Data Protection in the Employment Relationship
The Act on Protection of Privacy in Working Life primarily regulates an employee’s right to privacy at work. The Personal Data Act and the Act on Digital Services also contain provisions on employees’ data protection. The purpose of these laws is to protect employees’ private life at work and to regulate the collection and storage of employees’ personal data, testing, and surveillance and monitoring.
Employers are strongly advised to organize employees’ data protection properly. Breaking the law may result in fines. The Criminal Code also contains provisions on the matter.
This article covers only the main principles of data protection at work. The data protection at work and the rights and obligations of the parties to an employment relationship are covered in more detail in section [10.3 Protection of Privacy in Working Life].
Collecting Data
An employer may ask the Finnish Security and Intelligence Service to carry out security clearance vetting on employees if the vetting is relevant to ensuring information security or protecting vital interests, such as the protection of valuable trade secrets or financial interests. Security Clearance Act I shall apply to security clearance vetting. The applicant’s consent is required for the vetting.
The employer has the right to process information concerning the employee’s state of health only if the information is collected from the employee himself/herself, or from other sources with the employee’s written consent. Further, the information must be needed for processing sick pay or other comparable health-related benefits, or for establishing whether there was a justifiable reason for absence, or the employee must expressly wish his/her working capacity to be assessed. When considering hiring a job applicant, the employer may ask only for health-related information that is relevant to the performance of the work.
The Act on the Protection of Privacy in Working Life stipulates when an employer has the right to process an applicant’s or employee’s credit information to evaluate his/her reliability.
The employer may ask the local police or the security police to carry out a security investigation if the company has a weighty need to protect valuable trade and professional secrets or other financial interests. Security investigations require the applicant’s consent. The Act on Background Checks applies to security investigations.
According to the Act on Co-operation within Undertakings, principles and procedures of the company for collecting personal data in recruiting and during employment must be discussed with employees’ representatives in accordance with the co-operation procedure.
If the employer stores information collected on applicants or employees, or their test results, for further use, such information forms a personal data file. The employer is obliged to draw up a registry description of such a file in accordance with the Personal Data Act. The employer does not have the right to copy or in any other way retain the applicant’s criminal records. Personal health information must be kept separate from other information. Access to all personal information must be limited to as few persons as possible.
Collecting, processing, storing and transferring personal data, as well as the registry description, are covered in more detail in section [10.3 Protection of Privacy in Working Life]. Criminal background checks and security clearance are also covered in more detail in the same section.
Testing
With the employee’s consent, he/she can be tested by means of personality and aptitude assessments to establish his/her capacity to perform work or his/her need for training and other occupational development. Test results must be necessary to the employment relationship. The employer must ensure that the assessment methods used are reliable, the persons conducting the assessment are experts, and that the findings of the assessment are free from errors.
The employer may require the employee to present a drug test certificate during his/her employment relationship if the employer has justifiable cause to suspect that the employee is or has been under the influence of drugs at work or that the employee has a drug addiction. Further preconditions are that the testing is essential for determining the employee’s working or functional capacity and that the employee’s work requires special precision, reliability, independent judgement or quick reactions, or involves working with minors. Commissioning drug tests requires an anti-alcohol / drug program in the workplace.
Testing employees and drug tests are covered in more detail in section [10.3 Protection of Privacy in Working Life].
Camera Surveillance
The employer may use camera surveillance for the purposes of ensuring personal security of employees and other persons on its premises, for protecting property, for monitoring production processes, or for preventing or investigating incidents endangering safety, property or production processes.
Camera surveillance may not, however, be used for the surveillance of a particular employee or employees. Nor may camera surveillance be used in lavatories, changing rooms, social facilities or offices designated for the personal use of individual employees. The employer may, however, direct camera surveillance at a particular work location if the surveillance is essential, for example, for preventing an apparent work-related threat of violence.
The purpose, implementation of and methods used in camera surveillance, access control and other technical monitoring of employees, and the use of electronic mail and other data networks, are governed by the co-operation procedure stipulated in the Act on Co-operation within Undertakings. In undertakings and in organizations subject to public law that are not governed by the legislation on co-operation, the employer must, before making decisions on these matters, give the employees or their representatives an opportunity to be consulted.
Camera surveillance and other technical surveillance are covered in more detail in section [10.3 Protection of Privacy in Working Life].
Opening Electronic Mail Messages
The employer’s right to retrieve and open an employee’s email messages is strictly regulated. In the first instance, the employer must ask the employee to provide the messages himself/herself. During the employee’s absence, e.g. because of vacation, the employer may have the right to retrieve and open the employee’s electronic mail messages, provided that the employer has fulfilled the duty of care stipulated by law, i.e. the employer must have planned and arranged the necessary measures set forth in the law to protect the employee’s electronic mail messages. In addition, there are several preconditions for retrieving messages, e.g. relating to the employee’s work tasks. There must be a compelling reason for retrieving the messages instead of asking the employee to provide them. Certain requirements must also be fulfilled before the employer can open the messages.
The principles for using e-mail and networks, as well as the processing of information in employees’ e-mails and other electronic communications, must be handled in the co-operation negotiations provided for in the Act on Co-operation within Undertakings.
Reading an employee’s e-mails and the preconditions for doing so are covered in more detail in section [10.3 Protection of Privacy in Working Life].
Employee’s Access to Information and Error Correction
The employee is entitled to check what personal data the employer has collected about him/her. The employee may request personal information concerning himself/herself for review at any time. Access may be denied only if access to the data would seriously endanger the rights of a third party or harm the prevention or investigation of a crime. If the employer refuses to provide access to the data, a written certificate to this effect must be issued to the employee, who may refer the matter to the Data Protection Ombudsman.