Privacy at work
Everyone has a right to privacy at work. Article 31(1) of the Charter of Fundamental Rights of the European Union states:
‘Every worker has the right to working conditions which respect his or her…dignity’
This obligation is now binding upon the State, following the entry into force of the Treaty of Lisbon. Whilst the right to privacy in the workplace has yet to be considered by the European Court of Justice, it was recognised by the European Court of Human Rights in Halford v United Kingdom and Niemitz v Germany. In Köpke v Germany the European Court of Human Rights reiterated ‘…that the concept of private life…may include activities of a professional or business nature and may be concerned in measures effected outside a person’s home or private premises…’ The right to privacy at work is not absolute and it has to be balanced with other rights. In Benediktsdóttir v. Iceland e-mails taken from the applicant’s former employer were published in the Icelandic press. The European Court of Human Rights was then faced with the task of deciding whether Iceland had ‘…achieved a fair balance between the applicant’s ‘right to respect for’ her ‘private life’ and her ‘correspondence’ and the newspaper’s right to freedom of expression…’ (the Court concluded that it had).
In Case Study 14/2008 the Data Protection Commissioner received a complaint:
‘…from an individual concerning the processing, without his knowledge or consent, of both his and his children’s personal data by his employer. The complaint involved the obtaining and processing of his personal data and that of his children by way of a private investigator producing footage of his movements and his children’s movements on a DVD for the company without his knowledge or consent’
The Commissioner’s Office investigated. It began its investigation by asking the employer what was going on. The employer explained that ‘…the complainant was employed as a sales representative and, as such, spent virtually all of his time away from the company’s premises’. It had become concerned about his performance and so had decided to employ a private investigator to follow him. It did not appear to have considered any other methods of resolving the issue; indeed, it informed the Commissioner that ‘… it believed there were no other steps it could have taken’. The Commissioner’s Office held that a breach of the Data Protection Acts had occurred as:
‘…the processing of the employee’s personal data by way of a private investigator recording the employee’s movements was not justified as it had not taken appropriate steps to highlight its concerns to the employee prior to making the decision to hire a private investigator to record his movements’
Data Protection at work
The processing of an employee’s personal data for the purpose of discharging an employee’s duties under the contract of employment will be legitimate as it is necessary ‘…for the performance of a contract to which the data subject is a party…’. Other functions such as the processing of data for the purposes of the PAYE tax system will be legitimate as ‘…for compliance with a legal obligation to which the data controller is subject other than an obligation imposed by contract…’. Employers need to be careful when processing those categories of data that are ‘sensitive’, such as data relating to employees’ medical lives and trade union membership. In Case Study 16/2008 a manager breached the Acts by pinning an employee’s medical certificate to a notice board above her desk. In Case Study 2/2007 an employer breached the Acts by using a medical report obtained for the purposes of litigation for another purpose, namely that of dismissing the employee.
Surveillance technologies can give rise to privacy concerns in the workplace, such as those raised in relation to electronic communications and biometrics. Biometrics is the term given to the use of individuals’ physical features such as fingerprints or facial images to identify them. Biometrics are used in passports and other travel documents. They can also be used by employers and the Data Protection Commissioner held that their use was justified in Case Study 1/2005. Such a system was described by the Data Protection Commissioner in Case Study 12/2007. The system in question was ‘…a touch verification system…’, which required ‘…a fingertip to be inserted into a reader which converts the fingertip into an encrypted algorithm and then the employee enters their unique pin number onto a pad. The system then stores a numeric sequence on a central database. It was claimed that the numeric sequence cannot be reversed or used for any other purpose except for verification and it is also encrypted’. In Case Study 12/2007 a number of data subjects had complained that their employer was proposing the introduction of such a system. The Data Protection Commissioner investigated their complaints and on foot of that investigation the employer decided to introduce ‘…a pin code system…’ for the subjects in question. Similarly in Case Study 10/2010 it was agreed with the Commissioner that employees who had a legitimate objection to the use of a biometric system could opt out of it.
CCTV at work
That the use of CCTV can impact upon the privacy of individuals was accepted by the European Court of Human Rights in Peck v United Kingdom. Since CCTV requires the processing of audio-visual data it will also be subject to the Data Protection Acts. The Data Protection Commissioner has considered the processing of such data in a number of case studies. In Case Study 10/2008 an employer ‘…had used CCTV images to compile a log that recorded the employees’ pattern of entry and exit from their place of work’. The employer then informed the subjects that it intended to use this data at a disciplinary hearing, which could result in their dismissal from work. The subjects complained to the DPC that they ‘…had never been informed of the purpose of the CCTV cameras on the campus where they were employed. They pointed out that there were no signs visible about the operation of CCTV’. The DPCO contacted the employer and informed it that:
‘…to satisfy the fair obtaining principle…those people whose images are captured on camera must be informed about the identity of the data controller and the purpose(s) of processing the data’
The employer accepted that it was not entitled to use evidence derived from CCTV in its disciplinary proceedings and indicated to the subjects that the disciplinary charges in question were being withdrawn.
In Case Study 10/2010, CCTV was in operation in the workplace with a non-employee (a member of the owner’s family) having off-site access to real-time CCTV views. Following an inspection by authorised officers, they agreed that access would be restricted to 2 members of staff on-site and no real-time views would be permitted. It was agreed that recorded images would be viewed only after a security breach or health and safety incident.
In Köpke v Germany the applicant was a shop assistant whose employer had noticed irregularities in its accounts, which it suspected the applicant had manipulated. The employer hired a detective agency and initiated covert surveillance of the applicant and another employee over a period of two weeks. The applicant was summarily dismissed as a result. She appealed her dismissal, but having viewed the video material generated by the covert surveillance the German Labour Court concluded that the dismissal was justified in the circumstances. The applicant brought her case to the European Court of Human Rights arguing that Germany had failed to adequately protect her privacy at work. The European Court of Human Rights considered that ‘… the covert video surveillance of an employee at his or her workplace must be considered, as such, as a considerable intrusion into the employee’s private life’. However, it also noted that ‘…the video surveillance of the applicant was only carried out after losses had been detected during stocktaking and irregularities had been discovered in the accounts… was limited in time…(and)… was restricted in respect of the area it covered…’ Access to the surveillance footage was limited and it was ‘…used only for the purposes of the termination of the employment relationship with the applicant’. The Court concluded that:
‘The interferences with the applicant’s private life were thus restricted to what was necessary to achieve the aims pursued by the video surveillance’
The Court went on to note that it had to balance the employee’s right to privacy with the employer’s right to property and that:
‘It must be considered essential for its employment relationship with the applicant, a person to whom it had entrusted the handling of a till, that it could rely on her not to steal money contained in that till’
An interesting factor that it also took into account was that ‘…the covert video surveillance of the applicant served to clear from suspicion other employees who were not guilty of any offence’. Finally, the Court observed that there ‘…had not been any other equally effective means to protect the employer’s property rights which would have interfered to a lesser extent with the applicant’s right to respect for her private life’. Taking all these factors into account the European Court of Human Rights concluded that there was nothing to suggest that the German Courts had:
‘…failed to strike a fair balance…between the applicant’s right to respect for her private life… and both her employer’s interest in the protection of its property rights and the public interest in the proper administration of justice…’
The European Court of Human Rights therefore refused to admit the case, but in doing so it wished to make it clear that its decision should not be read as a general endorsement of the use of covert surveillance technologies, concluding with the comment that:
‘The competing interests concerned might well be given a different weight in the future, having regard to the extent to which intrusions into private life are made possible by new, more and more sophisticated technologies’
The Data Protection Acts may apply to the audio-visual surveillance data generated by such covert surveillance technologies, and workplace surveillance has been considered by the Data Protection Commissioner in a number of cases. In Case Study 6/2007, which concerned the use of covert CCTV surveillance by a hotel, a complaint was received from a former employee of the hotel, who had been dismissed following the installation of a covert CCTV system. This system had been installed for the purposes of investigating allegations which did not involve the subject. Following her dismissal the subject complained to the DPC, who began by explaining that:
‘The use of recording mechanisms to obtain data without an individual’s knowledge is generally unlawful. Such covert surveillance is normally only permitted on a case by case basis where the data is gathered for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies an actual involvement of An Garda Síochána or an intention to involve An Garda Síochána’.
Following an investigation by his office, the DPC was satisfied that the rights of the subject had been breached as:
‘Covert CCTV cameras had been installed to investigate specific incidents. The data subject was not the subject matter of this investigation. The personal data of the persons captured on the footage was obtained for one purpose – the investigation of specific incidents in the hotel. In the case of this data subject, her personal data was further processed in a manner incompatible with the original purpose’.
The DPC having come to this conclusion, the hotel and its former employee entered into discussions, which led to an ‘amicable resolution’.
Using a private investigator
Evidence derived from surveillance by private investigators has been admissible as evidence in many cases including Shelly Morris v Dublin Bus, where the plaintiff claimed that she had sustained serious injuries while she was a passenger on the defendant’s bus and claimed she had to retire on health grounds. Evidence was accepted by the court from a private investigator which showed her movements to be ‘natural and unhindered’. In O’Connor v Dublin Bus Hardiman J in the Supreme Court stated that ‘A significant number of personal injury claims feature injuries which are not, or not wholly, capable of being proved or negatived by the normal processes of clinical medicine. The credibility of the plaintiff is central in such cases, some of which are very substantial ones. Video surveillance …is often resorted to as a check or control of the plaintiffs’ account’. In many cases, the Employment Appeals Tribunal has also accepted such evidence where it has been used in accordance with fair procedures. The Data Protection Commissioner, however, regards the engagement of the services of a private investigator as a risk not only to the protections afforded to a data subject under the Data Protection Acts but also, potentially, as a breach of a person’s constitutional right to privacy.
It is worth noting that a person could pursue a personal injury action as a result of surveillance. Following a bullying and stress complaint Ms. Sweeney (a home school liaison) was subjected to surveillance during school hours in Sweeney v Ballinteer Community School. Herbert J. accepted the plaintiff’s evidence that ‘she felt hunted, threatened and terrified’ and stated that ‘for a woman on her own to have two men following her about in a car during her working day must (have) been a truly terrifying experience for her’. He further stated that ‘despite being fully aware of the plaintiff’s long and totally uncharacteristic absences from work, in 2005, 2006 and 2007, medically certified on each occasion as being due to work related stress, which he knew, or would have known had he chosen to consider the matter, rendered the plaintiff very vulnerable to some form of mental illness such as a nervous breakdown, Dr. C (the principal) arranged for this single lady to be stalked by a private investigator’. Herbert J. held the defendants negligent ‘…in causing or permitting the plaintiff to be harried, watched and beset in the course of her employment with the Board of Management of B.C.C.. I find that the same acts or omissions may form a basis for an action for breach of an implied term of contract’.
Breach of the Data Protection Acts
In Case Study 14/2009, an employer breached the Data Protection Acts by using covert surveillance. The employer used the services of a private investigator to check the activities of one of its sales staff. The investigator recorded a DVD of the employee’s activities (this included activities with children). The Commissioner stated that:
‘…the processing of the employee’s personal data by way of a private investigator recording the employee’s movements was not justified as it had not taken appropriate steps to highlight its concerns to the employee prior to making the decision to hire a private investigator to record his movements. My Office also requested that the DVD in question be destroyed…’
The employer had breached the Acts ‘by the processing of the employee’s personal data and that of his children, in the recording of images by a private investigator acting on its behalf, without his knowledge or consent. Covert surveillance of individuals is very difficult to reconcile with the Data Protection Acts. As a minimum and this may not even make such surveillance legal, there must be strong and evidence based justification for such surveillance in the first instance’. 
An employer should have a contract with the private investigator which describes the investigator as a processor within the meaning of the Acts. In Case Study 13/2011 the Data Protection Commissioner stated that ‘it is unlawful for an entity to pass any details of its employees to a private investigator for the purposes of surveillance or for any other purpose unless that entity has put a contract in place …in line with Section 2(C)(3) of the Data Protection Acts 1988 and 2003 which would render the private investigator to be a data processor’. The Commissioner stated that the decision of an employer to engage the services of a private investigator to gather personal data carries a ‘very serious risk of breaching the provisions of the Data Protection Acts and the general right to privacy protection by Bunreacht na hÉireann (the Irish Constitution), the European Charter of Fundamental Rights and the European Convention on Human Rights. It should therefore not be taken lightly.’ The Commissioner set out a number of rules which should be complied with both by the employer as controller and the private investigator. There should be a contract in place which is in accordance with section 2(C)(3).
This section provides that where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must (1) ensure that the processing is carried out in pursuance of a contract in writing or in another equivalent form between the data controller and the data processor and that the contract provides that the data processor carries out the processing only on and subject to the instructions of the data controller and that the data processor complies with obligations equivalent to those imposed on the data controller by section 2(1)(d) of the Act, (2) ensure that the data processor provides sufficient guarantees in respect of the technical security measures, and organisational measures, governing the processing, and (3) take reasonable steps to ensure compliance with those measures.
Any processing of data by the private investigator must be in full compliance with the Data Protection Acts and any unauthorized processing of personal data by the private investigator is strictly prohibited. The investigator should implement appropriate measures to protect against accidental loss, destruction, damage, alteration, disclosure or unlawful access to the personal data in their possession and not disclose the data to any other party without the approval of the controller.
The data subject has a right to access his personal data which is contained in the reports of the private investigator; this may mean access to video footage, photographs and the surveillance report. The access request must be processed by the employer or data controller. It may be that the access request is made to the private investigator directly but this should be sent to the controller without delay for processing. The Data Protection Commissioner does not believe that any of the restrictions to the right of access as set out in section 5 apply in these circumstances. The exemption contained in section 5(1)(g) of the Acts in respect of which ‘a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers’ does not apply. The Commissioner found in Case Study 13/2011 that it was ‘not obvious’ to their investigation how a security report compiled by a private investigator could constitute a communication between a client and their professional legal advisers. He stated that this section ‘does not equate to privilege at common law (i.e. legal advice privilege and litigation privilege)’. This restriction on the right of access only applies where there is a communication between a client and his professional legal advisers or a communication between a client’s professional legal advisors. The communication must be one in which a claim of privilege could be maintained in court proceedings. As such, a private investigator’s report commissioned by a data controller is ‘clearly not a communication between a client and his professional legal advisors. Nor is it a communication as between a client’s professional legal advisors’.
It is worth noting that surveillance conducted by a private investigator could constitute criminal harassment under s.10 of the Non-Fatal Offences Against the Person Act, 1997 which provides that an offence is committed by ‘persistently following, watching, pestering, besetting or communicating with him or her’. Harassment means interfering with another’s peace and privacy or causing alarm, distress or harm to the other, where the acts are such that a reasonable person would realize that they would seriously interfere with the other’s peace and privacy or cause alarm, distress or harm to the other. If convicted on indictment a person could face a penalty of an unlimited fine and/or 7 years imprisonment.
Tracking devices in vehicles
In an employment context the use of tracking devices in vehicles may constitute an invasion of privacy and breach of the Data Protection Acts. Their purpose is to track the location of vehicles and not the employees. ‘Monitoring or tracking, including in-vehicle monitoring, must comply with the transparency requirements of the Data Protection Acts. Staff must be informed of the existence of the tracking equipment and of the purposes for which their personal data is processed’ (Case Study 13/2010).
 DPC Annual Report 2007, p51
  1 IR 232
 At page 251.
  4 IR 459
 Pacelli v Irish Distillers  15 ELR 25. See also Kearney v Gresham Hotel UD891/2006 where the claimant succeeded in her action against her employers who employed covert CCTV; She made a separate complaint to the Office of the Data Protection Commissioner successfully.
 Case Study 13/2011 and see below.
  IEHC 131.
 Para 41.
 Para 42.
 Para 63. The defendants were vicariously liable for the acts of the Principal who had bullied the plaintiff. They were also in breach of their common law and statutory duties to the plaintiff. €60,000 was awarded and a further €15,000 in respect of personal injuries which she may suffer in the future with €13,625 in agreed specials. Para 66.
 Page 67.
 23rd Annual Report of the Data Protection Commissioner 2011, page 64.
 23rd Annual Report of the Data Protection Commissioner 2011, page 66.