Skip to content

Cracking the code

first_img Comments are closed. The draft Data Protection Code, which purports to offer employers guidanceon managing employee’s records, has so far caused more confusion than clarity.Linda Farrell and Alison Hollingsworth take at look at the most likelyscenarios where the code may apply and offer some practical solutionsCCTVC Limited has sustained a series of break-ins recently and has lost asubstantial amount of new computer equipment. The MD suspects that it is aninside job. As access to the premises has been gained through the frontentrance and a skylight on the third floor, the MD arranges for concealed CCTVcameras to be installed in the reception area and also in the open plan officeson the third floor. On reviewing the footage one morning, the MD is surprisedto find a recording of his secretary and the office manager in a somewhat compromisingposition. LF comments The Data Protection Commissioner has issued a code of practice dealing withCCTV in public areas (which could include the reception area in this case ifthe public has largely unrestricted access). A draft code has also been issuedcovering the use of personal data in the workplace, which contains guidance onthe use of various types of surveillance techniques to monitor compliance withemployment contracts. Both codes make it clear that covert monitoring can only be justified invery limited circumstances, for example where use of signage would be likely toprejudice the prevention or detection of crime. In this case, as specificcriminal activity has already been identified and the involvement of employeesis suspected, it is likely that C Limited will be able to justify covertmonitoring for a short period, but this should be restricted to out of officehours when the offences have occurred. CCTV monitoring for the detection of crime will amount to the processing ofsensitive personal data and must be justified by reference to one of theconditions in schedule 2 of the Data Protection Act and one in schedule 3. Inthis case, for schedule 2, C Limited can argue that the processing is necessaryfor the purposes of its legitimate interests, and for schedule 3 that it isnecessary for the prevention/ detection of crime (SI 2000/417). However, as thecameras were sited for the purpose of detecting crime, use of the imagesshowing the amorous antics of the two members of staff for another purpose, forexample, disciplinary proceedings, would not be justified unless the evidencereveals criminal activity or gross misconduct. Access to personal dataJohn has been dismissed by M Limited. A settlement was reached but thecircumstances of his departure were less than amicable and it is well knownthat he and his manager had not seen eye to eye for some time. Over the nextfew months references are provided to other companies to whom John applies forwork. After six months, John is still out of work but has twice received offersonly to have those offers withdrawn for no obvious reason. He becomes highlysuspicious that his former manager may have provided bad references. John sendsan email to the company secretary of M Limited in which he asks to see allrecords that the company holds about him, including any e-mails that exist andany references that have been given about him to prospective employers since heleft. AH comments Under the Data Protection Act, John has the right to make a written requestfor access to personal data held about him. The information requested must besupplied promptly and, in any event, within 40 days of the request beingreceived. However, this does not necessarily mean that John can see all thepersonal data that the company holds about him. The company is not required to supply copies of the information if it wouldinvolve a disproportionate effort to do so. Further, where the request wouldresult in the disclosure of information relating to another individual (forexample, identifying John’s manager as the source of the information), thecompany may not be able to comply, unless the manager’s identity can be removedfrom the documents, or he has consented, or it is reasonable to disclose theinformation without consent. In assessing reasonableness, the company shouldtake account of any duty of confidentiality owed to John’s manager (forexample, if any comments were made by him on the understanding that they wouldremain confidential). John is not entitled to see any references given by the company. However, hemight be able to obtain these by making a subject access request of therecipients of the references. Pre-employment vettingBob has applied for a job with a young offenders’ institution. He has successfullycompleted the interview process, but his prospective employer now intends tocarry out pre-employment vetting, including collecting information about Bob’sfamily members and close associates, before making a firm job offer. AH comments Pre-employment vetting is by its nature an intrusive process, since itinvolves seeking information about Bob from a range of third-party sources. Itshould only be carried out in circumstances where it can be justified, such ashere where security is an issue, and should only take place at this stage, whenthe decision to appoint has been taken. The reason for carrying out the vetting is to reduce the potential risks tothe institution, and so the checks should be proportionate to those risks,taking into account the seniority of the post for which Bob has applied. Bobshould be informed of the range of sources, the nature and the extent of theinformation to be sought and should be asked for his consent to the informationbeing provided by the third parties. The institution is not entitled to pursuea general “fishing expedition” – it should only seek information fromsources which are likely to have information relevant to the decision whetheror not to employ Bob. So, for example, it may need to find out about Bob’s family and friends orassociates in order to make sure, so far as possible, that they do not have anycriminal connections which might cause Bob to compromise the security of theinstitution. Information about criminal convictions or prosecutions relating to Bob’sfamily or friends will be sensitive personal data, so it will be necessary forthe institution to ensure that one of the conditions for the processing of suchdata is satisfied. If the explicit consent of the individuals cannot be obtainedthen the institution may need to rely on one of the other conditions in, forinstance, schedule 3, that the processing is necessary for the institution toexercise its statutory duties. Internet misuseX Limited is experiencing problems with its employees’ use of the Internetand e-mail system. It has become aware of pornographic material beingcirculated among employees, emanating from both inside and outside the company.Some employees are believed to be spending a considerable amount of time on theInternet during working hours, visiting leisure sites and chatrooms. X Limitedhas a basic Internet policy which permits reasonable private use of theinternet outside normal working hours. It is proposing to install new softwarethat will enable it to monitor e-mail and Internet use. LF comments In October 2000 The Lawful Business Practice Regulations came into force,permitting employers to monitor and record communications in certaincircumstances without the consent of their employees (although an employer isrequired to make all reasonable efforts to inform users of the system – whichmay include external contacts – that interception may take place). Theregulations legitimise conduct that would otherwise be unlawful under theRegulation of Investigatory Powers Act 2000. Under these regulations, X Limitedis permitted to monitor its employees’ Internet use for the purpose of theinvestigation or detection of unauthorised use of its computer systems. X Limited must also ensure that it complies with the Data Protection Act,which requires that the processing of personal data must be justified.Employers should preferably obtain their employees’ consent to the monitoringprocess. If the consent route is not taken, they may be able to argue thatmonitoring is necessary for their legitimate interests. The draft Code ofPractice on the use of personal data by employers, states that any monitoringshould operate in such a way that it does not intrude unnecessarily onemployees’ privacy. The code also states that employers should identify the specific businesspurposes for which monitoring is to be introduced at the outset and wherepossible should enforce the policy by technical means rather than monitoringbehaviour. If this is not practicable, the least intrusive method of monitoringshould be adopted. The code emphasises that monitoring should be proportionateto the mischief it is designed to detect and that covert monitoring will onlybe justified in very limited circumstances, that is where specific criminalactivity has been identified and disclosure of the monitoring is likely tohinder detection. X Limited should also regularly review its Internet and email policy toensure that it complies with current legislation and that it is enforceable inpractice. Linda Farrell is a partner and Alison Hollingsworth an associate atBristows Related posts:No related photos. Previous Article Next Article Cracking the codeOn 1 Mar 2001 in Personnel Todaylast_img

Comments are closed.

Leave a Reply

Your email address will not be published. Required fields are marked *