New Data Protection guidance issued by the Data Protection Commissioner
Friday, 24 May 2013
The Data Protection Commissioner issued his 2012 Annual Report on Monday last. This report contains eighteen new case studies, two of which will be of particular interest for employers.
Case Study 11/2013 provides guidance to employers regarding the extent of medical information that they should require from employees on sick leave. This case concerned a Department of Education circular concerning sick leave for registered teachers, which required employees to disclose the nature of their illness on their medical certificates for them to be acceptable. The Commissioner noted that this information was 'sensitive personal data' under Data Protection legislation.
The Department informed the Commissioner that it requested this information from its employees to enable it to make an informed decision as to whether a referral to an occupational health practitioner was required. The Commissioner recognised that employers have a legitimate interest in knowing how long an employee is likely to be on sick leave, and in knowing whether an employee will be capable of doing particular types of work. As a result, standard medical certificates do not give rise to data protection difficulties. However, an employer does not 'normally' have a legitimate interest in knowing the precise nature of the illness, and would be at risk of breaching data protection rules if it required this information, even with the employee’s consent.
He stated that a general practice which requires employees to disclose the nature of their illness in all cases where a medical certificate is required gives rise to serious data protection concerns, as it does not provide adequate protection for the employee's sensitive personal data. Acting on the Commissioner’s advice, the Department confirmed that it would no longer require schools and teachers to disclose the nature of an illness in all cases where a medical certificate is required.
The Commissioner stated that ‘this case study highlights that employers should be aware that, in general, only limited relevant information should be sought from an employee submitting a medical certificate to account for a period of sick absence. Seeking excessive sensitive personal data in that context is a clear breach of the Data Protection Acts.’
Case Study 14/2013 addresses a case where a client list contained in an ex-employee’s diary was taken by that ex-employee to his new employer, and provides guidance on the application of data protection rules to contracts of employment. The customers on the list subsequently received marketing letters from him, on behalf of his new employer.
It was clear to the Commissioner that the new employer did not have consent from the individuals to process their data or to send marketing communications to them. The new employer destroyed the data in question.
Notably, when analysing the first employer’s data security, the Commissioner recommended that the term of the first employer’s employee contracts dealing with ‘use of business data’ be amended to include specific reference to the use of personal data to prevent any ambiguity. Employers should therefore ensure that their employee contracts specifically refer to use of personal data to ensure that data protection rules are complied with.
The Commissioner concluded this case study with a word of warning for employers, stating that ‘data controllers must be aware that where they process data which has been brought in to the organisation by a new employee from their previous employment, without the consent of the individuals, they are in breach of the Data Protection Acts.’
If you have any queries, please feel free to contact Michael Kennedy, Lorraine Smyth, Fleur O’Shea or your usual contact at ByrneWallace.