CASE STUDY – Data Protection Rights and the processing of CCTV recordings in the workplace
CCTV Cameras are a daily feature in our lives with almost all supermarkets, restaurants and workplaces fitted with cameras for a variety of different reasons. CCTV recordings of employees in the workplace is a topical issue and it gives rise to interesting to arguments surrounding the monitoring of staff, Data Privacy and GDPR.
These issues are a central feature of an ongoing case which is currently awaiting judgment in the Court of Appeal. Our firm is on record for the Respondent employee who is the data subject in these proceedings. His Employers are the Data Controllers. The current position is as follows:
The Law:
Data Protection Law in Ireland is primarily regulated by the European Union and the General Data Protection Regulation (GDPR). GDPR is implemented in the Irish jurisdiction by the Data Protection Acts 1988-2018.
Crucial to this case was the interpretation of Section 2(1)(c)(ii) of the Data Protection Act 1988.
This statutory provision sets out that the Data Controller in gathering personal data, shall not use or disclose the personal data in a manner that is incompatible with the purpose of purposes for which it is initially gathered.
Section 2(1)(c) 1988 Data Protection Act
2(1) The Data controller shall, as respects personal date kept by him or her, comply with following provisions
(c) The Data –
(i) shall have been obtained only for one or more specified, explicit, and legitimate purposes,
(ii) shall not be further processed in a manner incompatible with that purpose or those purposes
http://www.irishstatutebook.ie/eli/1988/act/25/section/2/enacted/en/html#sec2
The Facts:
Our client was disciplined by his Employers for accessing a tea breakroom at his place of work at unauthorised times. A crucial piece of information used by the Employers during the disciplinary proceedings against our client, was digital video recordings obtained from CCTV cameras.
The CCTV recordings had been collected and processed by the Employers in the first instance for the purpose of conducting a security investigation that arose in relation to the carving of threatening graffiti in the canteen.
The Issues:
The Employer’s Data Protection policy at the time permitted them to collect and process Data for the purpose of preventing crime, promoting staff security, and promoting public safety.
Our Client’s Position
Our client acknowledged that his Employers had first processed the CCTV recordings during the security investigation, but he claimed that they had further processed the CCTV recordings for a second time in order to support a disciplinary investigation in relation to the taking of unauthorised breaks.
In essence, our client argued the first processing of CCTV recordings during the security investigation was legitimate and in compliance with his Employer’s Data Protection Policy. The second processing of the CCTV recordings in the disciplinary proceedings was illegitimate and in contravention of their Data Protection Policy
Our client argued that the Data used by his Employers in the disciplinary proceedings (the CCTV recordings) had been further processed in a manner which was incompatible with their Data Protection Policy and it constituted a breach of GDPR and the Data Protection Acts 1988-2018, namely Section 2(1)(c)(ii) of the 1988 Data Protection Act.
The Data Protection Commissioner (DPC) investigated our client’s claim and found against him.
The Data Protection Commissioner’s Position
The DPC is an Independent national authority that is responsible for the upholding, enforcing, and monitoring Data Protection Legislation in Ireland.
The DPC argued that the processing of CCTV recordings by the Data Controller (The Employers) was for security purposes arising out of the carving graffiti in the canteen.
They claimed that the taking of unauthorised breaks at an unauthorised location was a serious and bona fide security issue and the disciplinary proceedings arose out of and was directly connected to the security issue.
In essence, the DPC’ legal argument was that the CCTV recordings had not been further processed during the disciplinary proceedings. The CCTV recordings were processed for the security investigation only and the Data Controller’s Data Protection Policy permitted the processing of personal data for the purpose of preventing crime and promoting staff security.
As such, there was no breach of Section 2(1)(c)(ii) of the 1988 Data Protection Act.
The Decisions
The DPC Decision
Our client lodged an official complaint with the Office of the Data Protection Commissioner. As outlined above, our client argued that the processing of CCTV recordings to monitor staff and for disciplinary proceedings was not in compliance with his Employer’s data protection policy and it breached his data protection rights under the GDPR and the Data Protection Acts.
The DPC found that the viewing of the CCTV recordings took place exclusively for the security purpose and the images collected were processed in compliance with the Data Controller’s Data Protection Policy. They held there was no breach of our client’s rights under Section 2(1)(c)(ii) of the 1988 Data Protection Act.
The Circuit Court Decision
Our client appealed the DPC’s decision to the Circuit Court pursuant to section 26 of the Data Protection Acts. Our client argued that the DPC erred in fact and/ or law when it determined that his Employer’s had not violated Section of 2 of the Data Protection Acts.
The Circuit Court dismissed our client’s appeal, and the Court upheld the DPC decision.
The High Court Decision
Our client brought a further appeal on a point of law pursuant to section 26(3)(b) of the 1988 Data Protection Act. Complex legal issues were raised at the appeal hearing before Ms Justice Hyland.
In a landmark decision, Judge Hyland allowed our client’s appeal against the decision of the Circuit Court . The basis for this decision was that there was no evidence for the conclusion that the use of the CCTV footage or material was for security purposes.
Judge Hyland further held that the DPC had made an error of law in holding that no further processing took place within the meaning of Section 2(1)(c)(ii) of the 1988 Act.
Judge Hyland perfected an Order which set aside the conclusions of the DPC and upheld our client’s argument that there had been a breach of his Data Protection rights pursuant to Section 2(1)(c)(ii) of the 1988 Data Protection Act.
The Court of Appeal
The DPC sought to set aside the Judgement of Ms Justice Hyland in the High Court and they lodged an appeal to the decision in April 2020.
A three-judge panel presided over the Appeal Hearing on the 16th June 2021 and a decision is awaited.