CCTV in public areas or in private residential properties has an obvious purpose – to deter intruders, to minimise risk of criminal acts occurring or anti-social behaviour.

CCTV can and often does also form the basis for "substantiating evidence" in a case where a company's disciplinary policy has been invoked. It can often be the determining factor of the outcome of an internal investigation or a point of reference in a disciplinary hearing, which may see a warning implemented or a dismissal. Disciplinary processes should always include an employee's right to appeal any sanction implemented, or a decision made to terminate a person's employment. This may naturally lead to an employee (and/or their representative) taking a hard look at the company CCTV policy to ensure the collection of the data used to determine such an outcome, and the processing of it, was lawful, fair, and in adherence with the CCTV policy.

As a starting point to developing such a policy where CCTV is in use within a company, employers must ensure they comply fully with general data protection principles, outlined in the DPC Guidance on the use of CCTV for Data Controllers.

A Data Controller should be an assigned competent person within a company who has overall responsibility for ensuring the CCTV policy is compliant and adhered to when it comes to the collection, secure storage and processing /use of any footage obtained. In the first instance, a company must carefully consider the purpose of its collection of personal data (such as CCTV footage) and communicate this to its employees or other data subjects whose personal data may be collected. This purpose must be very clearly communicated in the CCTV policy. For example, in a childcare setting, the policy may outline:

The CCTV system has been installed by the service with the primary purpose of ensuring the safety of children in our care, and helping to ensure the safety of all staff, parents/guardians, and visitors, consistent with respect for each individuals' privacy.

Case Study [Doolin V DPC, 2022]

In a recent case in the Court of Appeal, CCTV footage was found to be unlawfully processed when it was used to investigate threatening and racist graffiti found in the staffroom of a Hospice. The management were advised by the Gardaí to examine the CCTV to ascertain who may have been inside the room on the day the graffiti was discovered. On observation of the footage, the Hospice management found that Mr Doolin had entered the room at unauthorised times, outside of his statutory breaks. The Hospice invoked their disciplinary policy on these grounds, and an investigation report entitled “Investigation into staff member [CD] accessing the tea room at unauthorised times” was furnished. The report provided that “the panel have established on the balance of probabilities that unauthorised breaks were taken by Mr. Cormac Doolin on the afternoons of Tuesday 17th, Wednesday 18th and Thursday 19th November 2015."

The report made no reference to any findings in connection with the graffiti, and a disciplinary sanction was implemented against Mr Doolin in respect of taking unauthorised breaks.

The take-away for employers?

This case demonstrates the importance of having clear, lawful policies around the purpose and use of CCTV, and that managers/employer should revert carefully to them, particularly where there is a reliance on CCTV as a basis for the outcome of an investigation or disciplinary process. Although the use of CCTV for this purpose, or further processing of it is not automatically unlawful, there is more risk to an employer when the processing of CCTV is for a purpose other than that which is set out in the policy.

Canavan Byrne/CB & Associates can provide you with a fully comprehensive and compliant CCTV Use Policy to ensure best practice, fair and transparent processing is conducted in your company