Irish Data Protection Commission Case Studies
Use of CCTV & biometrics [2010] IEDPC 10 (2010)
URL: http://www.bailii.org/ie/cases/IEDPC/2010/[2010]_IEDPC_10.html
Cite as: [2010] IEDPC 10
In late 2009, we received a number of separate complaints from employees of Company X. These complaints concerned the alleged use by management of CCTV on its factory floor for the purpose of monitoring staff and the use of a biometric system for recording employees' time and attendance. As both CCTV and biometric systems process personal data, their use is governed by the Data Protection Acts. We decided that the most effective course of investigation was to carry out an unannounced inspection at the premises in question to establish the facts.
In November 2009 two authorised officers carried out an unannounced inspection. While we use such powers sparingly, this is a useful means of establishing compliance with the Data Protection Acts. In general, authorised officers are treated courteously and receive full cooperation in the course of such inspections. Unfortunately that was not the case on this occasion. From the outset of the inspection the factory manager made every effort to frustrate the work of the authorised officers. It was made clear to them that their presence on the site was not welcome. Such was the level of discourtesy displayed towards the authorised officers in the performance of their functions that they considered issuing a caution against the factory manager with a view to formally charging him with obstruction - a criminal offence under Section 24 of the Data Protection Acts. However, the level of cooperation increased as the inspection continued. During the inspection Company X denied that one of the purposes of the CCTV was to monitor staff. The company informed us that the main purpose of the CCTV system related to security and health and safety. On inspection of the factory, my authorised officers noted the location of the CCTV cameras. Based on information provided during the inspection, they noted that the individual who had access to monitor the CCTV images was a non-staff member. The individual in question was a member of the owner’s family and had off-site access to real-time CCTV views. It was also clear from our inspection that the company had no data protection policies in place in relation to the use of CCTV and biometrics. Following the inspection, the investigation progressed in the normal manner.
In our subsequent communications with the company we found Company X to be cooperative with our investigation. As a result of our extensive engagements with the company in the following weeks, it drew up a comprehensive data protection policy document. This document includes, among other things, its policy on the use of CCTV and biometrics in the workplace. The company’s CCTV policy includes confirmation that there will be no live monitoring of images captured on CCTV and that recorded images will be viewed only following the rare occasions when a security breach, employee personal protection or health and safety incident occurs. In relation to our concerns about access to the CCTV system, the company confirmed that access had now been restricted to two members of staff who had on-site access only. At our instruction, its policy on the use of the biometric system includes the provision that, should an employee have a legitimate privacy concern or any other concern in relation to the biometric hand scanner, they can contact a specific member of staff in the HR Department about their concerns. My Office informed the company that, if a legitimate privacy concern about the use of the biometric system is expressed by any employee to the HR Department, that employee has a right to opt out of using the system. We made it clear the onus is on the company to offer such an employee an alternative means of recording time and attendance. We informed Company X that, if it was to refuse such an employee the right to opt-out, he/she would have a right to make a complaint to our Office. Company X also confirmed that staff would be informed of the availability of a copy of its data protection policy documents.
The proliferation of CCTV and biometric systems in workplaces, without due regard to the data protection rights of employees and others, is a matter of great concern. We have commented at length on these issues in our Annual Reports.
This case study also highlights the difficulties which my authorised officers face from time to time in carrying out their statutory functions. In most cases they receive cooperation from data controllers and their staff. We acknowledge that for a data controller or data processor an unannounced inspection can be a trying and anxious experience. However, for our part, we tend not to conduct such inspections unless we have solid reasons based on complaints about breaches of the Data Protection Acts. Whatever the reason for the inspection, data controllers, data processors and their employees would be well-advised to cooperate fully with authorised officers. Authorised officers, in the exercise of their functions, have considerable powers conferred on them by law. Any obstruction or impediment placed in the way of the exercising of those powers is an offence and we will have no hesitation in prosecuting any individual, data controller or data processor who commits such an offence.