Data protection and privacy

Another avenue for protection of voice in the workplace is legislation specifically concerned with the handling of data, particularly personal information. In the UK, the Data Protection Act 1998 (DPA) transposes the Data Protection Directive 95/43/EC into domestic law.^[1] In so doing, this legislation draws a distinction between ‘personal data’ and ‘sensitive personal data’ (to which additional protections apply); and places certain restrictions on the ‘processing’ of such data by a ‘data controller’. The general principles governing such treatment of data are set out in Schedule 1 to the DPA and informed by Schedules 2 and 3.^[2] In our workplace scenario, the data controller will be the employer, while records of correspondence between workers or their access to social networks can be regarded as ordinary ‘personal information’. Trade union membership certainly constitutes ‘sensitive personal information’, which also covers personal details regarding a worker such as racial or ethnic origin, political opinions, and religious belief.^[3] The legislation is enforced by an ‘Information Commissioner’, an office which now has extensive powers including that to issue monetary penalty notices of up to ?500,000 for serious breaches.^[4] Further, the Information Commissioner’s Office (ICO) first issued ‘The Employment Practices Code’ (EPC) in 2003, which is non-binding but seeks to spell out for employers the extent of their obligations as data controllers to their workers as data subjects. The Code has since been revised and supplemented^[5] (and even abridged for smaller employers).^[6]

Two crucial issues arguably arise for the worker whose personal data is being processed by the employer. One is the issue of consent: should we be applying common law principles indicating that implicit consent is sufficient? The other key issue is the purpose (or purposes) for which data can legitimately be kept by the employer.

While ‘consent’ is stated as a precondition for collection of personal data (under Schedule 2 of the DPA) and ‘explicit consent’ for ‘sensitive personal data’ (under Schedule 3), this is deceptive. For, if any of the other exceptions apply (more generous for bare ‘personal’ information than that which is ‘sensitive’), then consent is not needed, whether implicit or explicit. Where ordinary personal data is at issue and these exceptions do not apply, the EPC seems to indicate that the kind of implicit consent familiar at common law is sufficient. The employer does not need to seek permission to hold employment records but the EPC does encourage employers to ensure that employees are aware of the purposes for which data concerning ‘employment records’ are being kept and the nature of any intended disclosure.^[7] Data management of sensitive personal information is clearly subject to different threshold requirements. Schedule 3 makes clear that ‘explicit consent’ is needed, but this is still not essential if any of the following other criteria are satisfied: necessity for compliance with employment law, necessity for protecting vital interests of the data subject, processing for associative activities (such as a trade union) or data already ‘manifestly made public by the data subject’ or necessary for ‘establishment, exercise or defence of legal claims’. Hazel Oliver has expressed concern at this formulation. First, it offers potential for justification of usage of sensitive personal information without a worker’s consent, which arguably reduces the worker’s capacity for agency. Second, perhaps even more significantly, it enables a worker to ‘contract out’ of privacy rights, even if the further criteria are not met, without further justification.^[8]

Under Article 6 of the EC Directive, data may only be used for ‘specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes’. It is recommended as ‘good practice’ that employers ‘consult workers, and/ or trade unions or other representatives, about the development and implementation of employment practices and procedures that involve the processing of personal information about workers’, even where this is not obligatory under legislation.⁶⁰ The EPC acknowledges that:

[m]onitoring may, to varying degrees, have an adverse impact on workers. It may intrude into their private lives, undermine respect for their correspondence or interfere with the relationship of mutual trust and confidence that should exist between them and their employer. The extent to which it does this may not always be immediately obvious. It is not always easy to draw a distinction between work-place and private information. For example monitoring e-mail messages from a worker to an occupational health advisor, or messages between workers and their trade union representatives, can give rise to concern.⁶¹

This could be said to provide an indication that only light touch intervention by an employer is appropriate when it comes to data scrutiny; but at the same time the EPC does not envisage use of ICT to facilitate trade union engagement in the workplace. There is, for example, no comment on ‘blacklisting’, which is now (one presumes) to be addressed by the Blacklisting Regulations of 2010 rather than the DPA. This is perhaps curious given that adoption of those Regulations was prompted by the prominent prosecution by the ICO of the Consulting Association concerning the holding and dissemination of information regarding 3,213 workers in the construction industry.^[9]

In terms of what can or should be disclosed to a trade union in order to assist in recruitment or representation drives, the following observations are made in the EPC:

Personal information about workers should only be supplied to a trade union for its

recruitment purposes if;

• the trade union is recognised by the employer,
• the information is limited to that necessary to enable a recruitment approach, and
• each worker has been previously told that this will happen and has been given a clear opportunity to object.^[10]

This suggests that electronic access to the workplace is likely to be no more available than physical access is at present.^[11]

The UK legislative approach does not compare that unfavourably to those adopted in other common law countries. In the US, for example, an Electronic Communications Privacy Act 1986 (ECPA) allows an employer to ‘monitor an employee’s telephone and wire communications’ under a ‘business extension exclusion’^[12] which enables surveillance of the statistical aspects of for example, destination of calls, call duration, and number of calls. Also, where an employer has a reasonable business purpose, there can be monitoring of the content of employee communications,^[13] as long as the methods and/or scope are not unreasonable and one of the parties (although not necessarily both the employees involved) consented to interception, whether expressly or implicitly. However, the existence of a policy informing the employee is seen as vital: ‘An employer may be acting unlawfully, notwithstanding the ECPA’s business extension exclusion, if it intercepts employees’ private communications absent a published monitoring policy.’^[14]

In Canada, the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA) regulates storage and use of information regarding an ‘identifiable individual’, imposing what is essentially a ‘reasonableness’ test. If covered by PIPEDA then workers are entitled to ensure that their employer: explains the purposes for which personal information is gathered; does not retain more than is necessary for such purposes; keeps any information accurate; gains their ‘consent’; and allows them access to the information kept and a chance to correct inaccuracies. The problem is that coverage is patchy. PIPEDA applies across the private sector, but by reason of the Constitutional division of powers, only to federally regulated workers. ‘The majority of workers in each province are not protected by PIPEDA, although their employer might be bound by PIPEDA with respect to their customers’ personal information.’^[15]

In four provinces, a tort of ‘invasion of privacy’ has been established by legislation: British Columbia, Manitoba, Newfoundland, and Saskatchewan. However, once again, difficult issues of ‘consent’ arise here. As Avner Levin has observed, even when such privacy legislation is in place, workers still ‘face a difficult decision’, as ‘either they continue to work and lose their ability to sue for invasion of privacy due to their “consent” to the new measures, or they must risk their employment and claim, without any guarantee of success, that the new measures have brought the employment relationship to an end’.^[16]

[1] Note the further constraints imposed by the Regulation of Investigatory Powers Act 2000 (RIPA) andthe Telecommunications (Law Business Practice) (Interception of Communications) Regulations 2000;but neither is concerned specifically with workplace surveillance. See discussion in Aileen McColgan, ‘DoPrivacy Rights Disappear in the Workplace?’ (2003) European Human Rights Law Review 120 at 133; andHazel Oliver, ‘Email and Internet Monitoring in the Workplace: Information Privacy and Contracting-out’(2002) 31 ILJ 321 at 339.
[2] Cf Data Protection Directive 95/43/EC, Article 6. 4 DPA, s. 2.
[3] 55 See amendment of the DPA by Criminal Justice and Immigration Act 2008, s. 144.
[4] 56 Published November 2011 (96pp. in length) and available at:
[5] data_protection/topic_guides/~/media/documents/library/Data_Protection/Detailed_specialist_guides/the_employment_practices_code.pdf>. Note that this is further supplemented by ‘Supplementary Guidance’published June 2005 (86pp.) and available at: .
[6] Also published November 2011 (but only 26pp. in length) and available at: .
[7] EPC at 32. Note also similar advice re records kept for pensions or insurance purposes.
[8] Oliver 331 (n 52). 60 EPC at 13. 61 EPC at 56.
[9] See text accompanying n 47. 2 EPC at 51.
[10] 64 Limited for non-recognized trade unions only to a balloting period under the statutory recognition procedure. See TULRCA, Sch. A1, para. 26 discussed in Alan Bogg and Tonia Novitz, ‘Recognition
[11] in Respect of Bargaining in the UK: Collective Autonomy and Political Neutrality in Context’ in BreenCreighton and Anthony Forsyth (eds), Rediscovering Collective Bargaining: Australia’s Fair Work Act inInternational Perspective (Routledge, 2012) 233-4.
[12] Electronic Communications Privacy Act of 1986 (ECPA), § 2510(5)(a).
[13] ECPA, §2510(8).
[14] Satch U. Ejike, ‘Workplace Privacy in Domestic and International Business: Employers’ Rights andLiabilities’ (2002) International Trade Law and Regulation 12 at 17.
[15] Levin 199 (n 6). 2 Levin 205 (n 6).
[16] 70 Trade Union and Labour Relations Act 1992 (TULRCA), Sch. A1. A straightforward summary is available in Pascale Lorber and Tonia Novitz, Industrial Relations Law in the UK (Intersentia, 2012) ch. 3; forthorough and comprehensive analysis of the procedure, see Alan Bogg, The Democratic Aspects of Trade

Data protection and privacy

Data Protection and Privacy Issues of the Internet of Things

Data Protection and Privacy Challenges raised by the IoT Technologies, Applications, and Ecosystem

A Broad, Holistic Approach to Data Privacy Remains a Valuable Method for Protecting Patient Privacy

Privacy, confidentiality and data protection

The Legal Framework: Privacy and Data Protection

Privacy and Data Protection in Europe

Privacy and Data Protection by Design and by Default

Cooperation between financial intelligence units in the EU: challenges for the rights to privacy and data protection

FIU cooperation - at what cost for the rights to privacy and data protection?