Data Protection Authority backs decision to suspend employee for unauthorised access to company data

March 16 2016 | Contributed by Stanchi Studio Legale

The Data Protection Authority recently found that an employer's decision to suspend an employee was legitimate in light of its right to defence against the employee's breach of Article 24 of the Privacy Code and Articles 2104 and 2015 of the Civil Code.

Facts
An employee appealed to the Data Protection Authority against his employer's processing of his personal data, which was stored on his work computer. The computer had been seized when the employee was suspended. It was subsequently subjected to a content check and a copy of the hard disk was made.
The employee challenged the employer's actions as unlawful and arbitrary due to the absence of assurances regarding "the immutability of the contents of the PC" and the fact that the data acquisition took place "in his absence and in the presence of a third party unconnected to the company… in violation of the principles of relevance".
The authority's findings revealed the following:
  • The employer had taken only the necessary steps to prevent interference that could have affected the investigation of serious and repeated violations of criminal and civil laws during the disciplinary proceedings that it had brought against the employee. The violations concerned the rules for processing personal data.
  • After discovering the leak of confidential corporate information, the company examined the event logs in the registries of the computers used by other employees. The findings revealed numerous instances of unauthorised access to these computers from the computer used by the employee under suspicion. The company subsequently suspended him as a precautionary measure.
  • When performing processing operations, the company's data controller asked the employee to hand over his personal work computer, which was put into a sealed envelope without being switched on or given to anyone else. The computer was only switched on and the hard disk verified during a meeting that the employee attended.
  • The employee had refused to check the content of his computer together with company personnel. As a result, the company used an external IT company to analyse the PC in the presence of a trusted staff member. The examination process was conducted and documented meticulously, without accessing the employee's personal files. A technical report of the operation was drafted.
  • The examination's findings confirmed the company's accusation against the employee. The computer was subsequently put back into a sealed envelope and held on the company's premises to be made available to civil and criminal judicial authorities.
Decision
The Data Protection Authority assessed the legitimacy of the employer's actions, having found that the employer was entitled to carry out proper checks on performance and protect its assets. It found that correct procedure had been followed in that regard, as the checks had aimed to protect the company's rights.

Comment

The authority's decision is notable because it examined a specific procedure that used digital forensics techniques to examine a company's computer system and IT tools entrusted to employees.

For further information on this topic please contact Andrea Stanchi or Laura Lattanzi at Stanchi Studio Legale by telephone (+39 02 546 9522) or email (a.stanchi@stanchilaw.it or studio@stanchilaw.it).
