Articles: 4
1. Stephenson Harwood LLP – Data Protection update – June 2019
A monthly update covering key developments in data protection law.
(selected issues)
Employer’s review of employee emails need not infringe an employee’s privacy rights
In the case of Argus Media Ltd v Halim the court held that a reasonable and proportionate review of an employee’s emails by his employer need not infringe that employee’s privacy rights when such a review exposed that employee’s misconduct.
Importance of biometric policies and consent
The use of biometric data has become increasingly prevalent in the workplace; however a recent unfair dismissal case has demonstrated the importance of updating policies and procedures before using such data.
The company began to use biometric scanners to register employee attendance at its site. An employee refused to use the biometric scanners even after the company released a policy making the use of the scanners compulsory. The employee was eventually dismissed for his refusal and brought an unfair dismissal application.
The Fair Work Commission in Australia (the “Commission”) held that the dismissal of the employee for refusing to use a fingerprint scanner was unfair because the company did not have a privacy policy in place, it didn’t obtain consent before collecting the biometric data and it did not release a privacy collection notice.
The Commission noted that if a refusal to give consent could result in disciplinary action, then any consent given in those circumstances would not be genuine consent. Although this is an Australian case, the position would likely be the same in Europe.
Swedish data-protection authority launches Spotify GDPR investigation
The Swedish data protection authority, the Datainspektionen, confirmed that it has opened a review into Spotify’s practices after the company allegedly provided inadequate responses to a series of subject access requests (“SARs”).
The Datainspektionen used SARs to ask Spotify to confirm: what information it provides to users, the decision-making process behind what information it provides, and the systems used to make this clear and understandable to customers. The GDPR requires companies to provide information to customers in clear and simple language, an obligation that Spotify has apparently neglected. Spotify must respond to the Datainspektionen by 1 July 2019.
Restorative Justice Caseworker prosecuted for sending sensitive personal data to her own personal email account
The ICO has prosecuted Jeannette Baines, who previously worked at Victim Support. She was caught sending the information of both victims and offenders from her work email address to her personal email address during her last week working for the charity. It is not known what she intended to do with the information, but the ICO found that she sent it without authorisation and in breach of section 55 of the Data Protection Act 1998 (“DPA”). On top of a three-year conditional discharge sentence, she was ordered to pay costs of £600 and a victim surcharge of £20.
2. Handling data subject access requests: is the balance tipping further in favour of data subjects?
In the High Court proceedings (the case had gone to the Court of Appeal and was remitted back), Ashley Judith Dawson-Damer; Piers Dawson-Damer; Adelicia Dawson-Damer v Taylor Wessing LLP; Michael Morrison; James Burns [2019] EWHC 1258 (Ch), the court considered whether a firm of solicitors – Taylor Wessing (“TW”) – were required to search through paper files for the claimants’ personal data in order to comply with data subject access requests (DSARs).
In reaching its decision, the court considered the following issues:
- whether specified paper files would be considered a “relevant filing system” under the Data Protection Act 1998 (“DPA 1998”);
- what would be considered to be reasonable and proportionate in respect of searches for personal data; and
- redaction and withholding personal data.
Relevant Filing System
The court found that the paper files, which were stored chronologically, were a “relevant filing system” for the purposes of s.1(1) DPA 1998. TW were therefore required to search these files for the claimants’ personal data.
Reasonable and Proportionate Searches
The case made it clear that evidence – setting out the time and cost associated with a search – is required where it is claimed that the search would be disproportionate. It was found that where documents were held on a back-up system, it would be disproportionate to enforce the searches, especially given the risks that this would result in the disclosure of confidential information/personal data about TW’s employees/clients. The back-up system held too many documents and the court found it would be unreasonable to force TW to search through such a high volume of results when it was argued that the relevant documents would have been covered off in the much smaller document management site search. However, the court held that searches of the relevant current employed TW fee earners’ personal spaces (where they can save documents and emails) would not be considered disproportionate.
Redaction and withholding
The court inspected a sample of documents in order to determine whether the documents had been redacted more than they should have been, and held that this was the case. TW were subsequently asked to review their other redactions and ensure that there was a consistent approach throughout the documents.
3. New data protection fines in Hungary make it essential to check balancing tests and subject access
The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) recently imposed fines in two separate cases, involving balancing tests and subject access.
In the first case, the NAIH imposed a fine of HUF 600,000 (EUR 1,851 representing 0.003% of the offender’s revenue for the preceding year) against a Hungarian employer for sending the tax certificate of an employee to another individual, which constituted a notifiable personal-data breach under the EU’s General Data Protection Regulation (GDPR).
Furthermore, the NAIH established that the employer failed to provide data requested by an employee within one month (as required by the GDPR) and did not specify whether it was necessary to extend the deadline.
In the second case, the NAIH imposed a fine of HUF 2,000,000 (EUR 6,170 or 0.0027% of the offender’s revenue for the preceding year) on a telco company and another fine of HUF 1,000,000 (EUR 3,085 or 0.013% of the offender’s past year’s revenue) on a claim management company, following review of their legitimate interest balancing tests and their choice of an incorrect legal basis for processing personal data for claim management purposes.
4. Room with a View – Who ‘needs to know’?
Employee fined for improper use of business’ information
A recent enforcement action by the Information Commissioner’s Office (ICO) against a former customer services officer at Stockport Homes Limited (SHL) serves as a timely reminder to landlords (and others) to ensure that their staff are using the personal data available to them in the course of their work appropriately.
The former employee of Stockport Homes Limited accessed SHL’s case management system 67 times during 2017 to look at antisocial behaviour cases despite the fact that she was not authorised to view such content and had no business need to do so.
This is the fifth reported criminal prosecution of an individual who has misused personal data accessed in their work capacity so far this year. This case was brought under the Data Protection Act 1998 because the offences to which it related were carried out in 2017; offences occurring on or after 25 May 2018 would be prosecuted under equivalent provisions set out in section 170 of the Data Protection Act 2018.