Use of CCTV in disciplinary processes: New ruling from the Court of Appeal
In Doolin v DPC [2022], the Court of Appeal examined the use by an employer of CCTV footage for disciplinary purposes. Upholding an earlier decision of the High Court, it found such use constituted unlawful further processing. We take a look at the decision and what it means for employers.
Background
Less than a week after the 2015 Paris terror attacks, graffiti stating: “Kill all whites, Isis is my life” was carved into a table in the staff tearoom at Our Lady’s Hospice and Care Service (the "Hospice"). Hospice management contacted Gardaí, who advised the Hospice to review CCTV to ascertain who had accessed the room over the previous days. A viewing of the footage showed Mr Doolin entering the room on a number of occasions, although there is no suggestion that Mr Doolin was involved in the graffiti incident, but the information suggested that he had accessed the room for the purpose of taking unauthorised breaks.
An investigation report which followed was entitled: "Investigation into staff member (Cormac Doolin) accessing the Anna Gaynor House tea room at unauthorised times." This report provided that the "panel have established on the balance of probabilities that unauthorised breaks were taken by Mr. Cormac Doolin on the afternoons of Tuesday 17th, Wednesday 18th and Thursday 19th November 2015." The report made no reference to any findings in connection with the graffiti.
This led to a disciplinary sanction against Mr Doolin in respect of unauthorised breaks.
The legislation
The Data Protection Acts 1988 and 2003[1] provide that data shall be obtained only for one or more specified, explicit and legitimate purposes; and not further processed in a manner incompatible with that purpose or those purposes.
Decisions of the DPC, Circuit Court and High Court
The Hospice CCTV policy stated that "..The purpose of the system is to prevent crime and promote staff security and public safety" and a sign was placed beside each camera, which read “Images are recorded for the purposes of health and safety and crime prevention”.
Mr Doolin made a complaint to the Data Protection Commission (DPC). The DPC rejected Mr Doolin's complaint as it was of the view that the processing of Mr Doolin's data in relation to the security concerns was legitimate. The DPC stated that it was "satisfied that the processing of your personal data in the form of a limited viewing of the relevant CCTV footage, without downloading or further processing of any kind was necessary for this purpose and did not go beyond the stated purpose”. The DPC considered that Mr Doolin’s data was confined to the CCTV images and beyond the first and only viewing of those, no further processing occurred.
Mr Doolin unsuccessfully appealed to the Circuit Court, and then appealed again to the High Court. The High Court found against the DPC's decision, stating "… the CCTV footage was collected for the express and exclusive purpose of security and was used (permissibly) for that purpose but was also used for a distinct and separate purpose, i.e. disciplinary proceedings into unauthorised breaks by an employee. In the premises, it seems to me that there was no evidence upon which the Circuit Court could safely conclude that the further processing in the context of the disciplinary hearing was for security purposes..."
The High Court said that it was indisputable that the information contained in the CCTV footage was used for a different purpose than the one for which the data was originally collected. The fact that it was not downloaded does not mean that no further processing took place. It therefore considered, contrary to the DPC’s findings, that the CCTV images were further processed.
The DPC then appealed to the Court of Appeal, which was critical at the outset of the lengthy appeals process stating "the costs involved in all these appeals are very substantial and entirely disproportionate to the issue concerned, where there is no obvious necessity for such a multiplicity of appeals".
Court of Appeal decision
In the Court of Appeal, the DPC argued that the case rested upon three fundamental propositions:
(a) The CCTV footage was viewed on one occasion only, for the purpose specified in the Hospice CCTV policy, namely security, and was not further processed thereafter. Accordingly, no breach occurred.
The Court of Appeal (COA) found that Mr Doolin's data was in fact processed three times: (i) when it was collected/recorded (ii) when it was watched for the purposes of the security incident and (iii) when the data relating to the dates and times of access/egress by Mr Doolin to and from the staff tea room were tabulated in the investigation report for the purpose of supporting a disciplinary sanction against him.
(b) Alternatively, if the CCTV footage was further processed by the Hospice, it was processed for a security purpose.
The COA stated that "the DPC appears to have considered that there was one investigation only into the security issue and therefore the outcome of that investigation must be regarded as security related", but one of the central features of the case was that it was never explained by the Hospice or the DPC, how the taking of unauthorised breaks could be said to amount to a security issue.
The COA did not agree that there was only one investigation and so found that it could not be that the investigation was for the purpose of security. By way of example, the COA pointed out that the title of the investigation report does not refer to security but describes the report as an “investigation into staff member (Cormac Doolin) accessing the Anna Gaynor House Tea Room at unauthorised times.” The COA went on to state that "the processing of Mr Doolin’s data was not for a security purpose as the DPC contends. It was manifestly for a different purpose … but of course that is not the end of the inquiry. It is necessary thereafter to carry out a compatibility assessment ..."
(c) In the further alternative, if the CCTV footage was further processed and such processing was not for a security purpose, then it was for a purpose that was not incompatible with the security purpose.
The COA agreed with the DPC that the mere fact that data was used for a different purpose does not mean that the use was unlawful and that it is only where the further processing occurs in a manner incompatible with the stated purpose that an illegality arises.
The DPC argued that every employee entering the room for a defined period of time had to be regarded as a suspect for the graffiti incident, including Mr Doolin, and accordingly the unauthorised access had a clear security dimension and was integral to the investigation of the graffiti. The DPC argued that it must follow, that even if the disciplinary process was not expressly for a security purpose, it was for a related purpose and thus not incompatible with the specified purpose. The COA disagreed and restated that there was absolutely no evidence that the taking of unauthorised breaks represented a security issue in itself.
What does this mean for employers?
The case provides a cautionary tale for employers in terms of relying on CCTV footage in disciplinary processes.
In the first instance, employers should ensure that they comply with data protection principles when using CCTV, as outlined in the DPC Guidance on the use of CCTV for Data Controllers.
The case highlights the importance of having clear policies and procedures in place for processing personal data relating to employees, particularly in relation to CCTV footage. An organisation must carefully consider the purpose(s) for which it is collecting personal data, and ensure these purposes are clearly set out in the organisation’s data protection notice/policy, and are communicated to employees and/or other data subjects whose personal data is collected.
Although further processing of personal data is not automatically unlawful, it is more likely to be so where: the further processing is not related to the original purpose; would not be expected by data subjects; could have unforeseen or negative impacts on data subjects; and no additional safeguards have been applied to ensure fair and transparent processing.
For further information in relation to this topic, please contact Triona Sugrue, Knowledge Lawyer, Bernard Martin, Senior Associate, or any member of the ALG Employment team.
[1] While these have now been replaced by the Data Protection Act 2018, it contains similar provisions so the issue arising continues to have relevance.