Data Protection & Compliance Update

Staff Monitoring

Peppe Santoro Thursday 7 October 2010

Introduction

General principles still apply• Fair obtaining and processing• One or more specified, explicit and lawful purposes • Use and disclose only in compatible ways • Keep secure• Keep accurate, complete and up to date• Adequate, relevant, not excessive• Keep for no longer than necessary• Give a copy to data subject on request

Privacy and consent in the employment context

Guidance notes

Case Studies

CCTV and other recording

Legitimate (security, safety, anti-fraud, compliance verification) vs. illegitimate (inappropriate location, improper ancillary uses) purposes

Expansion of CCTV usage in the UK – an Irish vista

Covert vs. overt recording – when is covert recording acceptable?

Private use of CCTV

Biometrics

Types of biometric data (fingerprints, retinal scans, face recognition, others).

Unencrypted data, encrypted data and partial data

Uses of biometric data• Access control• Time management

Proportionality

Security aspects

Vehicle tracking

• Not apparently personal data but almost always involves personal data by association

• Typical primary purposes of vehicle tracking systems

• Fair collection and primary and secondary purposes

• Non-work-related usage

Surveillance outside the workplace

• Generally problematic

• Other applicable laws (fraud, anti-stalking and similar, human rights)

• Necessity and proportionality a difficulty in almost all cases

• Significant practical compliance issues (HP case)

• Criminal issues/Garda involvement

Telecommunications monitoring

• Other applicable laws (telecommunications, specific data protection regime, criminal aspect)

• Purposes of monitoring – mandatory compliance, recording of obligations, customer service, training

• Work vs. private communications

• Human rights and practical realities

Case Studies

• CCTV

• Biometrics

• Other case studies

• Practical experience of a trusted advisor

Five key points to remember

1. Irish laws generally permissive of staff monitoring provided it’s done properly

2. Incomplete or improper deployment of monitoring systems will result in them failing to achieve their objectives

3. Beware additional legislation (eg telecommunications laws)

4. Consider privacy impact statements as part of planning and deployment

5. Consider available guidance and precedent

Thank you

Peppe Santoro, Commercial PartnerEversheds O’Donnell Sweeney

One Earlsfort CentreEarlsfort Terrace

Dublin 2+353 1 6644200

psantoro@eversheds.iewww.linkedin.com/in/psantoro

www.eversheds.ie