Cameras are everywhere these days, but CCTV systems have been popular since well before the advent of camera phones. For the most part CCTV cameras are positioned in fixed, known locations such as public offices, shops or streets. A variety of covert cameras are available which have been used for many years to detect theft and fraud in particular. Any such use of covert recording should only be undertaken with caution, in specific circumstances and on the basis of advice.
— Alan English (@AlanEnglish9) June 17, 2015
This week’s Limerick Leader carries a story of covert recording in the offices of a school. It appears from the report that the reason for covert recording was that sensitive files had gone missing from the school. The full circumstances of the case are not yet known. The use of covert CCTV systems raises one set of issues, the missing files another. Missing files indicates a security breach and while a loss of personal data (likely sensitive personal data) is not specifically governed in the Data Protection Acts 1988 and 2003 a duty of care arises and the Data Protection Commissioner has published a code of practice on dealing with such breaches.
In general terms, the main considerations in using CCTV systems are the individual’s constitutional right to privacy, the Data Protection Acts and employment law. The right to privacy is somewhat undefined as no specific privacy law has been enacted (a previous bill was abandoned). Data protection legislation does not specifically refer to recording equipment or CCTV but since cameras record images of individuals, the images themselves are personal data within the meaning of the Acts and the general rules therefore apply to them. It is crucial that the collection of personal data by recording images is justified. Security would be an obvious justification but the Data Protection Commissioner is very clear that security does not justify indiscriminate recording of employees, for example.
[U]sing a CCTV system to constantly monitor employees is highly intrusive and would need to be justified by reference to special circumstances. If the monitoring is for health and safety reasons, a data controller would need to demonstrate that the installation of CCTV was proportionate in addressing health and safety issues that had arisen prior to the installation of the system.
Cameras should not ordinarily be put in locations where occupants and visitors would have a reasonable expectation of privacy. Particular sensitivity might be required in a school, for example, which is obviously frequented by minors. In addition, the Acts require that people are provided with information about the data collected about them and who has collected it. In the context of CCTV, therefore, notices should be displayed indicating that recording is taking place, who is responsible for the recording and why it is being carried out.
Use for monitoring staff performance or conduct is not an obvious purpose and staff must be informed before any data are recorded for this purpose.
Of course, there are situations in which these rules will neither work nor be appropriate and the Acts do allow for this. Indeed, the collective EU grouping of data protection regulators accepts that employers may have to resort to covert recording in order to address fraudulent or criminal behaviour and that national laws may permit this. Employment law has long recognised that covert recording might sometimes be justified. But it is clear that specific consideration must be given on a case-by-case basis to the use of covert CCTV recording. Case studies of the Commissioner demonstrate the factors which must be borne in mind.
For data protection purposes, covert recording can be justified generally only with the involvement of the Gardaí. Covert recording may be justified in the case of criminal offences, but not for performance-related monitoring.
The use of recording mechanisms to obtain data without an individual’s knowledge is generally unlawful. Covert surveillance is normally only permitted on a case by case basis where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies that a written specific policy be put in place detailing the purpose, justification, procedure, measures and safeguards that will be implemented with the final objective being, an actual involvement of An Garda Síochána or other prosecution authorities for potential criminal investigation or civil legal proceedings being issued, arising as a consequence of an alleged committal of a criminal offence(s).
Where CCTV footage is recorded, whether covertly or not, obligations continue to govern its retention and access to it. It is common for operators of CCTV systems to refuse to provide copies of their recordings to anyone other than Gardaí. It should be noted that, because camera footage is the personal data of the people recorded on it, those people have a right of access to it under the Acts. Again the Commissioner is quite clear:
Where a data controller chooses to use technology to process personal data, such as a CCTV system to capture and record images of living individuals, they are obliged to shoulder the data protection obligations which the law places on them for such data processing. In the matter of access requests for CCTV footage, data controllers are obliged to comply fully with such requests. Claims by a data controller that they are unable to produce copies of footage or that stills cannot be produced from the footage are unacceptable excuses in the context of dealing with an access request. In short, where a data controller uses a CCTV system to process personal data, its takes on and is obliged to comply with all associated data protection obligations.