privacy & data protection: staff monitoring
DESCRIPTION
Presentation given at Legal-Island seminar in Dublin, Ireland on 07 October 2010. Accompanied by detailed notes which are available from the author on request.TRANSCRIPT
Data Protection & Compliance Update
Staff Monitoring
Peppe Santoro Thursday 7 October 2010
Introduction
General principles still apply• Fair obtaining and processing• One or more specified, explicit and lawful purposes • Use and disclose only in compatible ways • Keep secure• Keep accurate, complete and up to date• Adequate, relevant, not excessive• Keep for no longer than necessary• Give a copy to data subject on request
Privacy and consent in the employment context
Guidance notes
Case Studies
CCTV and other recording
Legitimate (security, safety, anti-fraud, compliance verification) vs. illegitimate (inappropriate location, improper ancillary uses) purposes
Expansion of CCTV usage in the UK – an Irish vista
Covert vs. overt recording – when is covert recording acceptable?
Private use of CCTV
Biometrics
Types of biometric data (fingerprints, retinal scans, face recognition, others).
Unencrypted data, encrypted data and partial data
Uses of biometric data• Access control• Time management
Proportionality
Security aspects
Vehicle tracking
• Not apparently personal data but almost always involves personal data by association
• Typical primary purposes of vehicle tracking systems
• Fair collection and primary and secondary purposes
• Non-work-related usage
Surveillance outside the workplace
• Generally problematic
• Other applicable laws (fraud, anti-stalking and similar, human rights)
• Necessity and proportionality a difficulty in almost all cases
• Significant practical compliance issues (HP case)
• Criminal issues/Garda involvement
Telecommunications monitoring
• Other applicable laws (telecommunications, specific data protection regime, criminal aspect)
• Purposes of monitoring – mandatory compliance, recording of obligations, customer service, training
• Work vs. private communications
• Human rights and practical realities
Case Studies
• CCTV
• Biometrics
• Other case studies
• Practical experience of a trusted advisor
Five key points to remember
1. Irish laws generally permissive of staff monitoring provided it’s done properly
2. Incomplete or improper deployment of monitoring systems will result in them failing to achieve their objectives
3. Beware additional legislation (eg telecommunications laws)
4. Consider privacy impact statements as part of planning and deployment
5. Consider available guidance and precedent
Thank you
Peppe Santoro, Commercial PartnerEversheds O’Donnell Sweeney
One Earlsfort CentreEarlsfort Terrace
Dublin 2+353 1 6644200
[email protected]/in/psantoro
www.eversheds.ie