If you’re going to wave a sword, know where the pointy bit is

Over the weekend two Irish newspapers (Irish Examiner and Sunday Tribune) reported that one of our leading Trade Unions had filed a complaint with the Data Protection Commissioner on behalf of staff who had received letters by courier from their employer with whom they are engaged in an industrial relations dispute.

While I’m all in favour of seeing discussion and comment on the Data Protection Acts in Irish media, I am dismayed to see poorly explained use of the legislation and am concerned that this might be a precedent setting strategy that results in nonsensical and vexatious complaints diverting the already limited resources of the Data Protection Commissioner’s Office (only 20 people) away from dealing with the many real and valid complaints and queries they get each day.

Yes, Aer Lingus have duties to their employees under the Data Protection Acts to keep their data safe and secure, to only process it for specific stated purposes, and to only process data in a way or quantity that is relevant and not excessive to the stated purposes. However the Data Protection Acts do NOT prevent employers engaging in legitimate communication with staff members using legitimate 3rd party Data Processors to do so, so long as there are appropriate controls in place and the original intent to engage in that communication is consistent with the purposes for which the personal data was originally provided to the employer.

From the media coverage, it appears that IMPACT’s position is that employers can’t write to their staff because personal data is shared with 3rd parties (in this case a courier company but it could just as easily be An Post).

IMPACT may have grounds for a complaint if Aer Lingus specifically targeted the communication to members of the Trade Union using information contained in the HR or payroll systems of Aer Lingus (e.g. deduction of trade union dues at source). This issue was specifically addressed by the Commissioner in relation to attempts by the Dept of Education to deduct pay from teachers who took industrial action based on the fact that the Dept was processing a payroll deduction at source facility. However, Aer Lingus appear to have used the fact that the staff member is not on the payroll (i.e. is not being paid) as the trigger for the letter, this issue may not arise.

The Union may have grounds for proposing that by sending a batch of letters out to individuals at a time of industrial strife, the courier company could deduce that the addressees were Trade Union members. But, in that context, it must be suggested that Aer Lingus should have appropriate contract terms with the courier company regarding security and unauthorised secondary processing (e.g. making a list) (I’ve written about this on my company’s website today). In addition, if Aer Lingus are sending letters to staff in relation to their work schedules and their contracts of employment they could probably be able to rely on lawful processing conditions under Section 2a and Section 2b of the Data Protection Acts.

IMPACT may have grounds to argue that there was excessive processing as it seems mobile phone numbers were provided to the Courier company as well. However, Aer Lingus might take the position that that was felt to be a necessary step to ensure delivery of the letters could be made in a timely manner. Again, this might fall under a lawful processing condition under S2a or S2b of the Acts.

For example, Dell made my mobile number available to the UPS driver who delivered my computer. Likewise they made my mobile number available to the support technician who replaced my keyboard. It all depends on the validity of the purpose and whether a valid Lawful Processing condition can be met. There were lawful processing reasons there in relation to the execution of a contract. Consent was not required (but was asked for).

What is clear from the media coverage is that:

  1. If you engaging a Data Processor (in this case the Courier) you need to be clear what the minimum necessary information is to achieve your objective and share no more than this. Aer Lingus might argue that the provision of mobile phone numbers was necessary to ensure delivery was made as quickly as possible. The key question to ask is whether the same objective can be met in other ways (for example, would it have been better for Aer Lingus to get the Courier company to report to them on undelivered letters and for Aer Lingus to ring around where delivery was not successful?)
  2. If you are a Data Controller and you are sending letters or otherwise processing personal data during a time of industrial unrest, you should be very clear the purposes for the processing and the specific lawful processing conditions you will be relying on.
  3. If you are a representative body presenting a story to the media or making a complaint you need to be clear what the grounds are for the complaint you are making. Querying the legitimate use of a courier company to send letters and implying threats to the security of staff as a result does a disservice to everyone. Specifically pointing out that the provision of certain data may have been excessive or that the airline had not ensured appropriate security of the data by way of a contract with their Data Processor clearly highlights lack of care or

Dragging the Data Protection Acts in to the middle of an Industrial Relations dispute should be done with care. To do so without clarity as to the specific nature of the complaint and the specific characteristics of the breach that you suspect will result in a waste of the resources of the Commissioner’s Office and will serve to only compound the half-truths and untruths that abound about the Data Protection law in Ireland.

Using the Office of the Commissioner as a negotiating tool is disingenuous and does a disservice to the important role that the Commissioner continues to play in the development of compliant and trustworthy practices in Irish commercial life.