Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

CASE STUDIES 2015

 
 

 
 
 
 

Case Study 1: Marketing offences by MTS Property Management Limited – prosecution

 
We received a complaint in February 2013 from an individual who received marketing SMS messages from MTS Property Management Limited advertising the company’s property-management services. The complainant informed us that she had dealt with the company on one occasion over five years previously but she did not consent to her mobile phone number being used for marketing purposes. She also pointed out that the SMS messages that she received did not provide her with a means of opting out.
 
Our investigation of this complaint became protracted as the company denied knowledge of the mobile number to which the SMS messages were sent and it denied knowledge of the account holder of the sending phone number. However, our investigation established sufficient evidence to satisfy itself that MTS Property Management Limited was responsible for the sending of the marketing SMS messages to the complainant. We decided to prosecute the offences.
 
MTS Property Management Limited had come to our attention previously in the summer of 2010 when two individuals complained about unsolicited marketing SMS messages sent to them without consent and without the inclusion of an opt-out mechanism. Following the investigation of those complaints, we warned the company that it would likely face prosecution if it committed further offences under Regulation 13 of SI 336 of 2011 at any future time.
 
At Dublin Metropolitan District Court on 23 February 2015, MTS Property Management Limited pleaded guilty to one charge of sending an unsolicited marketing SMS without consent and it pleaded guilty to one charge of failing to include an opt-out mechanism in the marketing SMS. The Court convicted the company on both charges and it imposed two fines of €1,000 each. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.


 

Case Study 2: Marketing offences by Greyhound Household – prosecution

 
In May 2014, we received a complaint against Greyhound Household from an individual who received an unsolicited marketing phone call on his mobile telephone from the company’s sales department. The same individual had previously complained to us in December 2013 as he was receiving marketing SMS messages from Greyhound Household that he had not consented to receiving. He informed us that he had ceased being a customer of the company in May 2013. Arising from the investigation of the previous complaint, Greyhound Household had undertaken to delete the former customer’s details and it apologised in writing to him. On that basis, we concluded the matter with a formal warning to the effect that any future offences would likely be prosecuted.
 
On receipt of the latest complaint, we commenced a further investigation. Greyhound Household admitted that a telephone call was made to the complainant’s mobile phone number without consent but it was unable to explain why his details had not been deleted in line with the company’s previous undertaking. We decided to prosecute the offence.
 
At Dublin Metropolitan District Court on 23 February 2015, Greyhound Household pleaded guilty to one charge of making an unsolicited marketing phone call to a mobile phone number without consent. The Court applied Section 1(1) of the Probation of Offenders Act subject to the defendant making a charitable donation of €1,000 to Pieta House. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.
 

Case Study 3: Marketing offences by Imagine Telecommunications Business Limited – prosecution

 
In March 2015, we received a complaint against Imagine Telecommunications Business Limited from a company that had received unsolicited marketing telephone calls. The same company had previously complained to us in 2014 about repeated cold calling to its offices. Despite having submitted an opt-out request to Imagine Telecommunications Business Limited, it continued to receive marketing phone calls. Following our investigation of the first complaint, and having been assured that the phone number of the complainant company had been removed from the marketing database, we issued a formal warning to Imagine Telecommunications Business Limited that any future offences would likely be prosecuted.
 
On investigating the current complaint, we were informed by Imagine Telecommunications Business Limited that it had failed to mark the telephone number concerned as ‘do not contact’ on the second of two lists on which it had appeared. This led to the number being called again in March and June 2015. It stated that the only reason the number was called after the previous warning was due to this error and it said that it took full responsibility for it.
 
We prosecuted the offences at Dublin Metropolitan District Court on 2 November 2015. Imagine Telecommunications Business Limited pleaded guilty to one charge of making an unsolicited marketing telephone call without consent. The Court applied Section 1(1) of the Probation of Offenders Act conditional upon a charitable donation of €2,500 being made to the Merchant’s Quay Project. Prosecution costs were recovered from the defendant.
 

Case Study 4: Marketing offences by Eircom Limited – prosecution

 
We received complaints from two individuals in February and April 2015 concerning marketing telephone calls that they had received on their landline telephones from Eircom Limited. In both cases, and prior to lodging their complaints, the individuals had submitted emails to Eircom Limited requesting that they not be called again. Eircom’s Customer Care Administration Team replied to each request and informed the individuals that their telephone numbers had been removed from Eircom’s marketing database. Despite this, each individual subsequently received a further marketing telephone call in the following months, thus prompting their complaints to this Office.
 
Eircom informed our investigations that the agents in its Customer Care Administration Team who handled the opt-out requests had not updated the system to record the new marketing preference after sending out the replying email to the individuals concerned. It undertook to provide the necessary refresher training to the agents concerned.
 
Separately, a former customer of Eircom complained in May 2013 that he continued to regularly receive unsolicited marketing phone calls from Eircom on his landline telephone despite clearly stating to each caller that he did not wish to receive further calls. He stated that the calls were numerous and that they represented an unwarranted intrusion into his privacy. Eircom continued to make a further ten marketing telephone calls to the individual after the commencement of our investigation of this complaint. Our investigation subsequently established that this former customer had received over 50 marketing contacts from Eircom since 2009 when he ceased to be an Eircom customer. Eircom explained that the continued calls arose from a misunderstanding of what systems the former customer’s telephone number was to be opted out from.
 
In October 2014, an Eircom customer complained that he had received a marketing SMS from Eircom that did not provide him with a means to opt out of receiving further marketing SMS messages. Eircom informed our investigation of this complaint that the inclusion of an opt-out is the norm in all of its electronic-marketing campaigns but, in this instance, and due to human error, the link to the necessary opt-out had not been set properly. Our investigation established that this error affected over 11,600 marketing messages that were sent in the campaign concerned.
 
We proceeded to prosecute the offences identified on foot of the complaints received in the aforementioned cases. At Dublin Metropolitan District Court on 2 November 2015, Eircom Limited pleaded guilty to six charges of making unsolicited marketing calls without consent and it pleaded guilty to one charge of sending a marketing SMS without a valid address to which the recipient may send an opt-out request. The Court applied Section 1(1) of the Probation of Offenders Act conditional on the defendant making donations amounting to €35,000 as follows: €15,000 to Pieta House, €10,000 to LauraLynn (Children’s Hospice) and €10,000 to Our Lady’s Children’s Hospital, Crumlin. The company agreed to pay the prosecution costs incurred by this Office.
 

Case Study 5: Defence Forces Ireland – failure to keep data safe and secure

 
A member of the Defence Forces made a complaint to this Office that certain personal data relating to him was not kept safe and secure by the Defence Forces.
 
The circumstances of the individual’s complaint to our Office arose when a Military Investigating Officer (MIO) was appointed to review an internal complaint made by him as a member of the Defence Forces. Subsequently, the Defence Forces Ombudsman was appointed to review the process of the handling of the complaint and, during the course of its review, it was ascertained that the MIO could not supply details of interview notes of an interview he had conducted with the complainant as he had stored them at an unsecure location and they were damaged or lost following flooding and a burglary at that location when the MIO was on an overseas mission. The unsecure location was in fact the MIO’s private house.
 
We raised the matter with the Defence Forces, who confirmed the complainant’s allegation that the notes had been stored at an unsecure location and had been damaged or lost as stated.
 
The Defence Forces informed us of the measures taken to keep data safe and secure, and referred us to its Administration Instruction, which provides for the prohibition of removal of records.
 
The Defence Forces further stated thatthe removal of records from their place of custody to a private residence would breach this instruction and that a breach of this provision may constitute an offence under S.168 of the Defence Act 1954. It advised that, as the MIO was no longer a serving member of the Defence Forces, he is not subject to military law.
 
The Defence Forces unequivocally acknowledged that the loss of the data in this case should not have occurred and was fully regretted. It informed us that it had recently undertaken a full review of practices and procedures in respect of both the processing and disclosure of data to mitigate the possibility of any future unauthorised or accidental disclosure of personal data.
 
The Commissioner’s decision on this complaint issued in June 2015, and it found that the Defence Forces contravened Section 2(1)(d) of the Data Protection Acts by failing to take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the complainant’s personal data when it allowed it to be stored at an unsecure location, namely a private house.
 
This Office acknowledges that the Defence Forces has procedures in place in relation to the protection of personal data as set out in its Administration Instruction. However, those procedures were not followed in this case and when an official record was removed from its place of custody, it resulted in the complainant’s personal data being lost or stolen because the appropriate security measures in place were not followed.
 
There are many workplace scenarios where staff and managers, in particular, may need to take files, including personal data, home with them. Extreme caution should always be exercised in such cases to ensure that there is no risk to the security of personal data either in the transit of the files or while the files are in the employee’s home. Data controllers must ensure that employees act in a responsible manner with regard to the safe custody and handling of workplace files. This demands a proper system that records the taking of and returning of files and the following of prescribed procedures for the safe keeping of personal data while the files concerned are absent from the workplace. Likewise, it is critical that employees are prohibited from emailing official files from their workplace email account to their personal email account for afterhours work or for any other reason. In such situations, data controllers lose control of personal data that they are obliged by law to protect.
 

Case Study 6: Further processing of personal data by a state body

 
In February 2015, we received a complaint from an employee of a state body in relation to the alleged unfair processing of his personal data. The complainant stated that, in the course of a meeting, he had been advised that his manager had requested access to data from his security swipe card in order to compare it with his manually completed time sheets. The complainant explained that this had been carried out without any prior consultation with him or his line manager. By way of background, the complainant informed us that the security swipe cards used by the employees are for accessing the building and secured areas only, and are not used as a time management/attendance system.
 
We sought an explanation from the body concerned as to how it considered that it had complied with its obligations under the Data Protection Acts in the processing of the complainant’s personal information obtained from his swipe-card data. We also advised it that we had sight of the relevant section of its staff handbook and we noted that there was no reference to the swipe card being used for the purpose of checking attendance.
 
We received a response explaining that the swipe-card data relating to the complainant was handed over to the complainant’s manager in good faith on the basis that it was corporate rather than personal data. The organisation also confirmed that it checked the staff handbook and any other information that may have been circulated to staff regarding the purposes of the swipe card and that there was no mention of the use of swipe cards in relation to recording time or attendance. It advised that the focus of the information circulated with regard to swipe cards was on security and access only.
 
After consideration of the response received, along with the content of the complaint, we informed the organisation concerned that we considered that the Data Protection Acts were breached when the employee’s swipe-card details were provided to his manager to verify his working hours. We referred to the provisions of Section 2(1)(c)(ii) of the Data Protection Acts, which state that data shall not be further processed in a manner incompatible with the purpose for which it was obtained. Given that we considered the information concerned had been processed in contravention of the Data Protection Acts 1988 and 2003, we required an assurance that all email records created in relation to the further processing of the swipe-card details concerned be deleted from its systems; this assurance was duly provided.
 
The complainant in this case agreed, as an amicable resolution to his complaint, that he would accept a written apology from his employer. This apology acknowledged that the complainant’s data protection rights had been breached and it confirmed that the organisation had taken steps to ensure that this type of error did not recur in the future.
 
This case highlights the temptation organisations face to use personal data that is at their disposal for a purpose other than that for which it was originally obtained and processed. The scenario outlined above is not uncommon, unfortunately. Time and attendance monitoring may occasionally prove difficult for managers, and contentious issues arise from time to time. The resolution of those issues should not involve an infringement of the data protection rights of employees similar or otherwise to the circumstances in this case.
 

Case Study 7: Supermarket’s excessive use of CCTV to monitor member of staff

 
A former staff member of a supermarket submitted a complaint to this Office regarding her employer’s use of CCTV.
 
The complainant informed us that she had been dismissed by her employer for placing a paper bag over a CCTV camera in the staff canteen. She informed us that the reason for her covering the CCTV camera was that when she was on an official break in the staff canteen, a colleague styled her. The complainant also stated that the camera was placed in the corner of the staff canteen and there was no signage to inform staff that surveillance was taking place. She informed us that she was never officially advised of the existence of the camera nor had her employer ever informed her of the purpose of the CCTV in the canteen.
 
In its response to our investigation, the supermarket informed us that the complainant was dismissed for gross misconduct, which occurred when she placed a plastic bag over the camera in the canteen to prevent her actions being recorded and thereby breaching the store’s honesty policy as outlined in the company handbook. The supermarket owner informed us that the operation of CCTV cameras within the retail environment was to prevent shrinkage, which can arise from customer theft, waste and staff theft. He stated that it was also used for health and safety, to counter bullying and harassment and for the overall hygiene of the canteen. In relation to the incident concerning the complainant, the owner informed us that, on the day in question, the store manager noticed some customers acting suspiciously around the off-licence area and that on the following day CCTV footage was reviewed. It was during the viewing of the footage in relation to suspicious activity in the off-licence area that he noticed the complainant putting a bag over the camera.
 
Following an inspection by one of our Authorised Officers, we informed the supermarket owner that, in our view, there was no justification from a security perspective for having a camera installed in the canteen area.
 
The complainant in this case declined an offer of an amicable resolution and she requested a formal decision of the Commissioner.
 
The decision by the Commissioner in January 2015 found that the supermarket contravened Section 2(1)(c)(iii) of the Data Protection Acts, 1988 and 2003, by the excessive processing of the complainant’s personal data by means of a CCTV camera in a staff canteen.
 
Data controllers are tempted to use personal information captured on CCTV systems for a whole range of purposes. Many businesses have justifiable reasons, usually related to security, for the deployment of CCTV systems on their premises but any further use of personal data captured in this way is unlawful under the Data Protection Acts unless the data controller has at least made it known at the time of recording that images captured may be used for those additional purposes, as well as balancing the fundamental rights of employees to privacy at work in certain situations, such as staff canteens and changing rooms.
 

Case Study 8: Disclosure of personal information to a third party by the Department of Social Protection

 
This Office received a complaint in July 2014 concerning an alleged unauthorised disclosure of the complainant’s personal information by the Department of Social Protection to a third party. The complainant informed us that, in the course of an Employment Appeals Tribunal hearing, her employer produced to the hearing an illness-benefit statement relating to her. The statement contained information such as her name, address, PPSN, date of birth, bank details and number of child dependants. She stated that her employer was asked how he had obtained this illness-benefit statement. He stated that he had phoned the Department of Social Protection and the statement had subsequently been sent to him by email. Prior to making the complaint to this Office, the complainant had, via her solicitors, received an apology from the Department, who acknowledged that her information had been disclosed in error and that proper procedures had not been followed. However, she informed us that she had very little information as to how the disclosure had occurred and that the matter had caused her considerable distress.
 
We commenced an investigation by writing to the Department of Social Protection. In response, it stated that it accepted that a statement of illness benefit was disclosed to the complainant’s employer in error, on foot of a telephone call from the employer. The Department acknowledged that the information should not have been sent out to the employer and that the correct procedures were not followed on this occasion. It stated that the staff member who supplied the information was new to the Department. It explained that it was not normal practice to issue a screenshot to the employer; the correct procedure was to issue a statement to the employee along with a note informing the employee that the information had been requested by their employer.
 
The data subject chose not to accept an apology from the Department as an amicable resolution of her data protection complaint, opting instead to seek a formal decision of the Data Protection Commissioner.
 
A decision of the Data Protection Commissioner issued in October 2015. In her decision, the Commissioner formed the opinion that the Department of Social Protection contravened Section 2(1)(c)(ii) of the Data Protection Acts 1988 and 2003 by the further processing of the complainant’s personal data in a manner incompatible with the purpose for which it had been obtained. The contravention occurred when the Department of Social Protection disclosed the complainant’s personal data to an unauthorised third party.
 
This case serves as a reminder to data controllers of the importance of ensuring that new staff are fully trained and closely supervised in all tasks, particularly in those tasks that involve the processing of personal data. Errors by staff present a high risk of data breaches on an ongoing basis and it is critically important that efforts are made to mitigate against those risks by driving data protection awareness throughout the organisation, with particular focus on new or re-assigned staff.
 

Case Study 9: Covert CCTV installed without management knowledge

 
This Office received a complaint from staff of Letterkenny General Hospital in relation to the operation of covert CCTV surveillance by management within the Maintenance Department of Letterkenny General Hospital.
 
We also received a ‘Data-Breach Incident Report’ from the Health Service Executive (HSE) about this matter. This breach report recorded the incident as ‘Unauthorised CCTV Surveillance of Office Area’ and stated that a covert CCTV camera was installed by two maintenance foremen in their two-man office due to concerns they had in relation to the security of their office.
 
We commenced an investigation of the complaint by writing to the Health Service Executive (HSE), outlining the details of the complaint. We sought information from it in relation to the reporting arrangements between the maintenance staff in Letterkenny General Hospital and the maintenance foremen who installed the covert CCTV; the whereabouts of footage captured by the covert CCTV; the outcome of the internal investigation; how the covert CCTV was installed without notice to the management of Letterkenny General Hospital; and details of any instruction or notification issued to staff on foot of the internal investigation.
 
In response, the HSE stated that the foremen who had installed the camera were direct supervisors of the maintenance department staff and that the footage recorded was stored on a DVD and secured in a locked safe. It further stated that an internal investigation concluded that two staff had installed the covert CCTV without the authority, consent or knowledge of the management of Letterkenny General Hospital, due to concerns regarding unauthorised access/security in their office. We established that the camera in question was previously installed in a now disused area of the hospital, had been decommissioned and was re-installed in the office in question.
 
As well as confirming that the footage captured by the covert camera was of normal daily comings and goings to the maintenance office, the HSE stated that this was an unauthorised action by staff in the maintenance section and that it was keenly aware of its duty to all staff to provide a workplace free from unauthorised surveillance. The HSE confirmed that it would initiate steps to ensure that there would be no repetition of this action.
 
The HSE subsequently issued a written apology to the complainants in which it also confirmed that the recordings had been destroyed.
 
A decision of the Data Protection Commissioner issued in April 2015. In her decision, the Commissioner formed the opinion that the HSE contravened Section 2(1)(a) of the Data Protection Acts 1988 and 2003 by failing to obtain and process fairly the personal data of individuals whose images were captured and recorded by a covert CCTV camera installed without its knowledge or consent.
 
Covert surveillance is normally only permitted on a case-by-case basis, where the data is kept for the purpose of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This implies that a written specific policy must be put in place detailing the purpose, justification, procedures, measures and safeguards that will be implemented in respect of the covert surveillance, with the final objective being an active involvement of An Garda Síochána or other prosecutorial authority. Clearly, any decision by a data controller to install covert cameras should be taken as a last resort after the full exhaustion of all other available investigative steps.
 

Case Study 10: Danske Bank erroneously shares account information with third parties

 
We received a complaint against Danske Bank alleging that it had disclosed personal data and account information in relation to a mortgage on a property owned by the complainant to third parties. We commenced an investigation of the matter by writing to Danske Bank, outlining the details of the complaint. We received a prompt response from Danske Bank, which stated that the complainant and the individual who received his personal data were joint borrowers on certain loan facilities and that it was during the course of email communications with the other individual in respect of that individual’s loan arrears that the personal data relating to the complainant was disclosed to two third parties. Danske Bank admitted that this was an error on its part and stated that it was unfortunate that it had occurred. It went on to explain that, in dealing with the queries raised by the other individual in respect of his arrears and entire exposure to Danske Bank, the relationship manager also included information on all arrears in respect of that individual’s connections, which included the complainant. The staff member concerned expressed his regret at the incident and Danske Bank confirmed that the staff member was reminded of its procedures with regard to data protection and the need to be vigilant when dealing with the personal data of customers. Danske Bank apologised for the incident and offered reassurance that it would endeavour to prevent a future reoccurrence.
 
Danske Bank went on to state that it had robust controls in place to ensure that such incidents did not occur; however, it admitted that, despite such controls, this was a case of a human error and it did not believe that it was in any way intentional.
 
The complainant requested that the Data Protection Commissioner issue a formal decision on his complaint. A decision of the Commissioner issued in January 2015, and it stated that, following the investigation of the complaint, she was of the opinion that Danske Bank contravened Section 2(1)(d) the Data Protection Acts 1988 and 2003 by disclosing the complainant’s personal data to a number of third parties without his knowledge or consent.
This case is illustrative of the need for financial institutions to be vigilant when dealing with the personal data of individuals who have common banking relationships with others, and to ensure that appropriate safeguards are in place to prevent accidental or erroneous sharing of personal data.
 

Case Study 11: Failure to update customer’s address compromises the confidentiality of personal data

 
This Office received a complaint that Allied Irish Banks (AIB) failed to keep the complainant’s personal data up-to-date over a prolonged period, despite repeated requests by the individual to do so, and that it failed to maintain the security of the individual’s personal information. The complainant informed us that he had repeatedly asked AIB to update his address details but that it had failed to do so. As a result, his correspondence from AIB continued to be sent to a previous address. The complainant alleged that, arising from the failure of AIB to update his address, his correspondence containing his personal data, which was sent to his previous address by AIB, was disclosed to unknown third parties at this previous address.
 
We commenced an investigation of the matter by writing to AIB, outlining the details of the complaint. AIB confirmed to us that, due to a breakdown in internal processes, the complainant’s correspondence address was had not been updated on all its systems in a timely manner, resulting in automated arrears letters continuing to issue to an old address.
In circumstances where AIB had been advised that the complainant had changed address, our investigation was satisfied that its continued sending by post or delivering by hand of correspondence intended for the complainant to the previous address failed to secure the complainant’s personal data against unauthorised access by parties who had access to the letterbox at the previous address.
 
Efforts to resolve the complaint by means of an amicable resolution were unsuccessful and the complainant sought a formal decision. In her decision, the Commissioner formed the opinion that AIB contravened Section 2(1)(b) of the Data Protection Acts 1988 and 2003 by failing to keep the complainant’s personal data up to date. This contravention occurred when AIB failed to remove the complainant’s previous address from his account despite notification from him to do so. The Commissioner also formed the opinion that AIB contravened Section 2(1)(d) by failing to take appropriate security measures against unauthorised access to the complainant’s personal data by sending correspondence by post and by hand delivery to an address at which he no longer resided, while knowing that this was no longer his residential address.
 
This case demonstrates the need for all data controllers to ensure that personal data is kept accurate and up-to-date at all times. Failure to do so may result in the disclosure of personal data to unauthorised persons as well as unnecessary distress and worry for data subjects who have updated the data controller with the most accurate information, only to find that the necessary safeguards were not in place to prevent their personal data being compromised by use, as in this case, of a previous address.
 

Case Study 12: Unfair use of CCTV data

 
The subject matter of this complaint was the use by the data controller of CCTV footage in a disciplinary process involving one of its drivers. The data controller, Aircoach, advised that it was reviewing CCTV footage from one of its coaches as part of dealing with an unrelated customer-complaint issue when it happened to observe a driver using her mobile phone while driving a coach.
As is often the case with such complaints, the complainant objected to the use of the CCTV footage as evidence in a disciplinary process that was taken by Aircoach against her, the basis of the objection being that it was unfairly obtained.
Aircoach informed us that it had introduced CCTV across its fleet in order to further enhance safety and security for both staff and customers. It further advised that all staff are informed that CCTV is installed and of the reasons behind its use, but admitted that it was not until the middle of 2014 that significant efforts were made to fully inform both staff and customers as to the presence of CCTV on its coaches.Aircoach provided us with a copy of its new CCTV policy and it also provided us with photos showing the CCTV signage on the coach entrance doors, adding that the process of putting appropriate signage in place on its coaches commenced in January 2014 and was concluded by October 2014.
The law governing the processing of personal data, including CCTV images, is provided for under Section 2 of the Data Protection Acts 1988 and 2003. Processing includes, among other things, the obtaining and use of personal data by a data controller and it must be legitimate by reference to one of the conditions outlined under Section 2A(1) of the Acts. In addition, a data controller must also satisfy the fair-processing requirements set out under Section 2D(1) of the Acts, which requires that certain essential information is supplied to a data subject before any personal data is recorded.
The investigation in this case established that, at the time of the relevant incident on 19 February 2014, the roll-out of CCTV signage by Aircoach had commenced; however, the company failed to properly or fully inform staff that CCTV footage might be used in disciplinary proceedings. Any monitoring of employee behaviour through the use of CCTV cameras should take place in exceptional cases rather than as a norm and must be a proportionate response by an employer to the risk faced, taking into account the legitimate privacy and other interests of workers. In this case, when processing the complainant’s image, Aircoach was not aware of any particular risk presented and, by its own admission, was investigating an unrelated matter. While it subsequently transpired that the incident in question was indeed a very serious matter, involving alleged use by a driver of a mobile phone while driving, there was no indication at the time of the actual processing that this was the case and the processing therefore lacked justification. In addition, the fair-processing requirements set out in Section 2D were not fully met and fair notice of the processing for the specific purpose of disciplinary proceedings was not given to drivers whose images might be captured and used against them. In those circumstances, the processing could not be said to have been done in compliance with the Acts and the Commissioner found that Section 2(1)(a) had been contravened.
It is important to note that the processing of CCTV images in disciplinary proceedings against an employee is very much circumstance-dependent. Thus, while on this occasion the employer was found to have been in contravention of the Acts because the images were processed without justifiable cause or fair notice to the employee in question, in other circumstances the processing might be regarded as being proportionate and fair, especially if the processing is done in response to an urgent situation and the employer has the correct procedures in place. Employers should therefore be careful to ensure that a comprehensive CCTV policy is in place and followed if they wish to stay within their legal obligations.