A high-profile public figure is caught on CCTV in alleged inappropriate behaviour with a colleague in the workplace and the resulting images are subsequently published in the media. This disclosure, however, does not simply raise the question of ethical or journalistic practices, but also the spectre of multiple breaches of the UK General Data Protection Regulation (GDPR) and a criminal offence under the Data Protection Act 2018 (DPA). In this article, we consider the risks to organisations arising from insiders who disclose personal data without authorisation, and the individual liabilities for those insiders.
The disclosure of CCTV footage concerning Matt Hancock
On 25 June 2021, The Sun published CCTV images of the then UK Health Secretary Matt Hancock in close contact with a colleague in his office on 6 May 2021. The Guardian reported that it was unlikely that the Government would conduct an inquiry on the basis that the individual was acting as a whistleblower.
There was initial speculation as to whether the Health Secretary was even aware of the existence of the CCTV camera in his office which captured the relevant footage. On 27 June 2021, The Daily Mail published an image providing evidence that the camera had been in place since September 2017, i.e. prior to the Health Secretary moving into that office. On 29 June 2021, The Sun published a further image capturing him standing directly below the camera to support its view that he was in fact previously aware of it.
There were concerns that a malicious foreign actor may have been responsible for the leak, with reports arising that the Chinese company Hikvision manufactured the relevant CCTV, as this company has been subject to restrictions in the US for reasons of national security. Subsequently, on 27 June 2021, The Daily Mail published messages from the whistleblower alleging on 19 June 2021 that the footage in their possession would no longer exist on the relevant systems as it was more than 30 days old – purported knowledge supporting The Sun’s claim that: “. . . a concerned Whitehall whistleblower” was responsible for the leak. On 29 June 2021, Cabinet Office Minister Julia Lopez confirmed that: “We do not believe there are covert concerns at this moment.”
On 27 June 2021, Northern Ireland Secretary Brandon Lewis confirmed to Sky News that the Department of Health and Social Care (DHSC) would in fact be conducting an investigation into the leak. He acknowledged that it was important to establish how the leak had occurred as: “. . . what happens in Government departments can be sensitive and important.” Former Health Secretary Jeremy Hunt echoed this sentiment on the Andrew Marr Show, noting that: “ . . . we need to understand how this happened, and to make sure that ministers are secure in their offices, to be able to have conversations that they know aren’t going to be leaked to hostile powers.”
On 15 July 2021, the Information Commissioner’s Office (ICO) announced that based upon a “breach report” submitted by EMCOR Group (UK) Plc, which provides CCTV services for the DHSC, it had searched two residential properties and seized personal computer equipment and electronic devices.
What are the data protection issues?
The CCTV surveillance in itself raises substantive concerns. If the DHSC failed to make the then Health Secretary aware of the CCTV monitoring in his office, the DHSC may have failed in its obligation to provide privacy information to this effect, contrary to the “lawfulness, fairness and transparency” requirement under Article 5(1)(a) and the “right to be informed” under Article 13 of the GDPR. The DHSC may have contravened Article 5(1)(a) of the GDPR once more, as well as the “data minimisation” requirement under Article 5(1)(c) of the GDPR, in respect of the installation of CCTV within the office itself, which does not appear to have been a justified, necessary or proportionate interference with the privacy of the individuals subject to the monitoring. On 29 June 2021, the Icelandic Data Protection Authority imposed a fine of ISK 5,000,000 on Huppuís ehf., precisely for the contravention of these three provisions of the GDPR in respect of the CCTV monitoring of employees.
There may have been a further contravention of the requirement for appropriate security of personal data under Article 5(1)(f) of the GDPR through the potential failure to ensure: “. . . protection against unauthorised or unlawful processing . . .”, regardless of whether the threat actor responsible for the disclosure was internal or external.
The whistleblower themselves may be individually liable under Section 170(1)(a) of the DPA, as it is a criminal: “. . . offence for a person knowingly or recklessly to obtain or disclose personal data without the consent of the controller. . .”
The Sun maintains that the publication of the CCTV images was in the public interest as those images purportedly evidenced that the then Health Secretary was not abiding by social distancing rules during the pandemic and therefore, it was: “. . . a serious piece of responsible journalism about a cabinet minister potentially breaking the law . . .”, as opposed to: “. . . an old fashioned ‘kiss and tell’ from a bygone era.” The Sun has described the ICO investigation as “monstrous” and an “outrageous abuse.” Secretary of State for Digital, Culture, Media and Sport Oliver Dowden further highlighted: “. . . the concerns that have been raised about how this ICO investigation could have a chilling effect on public interest journalism . . .” Former Health Secretary Jeremy Hunt also underlined on the Andrew Marr Show that: “We have, rightly in this country as a democracy, as an open society, protection for whistleblowers who find things out and release them in the public interest and we don’t want to undermine that, it’s very important part of how we work.” The ICO has cautioned that: “. . . it’s important that we go in and we look at the facts and only then will we make a determination as to whether this data breach was in the public interest.”
The whistleblower may therefore be able to rely upon Section 170(3)(c) of the DPA as: “It is also a defence for a person . . . to prove that [they] . . . acted for the special purposes, with a view to the publication by a person of any journalistic, academic, artistic or literary material, and in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.” Section 174(1)(a) of the DPA outlines that: “the special purposes” include journalism.
In light of the above, organisations should ensure that:
- CCTV monitoring of employees is justified, necessary and proportionate, in particular by conducting a Data Protection Impact Assessment (DPIA) at the outset;
- they consistently raise employees’ awareness of the criminal offences and individual liability under Section 170 of the DPA, within employment contracts and data protection policies and training;
- they implement appropriate data loss prevention (DLP) tools and processes to monitor, detect, prevent and respond to threats; and
- there are robust internal whistleblowing procedures for employees.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations in conducting DPIAs, implementing appropriate security measures in respect of personal data, and raising internal awareness of the importance of data protection. For more information please feel free to contact our advisers, who would be more than happy to help.