Employee privacy rights is an area that presents Irish employers with a shifting landscape of requirements that they need to be mindful of. For example, the European Union (EU) Commission has proposed in 2012 a new Data Protection Regulation. The current directive dates from 1995 and fails to take into account developments such as social networks and cloud computing. The timetable for adoption of the new Regulation is 2014 and thereafter implementing legislation in the various member states will need to be changed. This could even result in Ireland’s Data Protection Acts being replaced.
Those Data Protection Acts 1998 and 2003 (“the Acts”) offer Irish employees certain legal protections, for example, from surveillance in the workplace. Employers should also note that additional protections are offered to employees by case law related to the European Convention on Human Rights – implemented in Ireland by the European Convention on Human Rights Act 2003.
Let us look at some examples. In a 2009 case study the Data Protection Commissioner (DPC) describes receiving a complaint from an individual whose employer had used a private investigator to record his movements. The context was that the employer was concerned at the man’s performance of his duties as a sales representative and the employer wanted to see whether he was performing his duties. The private investigator provided a DVD to the employer of the employee’s movements over the course of a week – a DVD that included “images of the employee’s children”. In addition to the DVD’s contents – the material was also gathered without the employee’s consent.
Now the employer felt that what they were doing was legitimate. But the DPC disagreed – and for two reasons. Firstly, the employer had taken a very serious step in hiring a private investigator without taking sufficient steps to make the employee aware of its concerns. Secondly, the surveillance was covert and “covert surveillance of individuals is very difficult to reconcile with the Data Protection Acts”.
So this employer had overstepped the mark. However, the DPC’s conclusions can also serve to illustrate what actions are allowable by employers. In a 2005 case study, employees of a public institution complained that “the biometric time and attendance system installed involved an unreasonable intrusion on their privacy”. However, the institution had told its staff what it was doing and why it was doing it. It also pointed out that the biometric system would enhance security. The DPC also recognised that security was “of paramount importance” to this particular institution. The DPC concluded therefore that the “system was proportionate and did not constitute an unjustified interference with the privacy rights of individuals”.
These two examples illustrate that it is not possible for law, let alone case law, to cater to all the potential circumstances that can arise. Indeed, with respect to the introduction of biometric systems, the DPC says that “all situations must be judged on a case-by-case basis”. This is challenging for employers as there are no clear rules. Indeed the DPC recommends that employers considering the introduction of such a system carry out a Privacy Impact Assessment – and provides a long list of over 30 points to be considered!
Of course, in addition to surveillance and the introduction of biometric systems, there are many other areas relating to privacy that employers need to be attentive to, for example, sickness. Under the Data Protection Acts an employer is entitled to know for how long an employee will be absent from work and is also entitled to know if, upon their return, the employee will be capable of doing particular types of work. A requirement to produce doctor’s certificates is also allowable. However, what is normally not allowable is for the employer to know the precise nature of the illness. But again this is not black and white as there are certain exceptions to this. For example, a doctor may be “legally obliged to report certain conditions to an employer”. It is also allowable for employers to have a requirement that employees on long term sick leave be “referred after a certain period to a company doctor for examination and the doctor will provide a report to the company advising whether they consider the person fit for work or not”. The DPC has advised that there would be no breach of the Acts in either of these scenarios.
In this article we’ve touched on just a few privacy issues. The list goes on – background checks, Garda vetting, email usage, internet usage, photograph usage, GPS tracking, etc. To get expert guidance on how to manage your business without infringing on employee privacy rights, call Mary Cullen, Patrick Foley or Liam Barton on 056 770 1060 or email firstname.lastname@example.org.