The Irish Court of Appeal has handed down a decision (DPC v Doolin) relating to the alleged misuse of CCTV by an employer in disciplinary proceedings relating to an employee taking unauthorised breaks. In this case, the Court of Appeal held that the use of CCTV was unlawful as its use wasn’t provided for in the employer’s CCTV policy.
Although the judgment was decided under the pre-GDPR law, the same data privacy considerations are still relevant for both Irish and UK employers.
The starting point, which many employers will be familiar with, is that data must be processed for an explicit and legitimate purpose (which will normally be set out in the privacy notice) which needs to be communicated to the individual. The individual’s data should not be further processed for an incompatible purpose.
The employer’s CCTV policy stated that: “The purpose of the system is to prevent crime and promote staff security and public safety” (emphasis added). Furthermore, a sign was placed next to each camera, which stated that: “Images are recorded for the purposes of health and safety and crime prevention” (emphasis added).
In this case, the employer sought to rely on CCTV as evidence as part of an employee’s disciplinary process relating to taking of unauthorised breaks. There was no evidence that the disciplinary issue was related to a security issue.
The Court of Appeal said that the mere fact of further processing doesn’t automatically mean that the further use was unlawful, but where the new purpose is incompatible with the stated purpose that is where illegality arises. One of the key factors in considering whether the use was compatible, is the employee’s reasonable expectation as to what further use will be made of their data (in this case the CCTV images).
The Court of Appeal concluded that in this case it was clear that the individual’s data was used for a purpose other than, and incompatible with, the specified purpose and that as a result that use was unlawful.
Impact of Doolin
While Doolin serves as a cautionary tale for employers seeking to rely on CCTV footage in disciplinary processes, in the context of employment claims arising before the Irish employment tribunals, it is likely that this case will be confined to its own facts.
In practice, there is a reluctance on the part of the Workplace Relations Commission and the Labour Court to intervene in relation to complaints concerning potential breaches of a complainant’s data protection rights. For example, in a recent decision of the Labour Court (Go Ahead Transport Services (Dublin) Limited v Mr Thomas Gifford) which also concerned the use of CCTV footage during a disciplinary process, the court expressly stated that arguments raised by the complainant about the use of CCTV footage were outside the competence of the court and that any alleged breaches of a complainant’s rights in this regard were a matter for a different forum and not the employment tribunal.
While the Irish employment tribunals are loath to determine that a disciplinary process has inevitably been tainted on the basis of potential unlawful processing of a complainant’s personal data in the course of the process, Doolin serves as a timely reminder for employers to take steps to ensure compliance with data privacy laws to mitigate any potential exposure.
Practical tips for employers
Although these are quite specific facts, there are a few practical points for employers:
- Ensure that your privacy notices are regularly reviewed (we recommend every 6-12 months) to ensure that all potential uses of data are accurate.
- In the event that you plan to process data in another way, review your privacy notice and if the new use is not already covered ensure that your notice is updated and communicated to staff (or the individuals whose data you are collecting).
- Employers should ensure that they comply with the usual data protection principles when putting in place CCTV. The DPC’s guidance on the use of CCTV for Data Controllers may provide some assistance to employers.
- When putting in place CCTV, ensure that you undertake a data privacy impact assessment to assess and minimise any risk.
If you have any questions about data privacy in either Ireland or the UK, please contact Deborah Margolis or for queries relating to Irish employment law please contact Niall Pelly and Alison Finn.