On 21 June 2016, the Data Protection Commissioner (the “DPC”), Helen Dixon, published her Annual Report for 2015. The Report identified a number of issues which are relevant to organisations with employees in Ireland.
Background checks – enforced subject access requests
Since 18 July 2014, it has been a criminal offence for employers to require employees or prospective employees to make a subject access request seeking copies of their personal data, for example, from An Garda Síochána (the Irish police force) or a credit bureau. The practice of requiring employees or prospective employees to make subject access requests to An Garda Síochána and requiring employees to hand over the results of those checks had been used as an means of conducting unofficial criminal background checks.
During the course of 2015, the DPC investigated compliance with this law with a particular focus on the use of subject access requests to conduct criminal background checks. The reason for this focus was a concern about the consistently high number of subject access requests being made to An Garda Síochána each year.
The DPC’s Report refers to an audit of forty organisations across a range of industries following which a number of organisations were directed to cease the practice immediately. The DPC plans to continue monitoring organisations across a range of sectors for this practice throughout the remainder of 2016.
We recommend that employers review their background check policy to ensure they are fully compliant with the law in this regard.
The law on enforced background checks does not affect mandatory Garda vetting for those working with children, vulnerable adults or in the security sector.
Use of CCTV footage
The DPC considered the use of CCTV footage as evidence in a disciplinary process in a case study involving a bus company.
While reviewing CCTV footage as part of an investigation into an unrelated customer complaint, the bus company saw an employee using her mobile phone while driving. The company sought to introduce the CCTV footage into evidence as part of a disciplinary process against the employee. The employee objected, claiming that the footage had been unfairly obtained.
The DPC found that the company had breached its data protection obligations on the basis that:
- it failed to properly inform the employee that CCTV footage might be used in disciplinary proceedings; and
- there was no indication at the time the footage was initially processed that it related to a “serious matter” involving the employee. Therefore, the processing was unjustified.
The DPC went on to comment that in other circumstances the use of the footage might have been acceptable, particularly if it was “in response to an urgent situation” and the employer had the correct procedures in place.
In a separate case study involving CCTV, the DPC found that the use of a CCTV camera in a staff canteen was “excessive” and in contravention of the data protection legislation.
An employee of a supermarket was dismissed after she placed a paper bag over a CCTV camera in the canteen. In a complaint to the DPC, the employee argued that she was never officially told about the existence of the camera or why it was in the canteen. In its response, the supermarket stated that the camera had been installed for a number of reasons, including, to prevent staff theft, to prevent bullying and harassment and for the overall hygiene of the canteen. The DPC rejected this argument and found that there was no justification for having a CCTV camera in the staff canteen area.
Both cases highlight the importance for employers to have a comprehensive CCTV policy in place, which is properly adhered to, and brought to the attention of every employee.
Use of biometric attendance systems
A biometric system is a technological system which uses physical or physiological information about a person to identify them. Examples include a clock-in system which requires the person to scan their fingerprint, hand or eye.
While such systems are still relatively uncommon, the DPC made it clear in her Report that before introducing a biometric system, employers must carry out an assessment of the need for such a system and an evaluation of any possible alternatives.
An employee's right to privacy and to the protection of their personal data should be at the forefront of every employer’s mind. The collection and use of an employee’s personal data must be fair, lawful and proportionate.
As stated in the Report, the DPC is absolutely committed to ensuring that all organisations properly comply with data protection legislation as regards their employees. The issues highlighted serve as a helpful reminder to employers to ensure that they have adequate data protection policies in place which are fully compliant with these laws.