The much anticipated decision of the Court of Appeal in Data Protection Commission v Doolin and Ors. [2022] IECA 117 concerned an issue that can arise in employment investigations: if an employer uses CCTV footage to investigate one incident, what happens if they discover another, unrelated incident in the context of that investigation? May they proceed to act upon the information they have found – or are they restricted in what they can do by data protection laws?

In a previous article, available here, we considered these issues in the context of the High Court decision. The decision of the Court of Appeal provides new insights that are of assistance to relevant stakeholders.

Background

The case concerned a security incident arising out of disturbing graffiti being found on the property of the employer. This caused the employer to contact the Gardaí, who recommended that the employer review CCTV footage to identify the perpetrator. In the course of the CCTV review, an employee – Mr Doolin – was identified entering and exiting a tea room at certain times, indicating he was taking unauthorised breaks.  A disciplinary process was initiated, and a sanction ultimately issued.  Mr Doolin subsequently complained to the Data Protection Commission (“DPC”) that his employer had unlawfully processed his personal data, as the employer’s CCTV policy indicated that the purpose of CCTV monitoring was for security and crime prevention, not disciplinary purposes.

The DPC dismissed the complaint, on the basis that the footage had only been processed once (to investigate the graffiti incident, which was a security incident), and that the employer subsequently relied on Mr Doolin’s admissions in the course of the investigation (as opposed to the CCTV footage).

The Circuit Court dismissed Mr Doolin’s appeal of the DPC’s decision, observing that Mr Doolin had in the course of the investigation admitted a breach of security (i.e. taking unauthorised breaks) and that disciplinary action was taken against him for security purposes.

The High Court overturned the Circuit Court decision, on the basis that there was no evidence that the disciplinary action was carried out for security purposes. The employer relied on the CCTV footage; a table was included in the investigation report that set out his times of entry/exit to the tea room. The Data Protection Commission then appealed the High Court’s decision to the Court of Appeal.

DPC arguments before the Court of Appeal

The DPC made three arguments before the Court of Appeal, essentially reiterating the different (and inconsistent) arguments it made previously. Firstly, it argued that the CCTV footage was processed once (when viewed by the employer) and no subsequent processing took place in the course of the disciplinary process, therefore no breach occurred. Alternatively, it argued that further processing was done pursuant to the CCTV policy (i.e. security purposes) and was permissible. As a further alternative, it argued that further processing was for a purpose that was not incompatible with the purpose contained in the employer’s CCTV policy, and was therefore permissible.

Approach of the Court of Appeal

The Court of Appeal noted that while the case concerned the Data Protection Acts 1988 to 2003, the issues are relevant today as the relevant provisions of the GDPR are similarly worded. At the outset of its analysis, it highlighted the importance of the Opinion of the Article 29 Working Party on Purpose Limitation, published on 2 April 2013.

In particular, the Court of Appeal cited two particular aspects of that Opinion as being of significance in this case. Firstly, further processing of data for a different purpose does not necessarily mean that such processing is unlawful – rather, a case-by-case assessment is required as to whether the subsequent processing is incompatible with the initial processing. Secondly, a key factor in conducting such a compatibility assessment in these circumstances is the context in which the personal data was collected, and the reasonable expectations of the data subject as to their further use. Having noted this, the Court of Appeal turned to examine the DPC’s grounds of appeal.

It dismissed the DPC’s first argument, noting that to conclude that Mr Doolin’s data was processed only once was “a manifest error that was serious and significant.”  Mr Doolin’s data was processed at least three times – when it was recorded on the CCTV footage, when the data was retrieved and viewed by the employer, and when the data relating to the dates and times of access by Mr Doolan to and from the tea room was used in the investigation report.

Turning to the DPC’s second argument, it assessed whether Mr Doolan’s data was processed for security reasons and, like the High Court, concluded that it was not.

Critically, it determined that this was not the end of the matter.  The mere fact that data is used for a different purpose does not make it unlawful.  A compatibility analysis is required, and it was noted that this analysis was not explicitly carried out by the High Court. The Court of Appeal proceeded to carry out this assessment, but did not agree with the DPC’s third argument that the purposes were not incompatible.

It found that the processing was not for a related purpose, and was incompatible with the specified purpose of security reasons. It noted that the original purpose of attempting to detect the perpetrator of offensive graffiti was irrelevant to the “incidental” monitoring of Mr Doolin taking unauthorised breaks – there was no evidence that taking of unauthorised breaks was a security issue. The Court did indicate that there was some circumstances in which it might constitute a security issue, for example, if Mr Doolin had been employed as a security guard – but this did not apply in these circumstances. It further noted that in conducting a compatibility assessment, the reasonable expectations of a data subject will be considered.  In this case, it was clear that Mr Doolin’s data was use for a purpose other than, and incompatible with, the specified purpose, and was therefore unlawful. The DPC’s appeal was dismissed.

Conclusion

The Court of Appeal decision clarifies that for the Irish Courts, the starting point for employers using CCTV for workplace investigations is the Article 29 Working Party opinion. Interestingly, while certain Article 29 Working Party opinions have been endorsed by the European Data Protection Board (“EDPB”) post-GDPR, this specific Article 20 Working Party opinion has not. Accordingly, while the opinion is helpful, it does not necessarily represent the current views of the EDPB. The Court’s clarification that processing data for a different purpose is not necessarily unlawful is helpful for data controllers.

Employers are not expected to “un-see” or “forget” everything that arises in a CCTV review, but before they embark upon a different investigative route, they must (i) ensure that they have a lawful basis to do so under their current policies (i.e. they must ensure that their employee privacy notices refer to use of CCTV for disciplinary purposes) and (ii) undertake a compatibility assessment to determine if the investigative purpose is compatible with the stated purpose (e.g. if this is only security) for the CCTV.

However, the emphasis placed by the Court on the reasonable expectations of the data subject in conducting this analysis suggests that employers will find it difficult to assert that subsequent processing is “compatible” with the initial processing if an employee could not have foreseen that the processing would take place based on the policies and notices available to the employee at the time.

Employers should continue to follow best practice in the use of CCTV footage in the workplace by:

1. Reviewing and updating their policy on a continuous basis;
2. Conducting a data protection impact assessment before deploying CCTV cameras in the workplace;
3. Deploying CCTV in areas of particular risk, and not where employees have a high expectation of privacy (e.g. changing rooms);
4. Clearly communicating the locations of CCTV cameras;
5. Not as a matter of course capturing footage for one purpose and using it for another;
6. Clearly communicating to employees that footage captured may be used not only for security purposes but also employee investigations and disciplinary proceedings;
7. Where less invasive methods of investigating the matter are available, consider using them;
8. Ensuring CCTV review is conducted in a manner that allows any subsequent issues to be dealt with in a manner compliant with natural justice; consider who will review the footage, and avoid overlap (where possible) with those charged with conducting HR investigations.