The 2014 Annual Report for the Data Protection Commissioner (DPC) has been published and, as always, it makes for some interesting reading. By far the most interesting news for employers centres around the increased levels of prosecution of company directors over data protection.
Of the 960 complaints received, 521 of those (54.3%) related to subject access requests. In an employment context, this would relate to an employee seeking access to their full files and any material about them kept on company records.
Under the Data Protection Acts, an employee has the right to request a copy of all data on record about them, why the data is being retained by the company, who has access to the data, and the source of the data. An employer can charge the employee a fee not exceeding €6.35 for processing the information. If an employee lodges a legitimate access request then the employer has 40 days to provide the information.
Very importantly, the Report has reiterated that “enforced subject access requests” is an offence and “the Data Protection Commissioner intends to vigorously pursue and prosecute any abuse detected in this area." This most commonly arises where a candidate for a job is required by the interviewing company to submit a subject access request to their previous employers. The interviewing company then uses that information as a part of their interview decision making process. Again to note, such a practice is deemed an offence and the DPC will look to prosecute any employer on this matter.
The Report highlighted that 2014 was the first time that the DPC prosecuted company directors for their use of private investigators. The cases did not relate to investigating employee behaviour through private investigators, however, the 2014 report puts employers on notice that the DPC very much frowns upon the use of private investigators and employers should thread very carefully in this area.
An interesting case highlighted by the Report related to the HSE giving an employee’s payslips and a P60 to that employee’s ex-wife. The ex-wife then used these documents in court proceedings in relation to maintenance issues. The DPC went on to specify that the HSE had breached the Data Protection Acts by issuing the employee’s information to a third party without the employee’s prior consent. Other case studies highlighted how a Dublin County Council issued a person’s email address details to third parties without consent and also a credit union issued details of a member’s loan to that member’s daughter without consent. Both the County Council and the credit union were found to have breached the Data Protection Acts.
Employers are advised to not issue any employee data any third party unless you have secured prior employee consent.
Another case that employers should take note of is that of a financial institution reporting an ex-employee to the DPC after that ex-employee had sent a customer list to his personal email address around the time he left employment. This ex-employee was now running a business from his own home. The DPC contacted the ex-employee who affirmed that they had deleted the data in question. This case was interesting as it is a legitimate avenue that employers can pursue to protect business interests whilst also protecting the personal data of customers.
Data Protection is a growing area of employment law and it can impact on a variety of issues and areas that employers need to be aware of - the DPC has the power to audit or inspect any workplaces and indeed 39 company inspections were carried out in 2014.
The DPC's annual budget has been doubled to 3.65m, demonstrating the Government's recognition of the growing demands on the DPC's Office. Additionally, the appointment of a junior minister with responsibility for data protection further signals the importance attached by the Government to Ireland's role in the space.
The full report can be read here: https://www.dataprotection.ie/docimages/documents/Annual%20Report%202014.pdf