Categories
Data Protection

The Use of CCTV in Disciplinary Hearings in the Workplace: Interesting High Court Decision (February 2020)

The conflict of rights between employer and employee concerning the use of CCTV in the workplace, and its use in disciplinary processes, was dealt with by the High Court in February 2020. The case was Doolin v The Data Protection Commissioner [2020] IEHC 90, an appeal from the Circuit Court, where Doolin, the employee, had lost.

The purpose of CCTV gathering in this workplace was for “security purposes”. On that basis Doolin argued that the employer could not use that CCTV footage in a disciplinary process.

Generally, the use of CCTV in the workplace must be “necessary and proportionate”. This means it should only be used for the stated purposes, unless it has been made clear at the outset that the CCTV data gathered may be used for other purposes, for example investigating offences, prosecuting offenders or disciplinary procedures.

The Grand Chamber of the European Court of Human Rights has held that the use of covert surveillance in the workplace may be justified where there is a reasonable suspicion of serious misconduct. You can read a blog post here about Lopez Ribalda and others v Spain.

The key takeaways from that case are:

  1. The employee’s right to privacy in the workplace is not absolute
  2. The employer’s action must be viewed in the light of the specific facts of the case and whether the steps taken by the employer were in pursuit of a legitimate aim and were necessary and proportionate.

Doolin v The Data Protection Commissioner [2020] IEHC 90

Doolin had been disciplined for taking unauthorised breaks in the workplace. These had become apparent when the employer found threatening graffiti in Our Lady’s Hospice and Care Service in Harold’s Cross and was advised by the Gardaí to monitor who had access to the room in question.

This was how the question of unauthorised breaks by Doolin arose.

Doolin complained to the Office of the Data Protection Commission about the use of CCTV in the disciplinary process and the unlawful use of his personal data.

The Data Protection Commissioner held that the purpose of gathering the CCTV was advised in advance as “for the purpose of health and safety and crime prevention”. In its view, because the original viewing of the CCTV was for a security purpose (that is, to try to find out who was posting the graffiti), the subsequent viewing of the data for the disciplinary process against Doolin was not for a different purpose.

Doolin appealed this decision to the Circuit Court, which upheld the decision of the Data Protection Commissioner. Doolin then appealed to the High Court.

The High Court agreed with Doolin insofar as it held that if the employer had intended to use CCTV in disciplinary proceedings in the workplace it should have made this clear in its data protection policy. It changed its policy in later years to reflect this but this was not the case at the time Doolin was disciplined.

The High Court held that the Circuit Court and the Data Protection Commissioner were incorrect in finding that no further processing of the data had occurred in the disciplinary process.

Interestingly, it found that if the data protection policy had reflected, as it later did, that CCTV could be used “for the purpose of a disciplinary investigation”, it would have been acceptable to discipline Doolin with the assistance of the CCTV; but that was not the case when Doolin was subjected to the disciplinary process.

The High Court held, inter alia,

I am therefore overturning the decision of the Circuit Court on the basis that there was no evidence for the conclusion that the disciplinary action, in which information derived from the CCTV footage was used, was carried out for security purposes.

The High Court also concluded,

The information used by the Panel to arrive at their conclusion that the Applicant had taken unauthorised breaks derived inter alia from both the CCTV footage and fob access records. Accordingly, it is indisputable that the information contained in the CCTV footage was used for the disciplinary proceedings, which use constituted a different purpose from the one for which the data was originally collected. The fact that it was not downloaded for use does not mean no further processing took place.

Conclusion

For the reasons set out in the Decision,

I: (a) allow the appeal against the decision of the Circuit Court on the basis that there was no evidence for the conclusion that the use of the CCTV footage or material derived from it in the disciplinary hearing was for security purposes;

 (b)  conclude that the DPC made an error of law in holding that no further processing took place as this conclusion was founded upon an incorrect interpretation of “processing” having regard to the terms of s.2(1)(c)(ii). 

64. Having regard to the above, I uphold the appeal and set aside the conclusions of the DPC in the Decision to the effect that no contravention of s.2(1)(c)(ii) occurred. 

65. I am conscious that s.26 simply provides for an appeal to the High Court on a point of law but does not prescribe what should happen in the event of a successful appeal. I therefore propose to hear the parties on the form of Order, including whether the matter should be remitted to the DPC. [Note: At a costs hearing on 25 February 2020, the parties indicated that no remittal should be made to the DPC and an Order was made in the terms of paragraph 63 above].

Read the full decision in Cormac Doolin and The Data Protection Commissioner and Our Lady’s Hospice and Care Services 2019/2011CA.


GDPR, Subject Access Requests, and Coronavirus/COVID-19

How does COVID-19 impact on your GDPR rights and obligations?

The Coronavirus/COVID-19 pandemic has caused problems in all areas of life, including difficulties in responding to data subject requests.

The Irish Data Protection Commission (DPC) has issued guidelines, whilst pointing out that the timelines for responding to requests have not changed.

Advice for Individuals

The DPC outlines that members of the public should be aware of, and appreciate, that frontline and critical services organisations such as healthcare providers, government departments (in particular the Department of Employment Affairs and Social Protection), Revenue and local authorities may need to divert resources and prioritise work areas. This channelling of resources will have an impact on areas of these organisations such as the handling of access requests.

The closure of schools, universities and other private sector organisations has further compounded the difficulty in processing data access requests. On this basis, the DPC has asked the public to bear these factors in mind if an access request is not processed in the requisite time. These are unprecedented times that call for unprecedented understanding.

Problems for Organisations/Data Controllers

The DPC has acknowledged that many organisations, especially those on the frontline and/or providing a critical service, may need to divert resources to priority work areas. The diversion of resources will impact other areas such as processing access requests. With regard to the statutory requirements that deal with access requests, the DPC is aware of these challenges and is proposing a proportionate regulatory response to these extraordinary circumstances.

The main point is that organisations experiencing delays in responding to access requests should, where possible, notify the data subject of the delay or possible delay in processing their request for data. This also includes an extension of two months to respond to an access request; this extension is provided for by the GDPR.

Another option open to organisations would be to respond to access requests in stages. If this is an option open to an organisation, the DPC implores organisations to communicate clearly with the individuals concerned.

Finally, where an organisation, due to the impact of COVID-19, cannot respond to a request either in full or in part, that organisation remains under an obligation to comply with the request and to action it as soon as reasonably possible.

Organisations must note that the statutory obligations to comply with access requests cannot be waived. However, if an individual complains to the DPC regarding an organisation’s failure to comply with a DSR, the Commission will assess the specific extenuating circumstances that led to the initial delay.

Conclusion

The Data Protection Commission encourages organisations to document their reasons for not complying with the timelines set out by statute.

If an organisation feels that it will not be able to deal with a subject’s access request within the statutory timeframe, the organisation should properly communicate the reasons to the data subject.

Finally, even though the GDPR does not allow statutory timelines to be waived, the DPC will take into account the extenuating circumstances surrounding the delay in responding to the access request.

You can read the statement/advisory from the Office of the Data Protection Commission here.


The Use of Private Investigators By Employers: Caution Needed

Have you been tempted to engage the services of a private investigator to carry out surveillance on one of your employees?

Perhaps you are trying to gather evidence of breach of a restrictive covenant in the contract of employment?

Or maybe you want to ascertain if an employee is working somewhere else or carrying on a business in breach of the contract of employment?

Restrictive covenants

Many contracts of employment contain restrictive covenants. The restrictive covenants aim to restrict the employee from doing certain things after she leaves the employment, typically:

  1. Restricting the employee from working in the industry for a certain period of time in a specified geographical area
  2. Restricting the employee from poaching staff from the old employer
  3. Restricting the employee from approaching old customers/clients with a view to moving them to the new employer, or the employee’s new business.

Whether the employer takes steps to enforce the restrictive covenant will depend on the circumstances, including the importance of the departing employee to the business and the potential damage he can cause if the covenants are not enforced.

The employer will have to weigh up the potential costs and benefits of taking legal proceedings to enforce the post-termination restrictions. Before commencing legal proceedings, however, the employer will need to be satisfied that a covenant is being, or is in danger of being, breached.

This involves gathering evidence, which raises the question of what steps the employer is entitled to take to gather that evidence.

Credit Suisse bank covert surveillance

The Credit Suisse bank was forced to apologise to a former employee, the head of wealth management, when it transpired that a covert surveillance operation had been carried out due to the fear of the former employee poaching banking colleagues and clients. An independent inquiry was carried out to investigate the matter. This led to the resignation of the bank’s chief operating officer, who had gone on a solo run, and to the finding that there was no evidence that the former employee was in breach of any restrictive covenant.

Private investigators in employment disputes

Private investigators are frequently used in personal injury claims, but not in restrictive covenant employment contract cases.

The question arises, however, as to the boundaries of such operations, having regard to privacy and data protection issues.

In Ireland, in Sweeney v Ballinteer Community School, the principal of the school was criticised by the High Court for having a private investigator follow a teacher for four days in a dispute about bullying and harassment.

In fact, the High Court held that this surveillance of Ms Sweeney was itself ‘harassment of the plaintiff’ and could easily have tipped her into mental illness if she became aware of it, especially in a case which saw Ms Sweeney bring legal proceedings against the school on the grounds of bullying and harassment.

The operator of the Luas transport service, Transdev, used a private investigator to follow one of its drivers who was moonlighting as a taxi driver on his wife’s licence. The WRC decided that the decision to dismiss him for gross misconduct was reasonable.

The Data Protection Commissioner has indicated that there must be a strong reason for surveillance before engaging the services of a private investigator.

Takeaway

If you are an employer and you believe a former employee is in breach of a restrictive covenant and you want to engage the services of a private investigator, tread carefully. You may have to justify the use of the investigator later on in any legal proceedings and you will need a sound justification having regard to the privacy and data protection rights of the employee.

Personal injury cases, however, have frequently featured the use of investigators engaged by the insurance company defending the claim and this is likely to continue.

GDPR Update: Has the Danger Passed?

Were you worried in the lead up to GDPR?

Has the danger passed? Are you just keeping the head down and hoping for the best?

Are you in a good place with respect to compliance or do you still have some concerns but hope the fears generated were exaggerated?

Just to remind you, new regulations concerning personal data protection came into force in the EU from 25th May, 2015: the GDPR regulations.

What has happened since then? Was the fear and loathing justified? Was it another “Y2K” scare (all hat and no cattle), or is it too early to decide?

Firstly, GDPR came into effect in Ireland 24 hours after the commencement of a new data protection act, the Data Protection Act, 2018. There is a certain degree of trepidation amongst data controllers and processors that this new law will lead to a significant increase in the number of legal cases arising from breaches, because the law now allows data subjects to bring civil actions for compensation.

Collective Actions

Data subjects can also now authorise not-for-profit organisations to bring complaints and act on their behalf. This kind of “class” action is a new development in Ireland and is likely to be availed of when there is a significant breach of personal data on a wide scale affecting a large number of individuals.

Two of these not-for-profit organisations, NOYB (‘None of Your Business’) in Austria and La Quadrature du Net (‘La Quad’), filed complaints in some European countries against large tech companies within a short time of GDPR coming into effect. There is nothing stopping them from popping up in Ireland.

Right to Compensation and Damage

The right to compensation and damage is set out in regulation 82, which states:

Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

The game changer in this regulation is the reference in subsection 1 to “material or non-material damage”.

Up to this point you had to show you had suffered actual loss or damage in Ireland to be compensated; you could not be compensated for non-material damage.

You will also see that subsection 1 refers to “controller or processor”. Prior to this only the controller could be held liable, but now a processor can also be named as a defendant.

Article 78 sets out the right of the data subject to sue, that is, a judicial remedy. It states:

Article 78

Right to an effective judicial remedy against a supervisory authority

1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

This right to bring a data protection action in Ireland is set out in section 117 of the Data Protection Act, 2018. This action is founded on tort (that is, a civil wrong) and can be instituted in the Circuit Court or High Court.

Section 117 obliges the plaintiff data subject to prove that:

his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment

The critical change now is that a data subject can sue for material and non-material damage. Non-material damage is set out in recital 85 as follows:

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned

You will see from regulation 82 above, section 2, that the controller and processor will be held liable where they are not compliant with the regulations; it is irrelevant whether they were negligent or at fault in any way.

How much compensation?

It is too early to say what level of compensation Irish courts will award, especially for non-material damage such as damage to reputation, unauthorised reversal of pseudonymisation or loss of confidentiality.

Clearly, from the perspective of a controller or processor, the smart thing to do is to try to ensure that there is no breach of personal data rights in the first place. However, it is vital that a breach is notified to the Data Protection Commissioner within 72 hours of becoming aware of the breach, as the Act refers to doing so “without undue delay”.

Section 85 Data Protection Act 2018 states:

85. Where a processor becomes aware of a personal data breach, the processor shall notify the controller on whose behalf the data are being processed of the breach—

(a) in writing, and

(b) without undue delay.

Further reading:

The General Data Protection Regulation (GDPR) in Ireland-the Essentials

Data Protection Breaches-Are You Entitled to Damages?

Employees’ Privacy in the Workplace: Interesting Decision of the European Court of Human Rights

An interesting case came before the European Court of Human Rights in September, 2017. The case was the Barbulescu case and concerns the extent to which employees are entitled to privacy in the workplace.

Factual Background

Mr. Barbulescu was a Romanian engineer. His employer asked him to set up an instant messaging account for work purposes. However, Mr. Barbulescu used it for personal reasons, too, and contacted his fiancée and brother regularly.

The employer monitored his message activity and, ultimately, dismissed him on the grounds of using company resources for personal purposes. Barbulescu felt this was a breach of his privacy rights in contravention of the European Convention on Human Rights.

The employee exhausted his claim in his domestic courts and the case eventually came before the European Court of Human Rights.

European Court of Human Rights Judgment

The European Court of Human Rights (ECtHR) recognised the difficulty in balancing the right of the employee to privacy under the European Convention on Human Rights against the employer’s right to safeguard its legitimate interests. In this case, that involved relying on the messaging records to prove a breach of the company’s internal regulations and policies, a disciplinary issue.

The Chamber of the ECtHR decided that the Romanian courts had struck a fair balance between these competing rights and held in favour of the employer, insofar as it was reasonable for the employer to be able to rely on the employee’s assurance that the messaging service was only being used for professional purposes.

Appeal to Grand Chamber of the European Court of Human Rights (ECtHR)

Barbulescu appealed this decision to the Grand Chamber of the European Court of Human Rights (ECtHR). It overturned the Chamber’s decision and held that, in deciding between the employee’s right to privacy and the employer’s legitimate interest in monitoring communications in the workplace, the following factors need to be considered:

  1. Was the employee put on prior notice of the monitoring activity?
  2. Regard must be had to the depth and breadth of monitoring; ascertaining how much personal communication takes place is one thing, reading personal messages is a different matter.
  3. Had the employer legitimate reasons for monitoring the communications?
  4. Was there a less intrusive method of achieving the same result?
  5. What are the consequences and impact of the monitoring?

Employers: what to do now

Review your existing policies on monitoring employees’ communications. The monitoring policy should not be unrestricted and should be explained to employees.

This explanation should include the type and scope of monitoring which is being carried out, why the monitoring is necessary, and the consequences of the data gathering; for example, will it be used in disciplinary proceedings leading to dismissal?

This European Court of Human Rights (ECtHR) decision is not binding on Irish Courts or the WRC or Labour Court, but will almost certainly have strong persuasive impact.

Here’s the full decision in Barbulescu v Romania, from the Grand Chamber of the European Court of Human Rights (ECtHR).