Knowledge is Power: How Data Protection Rules Impact on the Security Industry

Knowledge is Power: How Data Protection Rules Impact on the Security Industry

Oisín Tobin, Senior Associate, Mason Hayes & Curran

Information can be a key security asset. However, it can also give rise to legal challenges, particularly under data protection law. This article considers some of the recent developments in this space.

Background Screening

Many multinational companies based in Ireland seek to ensure effective internal security by conducting background screening of potential employees.

While such background screening is common in the US, it can give rise to some challenges in Ireland.  The lack of a centralised and publicly available criminal record check function in Ireland (save for limited circumstances where Garda vetting is possible) can lead to employers finding novel methods of screening prospective employees.

The Data Protection Commissioner (“DPC”) has, in the past, criticised certain background screening practices. Given the lack of a criminal record check function in Ireland, some employers have taken to requiring that candidates make a “subject access request” to the Gardaí so as to take up a copy of their police file (if any) and then provide that to the prospective employer. While this practice is not explicitly prohibited by data protection law (since the specific section outlawing this practice has never gone into force) the DPC has suggested that it is incompatible with the general data protection principles and is consequently unlawful.  

Engagement of Investigators

The use of private investigators to look into the affairs of certain individuals, often in the context of a business or financial dispute, has recently come under scrutiny by the DPC. Care needs to be taken to ensure that such investigations, or other surveillance, is conducted lawfully and does not infringe the privacy and data protection rights of the person under investigation.

The DPC is applying a zero-tolerance approach to private investigators that breach data protection laws. In the past few years there have been a number of successful prosecutions against insurance companies that used investigators to obtain non-public social welfare information. Additionally, the impending prosecution of Michael Gaynor, a private investigator from Kildare, for alleged breaches of data protection laws is evidence of the willingness of the DPC to take an aggressive approach when dealing with private investigators

All contracts between an investigator and their client need to contain certain provisions dealing with the security of the information obtained by the investigator. Additionally, an investigator needs to consider the period for which they can retain their file following the conclusion of the investigation.

Confidentiality

The contents of private investigator’s reports can be commercially sensitive and one is unlikely to want to share such reports with the person under investigation. However, we have seen an increasing trend of individuals making “subject access requests” against clients who commission such reports (particularly financial institutions). 

In Case Study 13 of the 2011 DPC Annual Report, the DPC responded to a complaint by a former employee of HSG Zander Ireland Ltd (“HSG”). In this case HSG refused to disclose a security report compiled by a private investigator for HSG, citing litigation privilege. However, following correspondence with the DPC on this matter, HSG decided to release the report to the former employee.

This case is indicative of the tough line taken by the DPC on this point. The DPC has directed that, as a general principle, where a subject access request is made, the contents of investigators’ reports should be disclosed to the person under investigation. This state of affairs needs to be considered and addressed by investigators as the reports they prepare into incidents and individuals may very well need to be turned over to the person under investigation.

CCTV

Remote surveillance plays a key role in ensuring the security of assets and employees. However, to the extent that identifiable individuals appear in CCTV images, those images may be “personal data” and protected by the Data Protection Acts. Consequently, security professionals need to have regard to data protection considerations when designing and operating CCTV surveillance systems.

The transparency principle in the Data Protection Acts requires that the purpose of CCTV surveillance be disclosed to employees. In particular, if cameras are being used for staff monitoring, this fact must be drawn to the employees’ attention. Similarly, hidden cameras should generally not be used unless they are necessary to actively investigate potential criminal wrongdoing. Employers should also bear in mind that, as CCTV images can constitute personal data, it may be necessary for such footage to be handed over in response to a subject access request. The use of CCTV footage for disciplinary purposes can be a fraught topic. Misuse of such images can potentially derail disciplinary proceedings.

In Case Study 10 of the 2008 DPC Annual Report, an employer used CCTV to monitor its employees’ workplace attendance, and sought to use such evidence to justify disciplinary proceedings. The employees were never informed that the cameras would be used for staff monitoring. The DPC intervened and the employer had to drop the disciplinary proceedings.

It is vital that an employer intending to use CCTV footage for staff monitoring informs its staff of this intention. While such an announcement may give rise to a complaint, particularly by workers’ representatives, concealing the intention is self-defeating. If an employer is not upfront, not only may they encounter grave difficulties in using any CCTV footage in disciplinary proceedings, but also they may, by engaging in unfair processing, find themselves to be in breach of the Data Protection Acts.

General Data Protection Regulation

A new European Regulation, the “General Data Protection Regulation”, is currently being debated in Brussels. This new Regulation is likely to harden significantly existing rules around data protection in a manner which is liable to impact on the security industry in Ireland. These new rules include strengthening the “right to be forgotten”. Perhaps most importantly, the Regulation significantly increases the fines that can be levied for breaches of data protection law: the regulation envisages fines of up to 5% of global turnover for many infractions. This increases the risk to the security industry posed by non-compliance in this space.

In short, the restrictions imposed by data protection law are apt to impact upon operators in the security industry in a variety of ways. Companies in the sector should endeavour to keep abreast of developments in this space, and should endeavour to ensure that their operations are in line with the Data Protection Acts. Failure to do so may lead to enforcement action by the DPC.

ISIA Awards 2014

The Irish Security Industry Association (ISIA) hosted the ISIA Awards on Saturday 1st November at the Powerscourt Hotel.  The awards were attended by over 230 individuals from the private security industry and senior management from a variety of industries.  Also in attendance were members of the Private Security Authority, An Garda Síochána and His Excellency, Dominick Chilcott, British Ambassador to Ireland.  The MC on the night was Sinead Desmond of TV3. 

As pointed out by ISIA President, Sheenagh McCullagh “The ISIA Awards gives us an opportunity to celebrate our industry leaders and their people”.  McCullagh thanked all those members “who came to the event to celebrate their employees success” and she paid tribute to all those who submitted nominations this year.  “It is evidence of ISIA member’s dedication to excellence, that they take the time to consider those individuals and teams that help make their company a leader in the security industry”.  There were ten awards presented on the night. 

The Premier Award

The Premier Award, sponsored by Noonan, was this year bestowed upon Her Majesty Queen Elizabeth II for the contribution that her visit in 2011 and the reciprocal state visit by President Michael D. Higgins to the UK have made to solidify the new era of peace within which we now live.  The award was accepted on her behalf by His Excellency, Dominick Chilcott, British Ambassador to Ireland.  The Ambassador addressed the members of the ISIA and emphasised that he was ‘very proud to collect the award on Her Majesty’s behalf’.  His Excellency finished his speech with the words of Queen Elizabeth spoken during the State Visit of President Michael D. Higgins to the United Kingdom.  “My visit to Ireland and your visit this week, Mr President, show that we are walking together towards a brighter, more settled future. We will remember our past, but we shall no longer allow our past to ensnare our future. This is the greatest gift we can give to succeeding generations."

The Courage Award

This year’s Courage Award was presented to Mark Pollock of the Mark Pollock Trust and was sponsored by G4S.  Pollock was unbroken by blindness in 1998 and went to complete numerous ultra-endurance challenges.  In 2010 Pollock was then left paralysed after falling from a second story window.  Through the Mark Pollock Trust, he is now on a mission to find and connect people around the world to fast track a cure for paralysis.  The President of the ISIA, Sheenagh McCullagh said, ‘Mark is such an incredible man and an incredibly worthy recipient of the courage award.  It was an honour to be able to present it to him’. 

Security Officer of the Year

The award for Security Officer of the Year was presented to Jonathan Waters of Synergy Security Solutions and was sponsored by Arantico.  Waters was presented this award for the exceptional service and outstanding contribution he makes as a store detective at Boots Ireland.  There were also four merit award recipients on the night; Paul Bridgeman, Synergy Security Solutions; Robert Delaney, Synergy Security Solutions; Darragh Lawlor, NOONAN and Micheál Moylan, G4S.

Security Supervisor of the Year

The award for Security Supervisor of the Year was presented to Terence Murphy, Synergy Security Solutions, for the outstanding work he carries out at a multi-national cork based technology company where he supervises a team of officers.  There were three merit award recipients on the night; Adrian Duffy, Synergy Security Solutions; Vitalijus Durkovas, G4S and Warren Humphrey’s, G4S.  This award was sponsored by JW Balfour. 

Event Security Person of the Year

The winner of the Event Security Person of the Year award, sponsored by Hytera and RSP, was Derek O’Rourke, Pulse Security Management, who was specifically nominated for the work he carries out as an Event Security Supervisor at the Aviva Stadium.  Trevor Goode of Brinks Ireland was presented with a merit award for the event security work he carries out for ESB and Croke Park. 

Electronic Security Technician of the Year

The award for Electronic Security Technician of the Year, sponsored by IC Realtime, was presented to Cormac Sullivan of Brinks Ireland who works with a variety of their key clients.  There were three merit award recipients on the night; John Berkery and Billy Hills of Stanley Security and Adrian Jones of MTS Security.

Electronic Security Supervisor of the Year

The award for Electronic Security Supervisor of the Year was presented to Martin Mills of MTS Security who is their Support Desk Supervisor.  There were three merit award recipients on the night; Phil Ledwith and Darren McCormack of G4S and Austin O’Sullivan of Brinks Ireland. 

Innovation in Security

There were four finalists selected for this award; Action Security and Alarm Control 24, All Security Mobile Shredding, Brinks in Partnership with Arantico, and Stanley Security.  .  The award was sponsored by Bosch and the winner was Action Security and Alarm Control 24.  “The submission was based on their development of a nationwide radio network for the monitoring of security systems”, stated Sarah O’Donnell, Communications Director, ISIA.  O’Donnell added “it was clear from the selection process that not only with this development, but in general, innovation is part of the day to day culture of Action Security and Alarm Control 24”. 

ISIA Locksmith of the Year

A customer’s choice award, clients of ISIA members were invited to complete a survey and provide feedback on their locksmith of choice.  Survey respondents were asked to rate their locksmith in terms of customer service, quality of work and technical knowledge.  There were three finalists; Crothers Security, Fogarty Lock and Safe and J. Williams.  The overall winner of this year’s ISIA Locksmith of the Year award was J. Williams. 

Community Contribution Award

Earlier this year Darragh Lawlor of NOONAN played a part in saving his Uncle’s life, who had a heart attack at Ladbrokes in Swords.  Crucial to Lawlor being able to assist with this was a defibrillator held at the Pavilions Shopping Centre where Lawlor is assigned as a Security Officer.  What Lawlor did next was beyond anyone’s expectations.  He recognised how critical the defibrillator had been in saving his uncle’s life and recognised the lack of other defibrillators in Swords.  He set up a Facebook page to raise awareness and campaign to get a Defibrillator for the main street of Swords.  Through his efforts he exceeded his initial goal to get one defibrillator on Swords Main street, but managed to ensure that two were placed in different locations with 24/7 access.  He also arranged for individuals to be trained in the use of the defibrillators.  Lawlor’s efforts not only ensured that his Uncle’s life was saved, but will have the potential to save more lives in the future.  Darragh Lawlor is not only a hero to his family, but a hero to the community of Swords and all who visit there.