Tina Kraigher and Milena Podjed-Fabjančič 18 April 2010 Processing of Processing of Telephone Traffic Telephone Traffic Data of Employees Data of Employees ( ( a Case Study a Case Study ) )
Tina Kraigher and Milena Podjed-Fabjančič 18 April 2010 Processing of Telephone Traffic Data of Employees ( a Case Study )
Dec 24, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Tina Kraigher and Milena Podjed-Fabjančič18 April 2010
Processing of Telephone Processing of Telephone Traffic Data of Traffic Data of
EmployeesEmployees
((a Case Studya Case Study))
Background
Possible violation detected
Inspection procedure ex officio
Offence proceeding
Appeal
Personal Data Violation Allegations
Head of a state office allegedly obtained and examined itemised billing for business mobile phone services, with no legal basis for such
processing of personal data, with the intention to determine which of his employees contacted a reporter and disclosed classified information.
Facts establishedTelephone traffic data obtained:
- for 6 business mobile telephones used by employees
- for a certain time period
- data separately stated in the itemised billing :
- exact date and time of call/sms
- the called number
- exact call duration
- type of mobile service provided (call, sms…)
- sum charged for the provided service
Facts establishedStatement of the offender in the inspection procedure:
- Itemised billing obtained for the purpose of reconstructing the path and establishing exact time line of communication between employees in the night of the attempt assassination.
- Aiming to inform the public of a prompt and correctly lead procedure in crisis situation.
- Legal basis: General Terms and Conditions of the mobile operator.
- Belief that the subscriber is entitled to obtain and examine itemised billing irrespective of who is the actual user of a certain telephone number.
Facts establishedStatement of the offender in the offence proceeding:
- All actions taken in accordance with the Internal Rules.
Internal Rules on the use of business mobile phones and mobile phone services:
The employee agrees with the employer to obtain telephone traffic
data and data on charged services for the purpose of verifying the sum
charged and objecting against it by signing the acceptance papers for the
use of a business telephone.-
Facts establishedStatement of the offender in the offence proceeding:
-Data obtained for the purpose of verifying the accuracy of sum charged – exercising general competence to supervise the use of public funds in the body as head of state body.
- Notwithstanding the signed acceptance forms, the offender obtained written consents of 4 employees prior to obtaining the itemised billing – consenting to any form of processing.
Facts establishedThe offender refutted the offence charges claiming
that:- Data was not obtained with a purpose of establishing a time line of
actions taken in the night of the attempt assassination – the two events merely coincided.
- Data obtained was not examined with a purpose of determining which of the 6 employees communicated with the reporter – phone number of the reporter was an accidental discovery.
As to the Law
Art. 37 : Protection of the Privacy of Correspondence and
Other Means of Communication
(1) The privacy of correspondence and other means of communication shall be guaranteed.
(2) Only a law may prescribe that on the basis of a court order the protection of the privacy of correspondence and other means of communication and the inviolability of personal privacy be suspended for a set time where such is necessary for the institution or course of criminal proceedings or for reasons of national security.
The Constitution
Art. 38 :Protection of Personal Data
(1) The protection of personal data shall be guaranteed. The use of personal data contrary to the purpose for which it was collected is prohibited.
(2) The collection, processing, designated use, supervision and protection of the confidentiality of personal data shall be provided by law.
(3) Everyone has the right of access to the collected personal data that relates to him and the right to judicial protection in the event of any abuse of such data.
As to the Law
Electronic Communications Act:
Art. 3:25. Traffic data shall mean any data processed for the purpose of conveying a
communication on an electronic communications network or for the billing thereof.
As to the Law
In the Supreme Court of RS opinion telephone traffic data are essentially equal to data concerning postal correspondence and are therefore protected in the same manner - as communications privacy.
The Constitutional Court of RS held that communications privacy includes private and business correspondence and that invasion of privacy cannot be legitimately justified solely on the ownership of the means of communication.
As to the Law
Purpose for which data is obtained:- prescribed by law
or- informed consent given
Purpose for which data is further processed:
- not in counter to the purpose for which data was obtained
Unless otherwise
- prescribed by lawor- informed consent given
As to the Law
Personal Data Protection Act:
Art. 16:
“Personal data may only be collected for specific and lawful purposes, and may not be further processed in such a manner that their processing would be counter to these purposes, unless otherwise provided by statute.”
As to the Law
Personal Data Protection Act:
Art. 8:“The purpose of processing personal data must be
provided by statute, and in cases of processing on the basis of personal consent of the individual, the individual must be informed in advance in writing or in another appropriate manner of the purpose of processing of personal data.”
As to the Law
Personal Data Protection Act:
Art. 91:
A fine from EUR 830 to 2.080 shall be imposed for a minor offence on the responsible person of the legal person if he collects personal data for purposes that are not defined and lawful, or if he continues to process them in contravention of Article 16.
As to the Law
There is no national law determining the legal purpose for collecting and further processing of telephone traffic data of an employee’s business telephone.
Therefore the employer can only collect traffic data and process it further if the employee gives his personal consent and is aware of the purposes for which they are collected and further processed.
As to the Law
Internal Rules on the use of business mobile phones and mobile phone services:
The employee agrees with the employer to obtain telephone traffic
data and data on charged services for the purpose of verifying the
sum charged and objecting against it by signing the acceptance
papers for the use of a business telephone.
Conclusions of the procedure The offender illegally obtained itemised billings for 2 employees:
He obtained the itemised billings not for the purpose of verifying the sum charged or objecting against it, but he collected data for the purpose of reconstructing the events and establishing exact time line of Communication between employees in the night of the attempt assassination and further used it to determine which of the 6 employees communicated with the reporter.
The Information Commissioner fined the offender for 2 violations of personal data with the total sum of 1.660 euros.
Some Considerations
According to the latest Law amending The Electronic Communications Act such “accidental” disclosure is not possible – the mobile operators are obliged to hide last three digits of called phone numbers in the itemised billings.
There are some propositions to enforce a special law, which would regulate privacy at work as a whole – including electronic and other communication of employees.
Related Documents
