Inchicore College of Further Education Business Law Discussion

Evaluate the impact of Data Protection and Freedom of Information in the management and maintenance of employee information in the workplace.

In your evaluation please include reference to:

-the employer’s role in the processing of personal data in compliance with GDPR and the Data Protection Acts 1988-2018

-the circumstances where an employer is justified in limiting an employee’s privacy in order to manage and protect the business - electronic communications, Email and Internet usage, CCTV Surveillance and Biometric testing

-an employee’s right to privacy outside the workplace

(refer to relevant caselaw)

and formulate

(a) the Key Steps an employer must take to Ensure Compliance with Data Protection legislation and

(b) the key steps in processing FOI request in relation to personnel records.

All I need is an outline for this Assignment

QQI 6N4322 Employment law
Assessment Brief 2 – 30%
Class: BHR6
Date handed out: 9/2/22
Tutor: Joan Kelly
Submission date: 4/3/22
Scenario
You are an intern in a HR firm and have been asked to carry out some
research and present your findings. You are required to choose one of the 3
topics/tasks below
Tasks
1 Prepare a report on a Court case (including the factual history, the main
legal arguments made by both sides and the decision) which deals with a
principle of employment law and evaluate the impact of that principle on a
chosen vocational area.
2 The Irish legislature, largely influenced by EU law, has enacted various
pieces of legislation creating/protecting individual rights in employment law.
Research the main pieces of legislation and evaluate the individual rights
created/protected by them to support family life, prevent discrimination and
protect privacy.
Your evaluation should include reference to the main terms of the
following pieces of legislation:
Maternity Protection Acts 1994-2004
The Adoptive Leave Acts 1995-2005
The Paternity Leave Act 2016
The Parental Leave Acts 1998-2019
The Carers Leave Act 2001
The Parent’s Leave and Benefit Act 2019 as amended by the Family
Leave and Miscellaneous Provisions Act 2021
Protection of Employees (Part time) Work Act 2001
Protection of Employees (Fixed Term) Work Act 2003
The Protection of Employees (Temporary Agency Work) Act, 2012
The Organisation of Working time Act 1997
Employment (Miscellaneous Provisions) Act 2018
National Minimum Wage Act 2000
The Payment of Wages Act 1991
The Employment Equality Acts 1998-2015
The Safety Health and Welfare at Work Act 2005 as amended
The Unfair Dismissal Acts 1977-2015
GDPR and the Data Protection Acts 1988-2018
The Pensions Act 1990 and EU Occupational Pension Scheme
Regulations 2021
The Social Welfare and Pensions Act 2011 as amended.
And refer to relevant caselaw
3 Evaluate the impact of Data Protection and Freedom of Information in the
management and maintenance of employee information in the workplace.
In your evaluation please include reference to:
-the employer’s role in the processing of personal data in compliance
with GDPR and the Data Protection Acts 1988-2018
-the circumstances where an employer is justified in limiting an
employee’s privacy in order to manage and protect the business -
electronic communications, Email and Internet usage, CCTV
Surveillance and Biometric testing
-an employee’s right to privacy outside the workplace
(refer to relevant caselaw)
and
formulate
(a) the Key Steps an employer must take to Ensure Compliance with
Data Protection legislation and
(b) the key steps in processing FOI request in relation to personnel
records.
Submission guidelines
The information is to be presented in the form of a case report for topic 1 and
an essay for topics 2 and 3 using Font 12 Times New Roman, 1.5 line spacing
and referenced as per the Harvard System with use of a Bibliography and
case law referenced by Name and Year
Submission is through moodle on or before the submission date.
Marking Scheme
Criteria | Marks
Relevant information appropriately presented | 10
Understanding and knowledge of chosen topic clearly demonstrated and a comprehensive evaluation provided | 10
Legal Principles appropriately applied, and relevant case law and/or examples included | 10
Total | 30
Data Protection
Data protection is very important across business environments: with technological tools
developing rapidly, capturing data has become very easy. According to Schartz (1995), the
digitization of information, paired with the rapid advancement of technology, has expanded
the flow and application of data (p. 471). Hence the increased need to protect access to this
data. Data protection is a critical notion in data management, and it is accomplished through
data protection techniques that keep data safe from unauthorized users. The type of data and
the permissions to access it determine the level of authorization. An organization secures
its data from unauthorized access by deploying the necessary software, which requires the
organization to use specifically qualified personnel. Although data protection is a solitary
task, it cannot be completed in a single day.
Data security, storage, recovery, and backup are all aspects of data protection. These
functions are not done by a single program; rather, data protection is provided through the
implementation of numerous system components and apps. The government is in charge of
data protection and data limitation. Many governments have enacted data protection
legislation. These statutes establish the limits of access and who is permitted to access certain
data. The goal of such legislation is to ensure that personal data or data belonging to a certain
organization are not accessible without the agreement of the person involved.
Chassang (2017) asserts that personal data must be used to ensure the quality and
trustworthiness of scientific research (p. 1). A person can only access or handle another
person’s personal information if that person grants him permission or access privileges. These
access privileges are specified when the data protection measures are put in place. These data
security measures secure not only the data but also the hardware and software components
associated with the defined data. This is done to guarantee that an unauthorized individual
does not gain access to even a small portion of the data.
Data Protection Acts
The laws governing data protection vary from one nation to the next. The laws are
enforced based on the country’s condition and the position of the organization. Rodotà
(2009) explains that we live in a period where there is a noticeably inconsistent attitude to
the protection of personal data (p. 77). As a result, in order to secure the data, the
organization must follow certain regulations. The choice of legislation is determined by the
company’s status and the current difficulties. Problems can be handled by following regular
techniques and processes.
The Data Protection Acts 1988 and 2003 set out an individual’s legal responsibilities
in relation to information stored on electronic devices such as computers or in some kind
of structured file-based storage system. They provide the following eight rules with
which businesses are expected to comply:
- Acquire and process information in a fair manner.
- Only use it for one or more specific and legal objectives.
- Process it exclusively for the reasons for which it was originally supplied to you.
- Maintain its safety and security.
- Maintain its accuracy and timeliness.
- Make certain that it is sufficient, relevant, and not excessive.
- Keep it for no longer than is required for the identified purpose or reasons.
- On request, provide a copy of his/her personal data to any individual.
As a result, the Data Protection Acts 1988 and 2003 brought about many changes, including
the following. They protected the right to privacy in respect of computerised data (1988
Act) and manual and paper files that form part of a filing system (2003 Act) held about a
specific individual (personal data) by a data controller in a private or public
capacity. Personal data collection, processing, storage, usage, and disclosure were all
regulated. Processing of sensitive personal data disclosing racial or ethnic origin, political
ideas, religious beliefs, or health data is prohibited unless the requirements set out in Art 7
(applied by Section 4 of the 2003 Act) are met.
Exceptions to the processing ban are instances in which the data subject has granted express
consent or the processing is required for the sake of employment duties. Individuals were
given safeguards in relation to information kept about them.
The 1998 act has several specific characteristics that protect data stored in a machine as
well as data in hard copy form. Hard copy data can include images, audio or video
recordings, and information from data readers. This statute addresses infiltration and
unauthenticated access to this type of data. Another feature of this act is the safeguarding of
sensitive data. Sensitive data contains information regarding politics, medical records, and
caste.
Data Protection Principles
This principle states that personal data shall only be treated with the consent or
indication of the data’s owner. Before processing personal data, data controllers must get the
owner’s consent. Personal data must be gathered only for one or more specific and legitimate
reasons, and it must not be further processed in any way that is incompatible with that
purpose or those purposes.
Freedom of Information
The Freedom of Information Act requires access to government and associated public
sector authorities’ information. This statute gives a person access to information about the
government that has not been made public. In general, only a limited amount of information
about a country’s government is available to the public. If an individual needs access to any
other information, he is not permitted to do so without prior authorization. This can be
accomplished through the use of the Freedom of Information Act. This legislation grants the
general public the right and freedom to access information belonging to the government or
any public sector firm.
This statute covers all types of information and allows users to obtain information via
any channel. Thus, a user can submit a request to the relevant government, to which the
government will answer within 20 days. When the government gets a request, it must
determine whether or not to release the information to the user. The appropriate data is then
sent as a response to the respective request. This user does not have to be from the same
government. Instead, anyone living anywhere in the globe can make a request to the
government. If a person asks for information and does not obtain a response from the relevant
organization, the government will take action against that organization.
Employer’s role – Compliance with GDPR and the Data Protection Acts 1988-2018
The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It
applies broadly to the processing of personal data in the EU, imposing broader requirements
on data controllers and processors and strengthening data subject safeguards. Although the
GDPR is immediately applicable in all Member States, it allows specific matters to be
given more weight under national legislation. The Data Protection Act 2018 is the national
law of Ireland that, among other things, gives greater effect to the GDPR.
Employers handle and collect personal data on all employees on a daily basis for a
variety of reasons. Employee benefits, pay, sick leave, maternity or paternity leave,
performance review, and other information may be included. Some of the information is
required to be collected and processed by law, while others are handled for internal processes
and regulations. However, as an employer, you should consider all GDPR standards as well
as aspects of national legislation that need to be studied further, because Member States
might apply their own regulations and limits.
As stated in GDPR Article 88, “Member States may, by legislation or by collective
agreements, provide for additional specific requirements to guarantee the protection of rights
and freedoms in relation to the processing of workers’ personal data in the employment
context, in particular for the purposes of recruiting, execution of the contract of
employment…” Employers must therefore rely on the following four lawful bases to guide them
in processing employee data.
Consent: According to Ryan (2018), consent must be unequivocal, informed, and
freely granted under the existing Data Protection Acts of 1988 and 2003. Consent must also
be unequivocal under GDPR, and the extent to which consent may be relied on in the job
context to justify the use of personal data is questionable.
When it comes to permission given in the context of an employee-employer
relationship, it is extremely difficult to secure compliant consent that is freely offered,
explicit, informed, and clear, especially given the partnership’s uneven allocation of power. If
an employee wishes to refuse consent to his or her employer, there is always the possibility
that the employee may consider the consequences of such a decision. This can persuade
employees to give consent in order to avoid unpleasant situations at work or falling out
with an employer. As a company, you should be fully familiar with national legislation
and determine if there are any specific scenarios or forms of processing in which you cannot
process employee data even with their agreement.
Example of consent: Employers typically have more power over their employees,
therefore, it is easy for them to get as much information as possible about an employee. For
example, they can ask around the employee’s family members, close friends and even a
spouse. Furthermore, this information may end up being used to disadvantage the employee.
This is one example which shows why consent is important.
Fulfilment of the contract: Companies, for example, may need to handle personal
information of their workers, such as account details and other personal information, in
order to pay a wage or perks. There is also a unique category of personal data known as
sensitive personal data, which requires enhanced protection under the GDPR since processing
such data might pose serious and unacceptable risks to basic human rights and freedoms.
Individuals’ racial or ethnic origin, political ideas, religious or philosophical beliefs,
trade union membership, genetic data, biometric data, health data, sex life data, or sexual
orientation are all special kinds of data. Sensitive data can be processed if it is required to
carry out duties in the workplace, for example processing health information for sickness
benefits. Explicit consent will be required for some forms of sensitive data processing. The
consent must also be documented and explained, including information on what processing is
taking place and how to withdraw consent.
Legitimate interest: One of the legal bases on which most businesses would rely for
collecting employee personal data is legitimate interest (except for public authorities).
Processing that is required for the purpose of the employer’s legitimate interests or the
legitimate interests of a third party falls under the purview of legitimate interests.
The exception is where such interests are outweighed by the data subject’s basic rights
and freedoms, which need the protection of personal data, particularly if the individual is a
child or a juvenile.
Compliance with the legal obligations: Companies will be required to process
personal data of workers in order to satisfy their legal duties under data protection regulations
and national Member state laws. Tax legislation, for example, may demand the submission of
wage information to local authorities.
Example of legal obligation: Employees work with a lot of information that requires
processing, in this case, the company can access an employee’s private information like age,
health status and so much more if the end result will benefit the employee and it is within the
data protection laws.
Limiting Employee’s Privacy
Employee privacy rights are the regulations that govern how far an employer can
examine an employee’s property or person; monitor their behaviour, statements, or
communications; and learn about their personal life, particularly but not primarily in the
workplace. The form and scope of these safeguards have grown increasingly important in
recent years, particularly with the growth of the internet and social media. Many of these
modes of communication appear to be private, yet there is little genuine privacy to be
achieved with them. Employers may generally look through anything that occurs on
corporate computers, as well as social media and the internet.
To justify the limitations of employee privacy:
- As the data controller, an employer must have a legal basis for processing personal
data.
- When there is a legitimate purpose, an employer may request consent from employees
to process their personal data.
- The following are examples of justifiable interests:
o the safeguarding of an organization’s intellectual and physical assets
o Fraud and theft in the workplace are avoided.
o Efficiency delivery – Increases in total staff performance and productivity rates
may be possible.
Furthermore, the following are some justified situations where employers may want to limit
an employee’s privacy:
Email Monitoring
Employers may desire to monitor their workers’ e-mail communications for a variety
of reasons, including measuring staff efficiency and effectiveness and protecting trade
secrets.
Furthermore, according to the Electronic Communications and Transactions Act of 2002, an
employer may wiretap its workers’ communications:
- Where it is a party to such communications;
- Where workers have provided prior written agreement for interception; or
- If the communication occurs while the employer is conducting business.
As a result, it is proposed that the employer include a communication provision in its
employment contract to safeguard both its rights and the employee’s right to privacy. In the
case of a communication breakdown, this will safeguard both parties. Thus, by knowing a
company’s duties regarding employee privacy, an employer would be able to monitor its
employees without violating the law.
CCTV
Nowadays, on every street, business buildings are very likely to have CCTV. One might
wonder, doesn’t this go against employee privacy? Well, in most cases if
not all, companies install CCTV to protect their business. Every company has the right to
defend its property, including by installing security cameras in the workplace. The question
frequently raised is whether security cameras must be disclosed to employees or whether they
may be installed without their knowledge. The answer to this question is often determined by
the location of the security cameras. That means that putting a security camera in a common
workplace space is perfectly allowed. Putting a camera in the business restroom, on the other
hand, will be perceived as a violation of employee privacy.
Internet
Employers can decide to monitor internet traffic if there are reported or identified cases of
misuse in the company. For example, if employees are downloading large files and streaming
videos for hours, resulting in a huge internet cost for the company, it would be
justifiable for the employer to monitor traffic coming in and going out of its
computer network.
Examples of how to monitor and control internet usage
Employers frequently prohibit access to websites judged unrelated to the task at hand
or wrong in general, or they utilize tracking software that alerts them to transgressions,
because they generally do not have the time or resources to monitor every employee.
Employers may also utilize numerous tools that allow them to view their workers’ screens in
real time as well as what is on their hard drives and computer terminals. Employers can also
monitor internet activity, including email, which includes private correspondence received
outside of the workplace. While it may not be examined on a regular basis, it is frequently
preserved in case it has to be searched later.
An employee’s right to privacy outside the workplace
Employees’ privacy rights are derived from four sources, including the state and
federal constitutions and statutes. Furthermore, the Electronic Communications Privacy Act
of 1986 (ECPA) forbids malicious interception of oral, wire, or electronic communication.
Employees must, as a result, safeguard their privacy outside of work at all times. Therefore,
the following are the key steps that can be followed by employees to ensure that they are and
remain GDPR compliant:
(a).
Raise awareness: Everyone in the organization who works with personal data (which
will very certainly be everyone) will need to understand data protection. Key decision makers
will need to be well-versed in a wide range of topics.
Make a map: Determine what information the business gathers, why it collects it, with
whom it shares it, and what protections are in place to secure personal data.
Controller and processor: Data protection legislation distinguishes
between controllers and processors. The distinction is critical in determining what legal,
regulatory, and commercial duties and liabilities your organization has. It also necessitates
the existence of a legally enforceable agreement between controllers and processors and
sets specific standards for such agreements. Companies should revise their supply
agreements as needed.
Plan: Make a plan. Put the strategy into action. Whether
it’s responding to a data breach or handling a data subject access request, having procedures
in place is only beneficial if critical staff understand how to utilize them.
(b). The following are the key steps in processing an FOI request in relation to personnel records:
Step one: Ensure that the FOI is valid
Step two: Acknowledge the FOI request
Step three: Locating the necessary documents
Step four: Consulting others
Implications of Data Protection and Freedom of Information on businesses
One of the concerns that organizations should be asking themselves is how the Data
Protection Act affects them. The fact is that data protection may go much beyond what is
legally required, and any organization serious about building a security-conscious culture
should also engage in employee education and awareness. Furthermore, it is worth noting
that human error is directly responsible for a considerable fraction of all information
security incidents, such as data leaks and cyber-attacks, whether through carelessness or malice.
Businesses as well as individual employees have become very sensitive to the usage
and sharing of data. This has brought about the restrictions on how and what data employees
share. On the other hand, businesses have become very strict on their methods of data
collection.
References
Chassang, G., 2017. The impact of the EU general data protection regulation on scientific
research. Ecancermedicalscience, 11(709), pp. 1-12.
Rodotà, S., 2009. Data Protection as a Fundamental Right. Springer, pp. 77-82.
Ryan, M., 2018. Employment Law. [Online]
Available at: https://www.rdj.ie/insights/ten-things-employers-need-to-know-about-thegeneral-data-protection-regulation–gdpr-?s=0.128751449215
[Accessed 27 February 2022].
Schartz, P. M., 1995. European Data Protection Law and Restrictions on International Data
Flows, s.l.: HeinOnline.
