In Simon McVann v Data Protection Commission [2023] IECC 3 (McVann), the appellant appealed against decisions of the Data Protection Commission (DPC) concerning the processing of his personal data.

The personal data in question, captured via CCTV footage, was deemed by the DPC to have been lawfully processed by Mayo University Hospital (Hospital) and used by the appellant’s employer, the Irish Prison Service (IPS) for purposes compatible with the original purposes for collecting such data. The Court of Appeal (CoA) agreed with this finding in the specific circumstances.

Background

The case centred around the use of the CCTV footage in internal disciplinary proceedings concerning the appellant. The footage had been requested by IPS from the Hospital for security purposes to apprehend a prisoner who had escaped after being treated overnight in the Hospital. The footage was later used as evidence to support a separate allegation made against the appellant under the prison disciplinary rules. The appellant made two separate complaints to the DPC against the IPS and the Hospital.

The DPC rejected the complaints.  It found a lawful basis existed under Article 6(1) of the General Data Protection Regulation (GDPR) for processing the appellant’s personal data, and the processing was not incompatible with the purposes for which it was originally collected. The appellant’s subsequent appeal in the Circuit Court (Court) failed.  Judge O’Connor held that there was a reasonable expectation that the CCTV could be used in an investigation of a breach of security.

Doolin Case

The Court referred to Cormac Doolin v The Data Protection Commissioner and Our Lady’s Hospice and Care Services (Doolin), in which the High Court and Court of Appeal considered the use of CCTV in disciplinary proceedings. The case related to the use of CCTV footage by Our Lady’s Hospice and Care Services (Hospice) to identify the person who placed graffiti in the Hospice staff room. The footage did not reveal any wrongdoing on the part of Mr Doolin in relation to the graffiti, but it did show him allegedly taking unauthorised breaks during his working hours.  The critical question was whether the CCTV footage, which was captured for security purposes, could be processed for another employment issue.

The High Court found that the purpose of reviewing the footage was legitimate in that the Hospice aimed to protect staff security and public safety. However, using the footage for an internal disciplinary process was found to be unlawful, as this was different to the original purpose for which the footage was collected.

In Doolin, there was a sign beside the CCTV camera, stating that “Images are recorded for the purpose of health and safety and crime prevention”. The High Court held that if the CCCTV footage was intended for disciplinary purposes, that purpose should be identified in the sign or the CCTV policy.

The Compatibility Test

The CoA upheld the High Court decision in Doolin, applying a compatibility test set out by the Article 29 Data Protection Working Party (now the European Data Protection Board). The test, which largely reflects Article 4(6) of the GDPR, involves taking key factors into account when making a decision relating to the further processing of personal data;

• the relationship between the purposes for which the personal data was collected and the purposes of further processing;
• the context in which the personal data was collected and the reasonable expectations of the data subjects as to their further use;
• the nature of the personal data and the impact of the further processing on the data subjects; and
• the safeguards adopted by the controller to ensure fair processing and to prevent any undue impact on the data subjects.

In McVann Judge O’Connor said it was necessary to carry out a compatibility test (which the DPC had failed to do).  He found that it would be compatible with the specified original purpose of collecting the CCTV i.e., security purposes, to use that CCTV for other purposes, provided it is used to deal with the security issue during the period the prisoner escaped.  Judge O’Connor noted that on account of the nature of the appellant’s employment, there was a reasonable expectation that the IPS would use the CCTV footage in an investigation of a security breach. The facts of McVann were differentiated from Doolin in that the disciplinary proceedings brought against the appellant were specifically linked to the security incident in question. In Doolin, the investigation into Mr Doolin’s unauthorised breaks followed the graffiti investigation, and neither investigation was related to the other.

Judge O’Connor opined that the processing would not have been deemed compatible had the CCTV footage been used for any other purpose than the investigation of a security breach.

Conclusion

The McVann judgment is notable for its detailed review of the collection, transmission and use of CCTV footage and corresponding GDPR obligations.  The judgment provides a welcome reminder of the importance of signage and policies around the use of CCTV, as considered in the Doolin judgments.

The McVann judgment also emphasises the importance of the compatibility test when further processing of personal data is involved.  Where footage has been collected for a particular use or purpose, it must be used in a manner that is compatible with that particular use or purpose. Further processing of data in a manner inconsistent with the original intended use may constitute a breach of data protection rules.

If you would like to discuss this further, please contact Paul, Adele, Rachel or your usual William Fry contact.

Contributed by Tiernan McCann