In recent times, the use of CCTV (closed circuit television) technology in the workplace has increased considerably. Employers install CCTV technology for a variety of reasons, including security, health & safety, the protection business interests, assessing & improving productivity and ensuring compliance with legal and regulatory obligations.
As CCTV technology has improved to record clear images and sounds of individuals, the use of this technology in the workplace has come under the scrutiny of data protection law and employment law.
The Data Protection Acts 1998-2003 define personal data as “relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or likely to come into, the possession of the data controller”. On the basis of this definition, the Data Protection Commissioner in Ireland has recognised that “recognisable images captured by CCTV systems are personal data”.
To this end, in December 2015, the Data Protection Commissioner issued guidelines for employers who had introduced or were considering introducing CCTV in their workplaces. It is pertinent for employers to adhere to these guidelines in the manner in which they utilise CCTV in the workplace.
Section 2(1)(c)(iii) of the Data Protection Acts 1998-2003 provides that the data controller (in this case, the employer) must comply with the provision that the data processed must be adequate, relevant and not excessive in relation to the purpose or purposes for which it is collected or further processed. This is the overriding objective which employers must adhere to when installing CCTV in the workplace.
Before installing CCTV in the workplace, the employer must ensure they have identified a genuine reason why CCTV is to be installed. They must then be able to justify that installing CCTV is a proportionate means of achieving that aim. Employers may wish to carry out a risk assessment and a privacy impact assessment as part of this process before the decision to install CCTV is made.
As part of the decision-making process, the employer must decide where CCTV is to be placed in the workplace. The proportionality, or otherwise, of the use of CCTV can change depending on the location. For example, placing CCTV to monitor the exterior of premises may require a lower standard of justification than placing CCTV in a staff canteen area. Employers should also consider how long data is to be retained, what it will be used for, and who will have access to it.
Once the decision to introduce CCTV has been made, the employer must ensure that a CCTV Surveillance Policy is drafted and included as part of their Employee Handbook. This should include the identity of the data controller, the reason why the data is being processed, any third-parties to whom the data may be supplied (such as An Garda Siochana), the retention period for the footage, security arrangements and details of how an employee can make an access request for footage on which they may appear.
As with any significant change in policies & procedures, it is highly advisable to consult with employees prior to the CCTV being installed – to explain why the step has been taken and the impact it may have for employees. Employees should be given the opportunity to raise any concerns they may have, and these should be addressed by the employer.
In addition to putting a written policy in place, signs should be placed around the workplace indicating that image and/or sound recording is in operation.
If you have any questions in relation to CCTV policies please contact our advice line on 01 886 0350.