REGIONAL AIRLINE STOBART Air blamed “inadequate training” for its repeated breaches of data protection laws.
A case against the carrier was featured in the Data Protection Commissioner’s 2016 annual report, published today.
Stobart – which operates flights on behalf of Aer Lingus Regional and was previously known as Aer Arann – unlawfully disclosed details of an ex-worker’s redundancy package to another member of staff.
The breach was discovered when the complainant made a request to see what information the airline held on them as part of a so-called ‘subject access request’.
In its response to the complainant’s request, Stobart also disclosed third-party financial data to the individual, which was another breach of data protection laws.
In an attempt to rectify the situation, the carrier wrote a letter to affected third parties to tell them their personal data had been disclosed – but broke data protection rules a third time when it divulged the fact that the complainant was the recipient of the information.
The incident was brought to the attention of the data protection watchdog at the end of 2015.
During the commissioner’s investigation, Stobart confirmed that “it had inadequate training and safeguards around data protection in place”. The airline has since “sought to rectify” the problem.
Asleep on the job
In another case featured in the report, the commissioner found that a residential care home did not break the law when a supervisor photographed and recorded an ex-employee asleep on the job.
The former employee complained to the Data Protection Commissioner, Helen Dixon, that photographic and audio evidence was used against them in a disciplinary case that led to their dismissal.
A supervisor found the ex-worker asleep during a night shift on two separate occasions. Both times, they were the only staff member on duty.
The first time the employee was found sleeping on the job, the supervisor warned them that if it happened again they would be reported “in line with the employer’s grievance and disciplinary procedure”.
The second time, the supervisor “used their personal phone to take photographs of the complainant sleeping” and made “a sound recording of the complainant snoring”.
The commissioner ruled that the interests of the employer and the interests of the clients at the care home “outweighed the complainant’s right to protection of their personal data”, especially given “the vulnerability of the (care home) clients involved”.
Overall, the commissioner dealt with more than 33,000 queries by email, post and phone last year. A total of 1,479 complaints were investigated, up from 932 in 2015.
The commissioner issued 59 formal decisions, of which 55 fully upheld the complaint.
The office also received 26 ‘right to be forgotten’ complaints, which occur when people request that search results about them are removed from services like Google. Six were upheld, 15 rejected and five are under ongoing investigation.
The watchdog’s running costs amounted to just under €4 million during 2015, up from €2.9 million the year before.