Employer's use of CCTV: Irish Data Protection Commission v Doolin and Ors. [2022]

What happens if, during the use of CCTV for one purpose, an employer incidentally captures evidence relating to an unrelated incident? Do data protection laws prevent employers from acting upon this evidence?

These issues were considered in DPC v Dooling and Ors.

It is worth noting that this case was brought under the EU GDPR and heard in the Irish courts, and it is, of course, now possible that the UK courts could adopt a different approach. That said, we consider this highly unlikely given the strong alignment between the two GDPR regimes at present.

Facts of the case

The employer discovered vandalism on site. The employer was advised by the police to review recorded CCTV of the entrance to the building to identify the offender. Whilst reviewing the CCTV, one employee, Mr Doolin, was identified as entering and exiting the break room outside of his authorised break time. The employer took disciplinary action against Mr Doolin.

Mr Doolin complained to the Data Protection Commission (DPC) as his employer's privacy policy indicated that CCTV would only be used for security and crime prevention, not for monitoring his working hours.

DPC / First Court decision

The DPC initially dismissed the claim on the grounds that the data had only been processed once (to investigate the vandalism which amounted to a security issue) and the employer was relying on the admissions of Mr Doolin in bringing the disciplinary action, rather than the CCTV footage.

A further complaint to the Circuit Court (equivalent to a county court in England) was also dismissed on similar grounds.

High Court

The High Court overturned the Circuit Court decision on the basis that the employer had relied on the CCTV footage in bringing disciplinary action since the investigation report included a table setting out the exact times Mr Doolin entered and exited the room. Such use fell outside the uses of CCTV that were cited in the employer's privacy policy.

Court of Appeal

The DPC appealed to the Court of Appeal who raised two points of significance:

• Subsequent processing of personal data is not automatically unlawful, but there must be a case-by-case assessment as to whether further processing of data for a purpose different to the original one is incompatible with the initial processing.
• When considering a compatibility assessment in these circumstances, a key consideration is the context in which the data was collected and its intended use.

The Court of Appeal dismissed DPC's argument that the data was only processed once, stating that it was processed at least three times;

• Upon recording.  
• Upon retrieval and viewing by the Employer.
• When the times and dates of Mr Doolan's movements were used in the investigation report.

Furthermore, the processing was not for a related purpose nor was it compatible with the original purpose of security.

What does this mean for employers who use CCTV?

This case illustrates the importance of transparency when installing and using CCTV in the workplace.  The use of the CCTV must be in line with your privacy policy and you should consider writing explanatory notes to help employees better understand why the use of CCTV is necessary and its purpose.

Before making use of CCTV footage, you should confirm they have a lawful basis to process the data captured by the CCTV and confirm that the use is compatible with the stated purpose in your policies. In this case, if the policy had included 'disciplinary action' as well as 'security and crime prevention' then it is likely that the employer would have had been able to use the footage. t Employees need to be able to foresee such processing could take place.

We recommend that you review your privacy policies to ensure that your intended processing activities are accurately reflected.

If you have, or are thinking of, installing CCTV in your work place, the ICO has a 6 step guide of points to consider which we strongly advise you follow to avoid disputes such as the one cited here:

• Think about how you’ll respect people’s privacy and uphold their rights. People have a right to privacy, so if you’re thinking about installing CCTV, you have to consider how it could impact employees and others being recorded.
• Consider if you need to use audio. Many cameras can record sound – but this doesn’t mean you should. Consider whether it’s necessary in the situation you want to use it in.
• Create a document which explains your decision. You need to set out why you think you need CCTV and how you plan to minimise the impact it will have on people’s privacy (i.e. a data protection impact assessment). 
• Update your policies. You need to pull together the information you’ve gathered in steps one, two and three and use it to update your policies.
• Pay attention to how your CCTV is set-up. Before you start using your CCTV, you need to check the camera angle, put up signs to tell people it’s there and register with the ICO.
• Keep on top of the footage you capture. You shouldn’t keep the CCTV footage for longer than you need it and you need to keep it safe while you have it.