Striking a balance between the privacy rights of staff suspected of wrong-doing and your right as an employer to protect your business interests and property is a difficult task.

The recent European case of Ribalda v Spain helps to put this in context. A family owned supermarket was experiencing major stock losses. As it was unclear whether this was as a result of internal or external activities the employer decided to install video surveillance equipment to determine the root cause of the problem. They deployed a two prong approach by installing visible and hidden cameras. The purpose of the hidden cameras was to catch any internal thefts by the cashiers. The covert cameras were ‘successful’ and the employer dismissed five employees. They all admitted to the thefts in the presence of their union representative.

All five brought claims in the Spanish Employment Tribunal arguing that their dismissals had been unfair as they had not been told of the hidden cameras, and that their employer’s failure to do so breached Spanish data protection laws, which require data subjects to be “previously and explicitly, precisely and unambiguously informed” about the processing of their personal data. The Spanish courts were of the view that the covert CCTV surveillance had been justified, since there was a reasonable suspicion of theft, appropriate to the employer’s legitimate aim of protecting company property, and was necessary and proportionate.

Nevertheless, the claims found their way to the European Court of Human Rights. The claimants argued that the use of covert CCTV was an infringement of their Article 8 rights. The court found that a worker should have an expectation of privacy which must be rebutted before any covert monitoring becomes appropriate. The court took account of the following:

  • the fact that several people had seen the footage prior to the claimants, including their union representative and the employer’s lawyer;
  • the workers had not been told of, or consented to the covert surveillance;
  • the footage had been taken over a number of weeks, at all hours and had caught images of other workers who were not guilty of theft.

The court concluded that the employer’s measures were not proportionate and they were awarded 4,000 euros.

Peter Stanway, our BackupHR™ legal expert comments:

Guidance from the Information Commissioner’s Office (ICO) confirms that the use of covert CCTV should not be undertaken unless:

  • it has been authorised at the highest level within an employer’s business
  • there are sufficient grounds for suspecting criminal activity or equivalent;
  • telling the workforce would hinder the prevention or detection of crime
  • it is used as part of a specific investigation only and not continuing.

Under GDPR, data protection impact assessments will be mandatory prior to an organisation undertaking any process which presents a potentially high risk to an individual’s privacy rights, addressing the following questions:

  • can a limited, or a time-restricted, operation be used?
  • does the workforce already know of the possibility that covert CCTV surveillance may be used in exceptional cases?

There is no set method of presentation for a data protection impact assessment, under GDPR but the minimum features of such an assessment should include:

  1. A description of the envisaged processing operations and its purpose.
  2. An assessment of the necessity and proportionality of the monitoring.
  3. Evaluating the risks to the privacy rights of the individual(s) affected.
  4. The measures envisaged to address the risks and demonstrate the safeguards, and/or security measures that need to be put into place.

The guidance provided in this article is just that – guidance. Before taking any action make sure that you know what you are doing, or call us for a free initial chat on 01480 677980.