Employer

When one thing leads to another: Employer use of CCTV footage in disciplinary hearings

The intersection of data protection and employment law continues to be important when considering the use of video surveillance in disciplinary proceedings. In this briefing note, we examine the impact of a recent Court of Appeal decision on this topic.

REPORT

The highly anticipated decision of the Court of Appeal of Data Protection Commission against Doolin and Ors. [2022] IECA 117 addressed an issue that can arise in employment investigations: if an employer uses CCTV footage to investigate an incident, what happens if they discover another incident unrelated to that investigation? ? Can they act on the information they find or are they limited in what they can do by data protection laws?

In a previous article, available here, we have considered these issues in the context of the High Court’s decision. The Court of Appeal’s decision provides new insights that are helpful to affected stakeholders.

Background

The case concerned a security incident resulting from the discovery of disturbing graffiti on the employer’s property. This led the employer to contact the Gardaí, who recommended that they review the CCTV footage to identify the perpetrator. During the CCTV review, one employee – Mr Doolin – was identified entering and leaving a tearoom at times, indicating he was taking unauthorized breaks. Disciplinary proceedings were initiated and a sanction was finally pronounced. Mr Doolin then complained to the Data Protection Commission (“CPD ») that his employer had unlawfully processed his personal data, as the employer’s CCTV policy stated that CCTV surveillance was for security and crime prevention purposes, not for disciplinary purposes.

The DPC dismissed the complaint, on the grounds that the images had only been processed once (to investigate the incident of the graffiti, which was a security incident), and the employer then relied on Mr. Doolin’s confessions during the investigation (as opposed to CCTV footage).

The Circuit Court dismissed Mr. Doolin’s appeal of the DPC’s decision, noting that Mr. Doolin had, during the investigation, admitted to a breach of security (i.e. taking untimely breaks authorized) and that disciplinary measures had been taken against him for security reasons.

The High Court overturned the Circuit Court’s decision, on the grounds that there was no evidence that the disciplinary action was taken for security purposes. The employer relied on CCTV footage; a table appeared in the investigation report indicating his hours of entry/exit to the tea room. The Data Protection Commission then appealed the High Court’s decision to the Court of Appeal.

Arguments of the DPC before the Court of Appeal

The DPC presented three arguments to the Court of Appeal, essentially reiterating the different (and inconsistent) arguments he had previously presented. First, he argued that the CCTV footage was processed only once (when viewed by the employer) and no further processing took place during the disciplinary process, so that no offense had been committed. In the alternative, it argued that further processing was carried out in accordance with video surveillance policy (i.e. for security purposes) and was permitted. As a further alternative, he argued that the further processing had a purpose which was not incompatible with the purpose contained in the employer’s video surveillance policy, and was therefore permitted.

Approach of the Court of Appeal

The Court of Appeal noted that while the case concerned data protection laws from 1988 to 2003, the issues are relevant today because the relevant provisions of the GDPR are similarly worded. At the beginning of its analysis, it underlined the importance of the opinion of the Article 29 working party on purpose limitation, published on April 2, 2013.

In particular, the Court of Appeal cited two particular aspects of this opinion as being important in this case. First, further processing of data for different purposes does not necessarily mean that such processing is unlawful – on the contrary, a case-by-case assessment is necessary to determine whether the further processing is incompatible with the original processing. Second, a key factor in conducting such a compatibility assessment in these circumstances is the context in which the personal data was collected and the data subject’s reasonable expectations as to its further use. Having noted this, the Court of Appeal turned to consider the DPC’s grounds of appeal.

She rejected the DPC’s first argument, noting that concluding that Mr. Doolin’s data had only been processed once was “a serious and material manifest error.” Mr Doolin’s data was processed at least three times – when it was recorded on the CCTV footage, when the data was retrieved and viewed by the employer, and when the data relating to dates and times of access by Mr. Doolan to and from the tea room was used in the inquest report.

Turning to the DPC’s second argument, it assessed whether Mr Doolan’s data had been processed for security reasons and, like the High Court, concluded that it had not.

Critically, he determined that was not the end of the matter. The mere fact that the data is used for other purposes does not make it illegal. A compatibility analysis is required, and it was noted that this analysis was not explicitly carried out by the High Court. The Court of Appeal made this assessment, but did not agree with the DPC’s third argument that the purposes were not incompatible.

It considered that the processing had no related purpose and was incompatible with the specified purpose for security reasons. He noted that the original purpose of trying to detect the author of offensive graffiti was irrelevant to the “accessory“surveillance of Mr Doolin taking unauthorized breaks – there was no evidence that taking unauthorized breaks was a safety issue. The Court said there were certain circumstances in which this could be a security concern, for example, if Mr Doolin had been employed as a security guard – but it did not apply in these circumstances. He further noted that when conducting a compatibility assessment, the reasonable expectations of a data subject will be taken into account. In the present case, it was clear that Mr. Doolin’s data was used for purposes other than the purpose specified and incompatible with it, and was therefore unlawful. The DPC’s appeal was dismissed.

Conclusion

The Court of Appeal decision clarifies that for Irish courts the starting point for employers using CCTV for workplace investigations is the opinion of the Article 29 Task Force. to note that while certain opinions of the Article 29 Working Party have been approved by the European Data Protection Board (“EDPB”) after the GDPR, this specific opinion of the Article 20 Working Party was not. Therefore, while the opinion is helpful, it does not necessarily represent the current views of the European Data Protection Board. The clarification of the Court that the processing of data for different purposes is not necessarily unlawful is useful for data controllers.

Employers are not expected to ‘see’ or ‘forget’ everything that comes up during a CCTV examination, but before embarking on a different investigative route, they should (i)s ensure they have a legal basis for doing so under their policies (i.e. they must ensure that their employees’ privacy notices refer to the use of CCTV at disciplinary purposes) and (ii) undertake a compatibility assessment to determine whether the purpose of the investigation is compatible with the stated purpose (e.g. if it is security only) for CCTV.

However, the Court’s emphasis on the data subject’s reasonable expectations in conducting this analysis suggests that employers will find it difficult to argue that further processing is “compatible” with the initial processing if an employee could not have foreseen that the processing would take place based on the policies and notices available to the employee at that time.

Employers should continue to follow best practice in the use of CCTV footage in the workplace by:

  1. Review and update their policy on an ongoing basis;
  2. Conduct a data protection impact assessment before deploying CCTV cameras in the workplace;
  3. Deploy CCTV in areas of particular risk, not where employees have high expectations of privacy (e.g. locker rooms);
  4. Clearly communicate CCTV camera locations;
  5. Of course, it’s not about capturing images for one purpose and using them for another;
  6. Clearly communicate to employees that captured footage may be used not only for security purposes, but also for employee investigations and disciplinary proceedings;
  7. When less invasive survey methods are available, consider using them;
  8. Ensure that the CCTV review is conducted in a manner that allows any subsequent issues to be addressed in a manner consistent with natural justice; determine who will review the images and avoid duplication (if possible) with those responsible for conducting HR investigations.