the DPC will look to prosecute any employer on this matter.
Company Inspections & Audits
The Report also reminds employers that the DPC has the power to audit or inspect any workplaces and indeed 39 company inspections were carried out in 2014.
Use of Private Investigators
The Report highlighted that 2014 was the first time that the DPC prosecuted company directors for their use of private investigators. The case studies provided in the report related to “methods employed by some private investigators hired by credit unions to trace the current addresses of members who had defaulted on their loans.” Therefore, the cases did not relate to investigating employee behaviour through private investigators. However, the 2014 report puts employers on notice that the DPC very much frowns upon the use of private investigators and employers should thread very carefully in this area.
Who Can You Give Employee Data To?
An interesting case highlighted by the Report related to the HSE giving an employee’s payslips and a P60 to that employee’s ex-wife. The ex-wife then used these documents in court proceedings in relation to maintenance issues. The DPC went on to specify that the HSE had breached the Data Protection Acts by issuing the employee’s information to a third party without the employee’s prior consent. Other case studies highlighted how Dun Laoighaire/Rathdown County Council issued a person’s email address details to third parties without consent and also a credit union issued details of a member’s loan to that member’s daughter without consent. Both the County Council and the credit union were found to have breached the Data Protection Acts.
Therefore, employers are advised to not issue any employee data any third party unless you have secured prior employee consent.
Ex-Employees Removing Customer Data
An interesting case for employers is that of a financial institution reporting an ex-employee to the DPC after that ex-employee had sent a customer list to his personal email address around the time he left employment. This ex-employee was now running a business from his own home. The DPC contacted the ex-employee who affirmed that they had deleted the data in question. This case was interesting as it is a legitimate avenue that employers can pursue to protect business interests whilst also protecting the personal data of customers.
Data Protection is a growing area of employment law and as we just read it can impact on a variety of issues ranging from private investigators to employee files to customer lists Use of Private Investigators
The Report. Therefore, employers are encouraged to seek advice from the experienced Peninsula Employment Law Consultants who are ready and available to take your call 24 hours a day, 365 days a year, on 01 855 50 50 or fill in your details below.