• Areas of Expertise:
  • Business and society
  • Diversity
  • Employment status
  • Gender
  • Health
  • Human capital
  • Industrial change
  • Industrial relations
  • Labour market
  • Participation at work
  • Population and society
  • Quality of life
  • Quality of work
  • Social cohesion
  • Social protection
  • Time
  • Work-life balance
  • Work organisation

PRIVACY PROTECTION IN WORKING LIFE

The purpose of the Privacy Protection in Working Life Act, a special statute which entered into force in 2001, is to implement the fundamental rights guaranteeing the protection of an individual's private life in employment relationships in the private and public sectors and to promote good practice in the handling of personal data in working life. The 1999 Personal Data Act is also complied with in working life as a general statute.

Personal data is taken to mean records of every kind describing a natural person and their qualities or personal circumstances which can be identified as relating to them, their family or those living in a shared household with them. The Personal Data Act contains provisions on the processing of personal data as meaning, inter alia, the collection, recording, use, dissemination, combination and blocking of data. A personal data filing system is taken to mean any structured set of personal data made up of related records for the purposes of its use from which data concerning a specific individual can be extracted. For example, a card index or list can constitute such a filing system. The obligations laid down in the Personal Data Act, such as the duty to exercise care, the prohibition on the processing of sensitive personal data and the duty to keep data secure, are incumbent on everyone who keeps a personal data filing system, and therefore also on employers.

The Privacy Protection in Working Life Act specifies the kind of personal data an employer can collect and process, and the preconditions for doing so. It also contains provisions on the testing, genetic investigation and technical monitoring of employees. A central provision of the Act is that the employer is entitled to process personal data only where this is directly necessary for the observance of the rights and obligations of the parties to the employment relationship, or if such processing is related to employee benefits provided by the employer or connected with the special nature of the work duties involved.

Personal data must be collected primarily from the employee concerned; the latter's consent is required in order to collect it from elsewhere. However, the employee's consent is not necessary where the authorities disclose data for the purposes of a duty that the employer is required by law to carry out, or in the case of data on an individual's credit status or criminal record. Employees must be informed in advance if data is to be obtained in order to investigate their trustworthiness. They must also be informed of any data that has been obtained from a source other than themselves, before it is used in making any decisions relating to them. The collection of personal data is one of the matters covered by the co-operation negotiations procedure governed by the 1978 Co-operation Act.

Tests to assess an employee's personal qualities and suitability may be carried out only with the consent of the individual concerned. The employer must ensure the reliability and expertise of the testing, and the employee has the right to know the results.

When alcohol and drug tests are to be conducted the employer must use professionally qualified personnel, as in the case of medical examinations. This does not, however, preclude breathalyser testing of the type also used by the traffic police. Agreement on undergoing formal alcohol and drug testing (blood tests) can also be specified in the individual contract of employment. The employer does not have the right to require a job applicant to undergo genetic testing, nor to know whether an employee has ever undergone such testing.

In order to receive sick pay employees must present a reliable account of their state of health, which other than in the case of a brief spell of illness is normally a doctor's certificate. In no other instance does the law impose a personal obligation on private-sector employees to consult a doctor, although they cannot refuse to undergo a medical examination that forms part of company health services. In the case of public servants at central-government level, however, the employer can insist on check-ups on their state of health if their official duties make this necessary. Data on an employee's state of health that has been collected legitimately can be processed by the employer when necessary for the purposes of the payment of sick pay, the grant of some other health-related benefit or establishing the reason for absence from work, or because the employee so wishes. Health data must be stored separately from other personal data.

The purpose and introduction of any technical monitoring of employees based on the employer's managerial prerogative, as well as the monitoring methods used, also fall within the scope of the negotiation procedure prescribed in the Co-operation Act. The same applies to the use of e-mail and a computer network. In small enterprises and workplaces to which the Act is not applicable, before taking any decisions the employer must give the employees or their representative an opportunity to express their views on technical monitoring and the use of e-mail and a computer network. Once this stage in the procedure is completed the employer must decide the purpose, methods and content of the technical monitoring concerned and inform the employees of this, as also of the use of e-mail and a computer network.

The stipulations laid down regarding the secrecy of messages include the fact that the employer may not, in the use of e-mail and a computer network, take any action that endangers the secrecy of an employee's private and confidential messages. Finland's Constitution, in addition to the Criminal Code, likewise directly protects the sanctity of the secrecy of confidential messages. This fundamental right may be limited only by necessary restrictions of a certain kind laid down by statute; no agreement on the matter may be reached through collective agreements. Many of the provisions of the Privacy Protection in Working Life Act carry a criminal penalty. Taken together with the provisions of the 1950 European Convention on Human Rights, this means that the employer does not have the right, without the employee's consent on each individual occasion, to read e-mail messages of a personal nature received or sent by an employee. Data protection with respect to telecommunications is also provided under a separate statute. See company health service, data protection, personal privacy protection, security vetting of staff.)