The 2017 Data Protection Commission Report

Peninsula Team

May 08 2018

The Office of the Data Protection Commissioner (DPC) is the national independent authority in Ireland responsible for upholding the right of individuals to have their personal data protected. The DPC's annual report for 2017 highlights the work done to prepare for the General Data Protection Regulation (GDPR) and its plans for the coming years. 2017 saw the largest number of complaints the DPC has ever received: 2,642, compared with 1,479 in 2016. The DPC believes the GDPR should be seen as an opportunity rather than a burden, and wants to work with organisations to provide them with clear, high-quality and timely guidance.

The DPC also reported an increase in phishing attacks designed to gain access to organisations' infrastructure. It recommends that an organisation's security measures be reviewed regularly and that staff receive adequate training, so that breaches of data protection legislation are prevented rather than dealt with after the fact.

Points to note from the report

The report examined a number of cases, and several important points emerge from them that are useful from an employment law/HR perspective. Let's take a look at them here.

Employer responsibilities

Employers must be aware that they are responsible for their employees' actions when it comes to the processing of personal data, and have an obligation to ensure that employees comply with data protection legislation. In one case, an employee photographed two applicants' CVs and cover letters and posted the image to her Snapchat account. The two applicants found out about this from a third party. The employee was on her last day with the employer, as her employment had been terminated, and she knew that using her phone during working hours was against the company's policy on mobile phone usage.

The Data Protection Commissioner found that the employer was in breach of the Data Protection Acts 1988 and 2003. It was the employer's responsibility to ensure that employees did not breach the legislation, regardless of whether it was the employee's last day. The existence of a policy that the employee knowingly ignored did not relieve the employer of that responsibility.

Subject access requests

In most circumstances an employer must respond fully to a subject access request. Under the GDPR, the request must be answered within one month (extendable by a further two months where requests are complex or numerous) and no fee may be charged, unless the request is manifestly:
  • unfounded, or
  • excessive, in particular because of its repetitive character.
The DPC's report highlights the need to preserve material that may have been requested until the request is resolved. In this case the complainant requested CCTV footage covering a four-hour period during which he had allegedly been attacked. The organisation accepted the request as valid but provided only an 11-second clip, which did not show the alleged attack. When the complainant pointed out that his request had been for the full four-hour period, he was told that he must submit a new request. The organisation retained CCTV footage for only 28 days before it was overwritten, so by the time the new request was processed the footage was gone.

The Data Protection Commissioner found that the organisation should have retained the footage until it had clarified exactly what the complainant was looking for. Employers should note that, as data controllers, once they receive an access request for footage they must preserve that footage from the day the request arrives until the matter is resolved. A routine policy of overwriting footage after 28 days does not excuse the loss: the specific footage requested must be taken out of the normal retention cycle and kept.

CCTV footage in disciplinary hearings

The DPC also examined the use of CCTV footage in a disciplinary hearing, a question many employers will have to consider at some point. The employee in this case was the sole night security officer. The company operated a CCTV system which, it maintained, was not used to supervise staff, and it carried out random audits of employees' access cards. An audit showed irregularities on the night security officer's access card suggesting that he had been away from his post for long periods.

The company was contractually obliged to its client to monitor the premises, and any incident occurring while the security officer was away from his post would have put the company in breach of that contract. The company began an investigation. The employee disputed the access card data and asked the employer to produce further evidence that he had been away from his post. The employer maintained that the CCTV footage was the only way to corroborate the access card data. At the start of his employment the employee had signed a set of procedures, one of which stated that CCTV footage could be used in investigations. He was dismissed following the disciplinary procedure.

The DPC examined whether the employer could rely on legitimate interest as a legal basis for the processing. Three criteria must all be met: "There must be a legitimate interest justifying the processing; the processing of personal data must be necessary for the realisation of the legitimate interest; and the legitimate interest must prevail over the rights and interests of the data subject". The Commissioner was satisfied that the company had a legitimate interest in investigating the employee's conduct.

Takeaways for employers

The DPC's report highlights some very important points for employers. With the GDPR at the top of everyone's agenda for 2018, employers need to be aware of the obligations and implications that come with being a data controller or processor. With the number of complaints brought to the Data Protection Commissioner almost doubling from 2016 to 2017, complaints are likely to rise again in 2018 as awareness of the GDPR grows. If you have any questions regarding the topics in this article, please don't hesitate to contact our 24 Hour Advice Service on 0818 923 923, where an advisor will be happy to help.