I am supporting HR with a complex SAR. Searching O365 with eDiscovery.
The data subject is being made redundant and questioning the process. The HR director called me today asking if I could search Teams to see if this individual is collaborating with others in the same circumstances. He has also asked for me to check if the data subject is communicating with her ex line manager who left under a cloud. He wants to see if the ex line manager is breaking a confidentiality agreement.
I'm not comfortable because to me this is not what a data protection manager should be responsible for. Myself and my team are the only ones who know how to use eDiscovery though!
Any thoughts would be appreciated.
Ethical?
Stephen Lark
It depends on the company's policies regarding private use of company systems. I advise my companies to ensure that private use is permitted but subject to surveillance and can be accessed by the company. However, if those policies do not exist then your HR director cannot request that information.
The only way I would carry out that search is on the written direction of the requestor who I believe is the HR director.
Simon
Data protection managers absolutely should be responsible for protecting privacy – and that’s what you have the opportunity to do here.
Challenge the HR Director – is there reasonable suspicion or reasonable belief that the alleged activity is happening? (great excerpt from Police National Legal Database on those concepts – http://foi.west-midlands.police.uk/wp-content/uploads/2016/09/6284_ATTACHMENT.doc).
If you think, professionally, that it is likely to be unlawful, say so, and get the HR Dir to order you in writing.
Middle ground might be to conduct the search, but only look at the subject to or whether there are attachments to see if that provides further evidence of the alleged breach of confidentiality.
It’s really worth defining a process, where 2-3 senior individuals have the responsibility to authorise a request like this, that may be a SIRO, HR Director, CG, but where one of those makes the request they should require authorisation.
HellenB
The first thing to do is to separate the two tasks:
1) the eDiscovery that you are doing for the complex SAR, depending upon the parameters given in the request. This may, in and of itself, include the emails that HR are asking you to find if the request includes ‘any email to or from me’, which is a normal request.
This would also include any Teams chat (as per a previous question here) where the data subject is mentioned or is commenting regardless of the topic of conversation.
Presumably the HR team would then get involved in the redaction process, as there may be lawyers involved if there is a dispute about redundancy.
2) the request for you to ‘fact find’ with regards to the communications activity of the employee
This is covered by the company’s policies as to what kind of surveillance they can undertake on their employees. In theory, you won’t find anything other than that described in (1) above because you can’t look beyond the company systems.