Covert CCTV at work. Is this ever possible?

The European Court of Human Rights recently held that covert CCTV infringed a worker's right to a private life. A previous decision of the same court permitted use of covert CCTV. So where do employers stand?

Background

It is generally accepted that the monitoring of workers is intrusive. Workers have a legitimate expectation that they can keep their personal lives private and that they are also entitled to a degree of privacy in their work environment.

The starting point for the use of covert CCTV of workers, therefore, is that it can be rarely justified. Guidance from the Information Commissioner's Office (ICO) -as drafted for the purposes of the Data Protection Act 1998 -confirms that the use of covert CCTV should not be undertaken unless:

• it has been authorised at the highest level within an employer's business;
• the employer is satisfied that there are sufficient grounds for suspecting criminal activity or some other equivalent malpractice in the workplace;
• that telling the workforce would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders;
• it is used as part of a specific investigation only, and its use should be stopped when that investigation has been completed.

Consideration should also be given to whether or not the police should be involved in such an investigation and as an alternative method of achieving the employer's intended aim(s).

In accordance with the Data Protection Act 1998 (and from 25 May 2018, the General Data Protection Regulation or GDPR), employers should be clear about the fact and purpose of any form of monitoring that they use and they must be satisfied that their chosen method of monitoring is justified in the circumstances. Workers must be aware of the nature, extent and reasons for any monitoring, unless, very exceptionally, a form of covert monitoring is justified.

Lopez Ribalda v Spain

In this case, all five claimants worked as cashiers at the same branch of a Spanish supermarket. In early 2009, they began to steal money from their employer, and in association with customers. Managers had been suspicious of missing monies and stock but were not sure whether losses were being caused by staff or customers. In response, CCTV surveillance cameras were installed at the store, aimed at detecting theft by customers, some visible and aimed at the entrance and exit doors. Some covert CCTV surveillance was also installed, aimed at the checkouts and tills, based upon a general suspicion against all staff in view of the missing monies and stock. Staff were told in advance about the visible CCTV surveillance but not about the covert CCTV operation. Despite the installation of known CCTV, the claimants continued to steal and were caught doing so by the covert CCTV operation. The claimants, when confronted, made full admissions and were dismissed.

All five brought claims in the Spanish Employment Tribunal arguing that their dismissals had been unfair as they had not been told of the hidden cameras and that their employer's failure to do so breached Spanish data protection laws, which require data subjects to be "previously and explicitly, precisely and unambiguously informed" about the processing of their personal data.

The claimants' unfair dismissal claims were rejected, with the domestic Spanish courts confirming that the covert surveillance had been lawfully obtained even though prior notice had not been given. The domestic Spanish courts were of the view that the covert CCTV surveillance had been justified, since there was a reasonable suspicion of theft, appropriate to the employer's legitimate aim of protecting company property, and was necessary and proportionate.

Nevertheless, the claims found their way to the European Court of Human Rights. The claimants argued that the use of covert CCTV was an infringement of their Article 8 right: the right to respect for private and family life under the European Convention on Human Rights. The court found that even at work a worker should have an expectation of privacy which must be rebutted before any covert monitoring becomes appropriate. In reaching this decision, the court took account of the following:

• the fact that a number of people had seen the footage prior to the claimants, including their union representative and the employer's lawyer;
• the workers had not been told of or consented to the covert surveillance of them;
• the footage had been taken over a number of weeks, at all hours and had caught images of other workers who were not guilty of theft.

The court concluded that the employer's measures were not proportionate. The employer should have safeguarded its property by other means which had less impact on the workers' privacy, and should have notified its workers in advance of the installation of the surveillance systems. Each of the claimants were awarded #4,000.

Köpke v Germany

In this case, a supermarket cashier was also dismissed for theft, having been caught as a result of covert CCTV surveillance being used by her employer. Again, after unsuccessfully challenging her dismissal in the German labour courts, she brought a claim in the European Court of Human Rights claiming that her Article 8 right had been infringed.

Her employer had, however, approached the use of covert CCTV by first giving consideration to how long it should remain in place, the need to protect its property, and the public interest in the proper administration of justice. It had also been a particular worker that was under suspicion of theft (which was different to the Lopez Ribalda case above) and the surveillance was directed at just that individual. As a result, the court found that the employer's interference with the worker's private life in this case had been restricted to what had been necessary to achieve the aims pursued by the covert CCTV surveillance.

So is covert CCTV possible in the workplace?

Yes it is, providing that there are:

• sufficient grounds for suspecting some form of criminal activity or other malpractice is taking place;
• workers are informed of the possibility of covert surveillance being used in exceptional circumstances, and what such footage may be used for

Given the significant intrusion to a worker's privacy rights, it is essential for employers to first undertake a detailed written assessment of whether or not such covert CCTV surveillance can be justified as being necessary and a proportionate means of achieving their aims. Can it be confirmed that there is no less intrusive way of tackling the suspected criminal activity or other malpractice? Within such an assessment, employers will need to consider whether or not telling the workforce about such surveillance would prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. It is also absolutely necessary that any form of covert monitoring is authorised by senior management.

GDPR implications

As we all know by now, the GDPR)seeks to change how organisations think about data protection and brings about enhanced rights for data subjects. Under GDPR, data protection impact assessments will also be mandatory prior to an organisation undertaking any process which presents a potentially high risk to an individual's privacy rights.

The specific introduction of CCTV surveillance into the workplace (whether open or covert) presents a high risk to individuals' privacy rights. A data protection impact assessment should always be undertaken for any form of CCTV surveillance operation that is to be implemented on or after 25 May 2018. Such an assessment should address the following questions:

• Can a limited, or a time-restricted, operation be used?
• Does the workforce already know of the possibility that covert CCTV surveillance may be used in exceptional cases and in accordance with existing policies and procedures?

While there is no set process or method of presentation for a data protection impact assessment, under GDPR the minimum features of such an assessment must include:

• a description of the envisaged processing operations and the purpose of the processing;
• an assessment of the necessity and proportionality of the data processing activity;
• an assessment of the risks to the privacy rights of the individual(s) affected;
• the measures envisaged to address the risks and demonstrate compliance with the GDPR, for example, the safeguards and/or security measures that need to be put into place.