
Irish Data Protection Commission Case Studies


URL: http://www.bailii.org/ie/cases/IEDPC/2008/16.html
Cite as: [2008] IEDPC 16



    Failure to properly safeguard a staff member’s medical certificate [2008] IEDPC 16 (31 December 2008)

    My Office received a complaint from a solicitor on behalf of a data subject whose personal information, contained in a medical certificate, had been accessed in an unauthorised manner while in the possession of her employer.
    The data subject was employed by a catering company that had a contract to provide services to a public body.  It was brought to her attention by a member of that public body that her medical certificate was displayed on a notice board in the office of a Unit Manager in the catering company.  This office was shared with a member of the public body.
    Upon receipt of the complaint, my Office contacted the catering company and requested that the medical certificate be removed from the notice board immediately.  We also advised the company that a medical certificate, which reveals the health status of a person, is sensitive personal data under the Data Protection Acts.  We informed them that, from the information supplied by the data subject, it appeared likely that appropriate security measures were not in place to prevent unauthorised access to the medical certificate.
    My Office received a response from the catering company outlining the findings of its investigation into the alleged breach.  It explained that the Unit Manager placed the certificate on her personal notice board which hangs directly behind her desk.  It was not on view at any time.  It was placed behind a number of other documents on the notice board.  It alleged that the third party who had accessed the certificate had entered the office without permission and would have had to deliberately seek the certificate.  The company informed my Office that it takes its obligations under the Data Protection Acts very seriously and that all personal data relating to employees at any unit is the responsibility of the Unit Manager.  Such data is to be held securely in locked cabinets unless required by another department within the business.  The company also informed my Office that steps had been taken to remind all managers of their duties when dealing with confidential data.
    The main concern for my Office was that the certificate was placed on a notice board in an unlocked office and it was clear that the Unit Manager did not adhere to the company's security procedures when handling the data subject's medical certificate.  Under Section 10 of the Acts I am mandated to seek an amicable resolution of complaints.  To this end my Office requested that the company submit proposals to help achieve an amicable resolution.  The company subsequently proposed to make a donation to a charity of the data subject's choice and it agreed to send a letter of apology to the data subject.  The data subject, through her solicitor, accepted this proposal as an amicable resolution of her complaint.
    This case demonstrates well the care which data controllers must exercise in the processing of all personal data in their possession, especially sensitive personal data.

