The Irish Data Protection Commissioner has found the rights of a resident of a direct provision centre were breached when CCTV footage was disclosed to a radio station. The case is outlined in the Data Protection Commissioner’s 2018 Annual Report, which was launched on 23 November.
The complaint was submitted following the complainant’s participation in a radio programme concerning an incident that had occurred between the residents and staff of the direct provision centre. During the programme, the host stated that he had a copy of the CCTV footage which showed the complainant in an argument with another resident.
The direct provision centre in question is owned by the State, under the remit of the Reception and Integration Agency (RIA), and run by Aramark Ireland. The complainant made complaints to the RIA, Aramark and the radio station. An access request was also made to the RIA under Section 4 of the Data Protection Actions 1988 and 2003 seeking information on all those who had been recipients of the complainant’s personal data. The RIA did not respond to this request.
In its investigation, the Commissioner established that Aramark was a data processor on behalf of the RIA. Aramark had transmitted the video of the incident to the RIA as it related to security, and health and safety issues. This was done via Google link due to the size of the file. Aramark contended that this link had not been sent from any Aramark email account to a third party, other than the RIA.
The RIA also confirmed that the CCTV had not been disclosed to a third party, had been deleted and was not retained. It was able to provide its data protection and CCTV policies, and confidentiality agreement with Aramark. However, there were no specific policies in place for the management of CCTV in direct provision centres. The RIA further claimed that it had not responded to the access request as it was awaiting a full report from Aramark.
The Commissioner therefore found the RIA in breach of its duty to respond to the access request within 40 days. She also found the RIA, as data controller, in breach of Section 2C(3) of the Data Protection Acts for not having a contract in place to identify the respective obligations of the RIA and Aramark in relation to the processing of personal data.
Neither the RIA, Aramark or the Commissioner were able to establish how the footage was disclosed to the radio station, however the Commissioner found that the RIA and Aramark had failed in their duty of care to the complainant by failing to have adequate security measures in place. This, compounded by the lack of procedures, led to the Commissioner also finding a violation of Section 2C(2) for failure to take reasonable measures to ensure employees were aware of, and complied with, the relevant security measures.
Click here for the Data Protection Commissioner’s 2018 Annual Report.