Privacy Policies

Privacy Policy

The employer’s privacy policy should be set out in the employee handbook. An employer may take steps to protect its business in the context of internet use and e-mail. The reasons and rationale for the policy should be described. The policy must be kept up-to-date. It must be reviewed and amended from time to time as required.

Permitted e-mail and internet use should be defined.  The terms on which an employee may use the internet at work or over the employer’s IT system should be set out. It should specify the type of material that cannot be viewed. The required data security measures on the part of the employee should be specified. The employer’s right to full access to “work” e-mails should be confirmed.

The privacy policy should set out whether the employee is entitled to have or use a personal e-mail account at work and / or whether he is permitted to use the employer’s IT system for private use. It may be preferable that the employee be allowed to use his personal e-mail account at work in some cases, in order to protect the employer’s interests. This may facilitate less intrusive monitoring.

The right, if any of the employer to have access to “personal” e-mails on the employer’s IT system, should be set out. Any monitoring policies in respect of possible misuse should be set out. The particulars of data retention should be set out.


Procedural Aspects

The procedures for and consequences of a breach of the privacy policy on the part of the employee should be specified. If disciplinary issues arise in relation to the misuse of internet and e-mail use, then ordinary fair procedures are required. Standard grievance and disciplinary procedural requirements should apply.

The procedures should provide that employees are notified of breaches of the use and privacy policy. They must be given the opportunity to respond and make representations. Those representations must be taken into account before a decision is made on any disciplinary steps.

If an employee is to be dismissed on account of misuse, this may not be fair, unless the policy specifically provides that the dismissal or an equivalent disciplinary step is specified as a likely consequence. A dismissal involving the inconsistent treatment of employees in the same circumstances may be unfair.


Job Applications

Issues of confidentiality arise in the context of job applications.  Where CVs have been sent containing personal information, there are likely to be express or implied limitations as to whom, they may be disseminated.  In a number of cases, complaints have been upheld by the Data Protection Commissioner where referees were contacted without consent and where CVs were circulated more widely than permitted.

The issue of data protection arises in the context of references.  A person owes a duty of care in giving a reference. The duty owed to both the employee and recipient. The duty may arise unless excluded to the recipient of the reference. The employer must not give an unfair or misleading reference to the detriment of the employee concerned.

Medical reports and examinations by the employer for the purpose of employment require strict consent. Matter of health may constitute sensitive personal data, which is subject to more rigorous.


Monitoring Communications

The use of e-mail raises significant issues for employers and employees. This sending of e-mails in the employer’s name may affect the employer’s good name and reputation. An employee may defame another or incur legal liability for an employer by means of the use or misuse of e-mail.

The monitoring of e-mail which relates to core work matters will usually be legitimate. Where the use of e-mail is part of the provision of the business services, monitoring and review will usually be legitimate and appropriate.

Any monitoring of e-mail, to the extent that it is permissible under the circumstances at all, must be for a legitimate purpose and must be necessary. It must be no more intrusive than strictly necessary for that purpose. If any means of securing the same objective is available which is less intrusive, it should be used

Where an employer has not given a warning or published a policy regarding the monitoring of workplace e-mails and telephones, the commencement of such a practice may constitute a breach of the employee’s rights.  The requirements must be set out in sufficiently clear terms in advance, in order to give the employee adequate indication of the circumstances and conditions in which such measures might be taken.


Personal Mail

EU Directives and domestic legislation require the maintenance of the confidentiality of communications by means of public communication networks and publicly available electronic communication system.  In particular, they prohibit listening, tapping and other types of interception and surveillance of communication and related traffic data, by third parties, without the consent of the user.

The monitoring of personal employee e-mails should occur only exceptionally. Where necessary and unavoidable, the monitoring of personal e-mails must be proportionate, relative to the objective which it seeks to achieve.  It may be legitimate and necessary to for an employer to monitor e-mails which may impact on the employer’s reputation and risk employer liability.

Where permissible on the basis of strict necessity, the commencement of monitoring of personal emails must be clearly announced in advance, in order to give the employee adequate indication of the circumstances and conditions in which such measures might be taken. It must be no more extensive than necessary.

Employers should use means other than the direct monitoring of the employee’s personal e-mails, in so far as possible.  Measures such as appropriate firewalls are preferable to the monitoring of e-mails.


Surveillance

Closed circuit surveillance raises privacy and data protection issues. The same principles as set out above apply. It must be strictly necessary and the data recorded is subject to the same principles as other personal data.

The use of the system must be transparent. Employees should be warned of the presence of cameras and the use of the footage collected. The undisclosed  installation of cameras will be rarely justifiable. It must be strictly and objectively necessary, and there must be no alternative. Where footage is taken for one reason (as with any other compilation of data) its use for another purpose may be unlawful.

Alcohol and drug monitoring may be employed, only where it is strictly necessary. It may be possible in some cases to justify such monitoring by reason of the risk of employer liability or a substantial health and safety risk.

The circumstances must be such that employer has an interest in ensuring that an employee under the influence of drugs or alcohol does not pose a threat to themselves or to others. Whether this is permissible will depend on the nature of the employment. Periodic testing may be legitimate only where it is strictly necessary for the health and safety or the employee and other employees.


Justifying Monitoring

There may be circumstances and cases in which the employer has a legitimate interest in monitoring. Where the employee is in a position such as to risk incurring employer liability (e.g. for defamation) or adversely affecting the employer’s vital interests, then it may be appropriate.  Monitoring may be necessary in order prevent fraud and theft.  Accordingly, CCTV systems will be usually permissible in retail premises.

The monitoring should be transparent, and the employee should be aware of it.  There must be express communication of the monitoring policy and proposals in advance. It is recommended that an employer should enter into consultations with the employees or their representatives before implementing a monitoring policy.

The use of monitoring technology for performance management is more controversial and must be strictly justified.  There must be a legitimate and demonstrable benefit.  A monitoring system must be strictly necessary and proportionate.  It must be fair and transparent to employees.

The monitoring of an employee’s e-mail or Internet use is appropriate in exceptional circumstances only.  Other methods of supervision, which are less intrusive on privacy should be considered, where at all possible.


Data Protection Issues

The requirements of the Data Protection Act must be complied with in respect of monitoring and surveillance. They must be completely transparent. Personal images and other data recorded on a CCTV system is subject to the legislation. The information acquired is likely to be personal data.  Further data protection issues arise in respect of monitoring, where third parties interact with the employee.

There must be an accessible, clear and accurate statement of the policy in relation to e-mail monitoring and use.  It must state the extent to which electronic facilities may be used for personal and private communication.  It should set out the reasons and purposes of any surveillance.  Details of the surveillance measures taken should be specified in full.

The data processing must be fair.  It must be necessary in order to protect the employer from real threats or real harm.  It must be proportionate.

Higher standards apply to the acquisition and processing of sensitive personal data.  See the sections on data protection in relation to sensitive personal data.  The processing of sensitive data may constitute discrimination under the Employment Equality Act.  Sensitive data coincides with several of the prohibited grounds, on which discrimination is prohibited.


References and Sources

Primary References

Employment Law  Meenan  2014 Ch.24

Employment Law Supplement Meenan 2016

Employment Law Regan & Murphy  2009 ( 2nd Ed 2017) Ch. 13

Employment Law in Ireland Cox & Ryan 2009 Ch 15

Practical Guide to Data Protection Law in Ireland         2003 A& L Goodbody

Data Protection: a Practical Guide to Irish & EU Law 2010      Carey

Privacy & Data Protection Law in Ireland 2015  2nd Ed           Kelleher

Data Protection Law in Ireland: Sources & Issues         2016  2nd Ed     Lamber

Other Irish Books

Employment Law Forde & Byrne 2009

Principles of Irish Employment Law          Daly & Doherty         2010

Statutes

Data Protection Act 1988

Data Protection (Amendment) Act 2003

Legislation

Dismissal & Redundancy Consolidated Legislation      Barrett, G       2007

Irish Employment legislation (Looseleaf) Kerr     1999-

Employment Rights Legislation (IEL offprint)      Kerr     2006

UK Texts

Textbook on Employment Law, Honeyball, et al. 13th Ed. 2014

Labour Law, Deakin and Morris 5th Ed. 2012

Employment Law, Smith and Wood 13th Ed 2017

Selwyn’s law of Employment Emir A 19 Ed. 2016

Employment law : the essentials. Lewis D Sargeant M and Schwab M 11 Ed.2011

Labour Law Collins H, Ewing K D and McColgan  2012

Industrial relations law reports. (IRLR): Law Section,

Employment law Benny R Jefferson M and Sargent  5th Ed.  2012

Pitt’s Employment Law 10th  Ed. Gwyneth Pitt   2016

CLP Legal Practice Guides: Employment Law 2016 Gillian Phillips, Karen Scott

Cases and Materials on Employment Law 10th  Ed. Richard Painter, Ann E. M. Holmes 2015

Blackstone’s Statutes on Employment Law 2015 – 2016 Richard Kidner

Drafting Employment Contracts 3rd  Ed. Gillian Howard 2017

The Contract of Employment Edited by Mark Freedland, Alan Bogg, David Cabrelli, Hugh Collins, Nicola Countouris, A.C.L. Davies, Simon Deakin, Jeremias Prassl 2016

UK Practitioner Services

Tolley’s Employment Handbook 2017 Mrs Justice Slade 2017

Butterworths Employment Law Handbook 2017 Peter Wallington 2017

Blackstone’s Employment Law Practice 2017 Edited by Gavin Mansfield, John Bowers, John Macmillan 2017