Data Protection Question

cajonlardo

Hi

Just wondering if anyone could answer this:

If an employee is absent due to sickness, is it a breach of the Data Protection act for another employee/manager to tell a customer that the employee is unavailable because they are out sick? ( without disclosing any other details)

Thanks

punisher5112

cajonlardo wrote: »

Hi

Just wondering if anyone could answer this:

If an employee is absent due to sickness, is it a breach of the Data Protection act for another employee/manager to tell a customer that the employee is unavailable because they are out sick? ( without disclosing any other details)

Thanks

Hear say. So no.

If they were to give details or any other info then yes.

cajonlardo

Gosh, that was a quick reply

RainyDay

punisher5112 wrote: »

Hear say. So no.

If they were to give details or any other info then yes.

Excuse me: Where did you get 'hear say' from?

The information that the employer has is not hearsay. It is given to the employer in their role as the employer. It is confidential information, like any information about anybody's health status.

For the employer to use HR information for another purpose (dealing with customers) would be a breach of Data Protection law, which requires data to be only used for the purpose intended.

kippy

RainyDay wrote: »

Excuse me: Where did you get 'hear say' from?

The information that the employer has is not hearsay. It is given to the employer in their role as the employer. It is confidential information, like any information about anybody's health status.

For the employer to use HR information for another purpose (dealing with customers) would be a breach of Data Protection law, which requires data to be only used for the purpose intended.

So what does the employer say.

RainyDay

kippy wrote: »

So what does the employer say.

Nothing. Or nothing more that 'X is not working'.

It is no business of customers to know who is on leave or ill or on holidays or whatever.

cajonlardo

RainyDay wrote: »

Nothing. Or nothing more that 'X is not working'.

It is no business of customers to know who is on leave or ill or on holidays or whatever.

Do you mind my asking what qualifies you to be so certain this breaches the data protection act or is it simply your opinion?

Thanks

RainyDay

cajonlardo wrote: »

Do you mind my asking what qualifies you to be so certain this breaches the data protection act or is it simply your opinion?

Thanks

About 30 years of experience working with IT systems, so it is a professional opinion. I'm not a data protection expert or specialist, but I do know a bit about it. I've also had professional training in data protection, HR management and governance.

Now, over to you...

Tell me again why customers need or should know whether an employee is on leave, or on holidays or on training?

brian_t

RainyDay wrote: »

The information that the employer has is not hearsay. It is given to the employer in their role as the employer.

The OP refers to "employee/manager"

Does the above also apply to employees who may have the information as 'colleagues' of the sick person.

punisher5112

RainyDay wrote: »

Excuse me: Where did you get 'hear say' from?

The information that the employer has is not hearsay. It is given to the employer in their role as the employer. It is confidential information, like any information about anybody's health status.

For the employer to use HR information for another purpose (dealing with customers) would be a breach of Data Protection law, which requires data to be only used for the purpose intended.

Your excused.

RainyDay

brian_t wrote: »

The OP refers to "employee/manager"

Does the above also apply to employees who may have the information as 'colleagues' of the sick person.

I guess it depends how they got that information. If they got it through the course of their employment, then the DP Acts would still apply. If a friend simply told them in a friend-to-friend exchange, I don't think any particular laws would apply. But it would certainly be bad form for them to use information given to them personally when dealing with a customer.

punisher5112 wrote: »

Your excused.

So you've nothing to contribute on the data protection issue then?

punisher5112

RainyDay wrote: »

I guess it depends how they got that information. If they got it through the course of their employment, then the DP Acts would still apply. If a friend simply told them in a friend-to-friend exchange, I don't think any particular laws would apply. But it would certainly be bad form for them to use information given to them personally when dealing with a customer.



So you've nothing to contribute on the data protection issue then?

If no personal data is exchanged then there is no basis.

brian_t

RainyDay wrote: »

Tell me again why customers need or should know whether an employee is on leave, or on holidays or on training?

There are businesses were customers form 'relationships' with employees.

Hairdressing is one that comes to mind. Ladies often ask for a particular stylist.

Mrs OBumble

RainyDay wrote: »

Tell me again why customers need or should know whether an employee is on leave, or on holidays or on training?

If I'm a customer expecting to have employee A to do my work, and all of a sudden get assigned B who's not so familiar with my site or requirements, then you bet I wanticipate an explanation. A bland "he's not working today" will make me suspect he's been fired or similar.

kippy

RainyDay wrote: »

Nothing. Or nothing more that 'X is not working'.

It is no business of customers to know who is on leave or ill or on holidays or whatever.

Depending on the scenario it is the business of the customer to know this.
While I am for data protection in general this is the type of nonsense that only has the potential to fill the pockets of solicitors or increase the cost of doing business like most of the overuse of red tape in this state.

Peregrinus

If you're out for the day, I really don't think it's any concern of the customer's whether you're attending your cousin Betsy's wedding, or attending a clinic to have that embarrassing case of Harrison's incurable crawling sexual mange dealt with.

So, yeah, the customer is not entitle to know the private business of every employee that he happens to have dealt with in the past. It may be relevant to the customer to know whether a particular staff member has left permanently, or is expected back the day after tomorrow. But, more than that, not really. And employers should respect the privacy of employees. It's not rocket science, people.

Claw Hammer

If an employee is walking around with a broken arm, any data the employer may have will be public knowledge anyway. In some cases a customer may be touchy about being fobbed off. Common sense must prevail. Saying that someone broke his arm and won't be back for a month is unlikely to be a release of private date since the employee is going about in public anyway. Saying an employee is in a clinic being treated for depression is different.

RainyDay

brian_t wrote: »

There are businesses were customers form 'relationships' with employees.

Hairdressing is one that comes to mind. Ladies often ask for a particular stylist.

If the ladies have an ounce of respect for the particular stylist that they have built up a relationship with, they will understand and fully accept the need for that person to keep their medical status and private life confidential. What difference does it make to the ladies whether the person is out sick or away on holidays or whatever?

The only questions the customer should ask are
1) Is X here?
2) If not, do you know when they will be back at work?

Other information is of no relevance to the customer.

Mrs OBumble wrote: »

If I'm a customer expecting to have employee A to do my work, and all of a sudden get assigned B who's not so familiar with my site or requirements, then you bet I wanticipate an explanation. A bland "he's not working today" will make me suspect he's been fired or similar.

The only questions the customer should ask are
1) Is X here?
2) If not, do you know when they will be back at work?

Anything beyond that is prurient nosiness.

kippy wrote: »

Depending on the scenario it is the business of the customer to know this.

What scenario is it the business of the customer to know why an employee is out?

kippy wrote: »

While I am for data protection in general this is the type of nonsense that only has the potential to fill the pockets of solicitors or increase the cost of doing business like most of the overuse of red tape in this state.

This is nonsense. There is no red tape or legal fees involved. All that is involved is an employer having the brains to keep their mouth shut when it comes to confidential information.

punisher5112 wrote: »

If no personal data is exchanged then there is no basis.

If an employer reveals personal data about an employee to a customer, then personal data has been exchanged in breach of the principles of data protection.

Claw Hammer wrote: »

If an employee is walking around with a broken arm, any data the employer may have will be public knowledge anyway. In some cases a customer may be touchy about being fobbed off. Common sense must prevail. Saying that someone broke his arm and won't be back for a month is unlikely to be a release of private date since the employee is going about in public anyway. Saying an employee is in a clinic being treated for depression is different.

Again, this is nonsense. Wearing a cast on your arm does not breach your right to privacy. The only thing that is public knowledge in that scenario is the fact that you have a cast on your arm. Any other details about the nature of the injury, cause of the injury, expected absence time are not in public domain. If the employer says anything more than 'he won't be back for x period of time', they are breaching the Act.

Drawing a distinction between mental health and physical illness is one of the factors that creates a stigma around mental health. So when somebody chooses to keep their health status confidential, some fools will be thinking (and probably gossiping) that it must be a sensitive matter. All health matters are sensitive matters, and customers have no need to know them.

kippy

RainyDay wrote: »

If the ladies have an ounce of respect for the particular stylist that they have built up a relationship with, they will understand and fully accept the need for that person to keep their medical status and private life confidential. What difference does it make to the ladies whether the person is out sick or away on holidays or whatever?

The only questions the customer should ask are
1) Is X here?
2) If not, do you know when they will be back at work?

Other information is of no relevance to the customer.



The only questions the customer should ask are
1) Is X here?
2) If not, do you know when they will be back at work?

Anything beyond that is prurient nosiness.


What scenario is it the business of the customer to know why an employee is out?


This is nonsense. There is no red tape or legal fees involved. All that is involved is an employer having the brains to keep their mouth shut when it comes to confidential information.


If an employer reveals personal data about an employee to a customer, then personal data has been exchanged in breach of the principles of data protection.



Again, this is nonsense. Wearing a cast on your arm does not breach your right to privacy. The only thing that is public knowledge in that scenario is the fact that you have a cast on your arm. Any other details about the nature of the injury, cause of the injury, expected absence time are not in public domain. If the employer says anything more than 'he won't be back for x period of time', they are breaching the Act.

Drawing a distinction between mental health and physical illness is one of the factors that creates a stigma around mental health. So when somebody chooses to keep their health status confidential, some fools will be thinking (and probably gossiping) that it must be a sensitive matter. All health matters are sensitive matters, and customers have no need to know them.

Just gonna make the point around legal fees and red tape.

There are significant costs involved for organisations to:
1.Pick apart the Data Protection leglislation to see how it applies to them.
2.Forumlate their own policies based on the leglislation in a manner that can be used to train staff.
3. Train staff in such policies in a uniform manner with refresher courses when required.
4.Have access to a legal resource, if and when there are clarificiations required and/or someone takes them to court for breach of leglislation.

If you dont think that's red tape/legal fees I am not sure what you think it is.

The very fact that there is a discussion on this topic shows that the leglisation is not widely known and it's interpretation isn't exactly based on common sense.

RainyDay

kippy wrote: »

Just gonna make the point around legal fees and red tape.

There are significant costs involved for organisations to:
1.Pick apart the Data Protection leglislation to see how it applies to them.
2.Forumlate their own policies based on the leglislation in a manner that can be used to train staff.
3. Train staff in such policies in a uniform manner with refresher courses when required.
4.Have access to a legal resource, if and when there are clarificiations required and/or someone takes them to court for breach of leglislation.

If you dont think that's red tape/legal fees I am not sure what you think it is.

The very fact that there is a discussion on this topic shows that the leglisation is not widely known and it's interpretation isn't exactly based on common sense.

I thought you were referring to this particular scenario, rather than the broader issue.

On the broader issue, it's not really that hard either. A very broad 'tell nobody nothing unless you absolutely have to' will cover 90% of scenarios. The general principles of data protection are fairly straightforward - Only use data for the purpose intended being a key one.

The discussion here is evidence of widespread enthusiasm for nosiness and gossiping more than any data protection issue - people getting up on their high horse for the right to know the medical status of somebody else's employee.

kippy

RainyDay wrote: »

I thought you were referring to this particular scenario, rather than the broader issue.

On the broader issue, it's not really that hard either. A very broad 'tell nobody nothing unless you absolutely have to' will cover 90% of scenarios. The general principles of data protection are fairly straightforward - Only use data for the purpose intended being a key one.

The discussion here is evidence of widespread enthusiasm for nosiness and gossiping more than any data protection issue - people getting up on their high horse for the right to know the medical status of somebody else's employee.

Apologies, I should have made that clear.

Both of those "not hard" points - while true - are open to interpretation and again the very fact that there is a discussion on this shows there are some major misconceptions around.

If a manager tells a customer that their employee is out sick for 4 weeks, should the data protection commissioner be notified of a data breach?

RainyDay

kippy wrote: »

If a manager tells a customer that their employee is out sick for 4 weeks, should the data protection commissioner be notified of a data breach?

No, the rules around breach notifications are for large scale events - from memory, it needs to have impacted >1000 people.

GM228

RainyDay wrote: »

No, the rules around breach notifications are for large scale events - from memory, it needs to have impacted >1000 people.

RD, all breaches are expected to be notified under current guidelines except:-

When the effected data subjects have already been informed and the loss affects no more than 100 data subjects and the loss involves only non-sensitive or non-financial personal data, medical information is sensitive data.

Strictly speaking this is only a Code of Practice and there isn't any legal requirement for notification however to either the individual or the DPC.