Surreptitious monitoring of personal e-mails by employers would be extremely difficult to justify in data protection terms, according to the latest report of the Data Protection Commissioner.
The 11th annual report of the commissioner, Mr Fergus Glavey, presented to the Oireachtas yesterday, reviews the operation of his office over the past year and the issues raised by complainants. He is charged under the 1988 Data Protection Act with ensuring that organisations maintaining electronic records do not abuse the data they obtain.
This is Mr Glavey's final report as commissioner. He has served for the past seven years and is being succeeded by Mr Joe Meade, former Secretary General and Director of Audit in the office of the Comptroller and Auditor General.
Inquiries to the office rose last year by 10 per cent to 2,200. Typical among them were queries involving junk mail, credit ratings, or difficulties in exercising the individual's right of access to information held about them on computer.
One of the main issues raised over the past year, according to the report, is whether employers are entitled to read e-mails sent and received by employees, and to track employees' Web-browsing activities.
Mr Glavey pointed out that Council of Europe recommendations stress the primacy of respect for the privacy of the individual, and his or her right to exercise social and individual relations at their place of work.
Much will depend on the culture of the workplace in question, he said. If the employer had made a clear statement of policy that e-mails might be subject to company monitoring, it would be difficult for the employee to object to the fact that it happened. However, if a relaxed atmosphere exists concerning the use of e-mail as a personal resource, then it is most unlikely that the employer could access personal items of correspondence without contravening the Data Protection Act.
"Similar reasoning can be applied in regard to the monitoring of the Web-browsing habits of employees," he said. "If an employer wishes to track an employee's Web-browsing activity, then the employee should know in advance about the employer's policy."
Referring to the collection and use of personal data, the commissioner said that this should be "fairly obtained", normally from the employee him or herself, and should be relevant. Tests, analyses and similar procedures should only be carried out with the employee's consent. There should be no collection of personal data concerning a worker's sex life, political, religious or other beliefs or criminal convictions, except, in exceptional circumstances, these impinged directly on an employment decision.
In his introduction, Mr Glavey said: "My experience suggests that there is a serious risk of minimising the capacity of the individual as decision-maker by depersonalising and reducing the number of traditional information relationships, in favour of automated decision-making and direct exchanges of personal data between organisations. Over the years, I have found that some of the most intractable data protection issues arise from a belief from some organisations that they know what is best for their clients."