Data protection: The prying game

Recent incidents of data protection failings, notably on the part of government departments, coupled with the monitoring of individuals by public authorities, such as Poole council’s military-style surveillance operation to discover if a family lived in the catchment area for a particular school, have led to increased public concern about the issue of privacy.

Employees’ right to privacy is enshrined in article 8 of the Human Rights Act 1998 (HRA). However, there are methods by which employers can monitor workers’ activities and the law provides the tools to do so: the HRA, the Data Protection Act 1998 (DPA), the Regulation of Investigatory Powers Act 2000 and the Information Commissioner’s Employment Practices Code, among others, provide the legislative framework that allow employers to monitor employees and access personal data.

But it’s important to remember that any monitoring needs to be legal, reasonable, proportionate and justifiable. In the workplace the first port of call in many disciplinary investigations should be the CCTV manager to ensure images of an incident have been captured and retained. An organisation’s CCTV policy, and notification to privacy watchdog the Information Commissioners Office (ICO), should outline the CCTV system’s intended purpose – “for the prevention and detection of crime”. Therefore evidence should be related to instances of crime such as theft and fraud. However, if the images are used to obtain information on employees outside of this stated purpose, for example to ascertain whether they are coming to work on time or whether they are taking too long on smoking breaks, then this may be a breach of the second principle of the DPA: that data should not be used for purposes other than that for which it was intended.

Similarly it is common to obtain company phone records when investigating internal malpractice or fraud. Although these records may provide data relating to a specific line and an identified employee, the call log may also provide details of who was called from that line, and it may also be used by others in the workplace, for example a contracted security officer, to make check calls to his control room. Therefore the information gleaned from phone records may pertain to the company, the individual and the security company, with both incoming and outgoing calls containing information related to private lives and relationships. Companies therefore must be aware of this fact and ensure any data is treated accordingly within the parameters of the DPA and article eight of the HRA.

In the workplace the first port of call in many disciplinary investigations should be the CCTV manager to ensure images of an incident have been captured and retained

Use of databases such as Companies House records, the electoral roll, land registry, and private companies, such as Experian and Equifax, is common when conducting due diligence or when checking potential employee references. Although data from these formal sources evidently needs to be processed in line with DPA principles, care has to be taken with less formal data collation.

For example, a transport company troubled by repeated instances of graffiti, may want to identify the perpetrators to seek civil remedy. To facilitate this, the company sets ups a database to record incidents, including specifics on the “tags” and “signatures” of those responsible for the graffiti.

Although the identities of the offenders are not known when the details are entered into the register, the information is processed to identify the culprits. The inclusion of tag details related to an “identifiable” individual and the information in the register is personal data and the processing is thereby subject to the data protection principles.

Privacy issues can be complex and while most companies believe they have appropriate measures in place, they should ensure their working practices could withstand scrutiny by the ICO, employment tribunal or courts, and that the privacy of employees and the public are safeguarded.