Suspicious sales, secret surveillance and the Spanish supermarket
Video surveillance at work is a considerable intrusion into private life and it is important to weigh up the right to privacy as provided for by article 8 of the European Convention on Human Rights against the need for the surveillance. As a recent decision of the European Court of Human Rights illustrates, a fair balance has to be struck.
A recent covert surveillance at work case heard at the European Court of Human Rights (ECHR) has once more brought into focus the fine line between an employer doing what is necessary to protect its business, and the importance of respecting employees' right to a private life. Fortunately for employers, there is guidance from the Information Commissioner's Office (ICO) as to what employers need to be aware of when making decisions about monitoring employees by video surveillance.
This Spanish case (Lopez Ribalda and others) involved a supermarket employer who had identified discrepancies between sales and stock levels over a given period, leading to a suspicion that theft was taking place. It was however, unknown whether the culprits were employees of the supermarket or members of the public. The supermarket installed two categories of CCTV: visible cameras to monitor customers at the entrance points, of which staff were notified, and covert cameras focused on the check out and counter areas, of which staff were not informed. Five employees were subsequently caught on video stealing items for themselves, for colleagues and/or for customers by scanning and then cancelling purchases. They were subsequently dismissed and each brought claims through the domestic tribunals for unfair dismissal and complaints of a breach of their right to privacy.
The tribunal dismissed their claims. It found the use of covert surveillance to be justified and consistent with case law from the Spanish Constitutional Court, which broadly provided that in cases of suspected theft, the special circumstances could justify interference with an employee's right to privacy, if it was considered appropriate, necessary and proportionate to the legitimate aim being pursued. On appeal, the High Court upheld the findings. All five employees subsequently lodged an application with the ECHR which among other allegations, advanced a human rights argument that that the use of covert CCTV was an interference with article 8 (privacy) of the European Convention on Human Rights (the Convention), and that the lack of advance notification was a breach of Spanish data protection law.
The ECHR noted some similarities with an earlier German case (Kopke) in which the ECHR held that that Germany had not infringed the employee's article 8 rights, however, there were material differences in the German case including that: it involved an existing suspicion of theft against two employees; the covert surveillance took place for a limited period of two weeks; and there were no regulations at the time governing the use of surveillance in respect of employees. In the current Spanish case however, there was no substantiated suspicion against the five employees (with the consequence that the surveillance was directed at all staff); the surveillance was not time limited (and took place for weeks and during all working hours); and local data protection obligations on the employer were clearly in force (which they had not complied with).
The ECHR found that the Spanish courts failed to strike a fair balance between the employees' right to private life and the employer's interest in the protection of its property, and by a 6-1 majority held that there had been a violation of article 8 of the Convention. The ECHR concluded that the employer could have informed the employees in a general manner of the installation of video surveillance, and provided them with the required information under local data protection legislation.
Watching the watchers: General Data Protection Regulation implications on use of CCTV
A European advisory body on data protection (the Article 29 Data Protection Working Party) has published guidelines for certain data processing operations and refers to the carrying out of a Data Protection Impact Assessment (DPIA) – a concept introduced by the General Data Protection Regulation (GDPR) which comes into force on 25 May 2018. The assessment is a tool intended to assist the data controller with the act of balancing necessity against the risks to the rights and freedoms of natural persons, and to demonstrate compliance with its obligations under the Regulation.
Whereas a DPIA is not necessary for every data processing operation, it must be used where the processing is "likely to result in a high risk to the rights and freedoms of natural persons", which includes consideration of 9 criteria. Of particular relevance to the use of CCTV surveillance are the following:
- Criteria 3 – systematic monitoring (processing used to observe, monitor or control data subjects, including data collected through networks or "a systematic monitoring of a publicly accessible area");
- Criteria 5 – data processed on a large scale (considering the number of data subjects, the volume of data, the duration and geographical extent of the activity;
- Criteria 7 – data concerning vulnerable data subjects (where there is an increased imbalance of power between data controller and data subject); and
- Criteria 8 – innovative use or applying new technological or organisational solutions.
The guidance states that the presence of more than one criterion should as a general rule, indicate the need to carry out a DPIA.
Guidance from the Information Commissioner's Office
The ICO has produced a number of documents containing guidance on the use of employee monitoring systems. The Employment Practices Code, which is a statement of best practice, also contains a specific section on the use of video surveillance, and was written to assist employers to meet their Data Protection Act 1998 (DPA) obligations in relation to such activities.
The general guidance for any monitoring system is for employers to carry out an impact assessment to determine any adverse impact to employees, and to weigh this against the potential benefit which could be achieved. The employer is also required to assess whether the monitoring is a proportionate response to the problem. Specifically, the assessment should consider the following the purpose of the monitoring; any adverse impact; any alternatives to monitoring or less intrusive ways to carry it out; the employer's data protection obligations arising from the monitoring; and whether such a measure is justified.
Adverse impact involves considering the intrusion into the employees' private lives (which includes their time spent in the workplace). Relevant factors include whether employees are aware of the monitoring, whether the monitoring will be oppressive or demeaning, who will have access to the information gathered, and how the measure could affect workplace relationships.
Looking at alternatives includes asking whether the monitoring is necessary to achieve the intended aim, and if so, whether it could be limited in scope or confined to specific employees or high risk areas only.
Justification includes considering the benefits against any adverse impact, and being fair to individual employees. The Code notes that significant intrusion into employees' lives is not justified unless the employer's business is at risk of suffering serious damage.
The specific guidance on the use of CCTV is contained within Part 3 of the Code which reiterates the need to carry out an impact assessment. Surveillance should also be limited to areas of risk and continuous video monitoring of an individual is only likely to be justified in rare circumstances. Employees should be informed of the extent, purpose and nature of the monitoring unless covert surveillance is justified, and the employer must ensure that there are adequate notices to inform individuals (other than the employees) who may be caught by the surveillance.
The guidance recommends that covert monitoring should only be used in exceptional circumstances where there are grounds to suspect criminal activity or similar malpractice, and where an overt system would prejudice its detection. Covert monitoring should be for a limited time, used as part of a specific investigation only, and should not be used in areas which employees would reasonably expect privacy. The employer should also have firm guidelines in place as to who will have access to the footage, and importantly, covert operations should normally be authorised by senior management. Supplementary guidance to the Code suggests that a reasonable benchmark is whether the activity being monitored is sufficiently serious that it would be reasonable for the police to be involved.
The government has produced a Surveillance Camera Code which applies to some public authorities only, but which suggests that all data controllers in England and Wales can follow as good practice. It includes 12 Guiding Principles, summarised as follows: the use of a surveillance system should be for a specified purpose; the effect on individuals and their privacy should be considered; there should be transparency in use of the system and accountability; storage should be limited in scope and time; access to images should be restricted; system operators should meet operational standards; security measures should be in place to prevent unauthorised access and use; and reviews and audit processes need to be in place to ensure compliance with policies and standards.
Employers should also note that the ICO has also published a Data Protection Code of Practice for Surveillance Cameras which is not specific to the workplace, but which contains practical considerations on the use of surveillance systems and tips for compliance.
With the abundance of good practice guidance, obligations under data protection legislation, and the position taken by the courts to date, it is clear that employee privacy should be a paramount consideration for any employers looking to deploy CCTV systems in the workplace.
Employers should consider why CCTV is deemed necessary in their business, and if it decides to proceed with surveillance, it should ensure that employees are aware of why systems are being installed, what data will be gathered, and how it will be used. Having a video surveillance policy in place may be helpful so that employees are aware of their rights and the business reasons for the surveillance.
Employers should also bear in mind that impact assessments will need to be carried out and soon, Data Protection Impact Assessments too. Compliance is a continuing obligation. As circumstances change, the associated risks, and original reason for carrying out surveillance should be kept under review.