Employees must not lose their right to privacy at work and should be able to carry out their professional duties in the knowledge that their personal data and correspondence will remain private unless otherwise indicated by company directors, legal experts have said.
The National Union of Journalists has said it is “gravely concerned” after reports emerged over the weekend that system back-up tapes containing data on staff at Independent News and Media (INM) may have been removed from the company and accessed by external groups.
The revelations have raised fears around data protection for employees across all sectors and the measures needed to ensure the privacy of personal information in the workplace.
UCD law lecturer Dr TJ McIntyre, who specialises in information technology law, says while there may be certain cases when employers can examine staff emails – for example, as part of a criminal investigation – employee data should never be released to an external third party “in bulk” without first informing staff.
Fred Logue from FP Logue Technology, Intellectual Property and Information Law agrees that when data is accessed by a third party, the employee should be notified in advance. "The basic principle is you should always be aware of who is accessing your personal information," said Mr Logue. "It's been settled that surveillance of employees is in breach of the European Convention of Human Rights. If there's a genuine reason for data to be transferred off site that's fine but the purpose of the access needs to be established.
“The employer doesn’t have complete autonomy to do whatever it wants with employee communication. There has to be transparency and a legitimate reason for accessing information.”
‘Wake-up call’
Dr McIntyre said the reported INM breach should act as a “wake-up call” to the Irish media around the need to respond to data protection measures in “a more structural way”, saying the response to date had been “ad-hoc” and “reactive”.
Under data protection law, the transfer of private information by a member of staff to an external organisation would not necessarily be considered a criminal offence, said Dr McIntyre. “It’s theoretically possible that somebody who did this would be guilty of unauthorised access to data but the problem with that offence is it’s designed for when you have an outsider attacking. It’s not clear if the offence would apply to someone on the inside.”
However, a criminal offence could apply if the data was transferred to a third party and then again transferred to another external body, added Dr McIntyre.
“You can’t expect individuals to have the expertise to secure their devices, the organisation has a responsibility to do that,” Dr McIntyre said. “How many journalists are using insecure android phones? Are journalists doing work on personal laptops and are those devices adequately up to date?”
Encrypted apps
“Should their data being stored for back-up services be encrypted and who holds the keys to decrypt that data? If the data is decrypted it should be done by the journalist or someone senior on the editorial side.”
Dr McIntyre also advised that correspondence between journalists and their sources should not be conducted through email, which is more open to security lapses, but through encrypted communications apps.
Mr Logue noted the alleged INM data breach had raised serious questions around the State’s freedom of press and the protection of sources. “Anyone who has had their information accessed has the right to be told as soon as possible and this includes people on the other side of the communication, anyone who corresponded with the journalists.
“Trust in the media is so important and people need to be able to talk to journalists in a secure way. It’s not only in the journalist’s interest but in the public interest.”