Knowledge is Power: How Data Protection Rules Impact on the Security Industry
Oisín Tobin, Senior Associate, Mason Hayes & Curran
Information can be a key security asset. However, it can also give rise to legal challenges, particularly under data protection law. This article considers some of the recent developments in this space.
Many multinational companies based in Ireland seek to ensure effective internal security by conducting background screening of potential employees.
While such background screening is common in the US, it can give rise to some challenges in Ireland. The lack of a centralised and publicly available criminal record check function in Ireland (save for limited circumstances where Garda vetting is possible) can lead to employers finding novel methods of screening prospective employees.
The Data Protection Commissioner (“DPC”) has, in the past, criticised certain background screening practices. Given the lack of a criminal record check function in Ireland, some employers have taken to requiring that candidates make a “subject access request” to the Gardaí so as to obtain a copy of their police file (if any) and then provide that to the prospective employer. While this practice is not explicitly prohibited by data protection law (since the specific section outlawing this practice has never gone into force), the DPC has suggested that it is incompatible with the general data protection principles and is consequently unlawful.
Engagement of Investigators
The use of private investigators to look into the affairs of certain individuals, often in the context of a business or financial dispute, has recently come under scrutiny by the DPC. Care needs to be taken to ensure that such investigations, or other surveillance, are conducted lawfully and do not infringe the privacy and data protection rights of the person under investigation.
The DPC is applying a zero-tolerance approach to private investigators who breach data protection laws. In the past few years there have been a number of successful prosecutions against insurance companies that used investigators to obtain non-public social welfare information. Additionally, the impending prosecution of Michael Gaynor, a private investigator from Kildare, for alleged breaches of data protection laws is evidence of the willingness of the DPC to take an aggressive approach when dealing with private investigators.
All contracts between an investigator and their client need to contain certain provisions dealing with the security of the information obtained by the investigator. Additionally, an investigator needs to consider the period for which they can retain their file following the conclusion of the investigation.
The contents of private investigators’ reports can be commercially sensitive and one is unlikely to want to share such reports with the person under investigation. However, we have seen an increasing trend of individuals making “subject access requests” against clients who commission such reports (particularly financial institutions).
In Case Study 13 of the 2011 DPC Annual Report, the DPC responded to a complaint by a former employee of HSG Zander Ireland Ltd (“HSG”). In this case HSG refused to disclose a security report compiled by a private investigator for HSG, citing litigation privilege. However, following correspondence with the DPC on this matter, HSG decided to release the report to the former employee.
This case is indicative of the tough line taken by the DPC on this point. The DPC has directed that, as a general principle, where a subject access request is made, the contents of investigators’ reports should be disclosed to the person under investigation. This state of affairs needs to be considered and addressed by investigators, as the reports they prepare into incidents and individuals may very well need to be turned over to the person under investigation.
Remote surveillance plays a key role in ensuring the security of assets and employees. However, to the extent that identifiable individuals appear in CCTV images, those images may be “personal data” and protected by the Data Protection Acts. Consequently, security professionals need to have regard to data protection considerations when designing and operating CCTV surveillance systems.
The transparency principle in the Data Protection Acts requires that the purpose of CCTV surveillance be disclosed to employees. In particular, if cameras are being used for staff monitoring, this fact must be drawn to the employees’ attention. Similarly, hidden cameras should generally not be used unless they are necessary to actively investigate potential criminal wrongdoing. Employers should also bear in mind that, as CCTV images can constitute personal data, it may be necessary for such footage to be handed over in response to a subject access request. The use of CCTV footage for disciplinary purposes can be a fraught topic. Misuse of such images can potentially derail disciplinary proceedings.
In Case Study 10 of the 2008 DPC Annual Report, an employer used CCTV to monitor its employees’ workplace attendance, and sought to use such evidence to justify disciplinary proceedings. The employees were never informed that the cameras would be used for staff monitoring. The DPC intervened and the employer had to drop the disciplinary proceedings.
It is vital that an employer intending to use CCTV footage for staff monitoring informs its staff of this intention. While such an announcement may give rise to a complaint, particularly by workers’ representatives, concealing the intention is self-defeating. If an employer is not upfront, not only may they encounter grave difficulties in using any CCTV footage in disciplinary proceedings, but also they may, by engaging in unfair processing, find themselves to be in breach of the Data Protection Acts.
General Data Protection Regulation
A new European Regulation, the “General Data Protection Regulation”, is currently being debated in Brussels. This new Regulation is likely to significantly harden existing rules around data protection in a manner which is liable to impact on the security industry in Ireland. These new rules include strengthening the “right to be forgotten”. Perhaps most importantly, the Regulation significantly increases the fines that can be levied for breaches of data protection law: the Regulation envisages fines of up to 5% of global turnover for many infractions. This increases the risk to the security industry posed by non-compliance in this space.