Data Protection Commissioner
Data Protection Commissioner

CASE STUDY 3/2001

Employee performance ratings disclosed to other staff – inadequate security

I received a letter of complaint from a number of employees within a particular company. It appeared that the company had created a computer file setting out performance assessment reports for individual members of staff. The file – of which staff members had been unaware – was accessible throughout the company to a wide range of line managers, including managers who had no role in relation to the staff members in question. The employees were concerned that their data protection rights had been infringed by the unnecessarily widespread dissemination of confidential personnel details, and they asked me to investigate the matter.

On raising the issue with the company, it was explained that the line manager of a particular unit had created a file, setting out performance ratings for staff under his supervision. However, the "access permissions" on this file had inadvertently been set to allow numerous people outside of his management team to read it. A staff member who noticed this problem had brought it to the attention of management, and the file in question was destroyed. The company had also arranged for a formal investigation into the matter, which had concluded that there had been –

  • a failure to adequately protect and secure sensitive information held on the staff within the particular business unit
  • insufficient detailed knowledge by managers of the security environment in which the data were held
  • a failure by the staff member who initially discovered the file to alert the appropriate manager to its existence, as required under various HQ policies and the unit's own confidentiality statement
  • subsequent failures by some staff members to prevent ongoing disclosure of the contents of the file.

The company accepted these findings and that a breach of the Data Protection Act, 1988 had occurred in this incident. They acknowledged the need to address these issues, and had put in place the following measures –

  • an immediate training programme in IT security for all managers and staff, together with regular refresher programmes
  • all remaining hard- and soft-copies of the file in question to be destroyed as a matter of the utmost urgency, with all company systems swept to confirm this
  • HQ policies on security should be reissued to all managers and staff
  • standards for holding sensitive data, both personal and commercial, to be reviewed and published.

As regards my own findings, I accepted that, in an employment context, staff members may not automatically have the option of objecting to their data being used for appraisal purposes – this would naturally depend on conditions of employment and industrial relations norms. However, I concluded that staff should be made fully aware of new appraisal initiatives which involve the use of their personal data, if the 'fair obtaining' requirements of section 2(1)(a) of the Act were to be respected. The performance appraisal file in this case had not met these standards, and so its creation entailed a contravention of the Act.

I also confirmed that the failure to implement appropriate access restrictions contravened the security requirements of the Act (section 2(1)(d)), and that the resulting dissemination of the file to other unauthorised staff members amounted to an incompatible disclosure of the personal data (contrary to section 2(1)(c)(ii) of the Act).

However I was pleased to note that the Company had taken immediate and appropriate steps to address the issues involved in this case, particularly in terms of ensuring that appropriate security measures are in place and improving awareness of staff and management regarding the importance of adhering to correct procedures. I believe that this case is a useful reminder of the need for appropriate internal security measures – both as regards the pitfalls, and as regards the correct way to address any deficiencies that are identified. This issue now takes on an added importance with the implementation in Ireland, from 1 April 2002, of the revised security provisions introduced in the European Communities (Data Protection) Regulations, 2001, which have transposed certain provisions of the European Data Protection Directive into Irish law.