knowledge 13 June 2022 |

At Cross-Purposes: Data Protection Commissioner v Cormac Doolin

The decision, which refused the appeal of the Data Protection Commissioner (“DPC”)², has confirmed that employers must notify employees clearly of the purposes for processing CCTV camera footage in the workplace. If an employee’s personal data contained in the footage is originally captured for the purposes of security, any further processing must be compatible with that original purpose for processing.

While the case deals with the pre-GDPR data protection regime, the Data Protection Acts 1988 and 2003 (the “Data Protection Acts”), the decision will be instructive in interpreting the purpose limitation principle now contained in Article 5(1)(b) of the GDPR.

Background

In November 2015, graffiti was discovered in a staff room of Our Lady’s Hospice and Care Services (“OLHCS”) which gave rise to security concerns.  A CCTV camera was in place outside the door of the room.  An investigation was launched by OLHCS to identify the person who placed the graffiti in the staff room, which included a review of CCTV footage for the period surrounding the incident.  Mr Doolin was an employee of OLHCS at the time and the information gathered from the CCTV footage suggested that he had entered the room to take a number of unauthorised breaks.  Mr Doolin subsequently received a disciplinary sanction, following questioning by an investigation panel.

OLHCS’s CCTV policy at the time indicated that the purpose of the CCTV system was to prevent crime and promote security.  A sign beside the CCTV camera stated that it operated “for the purposes of health and safety and crime prevention”. 

Complaint

Mr Doolin made a complaint to the DPC acknowledging that OLHCS had a legitimate reason for viewing the CCTV footage to investigate the graffiti incident.  However, he objected to the footage then being used to monitor staff and for disciplinary proceedings, as this was not a stated purpose of processing in the OLHCS CCTV policy and not in line with Section 2(1)(c) of the Data Protection Acts.  Section 2(1)(c) contains the purpose limitation principle - that data obtained for one or more specific, explicit and legitimate purposes should not be further processed in a manner incompatible with that purpose or purposes.

The DPC made a determination rejecting Mr Doolin’s complaint and finding that the purpose for which the CCTV footage had been viewed was solely to investigate the graffiti incident. The DPC found that this was a legitimate purpose, consisting of “a limited viewing of the relevant CCTV footage, without downloading or further processing of any kind” which was necessary for and did not go beyond the stated purpose.  The DPC also determined that while the personal data may subsequently have been used for another purpose (i.e. disciplinary proceedings) the CCTV images were not further processed for that further purpose.  The DPC concluded that the “limited viewing” of Mr Doolin’s images took place “exclusively for the security purpose for which the images were originally collected and that no contravention of Section 2(1)(c)(ii) occurred”.

Circuit Court and High Court

Mr Doolin appealed the decision of the DPC to the Circuit Court.  The Circuit Court dismissed the appeal, relying on the evidence provided by the DPC.  The judge accepted that OLHCS only carried out one investigation, into the graffiti incident, finding that the processing of the CCTV footage was for security purposes only, including the disciplinary action against Mr Doolin.

Mr Doolin appealed this decision to the High Court, which allowed the appeal. The High Court found that there had been further processing of the CCTV footage.  In overturning the decision of the Circuit Court, the High Court found that there was no evidence for the DPC’s determination that the disciplinary action was carried out solely for security purposes and found that the CCTV footage was further processed for a “distinct and separate purpose” in the disciplinary action, which was incompatible with the original purpose.

Court of Appeal

The DPC then appealed the decision of the High Court to the Court of Appeal, arguing that:

• the CCTV footage was viewed once for security purposes specified in the OLHCS CCTV policy and not further processed thereafter; or in the alternative

• if the Court found the CCTV footage was further processed by OLHCS:
  • it was processed for the purposes of security; or
  • the purpose for which it was processed was not incompatible with the security purposes.

The Court went on to find the following:

Processing

• The DPC erred in its conclusion that Mr Doolin’s personal data was only processed once. The footage disclosed data concerning Mr Doolin beyond his image, such as when he entered and exited the staff room.  Specific reliance was put on this data to support the disciplinary process.  

• Processing of personal data includes obtaining or recording data³.  The first processing of Mr Doolin’s data took place when the data were recorded on the CCTV footage, not, as the DPC argued, on viewing the footage.

• The CCTV footage was then further processed (i) when it was viewed by OLHCS; and (ii) when the entry and exit times of Mr Doolin from the staff room were collected from the footage for the purpose of the disciplinary investigation.

Purpose

• The Court disagreed with the DPC that only one investigation overall had taken place and agreed with the High Court that two separate investigations, one into the graffiti incident and one into the unauthorised breaks taken by Mr Doolin, took place.

• The latter investigation was not for security purposes, but “manifestly for a different purpose”.  There was no evidence the unauthorised breaks taken by Mr Doolin represented a security issue.

Compatibility

• The Court then considered whether the purpose for the further processing of the CCTV footage was compatible with the purpose for which it was originally obtained, in accordance with section 2(1)(c)(i) and (ii) of the Data Protection Acts. 

• The Court noted that one of the key factors highlighted by the Article 29 Working Party⁴ to assess whether a purpose for further processing is compatible with the original purpose is what the reasonable expectation of data subjects as to the further use of their data might be.

• Notification of the purpose of processing to the data subject is central to fair processing⁵.  Personal data shall not be treated as being processed fairly unless the data subject is made aware, at or before the time the data is obtained, of the purpose for the processing.

• Mr Doolin had not been notified that the CCTV footage could be used for disciplinary purposes and could not have reasonably expected that it would be processed for these purposes.

• Mr Doolin’s data was processed for a purpose other than, and incompatible with, the specified security purpose and as such the processing was unlawful.

Takeaway

The judgment in Doolin has application to all processing of CCTV footage. Controllers in general should ensure that data subjects, whose personal data may be captured by CCTV, are made aware of all purposes for which the CCTV footage may be used and that all policies in place reflect this.

Employers in particular should ensure that their data protection policy, data protection notices, CCTV policy and signs accompanying CCTV cameras list all the purposes of processing.

Employers should also be wary of using CCTV footage in a disciplinary process unless employees have previously been informed that this may occur and if they do so, employers should ensure that the further processing of the personal data for disciplinary procedures is not incompatible with the original purposes for which it was collected (e.g. security purposes).

Also contributed by Siobhán Power