The subject of CCTV in the workplace has been raised by clients of mine on a number of occasions recently and covert surveillance at work is a topic that has been making waves right across Europe following a string of cases in the European Court of Human Rights.
Surveillance systems are relatively easy to purchase and install these days which has led to them becoming a common occurrence in offices and factories, almost to the point of being as ubiquitous as a hot air hand dryer in the washroom. My first question to any business owner or director who has installed CCTV – or is considering doing so – is why?
Data protection and CCTV
The images recorded by surveillance equipment constitute personal data and any business that is considering recording their staff or clients in this way needs to be completely clear about why they are choosing to do so and whether there is a better solution.
This is a discussion for senior management and should be undertaken well before any equipment is purchased. Other important things to establish include where the data will be stored and for how long (some systems can be set to automatically delete data after a certain number of days) and who will have access to the images (multiple user access can be difficult to manage and justify).
ICO guidelines on CCTV at work make it clear that staff must be told where it is operating and why it is being used. Any clients or visitors who might pass through an area where CCTV is being used must be made aware of it or there should be clear signs on display that surveillance is taking place. As with any data collection, anyone who has been recorded is entitled to apply for access to the data that is being held on them.
The ICO also advises that an organisation using CCTV should set clear rules about access to the recorded data. As an employer, you need to be clear from a data protection perspective on who has access, why they need it and how they are viewing it.
Is it lawful to install covert surveillance in the workplace?
There may be times when you want to use covert surveillance to tackle an issue such as persistent theft in the workplace but does this mean you will be breaching your employees’ right to privacy?
In the case of Lopez Ribalda & Ors v Spain, the European Court of Human Rights ruled that the article 8 right to privacy had been breached when a supermarket used covert CCTV to investigate suspected theft. Workers had been informed about visible cameras but not about others that were hidden from view. The ECtHR held that video surveillance at work is an intrusion into the private life of employees. There was also a data protection issue and the court stated that staff must be “explicitly, precisely and unambiguously” informed of any personal data file that exists, the purpose for collection, how the data is collected and who has access to it.
The problem in the case of the Spanish supermarket was that although there was a clear purpose – and five employees were caught on camera stealing and assisting other staff and customers to commit theft – the employer had not struck the right balance between protecting the privacy of its staff and safeguarding it property and goods. The majority opinion was that the employer’s rights could have been achieved differently and that by installing CCTV openly and in a way that complied with data protection laws, the same ends could have been achieved. Furthermore, the covert surveillance targeted all staff, not just those under suspicion of theft, and took place continuously over a period of many weeks rather than being limited to certain hours and a specific time frame. If the covert filming had targeted specific people during certain shifts over a defined and limited period of time the supermarket’s senior management would have had a much stronger case.
Similarly, in the case of Antovic and Mirkovic v Montenegro and Kopke the ECtHR ruled that the privacy of two professors was infringed when CCTV was installed in student auditoriums to monitor teaching and protect property and people. The domestic court had originally found in favour of the employer, stating that the setting of a public auditorium could not be considered part of the professors’ “private” lives. However, the European court held that the term “private life” was open to wider interpretation and included a right to lead a private social life at work, which would not be the case if functions were being attended in auditoriums where covert surveillance was being carried out.
There are occasions when covert surveillance is considered to be justified and lawful, as in the case of Köpke v Germany, another supermarket theft investigation. In contrast to the Spanish supermarket case mentioned above, a time period of two weeks had been set for the surveillance project and a very limited area had been chosen, covering a small zone around the supermarket’s cash register. All activity in that zone was monitored over a set period and it had been prompted by a clear objective – the suspicion of all staff after stock irregularities were identified. This targeted and defined approach persuaded the court that the intrusion into staff privacy was justified by the employer’s need to protect its property.
Summarising the ICO guidelines
The above cases make it quite clear that covert surveillance in the workplace is rarely justified and that any employer undertaking such activity risks legal action under both privacy and data protection laws.
The Information Commissioner’s Office states that covert surveillance should only be considered in very exceptional circumstances. If it is used, the monitoring must be for a specific purpose and timeframe and any tangential footage should be deleted.
In most cases of theft, openness will achieve the same objective. An employee is unlikely to continue with unlawful behaviour when he or she knows their activities are being monitored. There will be times when undercover surveillance is warranted to detect criminal activity or malpractice but there is a very fine line, as the above cases make clear.
In most situations, however, covert CCTV at work should be a last resort.
CCTV in the workplace, whether it is openly installed or not, is a major undertaking for any employer. New data protection laws under GDPR cover all types of data, including CCTV footage, and the way that data is stored, viewed and accessed by those within the organisation will be open to scrutiny. Are you absolutely sure you know why you are using CCTV, whether everyone in your organisation is aware of its existence and location and who has access to the data? Do those with access to the footage have a clear reason for viewing it? Are they viewing on public devices that could be accessed by unauthorised personnel?
As privacy and data protection legislation tightens, this is the ideal time for senior management teams to be reviewing their CCTV policy in light of recent cases and upcoming regulatory changes. The ICO recommends carrying out an audit where companies with to install or continue using CCTV on site and this is something I can assist boards and business owners with. If you would like to discuss this or any aspect of this article further please drop me a line at firstname.lastname@example.org