Ensuring compliance with data protection legislation – avoiding unnecessary issues through the misuse of personal information

Shannon Chamber HR is a dedicated HR and Employment Law Support Service for members of Shannon Chamber provided in partnership with Adare Human Resource Management, experts in Employment Law, Industrial Relations, Human Resources and Health & Safety at preferential rates.

The Data Protection Commission published its Annual Report for 2020 in late February, which highlighted an increase of 9% in the number of cases it handled in 2020, up from 9,337 in 2019 to 10,151 in 2020. A total of 4,660 complaints were received under GDPR, with “Access request” and “Fair processing” making up over half of these.  The report also stated that “cases concerning employment law disputes continue to be heavily represented in the range of complaints received”. However, it also stated “it’s becoming an increasing feature of the complaints received by the office that issues are being raised with the DPC that, in truth, have little or nothing to do with data protection”.

In this week’s article, Derek McKay, Managing Director at Adare Human Resource Management looks at the area of data protection and what employers should be mindful of when managing the personal information of employees and also what they can and can’t do when it comes to monitoring employees during the working day.

Compliance with legislation

A significant amount of information related to employees is gathered during the employment relationship. Information retained may include details of the recruitment process followed to hire an employee, the written statement of terms and conditions of employment provided on hiring the person, records of pay including holiday pay and public holiday benefits, any information relating to disciplinary situations, grievances and documentation related to workplace investigations, as well as documentation related to employee benefits, agreements to deductions from pay and so forth.

It is important to be aware that all information held by an Employer related to an Employee must be stored, processed and maintained in accordance with the General Data Protection Regulation (GDPR). At Adare Human Resource Management, we work with clients to carry out risk assessments, advice on how what type or category of personal information is justifiable and how it should be treated as well as implementing training, if required.

Appropriate use of personal data

The DPC’s Annual Report included a complaint from an employee relating to the use of their photograph in an article that was published in a workplace newsletter without their permission. The Data Controller within the organisation informed the employee that their consent should have been sought before it was used in the newsletter and that a data breach had occurred in this instance. As well as issuing an apology to the employee, the DPC provided recommendations that a consent information leaflet be distributed to staff in advance of using photography, videography or audio being used and that a consent form should also be completed in advance.

Use of CCTV within organisations

Under Data Protection legislation CCTV cameras may be used in the workplace and would normally be in place for the protection of staff, customers and the premises.  However, it is necessary that those people whose images are captured on camera are informed about the identity of the purpose of capturing the data. Therefore, it is necessary that signs confirming use of CCTV cameras are placed in prominent positions in the workplace and are easily legible.

It is considered very intrusive to use CCTV to monitor the performance of employees and would need to be justified by reference to special circumstances. The DPC has previously noted that that a balance must be struck between the privacy of the employee and the interests of the employer.
 
If CCTV cameras are to be used in the unlikely situation of disciplinary action, the employer must have a policy in that regard so that employees are aware that footage captured maybe used for this purpose. Also, if CCTV footage is being used in a disciplinary process as evidence, the employee should be given the opportunity to view the evidence in advance of a disciplinary hearing to allow them to prepare a defence.

Data protection considerations for remote working

The seismic shift to remote working presented new challenges for employers in terms of data protection. Ensuring employees were aware of their responsibilities to protect sensitive information, update security software and regularly change passwords became all the more important. Even what might seem like simple things like the minimal use of paper or keeping work devices safe and secure is crucially important.

Only trusted networks or cloud servers that comply with the organisation’s rules and procedures should be used. Many organisations have also asked employees to ensure “listening” devices such as Amazon Echo should not be in the same room if work-related calls are being conducted.

There is an abundance of information available on Linea, our comprehensive online resource, which is available to Shannon Chamber members at an exclusive rate. This information, including checklists, has been developed to ensure organisations are compliant with data protection legislation as well as providing some more helpful advice as well as further in-depth analysis of GDPR legislation.

Why Shannon Chamber HR?

  • Access to solutions-focused advice and support on HR and Employment Law queries for your Organisation provided by the experienced expert-led team at Adare Human Resource Management, giving you peace of mind that you can effectively manage any employment or HR issues that may arise. For information on the full range of services and supports provided, click here.

Contact:
For further information on the HR and Employment Law support services provided, to arrange a meeting or to receive a quote, contact the team at Shannon Chamber – admin@shannonchamber.ie / 061 360 611