Protecting employees’ “stories” – Avoiding fines of up to €20m under the incoming General Data Protection Regulations

Last night, I visited a local community café for a fascinating talk about ‘story’. The gist of the evening centred around how humans think and dream in script form rather than in bullet points. A case in point? You dream in vivid, moving events, not static images.

Every part of our lives involves in story. Music is the story of events in lyrical form, whilst books and films introduce characters with backstories which shape their character going forwards. An example? In the Harry Potter books, Harry and Voldemort have the same backstory (magical orphans with horrible childhoods who are ‘saved’ by Hogwarts School) but both deal with that in different ways – i.e. one becomes good and one becomes evil.

Everybody has an individual story, whether in their social lives or during their employment. So, why am I going on about ‘story’?

US firm starts microchipping employees – Science fiction or the future?

Microchip reader Yes, you read that correctly. Microchipping employees. And, no, that’s a real headline. A technology company in the USA has been widely reported as microchipping employees in place of their security and identity cards.

The first thing to get out of the way here is that they aren’t implanting an actual, square computer chip. Rather, they insert a tiny implant (the same size as a grain of rice) between an employee’s thumb and forefinger with a syringe. Apparently, removing it is akin to taking out a splinter (ouch?)

Now, apparently, the ‘younger generation’ are most likely to get onboard with this in the future. Well, I’m in my twenties and I’m not tempted in the slightest. Saying that, I hate needles, so that’s a poor starting point…

Looking at the wider picture, we live in a world of fingerprint ID on phones and being able to unlock the latest phone handsets with your own face. So why is an implant so controversial?

data protection versus data access

It never ceases to surprise me that employees can be so horrified when action is taken against them following the misappropriation and/or misuse of information belonging to an employer. All employment contracts incorporate an implied duty to keep confidential  information belonging to the employer and not in the public domain. Confidential information in the nature of a trade secret, such as financial information, customer lists, production processes and sales strategies is protected. Further, any decently drawn contract of employment will include express protection of confidential information, both during and after employment.

If an employer has good reason to believe that confidential information has been misused, for example by disclosure to a competitor or by a former employee diverting business away from the company, there is a clear risk that serious damage could quickly follow. Consequently, it is often thought appropriate to apply for an injunction requiring the current or former employee (and any of his or her associates) to stop using the information and to deliver up the information in whatever form it has been taken. In order to prevent action being taken to thwart the employer’s efforts (e.g. by hiding away the information) injunctions are often granted without notice to the party to be served.

I recall some years ago making a home visit to a suburban address early one morning. The purpose of the visit was to carry out the terms of an injunction order requiring the delivery up of property belonging to the employer. A supervising solicitor from another firm was in attendance to ensure that correct procedures were followed. The recipient of the order was shocked to find out that the order covered delivery up of all physical documents at the house and, in addition, all electronic devices that could hold information belonging to the company including PCs, mobile phones and even the children’s laptops. Technological advances have served to widen even further the scope of disclosure to include, for example, documents stored in the cloud through Google, OneDrive, Dropbox or any number of other providers. It has also come to the attention of many employers that, particularly in the online world we nearly all inhabit, relevant data is one of their most important assets.

The recent High Court case of Warm Zones v Thurley and Buckley includes a useful summary of the relevant factors to be taken into consideration when considering such an application and confirms the willingness of the court to make an order in appropriate cases.

Warm Zones is a not-for-profit company that provides energy efficiency and related advice for domestic users, targeting principally low income and vulnerable households throughout the UK. Ms Thurley was a zone director from January 2007 until she was dismissed in March 2013. She covered addresses in North Staffordshire and Cheshire West. Mr Buckley worked as an IT and project manager, also based in North Staffordshire. Both had access to the employer’s database for the region containing, according to Warm Zones, “important, unique confidential information and property belonging to it”.

is it any wonder that incompetence thrives?

Employers necessarily gather, store and use personal data about applicants and employees and so must comply with the Data Protection Act 1998. Halliday v Creation Consumer Finance Ltd considers what sort of compensation should be awarded if that information is misused. It arose in the context of consumer credit finance. After Mr Halliday bought a new television on credit, there began something of a saga. The credit company, CCF, was ordered to delete the information they held on Mr Halliday and pay him £1500 compensation and costs for breaches of the Act. Initially they mistakenly paid the sum into the wrong bank account, but then made the payment correctly and attempted to get the money back from the bank. When the bank refused, they started proceedings to try to claw back the double payment from both the bank and Mr Halliday. Next, they made a further mistake and passed information to Equifax, with the result that anyone checking Mr Halliday’s credit rating for a period of four months would have seen a debt of £1500 owed to CCF without a credit agreement governing it.
Mr Halliday successfully counterclaimed for these further breaches of the Data Protection Act but was awarded only nominal damages. On appeal to the Court of Appeal, he argued that nominal damages, or even nominal damages plus damages for distress were not an effective remedy. He also proposed that damages for distress should be assessed in the same way as compensation for injury to feelings in discrimination cases (applying Vento guidelines).
Lady Justice Arden, while confirming that that an individual can be awarded damages for distress arising from a contravention of the Act, pointed out that it was “not the intention of the legislation to produce some kind of substantial award”. She remarked that that the breach complained of was a single episode, had not led to any actual damage to Mr Halliday’s reputation and that there was no evidence of injury to feelings or distress over and above what might normally be expected “from frustration at these prolonged and protracted events”. In the circumstances nominal damages of £1 plus £750 for distress were “appropriate and sufficient”. She went on to reject any analogy with discrimination claims which, she said, are liable to involve distinct and well-known distress to the complainant.
In the meantime the Information Commissioner is doling out swingeing fines for data protection breaches.

beware when dealing with CCTV images

It seems that the anomalies which can be found in modern life are expanding exponentially. Last weekend it was reported that “crime maps” on Government websites which identify the locations of local villains are going to be enhanced so that details of crimes, criminals and even photographs will be made available. Meanwhile, the Information Commissioner has taken action against Internet Eyes, a business with a website that rewards members for spotting shoplifters using CCTV footage.