Give me a crash course in... how safe is my personal data at work

The Data Protection Commissioner is to conduct an investigation into an alleged data breach at Independent News & Media

I am really confused about what has been going on in INM over that alleged data breach. Can you explain it to me?

Very briefly: the Data Protection Commissioner, Helen Dixon, has announced she is to conduct an investigation into an alleged major data breach at Independent News & Media (INM). The investigation will look into whether personal data was accessed and if so, whether it was processed lawfully and fairly in accordance with data protection legislation. But it is a fairly complicated story.

Okay, well then can you tell me if I should be concerned that everything I do or say on my work devices can be monitored?

There is nothing new about that and it is not limited to your work devices. Virtually everything you do or say online can be monitored by someone. While you might not be able to see it, the digital footprint you leave behind is immense.

Well that is terrifying. But going back to work, do I have any right to privacy there?

The good news is you probably have more rights than you think. For a start, companies have a duty of care to all staff and all staff have privacy rights protected under the Constitution. No company can trawl through your personal data and read through your emails and pore over your internet browsing history just because they fancy it. And no company can share your data with third parties, except in the most extenuating of circumstances.

Really, I thought everything I did at work was fair game?

Not even remotely. According to the Data Protection Commissioner, while organisations have a “legitimate interest to protect their business, reputation, resources and equipment”, you “do not lose your privacy and data protection rights” just because you are an employee of a particular company.

What does that mean?

Well again, to use the words of the DPC, any “limitation of the employee’s right to privacy should be proportionate to the likely damage to the employer’s legitimate interests”.

At the risk of repeating myself, what does that mean?

Well, legitimate interests might include processing personal data for the development of the employment relationship and the business operation. They need to know where you live and have access to your bank details. They can also reasonably be allowed to check you are not running a rival business from their offices – that kind of thing. But, according to the law, “these interests cannot take precedence over the principles of data protection, including the requirement for transparency, fair and lawful processing of data and the need to ensure that any encroachment on an employee’s privacy is fair and proportionate”.

So what monitoring is allowed?

Monitoring, including checking email or internet usage and CCTV surveillance, must comply with the transparency requirements of data protection law: staff must be informed of the existence of the surveillance and of the purposes for which personal data is processed. Any monitoring must be carried out in the least intrusive way possible. Covert monitoring and surveillance of email, internet use, video cameras or location data is permitted only in exceptional circumstances associated with a criminal investigation, and in consultation with the Garda.

Anything else?

Personal data processed in the course of monitoring must be adequate, relevant and not excessive, and must not be retained for longer than necessary for the purpose for which the monitoring is justified.

Can I use the internet at work to book my holidays or can they track that and sack me for it?

When it comes to the internet, a balance is required between the legitimate rights of employers and the personal privacy rights of employees. Just as with the phone, a small amount of limited personal use of email and internet facilities is permitted. Obviously the amount of internet usage that is considered permissible will vary from company to company and from role to role.

Can I object to my data being used?

If you think your company’s use of your data is “causing or likely to cause substantial damage or distress” then you can make a complaint to the DPC or even the courts. There is no obligation to show a financial loss in order to be entitled to damages.