Use Of CCTV In Disciplinary Processes: New Ruling from The Court Of Appeal
In Doolin v DPC [2022], the Court of Appeal (COA) examined the use by an employer of CCTV footage for disciplinary purposes. Upholding an earlier decision of the High Court, it found such use constituted unlawful further processing. This month wetake a look at the COA's decision and what it means for employers.
Background
Less than a week after the 2015 Paris terror attacks, graffiti stating: “Kill all whites, Isis is my life” was carved into a table in Our Lady’s Hospice and Care Service (the "Hospice"). Gardaíadvised the Hospice to review CCTV to ascertain who had accessed the room over the previous days. A viewing of the footage showed Mr Doolin entering the room on a number of occasions, although there is no suggestion that Mr Doolin was involved in the graffiti incident, but the information suggested that he had accessed the room for the purpose of taking unauthorised breaks.
An investigation report which followed was entitled: "Investigation into staff member (Cormac Doolin) accessing the Anna Gaynor House tea room at unauthorised times." This report provided that the "panel have established on the balance of probabilities that unauthorised breaks were taken by Mr. Cormac Doolin on the afternoons of Tuesday 17th, Wednesday 18th and Thursday 19th November 2015." The report made no reference to any findings in connection with the graffiti.
This led to a disciplinary sanction against Mr Doolin in respect of unauthorised breaks.
The Legislation
The Data Protection Acts 1988 and 2003 provide that data shall be obtained only for one or more specified, explicit and legitimate purposes; and not further processed in a manner incompatible with that purpose or those purposes.
The Court of Appeal noted that this legislation has been replaced by the Data Protection Act 2018, which gave effect to the GDPR. However, as the new legislation contains similar provisions, the issue arising in this case continues to have relevance.
Decisions of the Data Protection Commission, Circuit Courtand High Court
The Hospice CCTV policy stated that "….The purpose of the system is to prevent crime and promote staff security and public safety" and a sign was placed beside each camera, which read “Images are recorded for the purposes of health and safety and crime prevention”.
Mr Doolin made a complaint to the Data Protection Commission (DPC). The DPC rejected Mr Doolin's complaint as it was of the view that the processing of Mr Doolin's data in relation to the security concerns was legitimate. The DPC considered that Mr Doolin’s data was confined to the CCTV images and beyond the first and only viewing of those, no further processing occurred.
Mr Doolin unsuccessfully appealed to the Circuit Court, and then appealed again to the High Court. The High Court found against the DPC's decision, statingthat it was indisputable that the information contained in the CCTV footage was used for a different purpose than the one for which the data was originally collected. The fact that it was not downloaded does not mean that no further processing took place. It therefore considered, contrary to the DPC’s findings, that the CCTV images were further processed.
Court Of Appeal Decision
The DPC argued that the case rested upon three fundamental propositions:
1. The CCTV footage was viewed on one occasion only, for the purpose specified in the Hospice CCTV policy, namely security, and was not further processed thereafter. Accordingly, no breach occurred.
The COAfound that Mr Doolin's data was in fact processed three times: (i) when it was collected/recorded (ii) when it was watched for the purposes of the security incident and (iii)when the data regarding Mr Doolin taken from the CCTV was tabulated in the panel report for the purpose of supporting a disciplinary sanction against him.
2. Alternatively, if the CCTV footage was further processed by the Hospice, it was processed for a security purpose.
The COA stated that "the DPC appears to have considered that there was one investigation only into the security issue and therefore the outcome of that investigation must be regarded as security related", however, the COA did not agree. By way of example, the COA pointed out that the title of the investigation report does not refer to security but describes the report as an “investigation into staff member (Cormac Doolin) accessing the Anna Gaynor House Tea Room at unauthorised times.” The COA went on to state that "the processing of Mr Doolin’s data was not for a security purpose as the DPC contends. It was manifestly for a different purpose … but of course that is not the end of the inquiry. It is necessary thereafter to carry out a compatibility assessment ..."
3. In the further alternative, if the CCTV footage was further processed and such processing was not for a security purpose, then it was for a purpose that was not incompatible with the security purpose.
The DPC argued that every employee entering the room for a defined period of time had to be regarded as a suspect for the graffiti incident, including Mr Doolin, and accordingly the unauthorised access had a clear security dimension and was integral to the investigation of the graffiti. The DPC argued that it must follow, that even if the disciplinary process was not expressly for a security purpose, it was for a related purpose and thus not incompatible with the specified purpose. The COA disagreed and restated that there was absolutely no evidence that the taking of unauthorised breaks represented a security issue in itself.
What does this mean for employers?
The case provides a cautionary tale for employers in terms of relying on CCTV footage in disciplinary processes.
Compliance: employers should ensure that they comply with data protection principles when using CCTV, as outlined in the DPC Guidance on the use of CCTV for Data Controllers.
Policies: Organisations must carefully consider the purpose(s) for which it is collecting personal data, particularly CCTV, and ensure these purposes are clearly set out in the organisation’s data protection notice/policy, and are communicated to employees and/or other data subjects whose personal data is collected.
Further Processing of Personal Data: Employers must be very careful! Although further processing of personal data is not automatically unlawful, it is more likely to be so where: the further processing is not related to the original purpose; would not be expected by data subjects; could have unforeseen or negative impacts on data subjects; and no additional safeguards have been applied to ensure fair and transparent processing.
Continue reading
We help hundreds of people like you understand how the latest changes in employment law impact your business.
Please log in to view the full article.
What you'll get:
- Help understand the ramifications of each important case from NI, GB and Europe
- Ensure your organisation's policies and procedures are fully compliant with NI law
- 24/7 access to all the content in the Legal Island Vault for research case law and HR issues
- Receive free preliminary advice on workplace issues from the employment team
Already a subscriber? Log in now or start a free trial
