In its decision, the Court of Appeal (“the CoA”) determined that the employer had breached Mr. Doolin’s data protection rights when the employer used Mr. Doolin’s data, in the form of CCTV footage, in disciplinary proceedings (involving alleged unauthorised breaks during work hours).
The crux of this issue was that the employee had not been notified in advance that their data could be processed for such purpose, nor would it have been reasonable for the employee to expect their data would be processed for such purpose.
Mr. Doolin successfully argued that the data collected by the CCTV cameras were for a specific purpose, namely workplace security/health and safety, and that to extend that purpose to include disciplinary proceedings in respect of matters unrelated to security/health and safety was unlawful and in breach of GDPR.
Purpose Limitation Principle
Under the GDPR and Data Protection Acts, any personal data obtained by a data controller (in this case, Mr. Doolin’s employer) should be obtained for specific, explicit, and legitimate purpose (or purposes) and should not be processed any further than required for the purpose or in a manner which is incompatible with that purpose.
In other words, if a data controller informs its data subjects that their data is being collected for the purpose of security, the data cannot then be processed for any purpose other than security useless the data subject is informed in advance of this further purpose and the purpose is legitimate under the Data Protection Acts.
Mr. Doolin’s Complaint
When Mr. Doolin first made his complaint to the DPC, the DPC rejected his complaint and stated that the personal data consisted solely of Mr. Doolin’s image, and that the CCTV footage was reviewed without any further processing by the employer.
The DPC also held that Mr. Doolin’s data had been processed in connection with investigating the security issue only and that its subsequent use in the disciplinary proceedings did not constitute a different use or further processing.
The CoA disagreed with the findings of the DPC in upholding Mr. Doolin’s complaint.
It held that the data did not merely consist of Mr. Doolin’s image but included where he was and when. It also found that the employer not only processed Mr. Doolin’s data for the purposes of security but that it was also processed for the purpose of investigating Mr. Doolin.
The CoA determined that the concept of notification to the data subject for the purpose of data collection was central to the case. Under the Acts, data is not processed fairly unless the data subject is made aware of the purpose of processing at or before the data is obtained; it cannot be remedied after the fact.
The CoA also determined that it was not reasonable to say that Mr. Doolin had been notified that the CCTV footage would be used for disciplinary purposes nor was it reasonable for Mr. Doolin to expect such a use of the CCTV footage.
Accordingly, the CoA held that the DPC was wrong to reject Mr. Doolin’s complaint.
This decision highlights the importance of making data subjects aware of all purposes for which their data is being processed, particularly in the context of CCTV footage, when its purpose is largely security and health and safety. This can be done by ensuring that any CCTV data protection policy (and all other policies surrounding the use of data) is kept up to date and that the policy and any/all signs accompanying CCTV cameras list the purposes for which the data (ie. images of a data subject) is collected and processed.
To see a full copy of the Doolin decision, click here.
This document has been prepared by Kane Tuohy LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.
Cómhnall Tuohy, Managing Partner
Olwyn Ryan, Trainee Solicitor