Mounting a CCTV camera on your premises and gathering email addresses are two common activities that result in data protection issues for business owners. But why?
Mounting a CCTV camera on your premises and gathering email addresses are two common activities that result in data protection issues for business owners. But why?
Because you can gather personal information about your employees and customers. This information comes in a number of different forms such as:
- Employee records
- CCTV footage, and
- Email acquisition, among others.
You will also be in a position where you will be sending your business’s information to customers, through emails, text messages and even online cookies.
Every Irish citizen has a fundamental right to privacy, as recognised by the courts. However, the storage of personal data by businesses is ubiquitous. Hence, the storage and processing of such information has been regulated, to ensure people’s rights to privacy are upheld.
The law
The Data Protection Act is a complex document which has undergone a number of revisions. Here are the main provisions relevant for business owners:
- You must ensure your customers and employees know what information you hold on them, why you hold it and what you do with it
- You may need consent before collecting certain personal information
- Stricter rules apply to sensitive information, such as medical records
- Other sensitive information includes:
- Racial or ethnic details
- Trade union membership
- Details on an individual’s physical, sexual or mental health, and
- Whether the individual has been charged with, or is alleged to have caused, an offence.
- Sending information out of Ireland may be prohibited
- Individuals can insist on access to information you hold on them
- You may need to register with the Data Protection Commissioner
- Non-compliance could lead to fines and/or imprisonment
You can learn everything you need to know about the act by checking out the obligations for businesses.
Implications for business
As a business owner, you are what is known as the ‘Data Controller’. That means that you (either alone or with others) control the contents and use of personal data. The points above seem fairly straightforward, but let’s look at some practical examples of how you should act to avoid running foul of the Data Protection Commissioner. Make sure you refer to the Data Protection Website FAQs for more details and information.
The Data Protection Act requires that all Data Controllers register with the Data Protection Commissioner. However, there are exceptions. For example, certain not-profit-making bodies may not have to register.
Personal data
- If you hold personal data on a specific individual, and that individual writes to you asking if that data exists, you are required to give a description of the data and the purpose for which it is kept within 21 days of the request being made.
- If you are keeping personal data for the purposes of direct marketing and the individual on your database requests that you cease processing data for that purpose, generally you have 40 days to comply.
- Individuals have a right to access the data that you hold on them. Again, this must be given provided there is a written request. However, there are a number of exceptions to this rule, such as if this would impede a criminal investigation.
Direct marketing
- If you are making an unsolicited call for the purposes of direct marketing, you must disclose your name and, on request, your address and telephone number. If you are sending an unsolicited email or text message for direct marketing purposes, you must include your name and a valid address at which you may be contacted.
- Personal information gathered from a sale, text or email can only be used if there is an easy-to-use, free opportunity for the individual to object.
- Location data may only be processed if kept anonymous, or with the consent of the individual for the provision of a value-added service. Consent to the processing of location data may be withdrawn at any time by simply making a request that the processing be stopped.
- Information can only be stored on or retrieved from a computer or phone provided the user is offered the right to refuse such processing, and that clear and comprehensive information is provided. This covers the use of cookies on websites.
CCTV
- It is necessary that people whose images are captured on camera are informed about the identity of the Data Controller, and the purpose(s) of the processing data. In many cases, seeing as the default reason for CCTV monitoring is for security purposes, all that may be needed is a sign saying that CCTV is in operation, as well as contact information.
- If you intend to use cameras to monitor employees, employees must be informed before cameras are used for this purpose. Use of cameras in private staff areas may be considered to be disproportionate. Cameras placed to record an external area should be placed so as to prevent recording of someone’s private property.
- The recommended time period for the storage of CCTV footage is 28 days. If no issue is recorded over that period, the tape must be recorded over. If the gardai request tapes, it is up to you to decide whether there is a legitimate investigation underway.
- Any person whose image has been recorded has a right to be given a copy of the information recorded, but must make the request in writing.
- The use of recording mechanisms to obtain data without an individual’s knowledge is generally unlawful.
Non-compliance
Non-compliance does not necessarily constitute a criminal offence. The Data Protection Commissioner investigates complaints, and ultimately decides on a ruling.
4 Action Points
