BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!

This Office received a complaint which stated that a supermarket instructed a third party to remove a CCTV hard-drive, containing CCTV footage of the complainant's image, from the store where the complainant worked as store manager and that no member of the supermarket staff accompanied this third party contractor during the removal. The complainant alleged that the supermarket viewed three weeks of CCTV footage which contained the complainant’s image and used this CCTV footage to ground a disciplinary hearing against the complainant. The complaint stated that at no point was the complainant consulted in relation to the removal, viewing or processing of the CCTV footage.

 

We commenced an investigation of the matter by writing to the supermarket outlining the details of the complaint. In response, the supermarket informed us that it was contacted by an external third party alleging irregularities in the cash management process in its store. An investigation into these irregularities was initiated and CCTV footage was secured in that process in line with the company's purpose for CCTV, namely to ''protect against inventory loss by criminal actions." It said that the CCTV recorder was removed by an authorised contractor, who did not carry out any maintenance which requires supervision, but solely removed the unit and transferred it to its regional distribution centre where it was securely kept in a locked room and footage was only reviewed by employees tasked with the investigation into the allegation. It informed us that the contents of the CCTV footage was explained  verbally to the complainant to allow him to explain the irregularities in the cash handling process.  The supermarket told us that, as a retail business which is handling large sums of monies on a daily basis, it felt that its actions were guided by a legitimate interest to protect its vested rights and property.    

 

We sought information from the supermarket regarding the 'external third party' who retrieved the CCTV footage from the store, and whether the CCTV footage in question demonstrated an "inventory loss by criminal actions." It informed us that the third party who retrieved the CCTV footage was its contracted CCTV service provider. It said that, in this incident, the contractor did not carry out any processing, but merely took the CCTV recorder from the store to the regional distribution centre. It further stated that the CCTV footage showed actions that were questionable, but that no conclusions were drawn from the footage as to whether the actions were of a criminal nature or a performance and conduct issue. It was satisfied from the complainant's explanations that the actions were not of a sinister nature, but instead constituted a total disregard for internal cash management procedures. It said that the complainant was subsequently disciplined for this matter.

 

We conveyed the explanation provided by the supermarket to the solicitor acting for the data subject. In response it was argued that the employer had already established that there was no cash missing by inspecting the safe and accordingly, there was no need to then review CCTV footage. It was further stated that the amount of CCTV footage viewed was excessive and disproportionate as the irregularities in relation to cash handling took place over a seven day period, but three weeks of CCTV footage was examined by the supermarket during the course of its investigation into the cash handling irregularities.

 

In response to this, the supermarket stated that the irregularities brought to its attention by the external third party were of such a complex and serious nature that it was not possible to fully investigate the matter by conducting a safe count alone. It further stated that it acted reasonably and proportionately and in compliance with data protection legislation when investigating the irregularities in the cash management process. We wrote to the supermarket seeking further specific information regarding the irregularities reported to it and how the investigation of same progressed. It informed us that it was notified by an external third party about irregularities in the cash management process. Two issues were identified, both of which involved substantial sums of money. The supermarket commenced its investigation of the matter as soon as the issues were identified. It stated that: “In order to preserve the CCTV footage for the investigation and to protect it from being overwritten, the DVR unit had to be removed by the contractors. CCTV footage from the 3rd January to 23rd January was viewed by the investigators, due to the fact that it was impossible to investigate the irregularities which took place on the 9th and the 16th of January in isolation, and given that the entire cash management for that period was relevant for the investigation.” It was further stated that the complainant was afforded the opportunity to view the entire footage in line with fair HR policies and proceedings.

 

The complainant sought a formal decision of the Data Protection Commissioner on his complaint. The key issue that arose for consideration under the Data Protection Acts was whether the supermarket acted in accordance with the requirements of the Acts when it processed CCTV footage which contained images of the complainant. The supermarket viewed CCTV footage for the period of 3 January 2012 to 23 January 2012. This footage was viewed as part of an investigation to determine whether any fraudulent or criminal activities had taken place following the reporting of irregularities to the supermarket by a third party and an alert being raised by its own internal processes. Section 2A(1)(d) of the Acts provide that a data controller shall not process personal data unless “the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.” The Data Protection Commissioner considered that, when the supermarket viewed the CCTV footage for the period, it did so in the pursuit of its own legitimate interests. The Commissioner did not consider that the processing of personal data in this case was unwarranted by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject. Following the investigation of the complaint against the supermarket regarding its processing of the complainant’s personal data in the form of CCTV footage, and having regard to the legitimate interests of the employer in this case, the Commissioner was unable to conclude that a contravention of the Data Protection Acts took place in this instance.  

 

This Office is receiving an increasing number of complaints concerning the use of CCTV in a range of environments. Many are against employers and the alleged use by them of CCTV to monitor employees as they go about their workplace duties. The use of CCTV in employment situations must be proportionate and transparent and the default position is that CCTV should only be used for stated valid purposes such as security.  CCTV footage should not be used as a tool for staff performance monitoring. Having examined the issues raised in this complaint, however, it was considered that the data controller in this instance presented this Office with a genuine security reason for processing the CCTV images of the complainant and accordingly, the processing could not be deemed to contravene the Data Protection Acts.