The Irish Court of Appeal has upheld a decision that a hospice employee’s data protection rights were violated in an investigation over workplace conduct.
Cormac Doolin became embroiled in the investigation after someone at his workplace, the Dublin-based Our Lady’s Hospice and Care Service, was accused of graffitiing a racial slur in the hospice’s breakroom.
To determine who had written the message, the hospice reviewed CCTV footage of the breakroom. In doing so, management discovered that Doolin, a craftsman’s mate at the hospice, had repeatedly entered the room during work hours.
Although there was no suspicion that Doolin had written the graffiti, the footage showed that he had taken unauthorised breaks. As such, disciplinary proceedings were launched against him.
Doolin complained to the DPC (Data Protection Commission), stating that the hospice could not legally use CCTV footage to carry out disciplinary investigations.
However, the DPC dismissed this, saying that the processing of his personal data – in this instance, his image – was necessary for the purpose of security.
Doolin appealed to the High Court, which ruled in his favour. It stated that the DPC had incorrectly interpreted the law and that Doolin’s data protection rights had been violated.
The DPC then launched its own appeal, but the three-judge panel upheld the High Court decision.
Why was the decision upheld?
The appeal court ruled that Doolin had not been notified that CCTV could be used for disciplinary purposes, and that there was no basis upon which he could have expected the data to be used for that purpose.
The panel added that Doolin’s personal data was used for a purpose other than the one for which it was originally processed, namely ensuring the physical security of the premises.
The ruling should act as a reminder that organisations must have a lawful basis for processing personal data, and can only use the information for purposes appropriate to that basis.
Organisations should also remember that CCTV footage is considered personal data under the GDPR (General Data Protection Regulation) and is subject to its requirements.
The most likely reason for using CCTV in the workplace is security. In such cases, the most appropriate lawful basis would be:
- Legal obligations, which apply when you need to process personal data to comply with specific laws; or
- Legitimate interests, which apply when a private-sector organisation has a genuine reason (including commercial benefit) to process personal data without consent, provided it’s not outweighed by the negative effects on the individual’s rights and freedoms.
Whichever basis is used, the organisation must justify why it has been chosen. It must also show that it recognises the data privacy risks that monitoring may present, and that it has implemented appropriate controls.
This means conducting a DPIA (data protection impact assessment) to assess the extent to which monitoring is necessary, where and when it is required, and what methods to use.
Conducting a DPIA
DPIAs are necessary whenever CCTV monitoring is implemented.
You can find more advice on how to use CCTV in a GDPR-compliant way in our free green paper: A Concise Guide to Data Protection Impact Assessments (DPIAs).
This guide explains how to perform an assessment and the ways DPIAs can benefit your overall GDPR compliance posture.
If you are ready to conduct an assessment, our DPIA Tool is the perfect solution. This software:
- Helps you create a DPIA process and define the scope of the DPIA;
- Produces a consistent approach for every DPIA;
- Allows you to share DPIA results with key stakeholders and the supervisory authority;
- Generates accurate reports on each DPIA conducted; and
- Enables you to export the results of each DPIA.