The European Court of Human Rights (ECHR) has recently held, in the case of López Ribalda and others v Spain, that the right to privacy of Spanish shop workers was violated when a supermarket installed hidden cameras without their knowledge to monitor employee thefts.
This may spark interest in the world of education, as many schools have adopted surveillance systems on school grounds to help to maintain a safe and secure environment for pupils, staff and visitors. However, due to the very nature of surveillance systems, their use raises concerns about the effect on an individual’s privacy.
Images recorded by surveillance systems are also “personal data” which must be processed in accordance with data protection laws, and schools are required to ensure that the legal rights of staff, relating to their personal data, are recognised and respected.
In this case, following suspected thefts at one of its stores, a Spanish supermarket installed visible and hidden cameras. The visible cameras were aimed at detecting theft by customers, whilst the covert cameras monitored the cashiers. Workers were told about the visible cameras but not the covert ones.
Five employees were identified from the footage stealing items from the supermarket and were dismissed, having been confronted and admitting to the thefts.
The employees subsequently pursued unfair dismissal claims.
Initially, the Spanish court held that the measures used by the supermarket were justified, appropriate, necessary and proportionate, and stated that no other equally effective means of protecting the employer’s rights would have interfered less.
However, on appeal, the ECHR concluded that the employees’ Article 8 rights had been infringed and that the video surveillance had been a significant intrusion on their private lives. The ECHR commented that employers have to strike a fair balance between an individual’s Article 8 rights and the employer’s interest in protecting its business and property. In this case, it concluded that the supermarket had failed to strike the right balance.
This decision applies to the UK and follows the guidance within the Information Commissioner’s Office’s (ICO) published code of practices for surveillance cameras and personal information (the Code). Some key points from the Code and its relevance to employers include the following:
- If an employer wishes to use CCTV in the workplace, the ICO must be notified as to why they intend to use it. An employer cannot then use the information collected for any other reason. For example, if the organisation is using CCTV to monitor crime, it cannot then use it to monitor staff. Employers should, before using surveillance cameras, carry out a privacy impact assessment, decide if alternatives are possible and only proceed if the use of surveillance cameras meets a legitimate aim.
- Staff must be informed that they may be recorded and where cameras are located. To make this indisputable, the employer should use clear and visible signs.
- The levels of CCTV surveillance in the workplace must be proportionate to the reasonable expectation of privacy. In certain areas with a higher level of expected privacy, such as near toilets, changing rooms, kitchen and break areas, it is unlikely to be acceptable to have cameras.
- It will be rare for covert monitoring of employees to be justified and it should only be carried out in exceptional circumstances.
- Employers should plan the collection and storage of this data in accordance with the Data Protection Act 1998 (and as of May 2018, the requirements of the General Data Protection Regulation (GDPR)), particularly in relation to how the images will be stored, for how long and who can see them.
How will this affect schools?
In addition, schools should maintain a strict policy that covert video surveillance will only be carried out in highly exceptional circumstances where the school reasonably believes that there is no less intrusive way of tackling the issue. In circumstances where covert monitoring is undertaken, it should be done for the shortest possible period and targeted at as few individuals as possible.
Schools should also consider reviewing their surveillance and privacy policies in advance of the implementation of the GDPR in order to ensure that they are legally compliant.