Data Protection: Court of Appeal rules CCTV footage was unlawfully used to investigate employee discipline matter

The Court of Appeal has determined that an employer was in breach of the Data Protection Act 1988 when they used CCTV footage to investigate instances relating to employee discipline since, under the data protection legislation, data processors are required to properly notify data subjects as to why their data is being processed. In this case, the employer was only permitted to collect and process the footage for the specific purpose of security. The employer had not been notified that the footage would also be used to investigate discipline issues.

Delivering the judgment for the Court, Mr Justice Noonan held that the employee could have reasonably expected that the footage would be used to assess their performance at work and that in such instances this amounted to the employer using the data for a purpose other than that specified.

Background

During a security investigation arising from matters unrelated to the defendant employee in the initial case, the employer, Our Lady's Hospice and Care Services, Dublin on the advice of Gardai were reviewing CCTV footage spanning a three day period which captured employees entering and leaving the staff lunch room. The employee in the present case was witnessed taking extended, unauthorised lunch breaks.

The employers began disciplinary action against the employee resulting in a sanction being imposed upon him. In the final report it was stated that the purpose of accessing the CCTV footage and the lunch room access fob records was solely in relation to the disciplinary investigation into his unauthorised lunch breaks, not the original security matter (offensive graffiti on a table in the staff room).

The employee complained to the Data Protection Commissioner on the basis that the employers' policy on CCTV made it clear that it would only be used for security purposes. This was supported by signage in the area of the lunch room. Thus, it was argued by the employee that the use of the footage for disciplinary action was unlawful. Initially the Data Protection Commissioner rejected the complaint stating that the footage had been properly processed in connection with the security incident and that the use of the footage in the disciplinary proceedings did not constitute a different purpose.

However, on appeal to the Circuit Court and subsequently to the High Court, it was held that although the data had been lawfully collected for security purposes, it had then been further used, impermissibly, for the “distinct and separate purpose” of investigating employee discipline. Accordingly, the court held that the processing was unlawful. The decision was appealed to the Court of Appeal.   

Court of Appeal

Mr Justice Noonan outlined at the beginning that the Data Protection Act 1988 applies, in particular S.2(1)(c)(ii) which states that data “shall not be further processed in a matter incompatible” with the specified purposes.

The court also noted that the relevant principles on statutory appeals were contained in Deely v Information Commissioner [2001] 3 IR 439, which included that findings of fact could not be set aside unless there was no evidence to support such findings and that a decision could be side aside if the DPC had taken an erroneous view of the law.

In the absence of any decision from the ECJ or the Irish courts relating to these matters, the Court considered the views of a Working Party established under the Data Protection Directive 1995 where it was outlined that the limitation of data collection through the application of strict boundaries as to the data's purpose was necessary in order to protect individuals. Further processing beyond the scope of the original purpose must be assessed on a case by case basis.

Mr Justice Noonan held that the DPC had made a "manifest error" in ruling that the employee's data had not been processed more than one. He held that the footage went beyond just the employee's image, as suggested by the DPC, since in fact it disclosed his image, his location and the time he was there. Furthermore, the DPC was wrong to state that processing only occurred when the CCTV footage was viewed by the employer. It was originally processed when it was recorded and further processing took place when it was accessed by the disciplinary investigators. A third processing occurred when data of dates and times were tabulated in the final report.

The court held that there were “plainly two investigations or at minimum, one investigation into two difference matters”. Since there were two investigations, it could not be said that the disciplinary investigation was for the purpose of security. The report itself described that it was investigating a staff member’s access to the tea room. The court then considered whether the data being used for a different purpose was incompatible with the specified purpose of security. In this case, the viewing of CCTV to identify the graffiti perpetrator was “entirely irrelevant to the incidental observation of [the employee] taking unauthorised breaks”. There was no evidence that these breaks represented security issues in themselves.

In conclusion the Court held that as the employee had not been notified that the CCTV could be used against him for the purposes of employee discipline, then there was no basis for the argument that he might have reasonably expected it to be used in that way. The data was used for a purpose other than the specified purpose and was therefore unlawful.

Share

Resources

Sustaining Partners