The Court of Appeal recently ruled that the use of CCTV security footage to investigate an employee discipline issue was unlawful since the footage was collected and processed solely for the purpose of security. It was held that the difference in purpose was in breach of the Data Protection Act 1988 which requires data processors to notify all data subjects about the specified purpose for which that data was collected.
In this case, the employee worked at a hospice in Dublin. In 2015 an ISIS slogan was found carved into a table in the staff canteen a week after a terror incident in Paris. There was CCTV outside the canteen and staff members could access the canteen only using an electronic fob. The hospice reviewed the CCTV footage and saw that one employee entered the canteen on several occasions over three days. It appeared the employee was taking several long unauthorized breaks during the day. He was sanctioned and during an interview he admitted taking extended breaks.
In its final report, the Hospice looked at both the CCTV and fob access records. They explained to their employee that they were accessing all this information solely to investigate all his unauthorised breaks and not in connection with the ISIS graffiti. The employee then complained to the Data Protection Commission claiming the hospice policy on CCTV indicated its use for security purposes only and therefore its use for disciplinary reasons was unlawful as there was no security aspect in that investigation. The Commission rejected this claim and held that the use of CCTV footage in a disciplinary setting did not constitute a different purpose.
This finding was appealed to the Circuit and High Court which allowed the appeal. The hospice then appealed to the Court of Appeal where Judge Noonan laid emphasis on section 2 of the Data Protection Act which states that data “shall not be further processed in a matter incompatible with the specified purpose.”
The Court of appeal held that the hospice was, in effect, conducting two investigations one a security issue and the other disciplinary. The latter investigation could hardly be said to be for the purpose of security. The court considered the data used for the disciplinary issue was for a purpose utterly different to the specified one of security. There was no evidence to suggest the unauthorised canteen breaks taken by the employee constituted security issues in themselves. The court concluded that the principle of notification of the purpose of data collection was central to its findings. The data subject (the person caught on TV) must be made aware of the purpose of processing at or before the data is obtained.
In this case, the employee was never informed that CCTV would be used for disciplinary purposes and so it was used for purposes other than the specified purposes and was therefore unlawful. The appeal was dismissed.
Doolin v The Data Protection Commissioner [2022] IECA