Oliver Brettle London. Employee Monitoring in the UK and Generally: Concerns Beyond the EU Data Protection Directive

Transcription

1 Oliver Brettle London Employee Monitoring in the UK and Generally: Concerns Beyond the EU Data Protection Directive 6 th Annual Privacy Law Symposium April 27, 2006

2 The Focus Part I an overview on data protection Part II case studies applying the UK s Data Protection Act 1998 health records and monitoring employee monitoring April 27,

3 Part I Overview of the DPA 1998

4 The Data Protection Act 1998 (1) Application jurisdiction which employers? what type of information? what form of information? what type of action? April 27,

5 The Data Protection Act 1998 (2) The eight data protection principles for personal data fairly and lawfully processed obtained for specific and lawful purposes and in compliance with those purposes adequate, relevant and not excessive accurate and up to date kept no longer than necessary processed in accordance with data subject s rights subject to appropriate protections not to be transferred outside EEA without adequate protection (this principle does not apply in all situations) April 27,

6 Processing Personal Data Personal data is either sensitive or non-sensitive The processing of sensitive personal data has extra conditions to be satisfied As many US employers have found it is not just enough to comply with the specific data laws when you have the data an employer has to collect the data in the correct way in the first place The roles of works councils, trade unions and individual employment contracts April 27,

7 The Fair Processing Requirements The fair processing requirements are to be met in addition to meeting one of the non-sensitive conditions (and one of the sensitive conditions, if appropriate) Employer must communicate fact processing personal data purposes of the processing any other relevant information Employee not misled as to nature and purpose of processing satisfy one of the non-sensitive conditions Remember in the UK the Employment Data Protection Code! This helps the employer in complying with the DPA and helps to prevent enforcement action April 27,

8 Enforcement Rights Right of access of a data subject to personal data Must notify the Information Commissioner Request for assessment Information notice Enforcement notice Criminal sanctions Also consider the effect of collection of the data not being in accordance with local laws eg admissibility as evidence, breach of employment rights, industrial relations, works council relations April 27,

9 Part II Case Studies

10 Case Study 1 An employer maintains health records for all employees on its personnel files. Such records include a record of absence and a record of the type of illness or injury causing the absence of the employee in each case. The employer also wishes to have the ability to monitor whether employees on long-term sick leave are genuinely ill/injured. How can the employer do this in compliance with the DPA? April 27,

11 Case Study 1 Health Records and Monitoring (1) Sensitive personal data absence records sickness/injury records Maintaining health records fair and lawful processing sensitive personal data, therefore performing a legal right/obligation; or explicit consent separation of records April 27,

12 Case Study 1 Health Records and Monitoring (2) Monitoring sickness absence doctors reports explicit consent The UK s Access to Medical Reports Acts express contractual clauses implied contractual duties the role of works councils and others April 27,

13 Case Study 2 An employer wishes to monitor employee use of its and Internet systems and introduce a covert CCTV system in certain parts of the workplace. It has no particular suspicions of employee misbehaviour but would like to be in a position to know of any potential problems as soon as they arise. How can the employer put such monitoring systems into place without contravening the DPA? April 27,

14 Case Study 2 Employee Monitoring (1) All monitoring is processing The right to respect for private and family life Impact assessment and internet CCTV Covert monitoring April 27,

15 Case Study 2 Employee Monitoring (2) Documentation and training communications policy standards of use of systems expected training employees and managers April 27,

16 Case Study 2 Employee Monitoring (3) Action points impact assessment the least intrusive method inform employees of any monitoring communications policy destroy data inadvertently uncovered April 27,

17 Case Study 2 - Employee Monitoring (4) Employer to check all policies comply with the data protection policy , internet, telephone policies standards of use expected how and to what extent monitored the purpose of monitoring disciplinary and grievance policies sickness absence Employer to check all other is legislation complied with April 27,

18 Worldwide. For Our Clients. White & Case, a New York State registered limited liability partnership, is engaged in the practice of law directly and through entities compliant with regulations regarding the practice 6of th law ANNUAL in the countries PRIVACY and jurisdictions LAW in SYMPOSIUM which we have offices. April 27,