Data Privacy at work
As with all rights, they bring responsibilities; they are not unqualified. The right to privacy is frequently balanced with the exigencies of the common good; it is fair to say that the Courts have typically left both privacy and the exigencies of the common good without rigid parameters. We must default to the great lawyer escape argument on these points; namely that each case must be judged on its merits.
Employees have a right to data privacy in the workplace; this is not an absolute right. It is balanced with other rights such as the right to one’s good name, the right to earn a living and to hold property.
Data privacy issues arise in the workplace from the time that an employee applies for a job, through to the termination of their employment and for a reasonable period after it ends.
Data governance should be actively reviewed by an employer, but particularly where there is a change in how an employee may be required to work. For example, if an employer agrees to allow an employee to work from home or outside the employer’s premises, data security and the privacy of personal data of clients, customers and other third parties must be protected. Care must be taken in relation to how an employer will monitor employees working from home; for example, an employer does not have a right to enter an employee’s home without their consent.
Boundaries - What is considered private?
What are reasonable boundaries on data privacy within the workplace?
Peev V Bulgaria 64209/01 ECHR 6551
The applicant was employed as an expert by the Supreme Cassation Prosecutor’s Office (SCPO) in Bulgaria.
Following the death by suicide of a prosecutor colleague who had alleged that the chief prosecutor and his entourage were harassing and exerting improper pressure on him, the applicant considered resigning and to that end prepared two draft letters which he kept in a drawer of his office desk. However, he eventually decided not to resign and sent a letter to two daily newspapers and the Supreme Judicial Council making a number of grave accusations against the chief prosecutor and urging the authorities to investigate.
One of the newspapers published the letter. On the evening preceding publication, a prosecutor from the SCPO sealed off the applicant’s office and ordered the duty police officer not to allow the applicant to enter the building as he had been dismissed. The applicant was subsequently informed that his resignation letter had been brought to the attention of the chief prosecutor and that his resignation had been accepted. Some days later, the applicant was allowed into the office to collect his personal belongings. He discovered that it had been searched and that certain items, including the draft resignation letters, were missing.
The prosecuting authorities refused to open criminal proceedings. However, the applicant brought a civil action for unlawful dismissal and obtained an order for his reinstatement and an award of compensation. Although he was not in fact reinstated in his former position as the department for which he had worked had been abolished in the interim, he did succeed in obtaining a post with a similar body.
The ECHR concluded that under Article 8 the applicant had a “reasonable expectation of privacy”, if not in respect of his entire office, at least in respect of his desk and filing cabinets. The search of Mr. Peev’s office amounted to interference by a public authority with the applicant’s private life. Under Article 13 (in conjunction with Articles 8 and 10) – the Government had failed to show that any remedies existed in respect of the unlawful search. The domestic proceedings in which the applicant had challenged his dismissal had concentrated on the resignation issue and had not discussed the substance of his freedom-of-expression grievance. The proceedings, therefore, did not amount to an avenue whereby he could vindicate his freedom of expression as such and no other remedy had been suggested by the Government.
Halford V United Kingdom (25 June 1997)
Ms. Halford was appointed to the rank of Assistant Chief Constable with the Merseyside Police. Following a refusal to promote her, Ms. Halford commenced proceedings in the Industrial Tribunal claiming that she had been discriminated against on grounds of sex. Ms. Halford alleged that certain members of the Merseyside Police Authority launched a ‘campaign’ against her in response to her complaint to the Industrial Tribunal. This took the form of leaks to the press and interception of her telephone calls.
She alleged that calls made from her home and her office telephones were intercepted for the purposes of obtaining information to be used against her in the discrimination proceedings. She claimed a breach of Article 8 of the Convention.
The ECHR held that conversations made on the telephones in Ms. Halford’s office at Merseyside Police Headquarters fell within the scope of “private life” and “correspondence” in Article 8 (1).
There is a critical need for all employers to know what they are required to do as data controllers; an employer will hold data in relation to employees, but following the DPA obligations the data must be “adequate, relevant and not excessive”.
An employer must accept that the majority of data kept about an employee is data that must be given to the employee upon request under the DPA.
There are some exceptions but those exceptions are limited. This is important if an employee raises a grievance or there is a disciplinary process underway. A common error by employers is to assume that data really only refers to the personnel file and anything outside that is not covered by the DPA. This is wholly incorrect.
Sensitive data, including health information, trade union membership and details of criminal convictions, can be processed if it is necessary “for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment”.
It is advisable for an employer to have a clear data retention policy relating to all employees. At a certain time, it will no longer be reasonable to retain a former employee’s data; or for example, the records of a recruitment drive.
An employer can monitor employees in the workplace provided that any limitation on an employee’s right to privacy is proportionate to the possible damage to the employer’s legitimate interests.
For example, in Case Study 101/2013 the night manager of a hotel used a mobile phone to take photographs of employees who had fallen asleep on duty. The photographs were used in subsequent disciplinary proceedings which the Data Protection Commissioner (DPC) found to be against the DPA.
Danniger V SIPTU Labour Court LCR 19328
An objection was raised by SIPTU to the company operating a biometric clocking-in system because it had been brought in following the dismissal of a small number of employees who had been abusing the system. SIPTU argued that this was excessive; the company argued that it was in compliance with the DPA because the copies of the fingerprints were not stored on the system and could not be retrieved from the system. The Labour Court recommended that the system continue for so long as it was transparent and legally operated.
Kopke V Germany 420/07 ECHR 1725
On 5 November 2002 the applicant’s employer dismissed the applicant without notice for theft. The applicant was accused of having manipulated the accounts in the drinks department of the supermarket where she worked and of having taken money (some 100 euros during the period in which she had been covertly filmed by a detective agency on behalf of the employer) from the tills for herself which she had hidden in her clothes.
Ultimately the case reached the ECHR, where Ms. Kopke alleged a breach of her Article 8 right to privacy because of unlawful processing of her personal data. The ECHR found that the surveillance had only taken place for two weeks and was not in the immediate vicinity of where Ms. Kopke usually worked; further, it found that there was a balance between her right to privacy and the employer’s legitimate interest in protecting its property rights, in establishing the truth of what was happening in the workplace and in exonerating fellow employees who were not guilty of any offence.
What changes are coming?
The Article 29 Data Protection Working Party published an Action Plan for the implementation of the new General Data Protection Regulation (GDPR Regulation (EU) 2016/679).
The Regulation provides that a new governance model, with enhanced roles for Data Protection Commissioners remaining in the EU, will be established.
It envisages enhanced co-operation between national DP authorities.
A one-stop shop on enforcement cooperation is envisaged.
Guidance will follow on the following topics:
- The new portability right; easy transfer of data between service providers;
- The Right to be forgotten;
- Affirmative steps for a data subject’s consent to release of data to be valid;
- High Risk and Data Protection Impact Assessments;
- Roles of Data Protection Officers.
This post has been prepared for general information purposes. As such it does not purport to provide legal advice. O’Connor Solicitors accept no responsibility for losses that may arise from reliance on information contained in this document. It is intended to identify general issues on which you may require legal advice. Full legal advice should be taken from a suitably qualified professional when dealing with particular circumstances.