Court of Appeal: Use of CCTV footage to investigate employee discipline in breach of data protection laws

Court of Appeal: Use of CCTV footage to investigate employee discipline in breach of data protection laws

The Court of Appeal has ruled that the use of CCTV security footage to investigate an employee discipline issue was unlawful because the footage was collected and processed for the specific purpose of security. It was held that this difference in purpose was in contravention to the Data Protection Act 1988, which required data processors to properly notify data subjects about the specified purpose that data was collected.

Delivering judgment in the case, Mr Justice Noonan held that the CCTV was intended to be used solely for security purposes and that the employee could not have reasonably expected that the footage would be used to monitor their performance. In those circumstances, the employee’s data was used for a purpose other than the specified purpose.

Background

The employee worked at Our Lady’s Hospice and Care Services in Harold’s Cross, Dublin. In 2015, graffiti was discovered that had been carved into a table in a staff tea room. The graffiti said: “Kill all whites, ISIS is my life.”

The graffiti prompted a security review by OLHCS as the graffiti was found one week after terror attacks in Park. The tea room was only accessible to staff members who used electronic fobs to get inside. The outside of the room was monitored by a CCTV camera.

On the advice of gardaí, OLHCS reviewed the footage to identify all people who entered the room in a three-day period. An employee, Mr Doolin, was observed entering the room on several occasions. While there was no suggestion that Mr Doolin was involved in the graffiti, the footage showed that Mr Doolin was taking long, unauthorised breaks from employment during the day.

Arising from this, OLHCS began a disciplinary process against the employee which resulted in sanction. During a formal interview related to the graffiti and the breaks, it was put to Mr Doolin that he had taken breaks between 45 and 55 minutes each day. Mr Doolin agreed that he had taken the breaks.

In a final report, the CCTV footage and fob access records were examined. It was made clear that the sole reason for accessing this information was to investigate the unauthorised breaks and not in connection with the graffiti.

Subsequently, Mr Doolin made a complaint to the Data Protection Commissioner on the basis that the OLHCS policy on CCTV stated that the use of CCTV was for security purposes only. Further, signage in the area stated that images were recorded for health, safety and crime prevention. Accordingly, it was said that the use of CCTV in the disciplinary process was unlawful because there was no element of security to that investigation.

The DPC rejected the complaint, stating that the personal data consisted solely of Mr Doolin’s image and that the footage was viewed without any further processing by OLHCS. The DOC determined that the data was processed in connection with the security incident and that the use of the footage in the disciplinary proceedings did not constitute a different purpose.

The decision was appealed to the Circuit Court, which upheld the appeal. The matter was appealed again to the High Court, which allowed the appeal. The High Court noted that the DPC had changed its stance on the legality of the processing, claiming that the processing had been for its original purpose of security. This marked a “significant departure” from the DPC’s original decision and was “remarkable”.

It was determined that the data had been lawfully collected for security purposes but had been impermissibly used for the “distinct and separate purpose” of discipline. Accordingly, the court held that the processing was unlawful. The decision was appealed to the Court of Appeal.

Court of Appeal

Mr Justice Noonan began by outlining the relevant legislation. It was noted that the Data Protection Act 1988 applied and that the case primarily concerned section 2(1)(c)(ii), which provided that data “shall not be further processed in a matter incompatible” with the specified purposes.

The court also noted that the relevant principles on statutory appeals were contained in Deely v Information Commissioner [2001] 3 IR 439, which included that findings of fact could not be set aside unless there was no evidence to support such findings and that a decision could be side aside if the DPC had taken an erroneous view of the law.

The court held that the issues arising in the case were not the subject of a decision from the ECJ or the domestic courts. As such, the court determined that it could have regard to the views of a Working Party established under the Data Protection Directive of 1995. The Working Party outlined that purpose limitation of data collection was necessary to protect individuals by setting limits on how data controllers use data. Further processing was not necessarily incompatible with a specified purpose and had to be assessed on a case-by-case basis.

Mr Justice Noonan held that Mr Doolin’s data was processed more than once and that the DPC had made a “manifest error” in finding otherwise. The footage disclosed information which went beyond Mr Doolin’s image, including where he was and when.

Further, the DPC was wrong to state that processing only occurred when the CCTV footage was viewed by OLHCS. It was originally processed when it was recorded and further processing took place when it was accessed by OLHCS investigators. A third processing occurred when data of dates and times were tabulated in the final report.

This error by the DPC led to a further error as to whether there was further processing by OLHCS. The court held that there were “plainly two investigations or at minimum, one investigation into two difference matters”. Since there were two investigations, it could not be said that the disciplinary investigation was for the purpose of security. The report itself described that it was investigating a staff member’s access to the tea room.

Finally, the court considered whether the data being used for a different purpose was incompatible with the specified purpose of security. In this case, the viewing of CCTV to identify the graffiti perpetrator was “entirely irrelevant to the incidental observation of Mr Doolin taking unauthorised breaks”. There was no evidence that these breaks represented security issues in themselves.

Conclusion

The court determined that the concept of notification of the purpose of data collection was central to the case. Under the 1988 Act, data were not processed fairly unless the data subject is made aware of the purpose of processing at or before the data is obtained.

Mr Doolin had not been notified that CCTV could be used for disciplinary issues and there was no basis that he might have reasonably expected such use. The data was used for a purpose other than the specified purpose and was therefore unlawful. The appeal was dismissed.

Doolin v. The Data Protection Commissioner [2022] IECA 117

Share icon
Share this article: