The European Union Data Protection Directive (95/46/EC) outlines what protections should be afforded to individuals with regard to the processing of personal data and the free movement of such data. In England and Wales the directive was implemented in law as the Data Protection Act 1998 and the local data protection authority is the Information Commissioner. In Ireland the directive was implemented in law as the Data Protection Act 2003 and the local data protection authority is the Data Protection Commissioner.
Information on all other EU data protection authorities is available here.
The data OfficeMetrics collects relates to an identifiable living individual and can be used to inform or influence actions or decisions affecting that individual. As such, the data is classed as ‘personal data’ for the purposes of the Data Protection Directive and the local Data Protection Acts. This document helps determine what is classified as personal data. Collecting ‘personal data’ means the company is classed as a ‘Data Controller’.
Other situations in which a company will be classed as a ‘Data Controller’ include…
· An HR department recording personal and financial information related to employees
· Company management keeping employee performance records
· IT departments recording employee web browsing and email history for security and compliance reasons
· Call centers automatically recording employee performance statistics with call monitoring systems
According to the Data Protection Acts (UK, IRL), as a ‘Data Controller’ the company has the following responsibilities…
· Obtain and process the information fairly
· Keep it only for one or more specified and lawful purposes
· Process it only in ways compatible with the purposes for which it was given to you initially
· Keep it safe and secure
· Keep it accurate and up-to-date
· Ensure that it is adequate, relevant and not excessive
· Retain it no longer than is necessary for the specified purpose or purposes
· Give a copy of his/her personal data to any individual, on request.
This means, in essence, that:
1. Employers must inform employees that their workplace computer activity is monitored. This is often included in an employee handbook, or the company’s acceptable computer use policy.
2. The employer must take all possible steps to ensure the security of the information. All communications between the OfficeMetrics agent and server are encrypted. Access to the OfficeMetrics servers is controlled and secure.
OfficeMetrics is the only computer activity monitoring system that complies with the final requirement by default, as it gives all information collected on an employee to the employee automatically.
Some ‘Data Controllers’ are required to register with their local data protection agency. This is not necessary for companies running OfficeMetrics, as is clear from these documents (UK, IRL).
As all countries in the European Union derive their data protection legislation from the EU data protection directive, the definition of and requirements on ‘Data Controllers’ are very similar across the EU.