Data Protection Commission Annual Report – takeaways for employers

The report always provides important insights for employers on workplace GDPR issues and the 2022 report is no different. It was published in March 2023 and provides a summary of the DPC’s activities over 2022 and highlights emerging themes from the complaints and investigations the DPC has dealt with over the year. The report demonstrates the critical role the DPC plays in GDPR compliance not only at home, but across Europe, with two thirds of all fines issued by data protection authorities across the EU, EEA and the UK in 2022 issued by the DPC.

The report sets out various statistics on the activities of the DPC in 2022 which included;

• Dealing with 21,230 electronic contacts, 6,855 phone calls and 1,118 postal contacts;
• Processing 9,370 new cases (a decrease of 14% on the new cases received in 2021);
• Concluding 10,008 cases (interestingly only 3,133 of these cases required formal complaint handling processes which reinforces how important the amicable dispute resolution process continues to be for the DPC);
• Processing 5,828 breach notifications (the number of notifications received was down 12% from 2021).

While the report includes detailed information on the statutory inquiries and other valuable work carried out by the DPC, in this article we focus on the topics and guidance that we think are most relevant for employers, specifically in the areas of data breaches, subject access requests and data subject complaints. We have also summarised some of the more notable case studies that might be of interest to employers. 

Data breaches

It’s interesting to see a reduction in data breach notifications to the DPC in 2022 and perhaps this is indicative of a complacency amongst people in identifying data breaches. As has been the trend in previous years, the highest category of data breach notifications in 2022 related to unauthorised disclosures (affecting one or small numbers of individuals in 62% of cases). This is a key area for employers to monitor and control as very often we see breach notifications arising where, for example, human error has resulted in pay details or personal employee information being saved accidently into locations where it can be accessed by the wider employee population. Emails being sent to the incorrect email recipient also continues to be a major source of breach notifications, with over 1,000 of such breaches notified to the DPC in 2022.

The report sets out in detail the administrative fines confirmed by the DPC for GDPR breaches and the extent of some of these certainly make for interesting reading for employers.  A trend of poor operational practices and human error continues to underpin most data breach issues for organisations. In one example, a consultancy provider was issued a reprimand by the DPC when they sent an unencrypted USB device containing personal data to the Personal Injuries Assessment Board (PIAB), despite being expressly told by PIAB that it should not be sent the information. The USB key was lost in the posting process with PIAB only receiving a ripped envelope.

This, and other examples outlined in the report, highlight the crucial importance of ongoing training of individuals in the workplace with access to employee and customer personal data and the need to continually review processes to identify any gaps in operational practices.

Data Subject Access Requests (DSARs)

As in previous years, DSARs continue to be a major source of data subject complaints, representing 42% of the total complaints received by the DPC in 2022. This will likely be no surprise to employers as it remains one of the major data protection challenges in the workplace setting. DSARs are not just time-consuming and burdensome, they are often used as a tool by employees who are in dispute with their employers to seek information and, in some cases, to simply create a nuisance for employers and to leverage greater severance and settlement packages.

Towards the end of 2022, the DPC issued detailed guidance to controllers in respect of handling DSARs which employers should carefully review and consider. These guidelines very much align with the more recent guidelines issued by the European Data Protection Board (EDBP) on responding to DSARs. Both sets of guidelines reflect the extremely high standard employers will be held to in their handling of employee DSARs. Thankfully, in its report, the DPC make it clear that it will continue to endeavour to use the amicable resolution process (available to it under the Data Protection Act 2018) to try and resolve such disputes and we continue to see this utilised regularly in practice.

An interesting pre-GDPR DSAR complaint, which was the subject of a Court of Appeal order in 2022, is detailed in the DPC’s annual report. In this case, the employee (Ms. Nowak) had appealed the decision of the DPC in respect of a DSAR she had lodged with her employer. Her complaint was that her employer had failed to fully comply with her DSAR and had not responded within the relevant time frame. The DPC found that her employer had complied with the DSAR but that the response was late. Ms. Nowak appealed this decision to the Circuit Court who upheld the DPC’s decision. The High Court also upheld the DPC’s decision, and the matter ended up before the Court of Appeal. Ms. Nowak was unsuccessful in her appeal and the Court of Appeal noted that she had not identified any relevant point of law which would put the appeal properly before the Court. While this litigation related to the DPC’s handling of her complaint, it demonstrates to employers just how far DSAR issues can potentially go given the complaint was lodged in December 2016.

Other employee DSAR related litigation that is still before the courts is also referenced in the report. For example, an appeal on a point of law has been lodged by an employee (Ms. Scott) to the High Court in respect of her employer’s assertion of legal professional privilege over certain information in response to her DSAR. The DPC agreed with the employer’s submissions on why certain information was subject to privilege and Ms. Scott appealed that decision, and the decision of the Circuit Court which agreed with the DPC, to the High Court.

DSAR related complaints and litigation is only likely to continue and so employers should ensure they have robust DSAR processes in place to ensure they are properly addressed and to minimise the risk of challenge.

Unlawful Processing

Another interesting case highlighted in the report related to an unlawful processing complaint in respect of an employer’s use of CCTV. This decision has received much media attention and is an important one for employers to be aware of when relying on CCTV footage in a workplace disciplinary process.

In the original complaint, the employee, Mr. Doolin, claimed that his employer’s use of CCTV images in a disciplinary procedure was unlawful processing. The DPC found that the personal data processed by the employer had not been used in a manner that was incompatible with the purpose for which it was originally collected. The matter ultimately ended up before the Court of Appeal who agreed with the High Court decision that the DPC’s analysis of the situation was not correct and found that the data being processed for disciplinary purposes was not compatible with the purposes for which it was initially collected (which was for security reasons).

The high level takeaway for employers from this Court of Appeal decision is to ensure their employee privacy notices and CCTV policies are clear that CCTV may be used for investigative and disciplinary purposes if they intend to rely on CCTV in a disciplinary process. This should be double checked by investigators before using it as evidence in any workplace investigation.

Case Studies

The DPC annual report always includes helpful case studies providing useful insight into the approach taken by the DPC to complaints. We’ve read the case studies, so you don’t have to! Some key points of interest for employers are:

• The DPC, in one case study, highlighted that DSARs are not about access to all documents per se and made it clear that DSARs may be fulfilled by providing the data subject with a full summary of their data in an intelligible form. The form in which it is supplied must be sufficient to allow the data subject to become aware of the personal data being processed and to check the data is accurate and being processed lawfully. In this case study, the data controller contended that the documents were not provided as the personal data had been provided ‘in another format’. The DPC found that this was sufficient and that the data subject was not entitled to specific documents he had requested. While this case study is helpful, it is important for employers to bear in mind that, in the employment context, it’s more likely that providing certain documents could be required as it may be more difficult for an employee data subject to be able to exercise their rights in the same way as a customer receiving a response in this format.
• Use of CCTV continues to present challenges. In one of the case studies, a golf club had reviewed CCTV footage to see who had removed a particular Covid-19 safety sign. The complainant lodged a complaint with the DPC about their CCTV images being used as part of the investigation by the golf club into the incident and complained that the way his personal data was processed was not proportionate or transparent. The amicable resolution process resulted in the golf club agreeing to audit its use of the CCTV system and to restrict access to review the footage to designated staff members. Again, this case study highlights the importance for employers in having transparent CCTV policies in place and being careful in how those images are used in investigations.
• Several case studies in the report demonstrate the importance of having a strong rationale when exercising any exemptions in response to employee DSARs and to document that decision making process. While the case studies were not workplace related, they do make it clear that, when dealing with a DSAR complaint, the DPC will closely interrogate any decision by an employer/data controller to withhold personal data. The DPC makes it clear that it expects data controllers to be able to provide detailed responses to questions around any DSAR exemptions they have applied when responding to a DSAR. Each document/category of document/personal data withheld will likely be closely examined by the DPC in the event of a complaint to ensure the exemptions (such as legal privilege and opinion given in confidence) have been properly applied. The DPC has clearly reiterated in the report that any restrictions relied on by data controllers in response to DSARs will be strictly construed and must ‘respect the essence of the fundamental rights and freedoms of individuals’.

Conclusion

As outlined above, the report highlights key compliance areas for employers (and all data controllers) that the DPC has encountered in 2022. As expected, DSARs are still a significant source of complaints to the DPC and this reflects the trend we are seeing whereby employee DSARs are continuing to increase. As we are now five years since GDPR obligations came into force, employers will find it difficult to defend themselves before the DPC if they fail to comply with their obligations and don’t have the necessary safe-guarding processes and compliance frameworks in place.  Perhaps given the five year anniversary of GDPR, it’s an opportune time for your organisation to review and refresh its GDPR compliance when it comes to employee personal data?

A full copy of the report is available here

For more information on this or any other data protection or employment law matters in Ireland please contact the Lewis Silkin team.