Privacy Policies
Privacy Policy
The employer’s privacy policy should be set out in the employee handbook. An employer may take steps to protect its business in the context of internet use and e-mail. The reasons and rationale for the policy should be described. The policy must be kept up-to-date. It must be reviewed and amended from time to time as required.
Permitted e-mail and internet use should be defined. The terms on which an employee may use the internet at work or over the employer’s IT system should be set out. It should specify the type of material that cannot be viewed. The required data security measures on the part of the employee should be specified. The employer’s right to full access to “work” e-mails should be confirmed.
The privacy policy should set out whether the employee is entitled to have or use a personal e-mail account at work and / or whether he is permitted to use the employer’s IT system for private use. It may be preferable that the employee be allowed to use his personal e-mail account at work in some cases, in order to protect the employer’s interests. This may facilitate less intrusive monitoring.
The right, if any of the employer to have access to “personal” e-mails on the employer’s IT system, should be set out. Any monitoring policies in respect of possible misuse should be set out. The particulars of data retention should be set out.
Procedural Aspects
The procedures for and consequences of a breach of the privacy policy on the part of the employee should be specified. If disciplinary issues arise in relation to the misuse of internet and e-mail use, then ordinary fair procedures are required. Standard grievance and disciplinary procedural requirements should apply.
The procedures should provide that employees are notified of breaches of the use and privacy policy. They must be given the opportunity to respond and make representations. Those representations must be taken into account before a decision is made on any disciplinary steps.
If an employee is to be dismissed on account of misuse, this may not be fair, unless the policy specifically provides that the dismissal or an equivalent disciplinary step is specified as a likely consequence. A dismissal involving the inconsistent treatment of employees in the same circumstances may be unfair.
Job Applications
Issues of confidentiality arise in the context of job applications. Where CVs have been sent containing personal information, there are likely to be express or implied limitations as to whom, they may be disseminated. In a number of cases, complaints have been upheld by the Data Protection Commissioner where referees were contacted without consent and where CVs were circulated more widely than permitted.
The issue of data protection arises in the context of references. A person owes a duty of care in giving a reference. The duty owed to both the employee and recipient. The duty may arise unless excluded to the recipient of the reference. The employer must not give an unfair or misleading reference to the detriment of the employee concerned.
Medical reports and examinations by the employer for the purpose of employment require strict consent. Matter of health may constitute sensitive personal data, which is subject to more rigorous.
Monitoring Communications
The use of e-mail raises significant issues for employers and employees. This sending of e-mails in the employer’s name may affect the employer’s good name and reputation. An employee may defame another or incur legal liability for an employer by means of the use or misuse of e-mail.
The monitoring of e-mail which relates to core work matters will usually be legitimate. Where the use of e-mail is part of the provision of the business services, monitoring and review will usually be legitimate and appropriate.
Any monitoring of e-mail, to the extent that it is permissible under the circumstances at all, must be for a legitimate purpose and must be necessary. It must be no more intrusive than strictly necessary for that purpose. If any means of securing the same objective is available which is less intrusive, it should be used
Where an employer has not given a warning or published a policy regarding the monitoring of workplace e-mails and telephones, the commencement of such a practice may constitute a breach of the employee’s rights. The requirements must be set out in sufficiently clear terms in advance, in order to give the employee adequate indication of the circumstances and conditions in which such measures might be taken.
Personal Mail
EU Directives and domestic legislation require the maintenance of the confidentiality of communications by means of public communication networks and publicly available electronic communication system. In particular, they prohibit listening, tapping and other types of interception and surveillance of communication and related traffic data, by third parties, without the consent of the user.
The monitoring of personal employee e-mails should occur only exceptionally. Where necessary and unavoidable, the monitoring of personal e-mails must be proportionate, relative to the objective which it seeks to achieve. It may be legitimate and necessary to for an employer to monitor e-mails which may impact on the employer’s reputation and risk employer liability.
Where permissible on the basis of strict necessity, the commencement of monitoring of personal emails must be clearly announced in advance, in order to give the employee adequate indication of the circumstances and conditions in which such measures might be taken. It must be no more extensive than necessary.
Employers should use means other than the direct monitoring of the employee’s personal e-mails, in so far as possible. Measures such as appropriate firewalls are preferable to the monitoring of e-mails.
Surveillance
Closed circuit surveillance raises privacy and data protection issues. The same principles as set out above apply. It must be strictly necessary and the data recorded is subject to the same principles as other personal data.
The use of the system must be transparent. Employees should be warned of the presence of cameras and the use of the footage collected. The undisclosed installation of cameras will be rarely justifiable. It must be strictly and objectively necessary, and there must be no alternative. Where footage is taken for one reason (as with any other compilation of data) its use for another purpose may be unlawful.
Alcohol and drug monitoring may be employed, only where it is strictly necessary. It may be possible in some cases to justify such monitoring by reason of the risk of employer liability or a substantial health and safety risk.
The circumstances must be such that employer has an interest in ensuring that an employee under the influence of drugs or alcohol does not pose a threat to themselves or to others. Whether this is permissible will depend on the nature of the employment. Periodic testing may be legitimate only where it is strictly necessary for the health and safety or the employee and other employees.
Justifying Monitoring
There may be circumstances and cases in which the employer has a legitimate interest in monitoring. Where the employee is in a position such as to risk incurring employer liability (e.g. for defamation) or adversely affecting the employer’s vital interests, then it may be appropriate. Monitoring may be necessary in order prevent fraud and theft. Accordingly, CCTV systems will be usually permissible in retail premises.
The monitoring should be transparent, and the employee should be aware of it. There must be express communication of the monitoring policy and proposals in advance. It is recommended that an employer should enter into consultations with the employees or their representatives before implementing a monitoring policy.
The use of monitoring technology for performance management is more controversial and must be strictly justified. There must be a legitimate and demonstrable benefit. A monitoring system must be strictly necessary and proportionate. It must be fair and transparent to employees.
The monitoring of an employee’s e-mail or Internet use is appropriate in exceptional circumstances only. Other methods of supervision, which are less intrusive on privacy should be considered, where at all possible.
Data Protection Issues
The requirements of the Data Protection Act must be complied with in respect of monitoring and surveillance. They must be completely transparent. Personal images and other data recorded on a CCTV system is subject to the legislation. The information acquired is likely to be personal data. Further data protection issues arise in respect of monitoring, where third parties interact with the employee.
There must be an accessible, clear and accurate statement of the policy in relation to e-mail monitoring and use. It must state the extent to which electronic facilities may be used for personal and private communication. It should set out the reasons and purposes of any surveillance. Details of the surveillance measures taken should be specified in full.
The data processing must be fair. It must be necessary in order to protect the employer from real threats or real harm. It must be proportionate.
Higher standards apply to the acquisition and processing of sensitive personal data. See the sections on data protection in relation to sensitive personal data. The processing of sensitive data may constitute discrimination under the Employment Equality Act. Sensitive data coincides with several of the prohibited grounds, on which discrimination is prohibited.
References and Sources
Primary References
Employment Law Meenan 2014 Ch.24
Employment Law Supplement Meenan 2016
Employment Law Regan & Murphy 2009 ( 2nd Ed 2017) Ch. 13
Employment Law in Ireland Cox & Ryan 2009 Ch 15
Practical Guide to Data Protection Law in Ireland 2003 A& L Goodbody
Data Protection: a Practical Guide to Irish & EU Law 2010 Carey
Privacy & Data Protection Law in Ireland 2015 2nd Ed Kelleher
Data Protection Law in Ireland: Sources & Issues 2016 2nd Ed Lamber
Other Irish Books
Employment Law Forde & Byrne 2009
Principles of Irish Employment Law Daly & Doherty 2010
Statutes
Data Protection Act 1988
Data Protection (Amendment) Act 2003
Legislation
Dismissal & Redundancy Consolidated Legislation Barrett, G 2007
Irish Employment legislation (Looseleaf) Kerr 1999-
Employment Rights Legislation (IEL offprint) Kerr 2006
UK Texts
Textbook on Employment Law, Honeyball, et al. 13th Ed. 2014
Labour Law, Deakin and Morris 5th Ed. 2012
Employment Law, Smith and Wood 13th Ed 2017
Selwyn’s law of Employment Emir A 19 Ed. 2016
Employment law : the essentials. Lewis D Sargeant M and Schwab M 11 Ed.2011
Labour Law Collins H, Ewing K D and McColgan 2012
Industrial relations law reports. (IRLR): Law Section,
Employment law Benny R Jefferson M and Sargent 5th Ed. 2012
Pitt’s Employment Law 10th Ed. Gwyneth Pitt 2016
CLP Legal Practice Guides: Employment Law 2016 Gillian Phillips, Karen Scott
Cases and Materials on Employment Law 10th Ed. Richard Painter, Ann E. M. Holmes 2015
Blackstone’s Statutes on Employment Law 2015 – 2016 Richard Kidner
Drafting Employment Contracts 3rd Ed. Gillian Howard 2017
The Contract of Employment Edited by Mark Freedland, Alan Bogg, David Cabrelli, Hugh Collins, Nicola Countouris, A.C.L. Davies, Simon Deakin, Jeremias Prassl 2016
UK Practitioner Services
Tolley’s Employment Handbook 2017 Mrs Justice Slade 2017
Butterworths Employment Law Handbook 2017 Peter Wallington 2017
Blackstone’s Employment Law Practice 2017 Edited by Gavin Mansfield, John Bowers, John Macmillan 2017