The Office of the Data Protection Commissioner (“ODPC”) published its annual report for 2016 on 11 April last. The report contained an interesting case study that will undoubtedly be welcomed by employers. In Case Study 10 of 2016, the ODPC confirmed that no breach of the Data Protection Acts 1988 and 2003 (“the Acts”) had occurred when photos and audio recordings of a sleeping employee were taken by the employee’s supervisor and passed to the employer for disciplinary purposes. These photographs and recordings were subsequently relied on by the employer as part of disciplinary proceedings which ultimately led to the dismissal of the employee.

The employee in question was employed at a residential care home and had been found by a supervisor to be asleep during a night shift on two separate occasions. On both occasions the employee was the sole staff member on duty responsible for the care of a number of highly vulnerable and dependent adults who had complex medical and care needs and who needed to be checked regularly.

Having been discovered asleep on the first occasion, the employee’s supervisor warned the employee that, if it happened again, a complaint would be made in line with the employer’s grievance and disciplinary procedure. On the second occasion that the employee’s supervisor discovered the complainant to be asleep, “fully covered by a duvet on a recliner with the lights in the room dimmed and the television off”, the supervisor used his/her personal phone to take photographs of the employee sleeping and make a sound recording of the employee snoring.

Following an investigation and a disciplinary hearing, the employer found that the act of sleeping on duty constituted gross misconduct in light of the vulnerabilities and dependencies of the clients in the care home and the employee was dismissed.

The employee made a complaint to the ODPC in respect of the processing of his/her personal data i.e. the taking of the photograph and audio recording by the supervisor, and the subsequent disclosure of these to the employer for use in disciplinary proceedings.

Having considered the circumstances of the complaint and, in particular, the vulnerability of the clients involved and the nature of the employee's duties, the ODPC concluded that no breach of the Acts had occurred. In reaching this conclusion, the ODPC relied on Section 2A(1)(d) of the Acts, which permits the processing of personal data where “the processing is necessary for the purposes of the legitimate interests pursued by the data controller … except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.”

The ODPC noted that Section 2A(1)(d) requires the balancing of the data controller's legitimate interests against the fundamental rights and freedoms or legitimate interests of the data subject, including an evaluation of any prejudice caused to those rights of the data subject. In carrying out this balancing exercise, the ODPC noted that;

  1. the processing of the employee’s data was limited in nature and scope as it consisted of a one-off taking of a photograph and the making of an audio recording by the supervisor, who acted of his/her own volition and not in response to any direction or request from the employer;
  2. there had been limited further disclosure of the personal data afterwards, i.e. to the employer, while the original photograph and audio recording were deleted from the supervisor's personal phone; and
  3. copies of the relevant material had also been provided to the employee in advance of the disciplinary investigation.

In the circumstances, the ODPC concluded that the processing was proportionate and that the legitimate interests of the data controller outweighed the employee’s right to protection of his/her personal data.

Key Implications for Employers:

This decision may provide some comfort to employers fearful of using certain types of evidence they might have in their possession for the purposes of disciplinary proceedings. However, employers should be aware that encouraging a policy of supervisors recording employees may not be received well by the ODPC, as suggested by the reference, in the above Case Study, to the fact that the supervisor had acted of his/her own volition and not in response to any direction or request from the employer.

In addition, the ODPC focused on the fact that there had been limited further disclosure of the personal data concerned after it had been collected and passed to the employer. Particular reference is made to the fact that the employee was given copies of the material in question in advance of the disciplinary investigation. While the sharing of such material in this matter is a required as part of fair procedures, it is interesting to note that it also will help to achieve compliance with the Acts.

Finally, caution should be exercised in relation to potential reliance on Section 2A(1)(d); the final comments of the ODPC suggest that this is not a “catch all” provision;

“… as this case demonstrates, data-protection rights should not be used to ‘trump’ the rights of particularly vulnerable members of society or the legitimate interests pursued by those organisations responsible for safeguarding the health and life of such persons in discharging their duties of care and protection”.

It is therefore important to ensure that, if an employer is seeking to rely on the legitimate interest justification, he/she must be in a position to identify a legitimate interest of sufficient weight such that it can be pitted against the data protection rights of the individual. Any processing personal data in pursuance of this legitimate interest must be proportionate, necessary and limited to the bare minimum required to achieve the legitimate interest.