The 2012 Annual Report for the Data Protection Commissioner has been published and as always makes for some interesting reading. Some of the key stats from the report include 1,349 complaints for investigation, exceeding last year’s record high number with an increase of 188.
Complaints from individuals in relation to difficulties gaining access to their personal data held by organisations accounted for just under one-third of the overall complaints investigated during 2012. There was a marked increase in the number of complaints under the Privacy in Electronics Regulations during 2012 (up from 253 in 2011 to 606 during 2012).
However, the most interesting parts of the report are usually the case studies drawn from some of the inspections carried out by the office. A number are listed; we have chosen three that can have large implications for employers. The first is on the use of CCTV in a nursing home, the second concerns medical certs, and the third concerns client lists taken from one company to another.
CCTV Usage
In the CCTV case, a complaint was referred where a nursing home had installed cameras all over the building, and there were concerns that access was linked to the owner's private residence, where they could log in remotely at night. The nursing home said that this was to ensure safety, protection and quality of care in the premises. However, the Data Protection Commissioner felt that it was being used as a substitute for on-site supervisory care, and that the use of smartphones for live monitoring was not in accordance with the Data Protection Acts.
The issue of the cameras was resolved with some adjustments. What will be of interest to employers is the use of remote access for live monitoring, which the Commissioner concedes is becoming more and more frequent. However, its use should be limited to empty buildings etc. and it should not be used for manned premises where employees perceive that their work performance is being monitored and assessed on a live basis. The Data Protection Commissioner is very insistent that this does not reconcile with the Data Protection Acts, and where live monitoring is used in manned premises they will continue to order that it be terminated.
Medical Certificates
The second case study we have highlighted looks at the issue of Medical Certs provided by employees. In this case the Department of Education issued a circular stating that for a medical certificate to be acceptable it should highlight the specific nature of the illness. The Commissioner accepted that an employer needs to know how long a person will be absent for and if they will be fit to return to work, but suggested that requesting details as to the exact nature of the illness could present data protection issues.
However, it pointed to a previous Department of Finance working group which had considered this in 2010 and set out the wording "while the nature of the illness does not have to be included in all circumstances, if it is not stated this may give rise to difficulties if seeking to have the absences discounted", which the Commissioner felt to be most appropriate and balanced in the circumstances. The Commissioner recommends that employers should only ask for limited relevant information; asking for excessive information would be a breach of the Act.
Customer Lists taken by an employee
The final case study we will look at relates to a client list taken by an ex-employee to a new employer. It concerned Garage A (which had the list taken) and Garage B (which took on the ex-employee and, with him, the list from Garage A). A customer complained of getting an unsolicited marketing letter from Garage B which promoted the employee's move to Garage B and touted their service. Following the investigation, Garage B were forced to destroy the lists.
However, the Data Protection Commissioner provided some advice for employers in respect of their contracts of employment: that these should cover not only the use of business data but also personal data. It observed that in some situations employees mistakenly believe that the clients are clients of the employee and not the employer, and that should an organisation process data that an employee has brought from another employer without consent, this is in breach of Data Protection Regulations.
These three cases show the caution that employers must exercise when dealing with personal data (be it CCTV images, information requests, or customer data), as the misuse of this could lead to difficulties under the Data Protection Act and further complaints or investigations.
To view the full 2012 Annual Report click here.