CCTV and other technology used for recording of images (and sometimes sound) is increasingly common across many contexts. Whilst already ubiquitous on high streets and on commercial premises there is an increasing number of homeowners using cameras to protect their properties and their cars. Our modern mobile devices are also capable of capturing images of remarkably high resolution even in poor light conditions.
However, capturing such images and their subsequent processing needs to be undertaken in refence to the data protection legislation, with due consideration to adequately describing the purpose of such recordings. Recently a set of Irish court rulings have advanced our understanding of what is expected of those capturing images of others.
Use of CCTV images in the workplace
Many organisations have installed CCTV on their premise for the purpose of protecting facilities and assets as well as for health and safety. These are legitimate reasons for the use of cameras but a recent ruling in the Irish High Court in Doolin v DPC , the Judge held that an employer’s use of CCTV footage in an employee’s disciplinary proceedings was unlawful as it represented further processing other than for the purposes declared for the CCTV system.
The employer had had an issue with graffiti and, on advice of An Garda Síochána, had accessed the CCTV to investigate. They identified members of staff entering the area at the time the graffiti was written. While the images were used as part of the disciplinary proceedings, assurances were given that any disciplinary proceedings would proceed solely on the basis of any admissions made by staff. The employer believed they were entitled to use these images under the declared purpose of ensuring security of the premises. As a result of the investigation a member of staff was asked to attend a disciplinary hearing and received a minor sanction.
This staff member appealed the use of the CCTV to the Data Protection Commission (DPC) which found the employer had, in their opinion, a lawful basis to access and view the CCTV footage in dealing with a security issue. The DPC did not hold that use of the same footage for disciplinary proceedings constituted a different purpose for processing and that the limited viewing of the images for disciplinary proceedings occurred within the scope of the original stated purposes.
However, in the Circuit Court, the DPC changed its position to accept there was a second use of the images but that this second use for disciplinary proceedings was pursuant to the original stated purpose. Being in the location with the graffiti and at an unauthorised time meant the employee was guilty of a breach of security. This was accepted by the Circuit Court.
Finally, when the decision of the circuit Court was appealed to the High Court, the Judge ruled that the use of the CCTV images in disciplinary action could not be said to be carried out for security purposes. He decided that use of CCTV for the security purposes and for disciplinary actions were two separate data processing activities. Referencing the Opinion 3/2013 of the Article 29 Working Party (now the European Data Protection Board – EDPB) regarding purpose limitation, the Judge’s position was that these two separate purposes were not compatible. This being the case, the Judge also noted the employer’s signs for the CCTV cameras as well as its CCTV policy made no mention of disciplinary action as a declared purpose.
Learning from the ruling:
Transparency is key. Following the ‘no surprises’ rule the Judge noted that issue could have been avoided if the communication of the proposed purposes for processing CCTV images by the employer had been clearer. In fact, afterwards the employer did update their policy setting out that while CCTV would not be viewed solely for the purpose of monitoring staff, respecting employees’ right to privacy in the workplace, it might be used for disciplinary matters:
“If, in the event of viewing CCTV for the specified purpose, a disciplinary action is observed, the CCTV can be used for the purpose of a disciplinary investigation.”
Our advice is to be very clear as to why your organisation is using CCTV, to control any access to the system and to the recordings and to log such access whether by staff or a relevant authority (e.g., the police). Once you have decided on the declared purposes and established a lawful basis for these, review your CCTV policy and the necessary signage to make sure these purposes are clearly set out. The signage, as well as stating the purposes, must also include the name of organisation operating the CCTV system and how to contact them. During on-boarding of new staff, use the opportunity to make clear how CCTV will be used and include this in an updated version of the staff handbook if you have one.
If you need assistance with reviewing your purposes for the recording of images via a CCTV system, carrying out a Data Protection Impact Assessment for a new, existing or updated CCTV system, or simply to assess the adequacy of your policies and signage, please feel free to contact our Data Governance and Cyber-Risk team for more information.