Covert CCTV at Work: is this ever possible?

February 28, 2018


It is generally accepted that the monitoring
of workers is intrusive. Workers have a legitimate expectation that they can
keep their personal lives private and that they are also entitled to a degree
of privacy in their work environment.

The starting point for the use of
covert CCTV of workers, therefore, is that it can be rarely justified. Guidance
from the ICO -as drafted for the purposes of the Data Protection Act 1998
-confirms that the use of covert CCTV should not be undertaken unless:

  • it has been authorised at the highest level
    within an employer’s business;
  • the employer is satisfied that there are
    sufficient grounds for suspecting criminal activity or some other
    equivalent malpractice in the workplace;
  • that telling the workforce would be likely to
    prejudice the prevention or detection of crime, or the apprehension or
    prosecution of offenders;
  • it is used as part of a specific investigation
    only, and its use should be stopped when that investigation has been

Consideration should also be given to
whether or not the police should be involved in such an investigation and as an
alternative method of achieving the employer’s intended aim(s).

In accordance with the Data Protection
Act 1998 (and from 25 May, the GDPR), employers should be clear about the fact
and purpose of any form of monitoring that they use and they must be satisfied
that their chosen method of monitoring is justified in the circumstances.
Workers must be aware of the nature, extent and reasons for any monitoring,
unless, very exceptionally, a form of covert monitoring is justified.

Lopez Ribalda v Spain

Ribalda v Spain (January
2018), all five claimants worked as cashiers at the same branch of a Spanish
supermarket. In early 2009, they began to steal money from their employer, and
in association with customers. Managers had been suspicious of missing monies
and stock but were not sure whether losses were being caused by staff or
customers. In response, CCTV surveillance cameras were installed at the store,
aimed at detecting theft by customers, some visible and aimed at the entrance
and exit doors. Some covert CCTV surveillance was also installed, aimed at the
checkouts and tills, based upon a general suspicion against all staff in view
of the missing monies and stock. Staff were told in advance about the visible
CCTV surveillance but not about the covert CCTV operation. Despite the
installation of known CCTV, the claimants continued to steal and were caught
doing so by the covert CCTV operation. The claimants, when confronted, made
full admissions and were dismissed.

All five brought claims in the
Spanish Employment Tribunal arguing that their dismissals had been unfair as
they had not been told of the hidden cameras and that their employer’s failure
to do so breached Spanish data protection laws, which require data subjects to
be ‘previously and explicitly, precisely and unambiguously informed’ about the
processing of their personal data.

The claimants’ unfair dismissal
claims were rejected, with the domestic Spanish courts confirming that the
covert surveillance had been lawfully obtained even though prior notice had not
been given. The domestic Spanish courts were of the view that the covert CCTV
surveillance had been justified, since there was a reasonable suspicion of
theft, appropriate to the employer’s legitimate aim of protecting company
property, and was necessary and proportionate.

Nevertheless, the claims found their
way to the European Court of Human Rights. The claimants argued that the use of
covert CCTV was an infringement of their Article 8 right: the right to respect
for private and family life under the European Convention on Human Rights. The
court found that even at work a worker should have an expectation of privacy
which must be rebutted before any covert monitoring becomes appropriate. In
reaching this decision, the court took account of the following:

  • the fact that a number of people had seen the
    footage prior to the claimants, including their union representative and
    the employer’s lawyer;
  • the workers had not been told of or consented
    to the covert surveillance of them;
  • the footage had been taken over a number of
    weeks, at all hours and had caught images of other workers who were not
    guilty of theft.

The ECtHR concluded that the
employer’s measures were not proportionate. The employer should have
safeguarded its property by other means which had less impact on the workers’
privacy, and should have notified its workers in advance of the installation of
the surveillance systems. Each of the claimants were awarded

Köpke v Germany

In Köpke
v Germany
admissibility decision in 2010)
, a supermarket cashier was also
dismissed for theft, having been caught as a result of covert CCTV surveillance
being used by her employer. Again, after unsuccessfully challenging her
dismissal in the German labour courts, she brought a claim in the ECtHR
claiming that her Article 8 right had been infringed.

Her employer had, however, approached
the use of covert CCTV by first giving consideration to how long it should
remain in place, the need to protect its property, and the public interest in
the proper administration of justice. It had also been a particular worker that
was under suspicion of theft (which was different to Lopez Ribalda  and the
surveillance was directed at just that individual. As a result, the ECtHR found
that the employer’s interference with the worker’s private life in this case
had been restricted to what had been necessary to achieve the aims pursued by
the covert CCTV surveillance.

So is covert CCTV possible in the

Yes it is, providing that there are:

  • sufficient grounds for suspecting some form of
    criminal activity or other malpractice is taking place;
  • workers are informed of the possibility of
    covert surveillance being used in exceptional circumstances, and what such
    footage may be used for

Given the significant intrusion to a
worker’s privacy rights, it is essential for employers to first undertake a
detailed written assessment of whether or not such covert CCTV surveillance can
be justified as being necessary and a proportionate means of achieving their
aims. Can it be confirmed that there is no less intrusive way of tackling the
suspected criminal activity or other malpractice? Within such an assessment,
employers will need to consider whether or not telling the workforce about such
surveillance would prejudice the prevention or detection of crime, or the
apprehension or prosecution of offenders. It is also absolutely necessary that
any form of covert monitoring is authorised by senior management.

GDPR implications

As we all know by now, the GDPR seeks
to change how organisations think about data protection and brings about
enhanced rights for data subjects. Under GDPR, data protection impact
assessments will also be mandatory prior to an organisation undertaking any process
which presents a potentially high risk to an individual’s privacy rights.

The specific introduction of CCTV
surveillance into the workplace (whether open or covert) presents a high risk
to individuals’ privacy rights. A data protection impact assessment should
always be undertaken for any form of CCTV surveillance operation that is to be
implemented on or after 25 May 2018. Such an assessment should address the
following questions:

  • Can a limited, or a time-restricted, operation
    be used?
  • Does the workforce already know of the
    possibility that covert CCTV surveillance may be used in exceptional cases
    and in accordance with existing policies and procedures?

While there is no set process or
method of presentation for a data protection impact assessment, under GDPR the
minimum features of such an assessment must include:

  • a description of the envisaged processing
    operations and the purpose of the processing;
  • an assessment of the necessity and
    proportionality of the data processing activity;
  • an assessment of the risks to the privacy
    rights of the individual(s) affected;
  • the measures envisaged to address the risks
    and demonstrate compliance with the GDPR, for example, the safeguards
    and/or security measures that need to be put into place.

Gwynneth Tan
is a Partner at Shoosmiths LLP and
heads up their Milton Keynes employment team. 

Michael Briggs
is a Senior Associate at Shoosmiths LLP, based in Nottingham.