Hi Phil,
I agree with you regarding the covert issue on CCTV - that is what I intended to put across, but unfortunately I may have over simplified (as I tend to do!).
Can I ask for clarification about what (in your example below) is included in the definition of 'covert' investigation by an employer or other organisation? Would covert checking of what is in the public domain be included in 'covert' monitoring in this instance? I might (actually I do!) expect employers to check out what information is out there about me - it's in the public domain, so why not? I do not need to know they are doing it, because I've put the information out there. At which point maybe the argument becomes one about whether facebook (in particular) constitutes a private or public social media platform, with all the associated debates about their privacy policies and their communication to users about these policies. My own view, as I said in my original post, is that ignorance is not a form of defence, but I accept others may feel otherwise, namely that facebook has a duty to inform it's users better how to protect their information online.
I think there is a difference between monitoring an account over a period of time and checking it once (and perhaps striking gold). Would that be fair? And would this be lawful?
Best wishes,
Michelle
Michelle Peel
Information Manager
Transport for Greater Manchester
2 Piccadilly Place, Manchester M1 3BG
Direct line 0161 244 1123, Extension 701123
www.tfgm.com
Please don't print this email unless you really need to.
NOTE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain confidential and/or privileged information. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by replying to this email, and destroy all copies of the original message.
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw
Sent: 04 December 2014 14:35
To: [log in to unmask]
Subject: Re: [data-protection] information sourced from facebook or other social media for investigations
There is a difficulty with the distinction which Michelle seeks to make in that s26 refers to " ... likely to result in the obtaining of private information about a person (WHETHER OR NOT one specifically identified for the purposes of the investigation ... ) . So looking at CCTV to see if Fred (known) is a malingerer and looking at CCTV to discover who (unknown) carried out graffiti are equally directed surveillance.
The real issue I suggest is whether it is covert. In both cases I believe it is proper to regard the use of CCTV as not being covert, because if set up properly public CCTV is not covert - in DP terms fair processing notice has presumably been given in the form of suitable notices. This is not the same as monitoring social media where no FPN may have been given, and reasonable expectation of privacy is not the only issue and can be a red herring.
For example checking or monitoring social media as part of recruitment is clearly not going to get a RIPA authorisation - it is either irrelevant or not covert..
In DP terms, to a large extent people have a very limited reasonable expectation of privacy in respect of their public social media. Nevertheless an employer doing this 'covertly' is, I suggest, in clear breach of DPA if the activity is not clearly communicated. Simple application of SCHEDULE ! Part II : "for the purposes of the first principle personal data are NOT to be treated as processed fairly unless— ... the data controller ensures so far as practicable that ... the data subject has, is provided with, or has made readily available to him, ... the purpose or purposes for which the data are intended to be processed". Remember that processing includes obtaining. So to monitor social media for any routine staff management purpose you need to be open and transparent.
Of course in the OP situation you may well need RIPA authorisation to monitor social network, just as you would for a bespoke CCTV surveillance and if you can get this properly than you will also be DP compliant, usually using s29 to avoid the FPN issue.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|