Employment Case Law – Data Protection
Each month we review a number of interesting employment law cases and consider their implications for organisations. This month we are focusing on the area of redundancy, including alternatives to redundancy and associated case studies.
A significant amount of information related to Employees is created and gathered during the employment relationship. Information retained may include details of the recruitment process followed to hire an Employee, the written statement of terms and conditions of employment provided on hiring the person, records of pay including holiday pay and public holiday benefits, any information relating to disciplinary situations, grievances and documentation related to workplace investigations, as well as documentation related to Employee benefits, agreements to deductions from pay and so forth.
It is important to be aware that all information held by an Employer related to an Employee must be stored, processed and maintained in accordance with the Data Protection Acts, 1988 and 2003. Furthermore, Organisations holding public information may be subject to the further requirements of the Freedom of Information Acts, 1997 and 2003.
The following legislation should be considered when looking at Data Protection:
The purpose of the Freedom of Information Acts is to establish the right of members of the public to obtain access to official information held relating to them by government departments and certain other Organisations which are funded by the state. The Acts do not apply to the majority of private enterprises.
The Acts were established to ensure that decisions taken by public bodies would be open to public scrutiny, and to allow those affected by these decisions to know the criteria used in taking those decisions. The Acts also establish that every individual has the right to know what information is held in government records about him or her subject to certain exemptions.
Data Protection Principles
The Data Protection Acts set out to establish certain principles which must be adhered to in relation to personal data. A number of these include:
1. Data must be fairly obtained and processed
In order to demonstrate that personal information was fairly obtained and processed the following requirements must be fulfilled:
2. Retain information for the specified purposes only
Information should only be retained for the reasons that were specified to the Employee when the information was initially collected, unless a further agreement has been reached. The reason for keeping information must be lawful.
3. Keep the information safe and secure
In assessing “appropriate” security measures, the Employer should consider the security measures that may be taken, and review these regularly in line with technological advancements. Consideration must be taken as to the level of security that may be provided and the costs associated with this. The greater the financial resources of an Organisation, the greater the amount it would be expected to invest in securing personal data held.
Consideration should also be had for the harm that may arise from unlawful processing, and there is a greater duty of care with regard to sensitive personal information. An Employer is expected to ensure that Employees who handle personal data are trained in the security measures that are in place to protect it.
CCTV
Under Data Protection legislation CCTV cameras may be used in the workplace. However, the data controller (the Employer) must satisfy the Data Protection Principles in that regard. In order to satisfy the fair collection principle, it is necessary that those people whose images are captured on camera are informed about the identity of the data controller and the purpose(s) of processing data. Therefore, in the context of the workplace, it is necessary that signs confirming use of CCTV cameras are placed in prominent positions and are easily legible.
Case 1 – Covert Surveillance of Employees (Patricia Heffernan versus Dunnes Stores)
This case relates to covert surveillance undertaken by the Respondent Organisation in relation to suspected misuse of the Organisations value club scheme. Following an audit of the system anomalies were identified in relation to use of club cards in one particular store, where the Claimant worked. The Store Manager was given a card number and asked to investigate. From CCTV footage the Claimant was identified as working on the terminal when excessive use of the clubcard was being carried out. It was 5 weeks before the Store Manager and HR Manager were in a position to meet with the Claimant.
In May 2009 the Store Manager met the Claimant and told her he had been investigating value club transactions and asked her to attend a meeting about 20 minutes later. The Claimant was presented with stills on different dates and the Claimant did not deny that she was working on those particular dates. On conclusion of the meeting she was suspended with pay, and asked to attend a further meeting on 28th May. The Store Manager felt that due to a breach of trust and believed he had no option but to terminate the Claimant’s employment with immediate effect.
The Claimant had no idea what the purposes of the further meeting on the 28th of May was in relation to and advised that Customers always gave her permission to accept their points and it had never occurred to her she was doing anything wrong in accepting these points. The Claimant advised she was fully aware of other staff members doing this. The Claimant appealed the decision to dismiss, and was not invited to attend an appeal hearing.
The Tribunal found that the Organisation, having discovered irregular use of a card, had conducted a covert operation involving CCTV footage studies and analysis of till receipts. The Tribunal found that it was open to the Organisation at this point to alert Employees that inappropriate use of value club cards would not be condoned and remind Employee of the Handbook statements in this regard. The Tribunal found that dismissal for gross misconduct was not an appropriate and proportionate response in all the circumstances. The Tribunal found the Claimant was unfairly dismissed and awarded her €24,000 and €2,190, being the equivalent of 6 weeks’ notice.
This case highlights to Organisations the importance of following fair procedures whilst operating surveillance of Employees. The Tribunal in this case found it unfair that the Organisation allowed the process to continue without reminding Employees of the policy. Organisations must ensure that Employees are aware of unacceptable practices and not continue to monitor Employees without highlighting these.
Case 2 - Monitoring of Employees (James O’Connor versus Galen Ltd.)
This case relates to an Organisation using covert methods of surveillance in order to monitor an Employee whilst he was out of the office for work purposes.
Poor sales performance was the trigger for the Organisation to proceed with an investigation and it was decided to take a closer look at the activities of the Claimant. A tracking device was installed on the Claimant’s vehicle in spring 2008, which he was not made aware of.
The Respondent was concerned with what the tracking device was recording, in contrast to what the Claimant was submitting on his expense reports. At no time during the surveillance was the Claimant informed of this monitoring. In addition, the Claimant’s expense reports were accepted and approved for payment. The Respondent invited the Claimant to a disciplinary meeting in November 2008.
The meeting occurred in January 2009, and was adjourned a number of times for breaks and consideration, and the Respondent advised the Claimant, 15 minutes following the final adjournment, that he was being summarily dismissed for fraudulent claims of expenses. The total monetary fraud the Claimant committed against the Respondent amounted to €10.80. The Claimant appealed the decision to dismiss, and the original decision to dismiss was upheld. The Claimant advised the Tribunal that he was casual about filling in his expense reports, and this was done retrospectively, and as it turned out, not very accurately. The Claimant maintained this was done in error.
The Tribunal found the dismissal to be procedurally unfair, in particular, the use of surveillance equipment without the Claimant’s knowledge.
This case highlights the importance for Organisations to have policies in place and to be open and transparent when using methods of monitoring Employees. Surveillance of Employees at work falls under Data Protection legislation, so Organisations must be cognisant of this when implementing methods in order to carry out monitoring of Employees.
A significant amount of information related to Employees is created and gathered during the employment relationship. Information retained may include details of the recruitment process followed to hire an Employee, the written statement of terms and conditions of employment provided on hiring the person, records of pay including holiday pay and public holiday benefits, any information relating to disciplinary situations, grievances and documentation related to workplace investigations, as well as documentation related to Employee benefits, agreements to deductions from pay and so forth.
It is important to be aware that all information held by an Employer related to an Employee must be stored, processed and maintained in accordance with the Data Protection Acts, 1988 and 2003. Furthermore, Organisations holding public information may be subject to the further requirements of the Freedom of Information Acts, 1997 and 2003.
The following legislation should be considered when looking at Data Protection:
- Data Protection Acts, 1988 and 2003- set out the principles of data protection, which establish requirements in relation to the holding, use and disclosure of personal data.
- Freedom of Information Acts, 1997 and 2003-establish the right of members of the public to obtain access to official information held relating to them by government departments, and certain other Organisations which are funded by the state.
The purpose of the Freedom of Information Acts is to establish the right of members of the public to obtain access to official information held relating to them by government departments and certain other Organisations which are funded by the state. The Acts do not apply to the majority of private enterprises.
The Acts were established to ensure that decisions taken by public bodies would be open to public scrutiny, and to allow those affected by these decisions to know the criteria used in taking those decisions. The Acts also establish that every individual has the right to know what information is held in government records about him or her subject to certain exemptions.
Data Protection Principles
The Data Protection Acts set out to establish certain principles which must be adhered to in relation to personal data. A number of these include:
1. Data must be fairly obtained and processed
In order to demonstrate that personal information was fairly obtained and processed the following requirements must be fulfilled:
- The Employee should know to whom they are disclosing their personal information.
- The Employee should be aware of the purpose for which the information is being collected.
- The Employee should be advised of any persons or classes of persons to whom the information may be disclosed.
2. Retain information for the specified purposes only
Information should only be retained for the reasons that were specified to the Employee when the information was initially collected, unless a further agreement has been reached. The reason for keeping information must be lawful.
3. Keep the information safe and secure
In assessing “appropriate” security measures, the Employer should consider the security measures that may be taken, and review these regularly in line with technological advancements. Consideration must be taken as to the level of security that may be provided and the costs associated with this. The greater the financial resources of an Organisation, the greater the amount it would be expected to invest in securing personal data held.
Consideration should also be had for the harm that may arise from unlawful processing, and there is a greater duty of care with regard to sensitive personal information. An Employer is expected to ensure that Employees who handle personal data are trained in the security measures that are in place to protect it.
CCTV
Under Data Protection legislation CCTV cameras may be used in the workplace. However, the data controller (the Employer) must satisfy the Data Protection Principles in that regard. In order to satisfy the fair collection principle, it is necessary that those people whose images are captured on camera are informed about the identity of the data controller and the purpose(s) of processing data. Therefore, in the context of the workplace, it is necessary that signs confirming use of CCTV cameras are placed in prominent positions and are easily legible.
Case 1 – Covert Surveillance of Employees (Patricia Heffernan versus Dunnes Stores)
This case relates to covert surveillance undertaken by the Respondent Organisation in relation to suspected misuse of the Organisations value club scheme. Following an audit of the system anomalies were identified in relation to use of club cards in one particular store, where the Claimant worked. The Store Manager was given a card number and asked to investigate. From CCTV footage the Claimant was identified as working on the terminal when excessive use of the clubcard was being carried out. It was 5 weeks before the Store Manager and HR Manager were in a position to meet with the Claimant.
In May 2009 the Store Manager met the Claimant and told her he had been investigating value club transactions and asked her to attend a meeting about 20 minutes later. The Claimant was presented with stills on different dates and the Claimant did not deny that she was working on those particular dates. On conclusion of the meeting she was suspended with pay, and asked to attend a further meeting on 28th May. The Store Manager felt that due to a breach of trust and believed he had no option but to terminate the Claimant’s employment with immediate effect.
The Claimant had no idea what the purposes of the further meeting on the 28th of May was in relation to and advised that Customers always gave her permission to accept their points and it had never occurred to her she was doing anything wrong in accepting these points. The Claimant advised she was fully aware of other staff members doing this. The Claimant appealed the decision to dismiss, and was not invited to attend an appeal hearing.
The Tribunal found that the Organisation, having discovered irregular use of a card, had conducted a covert operation involving CCTV footage studies and analysis of till receipts. The Tribunal found that it was open to the Organisation at this point to alert Employees that inappropriate use of value club cards would not be condoned and remind Employee of the Handbook statements in this regard. The Tribunal found that dismissal for gross misconduct was not an appropriate and proportionate response in all the circumstances. The Tribunal found the Claimant was unfairly dismissed and awarded her €24,000 and €2,190, being the equivalent of 6 weeks’ notice.
This case highlights to Organisations the importance of following fair procedures whilst operating surveillance of Employees. The Tribunal in this case found it unfair that the Organisation allowed the process to continue without reminding Employees of the policy. Organisations must ensure that Employees are aware of unacceptable practices and not continue to monitor Employees without highlighting these.
Case 2 - Monitoring of Employees (James O’Connor versus Galen Ltd.)
This case relates to an Organisation using covert methods of surveillance in order to monitor an Employee whilst he was out of the office for work purposes.
Poor sales performance was the trigger for the Organisation to proceed with an investigation and it was decided to take a closer look at the activities of the Claimant. A tracking device was installed on the Claimant’s vehicle in spring 2008, which he was not made aware of.
The Respondent was concerned with what the tracking device was recording, in contrast to what the Claimant was submitting on his expense reports. At no time during the surveillance was the Claimant informed of this monitoring. In addition, the Claimant’s expense reports were accepted and approved for payment. The Respondent invited the Claimant to a disciplinary meeting in November 2008.
The meeting occurred in January 2009, and was adjourned a number of times for breaks and consideration, and the Respondent advised the Claimant, 15 minutes following the final adjournment, that he was being summarily dismissed for fraudulent claims of expenses. The total monetary fraud the Claimant committed against the Respondent amounted to €10.80. The Claimant appealed the decision to dismiss, and the original decision to dismiss was upheld. The Claimant advised the Tribunal that he was casual about filling in his expense reports, and this was done retrospectively, and as it turned out, not very accurately. The Claimant maintained this was done in error.
The Tribunal found the dismissal to be procedurally unfair, in particular, the use of surveillance equipment without the Claimant’s knowledge.
This case highlights the importance for Organisations to have policies in place and to be open and transparent when using methods of monitoring Employees. Surveillance of Employees at work falls under Data Protection legislation, so Organisations must be cognisant of this when implementing methods in order to carry out monitoring of Employees.