Thursday 22 February 2018

Dixon: Bosses watching staff through CCTV get the thumbs down

The latest annual report of the Irish Data Protection Commissioner contains stark warnings for any companies thinking of using CCTV as a standard measure to monitor staff.

Helen Dixon said that "certain situations, such as staff canteens and changing rooms", should be beyond the scope of bosses checking on their staff.

The Commissioner highlighted one case where a supermarket worker was fired when she placed a paper bag over a CCTV camera in her workplace staff canteen to prevent anyone watching her as she did her hair. Despite the supermarket's arguments about preventing pilfering and bullying, the Commissioner ruled that the surveillance was unjustified.

Bosses have some rights to monitor staff for security purposes, Ms Dixon's office said. But employees also have "fundamental rights to privacy at work in certain situations, such as staff canteens and changing rooms".

The Commissioner also upheld a number of complaints about unsolicited marketing activities from a range of big companies.

In one case, Eir (previously known as Eircom) was forced to pay a €35,000 fine for a series of illegal marketing calls and text messages to customers who thought they had opted out of Eircom's systems.

Other cases involved prosecutions of Imagine Communications and the waste management company Greyhound.

Elsewhere in her report, the Data Protection Commissioner revealed that she rejected requests from an unnamed "key" tribunal witness to delete their name from certain Google searches.

Ms Dixon's report says that 23 complaints were received by the State's data privacy body in relation to the 'right to be forgotten' from search engines. However, the office only upheld seven of the complaints, while 16 of them were refused.

"One rejected complaint centred around a long-running tribunal, where the Office concurred with Google's position not to delist certain URLs found following a search conducted using an individual's name," said the annual report. "Given that the individual concerned had given key testimony at this important tribunal, it was considered that there was a legitimate public interest in maintaining access to this information against a search on that individual's name. A search against other keywords in the original content would still have produced a result in the search engine."

Under European law, an individual can request that a personal name be delinked from searches that return web links deemed outdated or irrelevant. However, freedom of information advocates fear the rule is sometimes exploited by white collar individuals to whitewash misdeeds or matters of genuine public interest.

Overall, the Irish Data Protection Commissioner's Office received 932 complaints from members of the public last year, most relating to denial of access to personal records.

"The largest single category of complaints related to access rights, which accounted for over 60pc of the total and reflecting the extent of the difficulties some individuals experience exercising their statutory right of access," said the report.

"The second largest category of complaint concerned electronic direct marketing."

The number represents a 3pc fall from the year before.

However, the number of data breaches notified to Helen Dixon's office was up 6pc to 2,317. And her office applied three enforcement notices against Aer Lingus, O2 and Arizun Service Ireland.

Meanwhile, Ms Dixon said "intense" engagement with Facebook "over a number of months" led to new tools launched by the social network that let people opt out of online behavioural advertising through Facebook's service.

She said that an audit completed by her office resulted in the launch of a Facebook tool called 'Download Your Information' that allows users to download a copy of their Facebook data. She said that Facebook had also introduced a "privacy checkup tool" in response to the Irish office's investigations.

And Ms Dixon said that her office was engaged in an "organisational and technical review of settings and controls in relation to advertising, updated and new features such as legacy accounts and family tagging, handling of consent to the use of cookies, personal data inventories, use and retention of location data, use of contact data, and an extensive engagement on details of access request handling".

Other companies to come under the Irish data protection spotlight include LinkedIn, which is being acquired by Microsoft for over €23bn. Ms Dixon said that discussions between her office and LinkedIn have resulted in adjustments to the layout and location of settings on LinkedIn members' profiles. She also said that LinkedIn has created a new 'Cookie Council'.

Indo Business
