Irish Data Protection Commission Issues Guidance for Employers

It’s been five years since the introduction of the General Data Protection Regulations (GDPR), and HR and in-house legal teams are all too aware of the challenges that it can bring in the workplace context, whether that is disgruntled employees submitting subject access requests or difficulties in introducing new HR systems, diversity monitoring or employee monitoring.

It’s clear from the recent annual report of the Irish Data Protection Commission (DPC) that employee complaints around the GDPR continue to increase (for more information and key takeaways for employers see our article here). Helpfully for employers, the DPC has recently issued two guidance notes that will assist employers in navigating the tricky compliance issues that can arise when processing personal data in the workplace context:

• Data Protection in the Workplace: Employer Guidance; and
  
• Subject Access Requests: A Data Controller’s Guide.

Data Protection in the Workplace: Employer Guidance

In the UK, the Information Commissioner’s Office has always produced clear and helpful guidance for employers on their obligations when processing employee personal data in the workplace. The DPC had previously stated in annual reports that it intended to issue specific guidance for Irish employers, and it has finally been published. This guidance note is specifically aimed at assisting employers as data controllers regarding their data processing obligations and duties when processing the personal data of their employees, former employees and prospective employees - so not one employers should ignore!

Of particular interest to employers will be the sections dealing with employee emails, purpose limitation, occupational health matters, employee monitoring and the case studies set out in the guidance. We focus on these specific topics in turn below.

1. Employee emails

Emails containing work product

The guidance note examines what might be considered personal data in the workplace context and, as part of this analysis, it looks at the thorny issue of employee emails. The guidance specifically states that this is an area the DPC receives a large number of queries on and notes that this is often in the context of an employee making a subject access request. Helpfully, the guidance concludes that although an individual’s name is clearly their personal data, it’s unlikely that the content of an email signed off by someone in their professional or work capacity constitutes their personal data. This is of critical importance to employers as very often large amounts of ‘work product’ emails will come up in subject access request search results. Many employers have generally sought to exclude pure ‘work product’ from the results provided to employees, but this guidance now makes it clear that this approach is seen as reasonable by the DPC. However, the guidance does state that employers must still examine the content of the email to ascertain if the content could be considered personal data. So, while this is helpful, it doesn’t reduce the amount of effort an employer must go to when looking at emails as part of a subject access request.

Email addresses

On the topic of work email addresses, the guidance note gives the example of john@abc.ie versus johnsmith@abc.ie. As expected, the guidance is that john@abc.ie may or may not be personal data and the context is key. If there are lots of Johns working in the organisation, then it is less likely the employee is personally identifiable from the email address. Where the full name is included in the email address this is more likely to be personal data as they are clearly identifiable. Again, employers will still need to consider the content of the email to see if it contains personal data pertaining to the individual who has made the request.

Outlook calendar and job description

The fact that the guidance specifically deals with this topic indicates that it is one the DPC regularly receives complaints about. The guidance has provided a case study to demonstrate how employers should approach calendar entries and job descriptions:

An employee made a complaint to the DPC as they were dissatisfied they had not been provided with a copy of their personnel file or a copy of their job description when they made a subject access request to their employer. The employer advised they had previously provided the employee with a copy of their personnel file and said that a copy of their job description would not be provided as it did not contain their personal data. The employee also sought data from their Outlook calendar as part of their subject access request. The employee believed that this data related to organised events relating to work and due to their involvement the data was personal. The employer stated to the DPC that the details of meetings in the data subject’s outlook calendar would not be provided as this information is work related and is not about the data subject. The DPC was satisfied that the job description and outlook calendar do not fall under the remit of personal data as defined in Article 4(1) of the GDPR.

This case study likely came before the DPC as part of its amicable resolution procedure in dealing with disputes and will be a very helpful example for employers to rely on when deciding not to provide such information on the basis of a subject access request. It also demonstrates a sensible and pragmatic approach on the part of the DPC.

2. Purpose Limitation

Purpose limitation in the employment context

As expected, the guidance reiterates the general GDPR principles around transparency and lawfulness of processing which apply in the employment context as they do in any other processing of personal data situation. The guidance also looks at purpose limitation in the employment context and reinforces that personal data should only be used for the purposes for which it was originally collected and as were made clear to the employee. Another interesting case study is used to demonstrate how the DPC approaches this, again in the employment context:

In a matter where a complaint was made to the DPC in relation to the use of car park and building access data that had been used by a manager to verify employee’s time and attendance record, an employer stated the company car park and building access data was collected for security purposes and for the purposes of verifying time. The employer also stated that attendance in the building was a security concern. The DPC deemed such processing incompatible further processing, as the employees had not been informed that such data would be used to verify their time and attendance. The DPC informed the employer of this and highlighted that it was concerning regardless of the proposed lawful bases relied upon. The DPC recommended the employer consider an alternative way to verify time and attendance. In addition to this the employer was required to update their record retention policy to include car park and building access data and provide staff training on the GDPR.

This is an issue that often arises for employers. It’s clear from this case study that employers need to be careful not to use easy workarounds with employee personal data just because it’s available. The privacy notice will be crucial here but it’s also likely that use of personal data in this manner could be considered too intrusive by the DPC for certain employer purposes.

Lawful Basis, Legitimate Interests and the Importance of a DPIA

Another case study included in the guidance serves as a good reminder for employers that legitimate interests can be a difficult lawful basis to stand over and is not always the solution for processing that falls outside standard employee personal data processing. It also highlights that employees are entitled to a general expectation of privacy in their workplace.

The case study focusses on a complaint by an employee that their employer had printed out and circulated emails from their personal email account. The employer argued that initially they did not realise it was a personal email account but that in any event they had a legitimate interest in processing the personal emails. The DPC found this processing infringed the employee’s rights and that the legitimate interests of the employer had to be balanced with the employee’s interests and rights.

While the full background of the case is not included in the case study, it’s easy to see how this situation could arise in the context of an investigation, for example where an employee is accused of having misappropriated confidential information. This again highlights the importance of a clear privacy notice as well as the fact that each situation must be carefully weighed up where seeking to rely on an employer’s legitimate interests for processing.

The guidance also makes clear that employers have to consider what is actually necessary when collecting and processing personal data and must look at less intrusive ways of achieving the same aims. The DPC recommends a Data Protection Impact Assessment (DPIA) approach by employers when considering legitimate interests as the lawful basis for processing employee personal data. This conflict of interest often arises in the employment context particularly around employee monitoring. If your organisation is considering implementing employee monitoring (particularly intrusive monitoring) a DPIA is a must. The guidance explicitly states ‘should a complaint be received by the DPC from an employee and the employer has relied upon this legal basis for the processing of personal data, the DPC will request sight of the DPIA’. So, no excuse for not having a DPIA!

3. Occupational Health

The DPC guidance refers to occupational health as being underpinned by the Safety, Health and Welfare at Work Act 2005 and the general duties employers have in ensuring the health and safety of their employees. It specifically refers to section 23 of that legislation which provides that an employer can require an employee to undergo a medical assessment of fitness to work. No surprises here but actually very helpful in explaining to employees that their employer can require them to attend occupational health without requiring their consent. This is a query often raised by employees.

The guidance on this point goes on to refer to there being several lawful bases that an employer may rely on in the occupational health context when processing employee health data and includes another helpful case study. The case study refers to a situation where an employee was dissatisfied with the processing of their health and special category data by a third party (a HR investigator). The employer argued that they had a lawful basis to process the data in that they were complying with a legal obligation and that the processing was necessary for the purposes of carrying out their obligations and exercising specific rights in the field of employment and social security and social protection law. They therefore argued that they had both an Article 6 and an Article 9 basis for the processing. The DPC was satisfied with this but did recommend that the employer inform their employees that they rely on those lawful bases in their data protection policies.

The key takeaway here is that the DPC recognises there can be a lawful basis to process this type of personal data, but employers need to make sure this is clearly set out to employees in their privacy notices and data protection policies.

4. Employee Monitoring

It couldn’t be a guidance note on data protection in the workplace without a reference to employee monitoring. In this context, the DPC already has extensive guidance available on both the use of CCTV and vehicle tracking. However, this guidance goes on to provide useful information on monitoring of computer networks, internet and email by employers, which is of course critical to employers in protecting their business interests. The DPC guidance recognises this need for protection but states that this must be balanced with employee rights under the GDPR and the European Convention on Human Rights.

The guidance also considers ‘keystroke monitoring’ or ‘tattleware’ and notes that this type of monitoring is extremely intrusive. Of particular note is the statement ‘If an employer wants to install covert software, by way of keystroke logging, “tattleware” or other monitoring software programmes on an employee’s PC or laptop to investigate possible misconduct, or to monitor an employee’s activity when working or working from home, it should be borne in mind that the use of recording mechanisms to obtain data without an individual's knowledge is generally unlawful’. The guidance sets out all the principles that employers should take into account, particularly where the monitoring is relatively intrusive but the key takeaway for employers is that monitoring has to be proportionate, limited and not excessive.

If your organisation is considering implementing or changing any employee monitoring, we recommend you carry out a DPIA and have an acceptable usage policy in place that corresponds with your privacy notice so that employees are clear what monitoring might take place and on what basis.

Another key takeaway from the guidance is considering if your organisation can achieve the same results or protection with less intrusive measures. The less intrusive measures an organisation has considered before implementing employee monitoring should be detailed in a DPIA explaining why they won’t achieve the same results.

Employers should continue to proceed with caution when looking to monitor employees particularly in respect of covert monitoring which the DPC states should be ‘avoided where at all possible and is normally only permitted on a case by case basis where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders’. Acceptable usage policies and clear signposts to employees on monitoring will be key in defending any future employee complaints.

5. Case Studies

As previously highlighted in our articles in data protection in the workplace, the case studies published by the DPC are a really useful resource for employers in understanding how the DPC will likely approach specific employee complaints and this guidance note closes out with some further case studies. Most of these focus on CCTV, but one looks at the retention of employee personal data.

The complaint at issue related to an employee contacting a member of staff on their personal private number (having obtained this number from the staff members’ personal Facebook page). This incident was recorded on the employer’s risk register and the employee sought erasure of the incident report. The employer relied on both Articles 17(3)(b) and 17(3)(e) of the GDPR, namely that under Safety, Health and Welfare legislation they were obliged to keep a risk register as an employer and “for the establishment, exercise or defence of legal claims”, including any possible claim the contacted staff member might make against the employer. The DPC did not disagree with this but recommended that the employer informs employees of the retention period for such incident reports in the future. This highlights the importance of a clear retention policy that is communicated to employees.

The full guidance note, including all the case studies, is available here.

Conclusion

As can be seen from the above, the DPC is live to the specific data protection issues that can arise in the workplace context. It’s crucial that as part of an employer’s compliance framework they take this most recent guidance into account. While the guidance is helpful for employers in certain respects, it’s also clear that there remains a significant obligation on employers to consider their GDPR obligations carefully when processing employee data. The various case studies included by the DPC in this guidance make it clear that, where an employer has properly considered the processing, taken into account and balanced employees’ rights and properly documented their decision-making process, it’s less likely that the DPC will find that employers have infringed the GDPR. This is in line with the accountability principles enshrined in the GDPR. So, still lots of food for thought for employers after five years of the GDPR!

Our second article will consider the DPC’s guidance on handling subject access requests and the takeaways for employers.

For more information on this, or any other data protection or employment law matters in Ireland, please contact the Lewis Silkin team.