Data Protection Commissioner's Annual Report for 2007 - Lessons for Employers - Aug '08
The Data Protection Commissioner's Office launched its Annual Report for 2007 recently. The number of complaints received during 2007 was 1,037 (a significant increase on previous years - 300 in 2005 and 658 in 2006). The biggest factor in this increase related to the number of complaints regarding unsolicited text messages, phone calls and emails.
There are some interesting cases listed in the Annual Report which relate to various breaches by employers in the processing and use of personal data. These cases provide lessons for employers on how to adhere to the requirements of Data Protection legislation. The full details of these cases are available in the report at www.dataprotection.ie.
- An employee was asked by her employer to have an independent medical assessment to establish whether she was fit to return to work. The employee disagreed with the medical expert's opinion and she sought to have the report rectified. The medical report was not changed materially, but the Data Protection Commissioner (DPC) allowed the employee to annotate the medical report, supplementing it with her opinion of her medical status.
- After an accident in the workplace, leading to a prolonged absence, an employee took a High Court personal injury claim against the employer. As part of the defence of this claim, the employer requested two medical reports for the employee. The employee was later dismissed based on medical evidence available to the employer, including these two reports. The employee subsequently took an Unfair Dismissals claim and the employer again used these two reports to support the dismissal. The DPC found that the employer was in breach of data protection legislation. The employer was incorrect in using the medical data (which had been collected with the employee's consent for the purpose of defending the personal injury claim) to later terminate the employment contract with the employee and to defend the subsequent Unfair Dismissals claim.
- The DPC found that an employer had breached the legislation in its use of covert CCTV footage. The footage was being collected for the purpose of investigating cash-handling at the bar, but was used to dismiss another employee whose actions were captured by the camera even though she was not the intended data subject. The employee had not been informed that covert CCTV cameras had been installed as part of the other investigation. As part of this determination, the DPC made further clarifications on the correct usage of covert CCTV recording. The DPC explained that the use of recording mechanisms to obtain data without an individual's knowledge is generally unlawful. Such covert surveillance is normally only permitted on a case-by-case basis where the data is gathered for the purpose of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. The DPC explained that this provision automatically implies actual involvement of the Gardaí or an intention to involve them. The DPC noted that in this case no criminal prosecutions took place and the employee was not interviewed by the Gardaí.
- An employee lodged a complaint with the DPC with regard to non-compliance by her employer with a data access request. The employer claimed that an Internal Accident Report was covered by legal privilege in contemplation of a personal injury claim and therefore would not be forwarded to the employee as part of the data access request. The DPC insisted that it be released, and stated clearly that, as it is standard procedure for an accident report to be produced by an employer in the days immediately following a workplace accident, legal privilege does not apply to these documents.
For more information on data protection legislation, please refer to Chapter 3, 'Data Protection' in the Personnel, Policies and Procedures - the Law in Perspective manual.
