Taking picture of sleeping care home worker did not breach data rules

Report reveals a school's student data was hacked and a ransom demanded for release of files

 Data Protection Commissioner Helen Dixon published her annual report for 2016 on Tuesday. Photograph: Cyril Byrne/The Irish Times

Data Protection Commissioner Helen Dixon published her annual report for 2016 on Tuesday. Photograph: Cyril Byrne/The Irish Times


An employee of a residential care home was fired after a supervisor used a mobile phone to take photos of them sleeping on the job covered in a duvet, and made an audio recording of them snoring.

The case features in the 2016 annual report of Data Protection Commissioner Helen Dixon, published on Tuesday.

The commissioner investigated a complaint from the former employee, who claimed the photographic evidence and the audio recording were used in a disciplinary case against them, resulting in their dismissal.

During the investigation, the operator of the care home told the DPC’s office that a formal, external investigation had been conducted into allegations that the employee had been found asleep during a night shift on two separate occasions.

“Having discovered the complainant asleep on the first occasion, the supervisor had warned the complainant that if it happened again it would be reported in line with the employer’s grievance and disciplinary procedure,” the commissioner’s report said.

“On the second occasion, when the supervisor discovered the complainant to be asleep, fully covered by a duvet on a recliner with the lights in the room dimmed and the television off, the supervisor had used their personal phone to take photographs of the complainant sleeping and make a sound recording of the complainant snoring.”

The allegations were upheld by the investigation team and the employer later held a disciplinary hearing.

It outlined that the act of sleeping on duty constituted “gross misconduct in light of the vulnerabilities and dependencies of the clients in the complainant’s care and the complainant had been dismissed”.

The DPC said that having regard to the information supplied to it by the operators of the residential care home and, in particular, the vulnerability of the clients involved and the nature of the complainant’s duties, it formed the view that no breach of data protection law had occurred.

The commissioner said the case demonstrated that data protection rights should not be used to trump the rights of particularly vulnerable members of society or the legitimate interests pursued by those organisations responsible for safeguarding the health and life of such individuals in discharging their duties of care and protection.

Employee monitoring by means of CCTV remained a concern for many during the year, the annual report said.

The DPC said while in the case of some complaints investigated during the year it had found that the monitoring and processing of CCTV images was lawfully justified, a trend had emerged of employers failing to make the rules around reliance on CCTV footage in disciplinary processes clear to employees.

In another case, the commissioner issued a formal decision that a primary school had broken the law after it was subjected to a ransomware attack involving pupils’ data.

It received the report in October last year that parts of the school’s information systems had been encrypted by a third party, rendering its files inaccessible.

The details included names, dates of birth and PPS numbers. A ransom was demanded from the school to release the encrypted files.

The DPC found the school had deficiencies in the measures it had take to secure the pupils’ personal data, including that it had no policies or procedures in place to maintain back-ups of its files.

The school took steps to address the issues, including the implementation of a staff training programme on the risks associated with email and personal USB keys.

The commissioner also issued a formal decision against Bank of Ireland, in a case where it disclosed the details of a man’s loan accounts to his mother over the phone.

During 2016, the office dealt with 15,335 queries by email, 16,744 telephone calls and 1,150 queries by posts. It opened 1,479 complaints for investigation.

Some 2,224 valid data breach notifications were received by the office last year, a slight decrease on the 2,317 the previous year.

It carried out 50 audits and inspections, including in-depth audits on State agencies such as An Garda Síochána, the Defence Forces, the Revenue and the Garda Síochána Ombudsman Commission with regard to their access to the communications data of individuals.