In Doolin v DPC [2020], the High Court held that an employer’s use of CCTV footage in an employee’s disciplinary proceedings constituted unlawful further processing. It concluded that the Data Protection Commission (DPC) had made an “error of law” in its finding that no further processing of the CCTV footage had occurred. The Court found that the CCTV footage was lawfully collected for security purposes. However, the CCTV footage was then unlawfully further processed for the purpose of the disciplinary proceedings, which was incompatible with the original purpose for which the CCTV footage was processed. The decision shows the importance of only using personal data, particularly CCTV footage, for the purpose for which it was collected.
Background
The case involved an investigation by Our Lady’s Hospice and Care Services (OLHCS) into a threatening and offensive graffiti message discovered in a staff room on their Hospice campus. The graffiti was reported to An Garda Síochána, who advised OLHCS to review their CCTV footage to determine who might have been responsible for the vandalism.
The appellant, Mr Doolin, was one of those identified as having accessed the staff room during the days leading up to the graffiti being discovered, and was asked to attend a meeting with an internal Investigation Panel. Although references were made to the CCTV footage, he was assured that any disciplinary proceedings would continue solely on the basis of the admissions made by the appellant.
In their report on the incident, the Panel noted that Mr Doolin had accessed the staff room on three consecutive afternoons leading up to the discovery of the graffiti. In contrast to its original assurance to Mr Doolin, it was apparent that the panel had relied directly on CCTV footage to arrive at its conclusions. Mr Doolin was invited to a disciplinary hearing and given a minor sanction.
Mr Doolin made a complaint to the DPC. Following an investigation, the DPC’s conclusion was that OLHCS had a lawful basis to access and view the CCTV footage (i.e. to address a potential security issue), and that the use of information gathered from viewing the footage during the disciplinary process did not constitute a different purpose for processing. The DPC made a distinction between using the information obtained from a recording and carrying out further processing for a further purpose. As the CCTV had not been accessed and downloaded for a second time to use in the disciplinary proceedings, the DPC was of the opinion that the limited viewing of the images had taken place exclusively for the original stated purposes.
During proceedings in the Circuit Court, the DPC altered its original position and instead argued that the further use of the CCTV footage in the context of disciplinary proceedings was pursuant to the original stated purpose, as Mr Doolin had committed a breach of security by being in an unauthorised place at an unauthorised time. This argument was accepted by the Circuit Court and appealed to the High Court.
Legal issue – Purpose limitation principle
Mr Doolin’s claim centred on whether OLHCS had exceeded its lawful purpose in collecting the CCTV footage. Although the footage had originally been viewed for a permissible use in line with OLHCS policy (i.e. to prevent crime, protect staff, and public safety), it was claimed that using this same information in the context of disciplinary proceedings breached the ‘purpose limitation’ principle, and constituted a breach of section 2(1)(c)(ii) of the Data Protection Act 1988 and 2003. This provision states that a data controller may only collect and process personal data for one or more specified and lawful purposes, and may not further process the data in a manner which is incompatible with the original purpose(s).
Reference was also made to Opinion 3/2013 on purpose limitation from the Article 29 Working Party (now known as the European Data Protection Board), which states that any processing subsequent to collection will be considered ‘further processing’ and must be compatible with the purpose for which the personal data was collected. The fact that the further processing is for a different purpose does not necessarily mean that it is automatically incompatible: this needs to be assessed on a case-by-case basis. The Opinion identified four key factors to be considered during the compatibility assessment, including:
- the relationship between the purpose for which the data was collected and the purposes of further processing;
- the context in which the data have been collected and the reasonable expectations of the data subjects as to their further use;
- the nature of the data and the impact of further processing on the data subjects; and
- the safeguards applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects.
Decision
The High Court overturned the Circuit Court’s decision, on the basis that there was no evidence for the conclusion that the disciplinary action, in which information derived from CCTV footage was used, was carried out for security purposes.
Ms. Justice Hyland noted that the DPC had significantly departed from its original approach in arguments presented at trial:
“The DPC has gone from finding no breach because there was no further processing of the CCTV footage to asserting in these proceedings no breach because any further processing was done for the purpose for which the material was collected i.e. security”.
The Judge noted that both the sign beside the CCTV cameras and OLHCS’s CCTV policy stated that the images were being recorded for the purposes of health, safety, and crime prevention. The CCTV policy was later amended after the graffiti incident to also cover use of the footage for disciplinary purposes. The Judge remarked that many of the difficulties in this case may have been avoided had the amended policy been in place at the time of the incident. A data processor is entitled to use CCTV data for identified purposes, if these purposes are clearly identified before the material is collected.
The Judge also found that the DPC had made an error of law in its interpretation of “processing”. Although the footage had not been accessed and downloaded for further use, the Judge relied on the broad statutory definition of “processing” to determine that the passing of information obtained from the footage constituted “further processing”. The DPC’s submission that upholding the claim would have “draconian consequences” which “would seriously hamper investigations of the kind carried out here” was also rejected.
Comment
This case highlights the importance of having clear policies and procedures in place for processing personal data relating to employees, particularly in relation to CCTV footage. Organisations must carefully consider the purpose(s) for which they are collecting personal data, and ensure these purposes are clearly set out in the organisation’s data protection notice/policy, and are communicated to employees and/or other data subjects whose personal data is collected.
Although further processing of personal data is not automatically unlawful, it is more likely to be so where the further processing: is not related to the original purpose; would not be expected by data subjects; could have unforeseen or negative impacts on data subjects; and is not accompanied by additional safeguards to ensure fair and transparent processing.