Tricky issues with use of employee data

Helen Farr
Helen Farr

Employers cannot manage the employment relationship without using their employees’ data. Data is used by employers on a daily basis for a variety of tasks ranging from monitoring sickness absence, administering benefits to paying salary using payroll.

To process this data lawfully most employers rely on provisions in the employment contract authorising them to do so.‎ However, employers need to be aware that simply including a provision in a contract may not be enough if the employer is using a specific class of data; sensitive personal data.

Sensitive personal data includes data about an employee’s health, sexuality, diversity and political beliefs. To use this data lawfully employers need the employee’s express consent to do so.

Problems can arise for employers in a number of situations where they need to use sensitive personal data.

A common problem area is when a referral ‎is made to a company’s occupational health team for an opinion and prognosis on an employee’s health problems. There are two main components to occupational health records: transferable information and the confidential clinical record. Transferable information is information that is generally accessible by the employer, the employee and enforcing bodies like the HSE – it includes information about accidents at work, monitoring data and exposure to hazards. The confidential clinical record is specific to the employee and his or her health during employment. This is sensitive personal data.

‎When the referral is made to Occupational Health it must be made with the employee’s consent. However, relying on consent may not be enough to protect the employer from a claim.

Employers must ensure that when they make a request for a medical report from Occupational Health the request is focussed and limited to the purposes for which consent is obtained.

They also need to make sure that any medical information provided to Occupational Health is focused. It is common practice for HR practitioners making the referral to send all sickness records they have about the employee. But what if the employee has suffered various health problems over the years, including conditions that the employee would not necessarily want his or her line manager or the wider business to know about? If the Occupational Health report refers to these historical conditions there could be claims by the disgruntled employee.

The consent that has been obtained is unlikely to be enough to protect the employer from a claim. Potential claims include a breach of the employee’s right to privacy and breach of the Data Protection Act. The issue could also lead to claims of discrimination. Therefore employers should not complacently rely on the consent received when requesting a report but must properly consider the ‎particular purposes for which the report is needed.

Our experience is most businesses do not send a copy of the Occupational Health referral to the employee. Best practice must be to do so. This will avoid any potential problem when the employee reads a report containing lots of historical medical information ; it makes it difficult for them to claim they did not agree to it being referred to.

Another potential problem area is the use of sensitive personal data about an employee’s sexual orientation. Many large employers have relationship at work policies obliging their employees to disclose information about romantic relationships with work colleagues. Of course this policy applies to same sex relationships.

Again the problem employers often omit to consider is how that information is used. The business justification for disclosure of a relationship with a work colleague is to enable the employer to ensure that the parties to the relationship do not either benefit or suffer because of it. Sometimes employers post information about the existence of a relationship with a colleague on their intranet.

What the policy authors overlook is that the employer needs express consent to process information about sexuality which of course this is. Therefore posting such information on the company’s intranet, unless the employee expressly consents to this, will be a clear breach of the Data Protection Act. There may also be claims for discrimination if the employee suffers less favourable treatment following publication of the information.

Employers therefore need to take care when relying on policies that allow them to use data. If the data concerned is sensitive personal data reliance on the policy is not enough to protect them from claims.

 

Helen Farr is a Partner in the HR Law team at Fox Williams LLP and can be contacted at HFarr@foxwilliams.com.

Advertisements

Court of Appeal rules on subject access request in favour of data subjects

Laura Monro
Laura Monro

Back in November 2015 we reported that the High Court decision in Dawson-Damer v Taylor Wessing brought cautious optimism for data controllers when the judge refused to make an order for compliance with three subject access requests (see https://idatalaw.com/2015/11/24/high-court-decision-brings-cautious-optimism-for-data-controllers/). However, the Court of Appeal has taken a different approach, overturning the High Court decision and ordering compliance by Taylor Wessing, the data controller, with the subject access requests.

In its decision the Court of Appeal focused on the following three key issues:

The extent of the legal professional privilege exception

One of the family members was involved in litigation in the Bahamas with Taylor Wessing’s client which was the Bahamian trustee of the family’s trust fund. Taylor Wessing did not comply with the subject access requests, claiming to be entitled to the exemption for legal professional privilege. The High Court decided that all documents in respect of which the trustee would be entitled to resist disclosure under the ongoing litigation in the Bahamas would be protected by the legal professional privilege exception under English law.

However, the Court of Appeal took a more narrow view, finding that the legal professional privilege exception:

  1. applies only to documents which are protected by legal professional privilege under English law, and does not extend to systems of law outside the UK; and
  2. does not extend to documents which are the subject of non-disclosure rules, in this case the applicable rules being the trustee’s right of non-disclosure.

Whether any further search would involve “disproportionate effort”

The Data Protection Act provides that a data controller must supply the data subject with a copy of the information requested under a subject access request unless the supply of such information “is not possible or would involve disproportionate effort”.

Although the High Court concluded that it was not reasonable or proportionate for Taylor Wessing to carry out searches to determine if any particular document was covered by privilege, the Court of Appeal disagreed.

 The Court of Appeal stated that Taylor Wessing must produce evidence to show what it has done to identify the material and to work out a plan of action. It found that further compliance with the subject access requests would not involve disproportionate effort by Taylor Wessing, and that disproportionate effort must involve more than an assertion that it is too difficult to search through voluminous papers.

Whether the judge would have been entitled to refuse to exercise his discretion in favour of the data subjects because their motive was to use the information in legal proceedings against the trustees

The Court of Appeal held that the High Court judge was wrong not to enforce the subject access requests despite the motive of the data subjects.

Neither the Data Protection Act nor the ICO’s subject access code of practice provides that data subjects have to inform the data controller of their reason for making the subject access request, or what they intend to do with the information requested. There is no “no other purpose” rule which would allow a data controller to refuse to respond to a subject access request if the data subject proposes to use the information obtained for a purpose other than verifying or correcting the personal data held about them.

It follows that the intention of the data subject to use the personal data for the purpose of litigation proceedings cannot be used by a data controller to avoid complying with a subject access request.

The decision of the Court of Appeal finds in favour of the data subjects and serves as a warning to data controllers that significant effort may be needed in responding to subject access requests. Data controllers should also bear in mind that following the implementation of the GDPR in May 2018 there will be less time to comply with subject access requests – the GDPR requires that information must be provided without delay and at the latest within one month of receipt rather than the current 40 days. It is prudent for data controllers to be reviewing their policies and procedures now to ensure that they will be able to comply with the GDPR once it comes into force.

Laura Monro is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at lmonro@foxwilliams.com

Take Subject Access Requests Seriously

Daniel Geller
Daniel Geller

The ICO’s recent fine for a data breach at a GP surgery in Hertfordshire was the direct result of a subject access request (“SAR”) that had gone wrong.

The surgery revealed confidential details about a patient to an estranged ex-partner because there were insufficient systems in place for staff to deal with SARs.

Subject access is a fundamental right of individuals under the Data Protection Act, enabling individuals to find out what personal data you hold about them, why you hold it and who you share it with is fundamental to good information-handling practice. This right, commonly known as subject access, is set out in section 7 of the DPA. Individuals may exercise the right by making a written subject access request, or SAR.

Aside from a £40,000 fine this case caused huge damage to the organisation’s reputation. Such a significant and high profile data breach could have been avoided had suitable internal measures been put in place.  No matter the size of the organisation, if you hold personal data, most organisations will have to respond to a SAR at some point.

Dealing with SARs involving third party data

As evidenced by the GP surgery, responding to a SAR may involve providing information that relates both to the requester and another individual.  Under the DPA you will not have to comply with the SAR if to do so would mean disclosing information about another individual who can be identified from that information except where:

  1. the other individual has consented to the disclosure; or
  2. it is reasonable in all the circumstances to comply with the request without that individual’s consent.

So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights in respect of their own personal data. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway. You should make decisions about disclosing third-party information on a case-by-case basis. It is not advisable to apply a blanket policy of withholding it.

For the avoidance of doubt, you cannot refuse to provide subject access to personal data about an individual simply because you obtained that data from a third party. The rules about third party data apply only to personal data which includes both information about the individual who is the subject of the request and information about someone else.

ICO figures show that 46% of all complaints made to the ICO last year were about SARs and the difficulties people face when trying to get hold of their personal information.  This is a substantial figure and highlights that – however inconvenient – SARs should not be taken lightly by companies.

It is important to make sure staff are equipped to deal with SARs. The ICO has provided some helpful guidance as to best practice with dealing with SARs, alternatively for more information on this subject feel free to contact a member of the Fox Williams idatalaw team.

 

Daniel Geller  is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at dgeller@foxwilliams.com

An Inside Job?

Audrey Williams
Audrey Williams

Last month a disgruntled Citibank employee was sentenced to 21 months in a Texan prison after he issued commands which left 90% of all Citibank branch offices without network or phone access. In court, the employee admitted “They [were] firing me. I just beat them to it… the upper management need to see what they guys on the floor [are] capable of doing when they keep getting mistreated…

Businesses are alive to external cyber attacks but as this example highlights, problems may be lurking closer to home. ‘Insider threats’ may be one of the biggest and least reported risks facing businesses today. A malicious employee can wreak havoc on an operating system at the touch of a button. Insiders can expose confidential information, violate data protection rules, compromise trade secrets and severely damage reputations, not to mention the impact on the bottom line.

Whilst most businesses would prefer to keep such things under wraps to avoid the bad press the problem is very real. In January this year, GlaxoSmithKline was reported to have been ‘attacked’ when two of their own scientists allegedly hacked into the system and stole confidential cancer research to sell on. According to the 2015 ‘Vormetric Insider Threat Report’[1] 89% of global respondents felt their business was now more at risk from an insider attack with 34% saying they felt “very or extremely vulnerable”. Businesses must be on the front foot to combat both opportunistic and premeditated attacks.

The Aftermath

If a similar situation to Citibank occurred in the UK, the individual would be prosecuted under the Computer Misuse Act 1990. Where individuals are found guilty of “unauthorised access to computer material” (as in the Citibank example) or worse, accesses a computer illicitly with the intent to steal and sell on hacked data (as in the GlaxoSmithKline example), the individual risks a prison sentence of between 2 and 10 years depending on the severity of the charge. In addition, if an individual is found guilty of personal data theft under the Data Protection Act 1998, he will be liable to a fine of up to £500,000.

The consequences for the business are wide ranging as is the action that can be taken. The regulatory ramifications of data theft were highlighted in the recent case of Axon where the court stated that an employer may be vicariously liable for a data breach caused by a rogue employee. Moreover, if a company suffers an attack of this nature, they may be liable to their customers or suppliers for (1) breach of an express or implied term that personal data would be stored securely and/or (2) negligence, in failing to take reasonable security precautions storing customer information.

Data protection regulation is being taken increasingly seriously under the new General Data Protection Regulation (GDPR) which is set to come into force in May 2018. Fines will be increased to up to €20 million or 4% of global turnover, whichever is greater. The amount will depend on the type of company and the scale of the breach. Furthermore, whilst it is currently not obligatory to notify the ICO of a data breach, the GDPR makes it mandatory to notify the ICO within 72 hours.

As the examples of Citibank, GlaxoSmithKline and even the NSA in the case of Edward Snowdon reveal, even the most secure of organisations are vulnerable to such attacks. Businesses have the tools and more of a responsibility to tackle insider threats than outside attacks over which they have no control.

Tackling the Threat

Prevention is always better than cure. Access to highly sensitive information should be limited, documents encrypted and passwords and access rights made use of. Recognising and neutralising ‘at-risk’ insiders before they reach crisis point is key. Precautions may include background checks for new starters, robust IT and Data Protection policies and comprehensive risk management procedures.

A support team comprising senior management, HR, IT and legal advisors who can identify trigger events (redundancies or a change of ownership) and high risk individuals (employees under notice to leave) should be ready to take action without creating a culture of distrust. If an individual is under notice period of termination, IT should monitor the employee’s access to the server to ensure confidential information is not sent to a personal account always assuming there is the appropriate monitoring power in the IT Policy. Robust confidentiality clauses should be included in all employment contracts to clearly identify and protect confidential information. Remedies for breach of confidentially include an application to the high court for injunctive relief or a civil claim for breach of contract. Finally, training your workforce on their security responsibilities will get them ‘on side’ and hopefully empower them to form the business’s strongest line of defence against both outside and inside jobs.

Audrey Williams is a Partner in the HR law team at Fox Williams LLP and can be contacted at Amwilliams@foxwilliams.com

Privacy in the Workplace?

Audrey Williams
Audrey Williams

Personal relationships at work are often a source of concern and some confusion for employers. Should it be accepted as part of the reality of modern workplaces? Or should employers recognise that such relationships have an impact on the working environment and thus adopt the position that it is legitimate to intervene when it comes to light? This is not so much on the basis of moral indignation but to protect work colleagues, where resentment or worse feelings may arise and the potential risk of a relationship breaking down.

When a relationship is suspected how far can an employer investigate, accessing personal emails for example? Or is there an obligation to respect employees’ privacy?

When things go sour

A recent Appeal Tribunal case shows just how difficult such situations can become and illustrates the balance expected between the right to privacy and legitimate intervention. In Garamukanwa v Solent NHS Trust problems arose after G’s relationship with a staff nurse ended and he began to suspect her of starting a relationship with another member of staff. He sent both of them emails, threatening to inform their manager if they did not and a letter was also sent anonymously to the manager alleging an inappropriate sexual relationship, which was denied.

An unpleasant campaign then began using fake accounts, Facebook and more anonymous emails. The staff nurse complained to the police who investigated the matter but brought no charges.

This then left matters to the Trust to deal with and conduct their own investigation. The police provided the investigating officer in the Trust with photos from G’s mobile, others found at his home, and information including a notebook. G was dismissed for gross misconduct for sending malicious emails, relying on the evidence supplied by the police.

Unfair and invasion of privacy?

In the subsequent claim for unfair dismissal G accused the Trust of breaching his Article 8 right to privacy by relying on issues to do with his private life. The Tribunal was very clear that the circumstances here were impacting on the employment relationship and work matters; that being the case, the Trust was entitled to rely upon the evidence, investigate and address concerns especially given the fact:

• emails were being circulated using work addresses;
• the issues and allegations raised concerned the work environment and relationships; and
• was impacting on other employees.

The EAT agreed rejecting G’s argument that there was a distinction between the police using private emails and the Trust – or that the Trust should have distinguished between the public emails sent to Trust employees and his private information ( the notebook and photographic evidence).

Limits to privacy in work

The EAT reiterated that whilst the material might have been private, it was G who by his actions had brought personal matters and the personal relationship into the workplace. Even though some of the earlier emails to the staff nurse had been sent to her personal email address, because she had raised a complaint about them and G, he could not expect the employer not to address the concerns raised.

The passing of evidence seized from G to the employer is surprising here and an employer would be well advised to treat such information with caution. However, what is clear from this case is that where personal issues and private relationships begin to impact the work environment, privacy rights are likely to come second especially where other individuals are facing consequences.

The writer has experience of many cases where evidence from personal devices and work equipment has been accessed and produced as part of an investigation, and in a range of content (videos, security footage, text messages). This case emphasises the need to weigh carefully the relevance and ability to make use of such evidence, and the personal rights of individuals in the workplace.

Audrey Williams is a Partner in the HR law team at Fox Williams LLP

Amwilliams@foxwilliams.com