Category Archives: employment

Analysis prompted by Morrisons “data breach”

Yesterday’s data breach involving Morrisons supermarket and its staff payroll illustrates how difficult it is properly to handle such incidents, and perhaps provides some learning points for the future. But also raises issues about what is a “data breach

What do we mean by “data breach”, “personal data breach”, “data security breach” etc?

The draft European General Data Protection Regulation (GDPR), which continues to slouch its way towards implementation, says in its current form that

In the case of a personal data breach, the controller shall without undue delay notify the personal data breach to the supervisory authority [and]

When the personal data breach is likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay

“without undue delay” is, by virtue of (current) recital 67, said to be “not later than 72 hours” (in the original draft it was “where feasible, within 24 hours”). However “personal data breach” is not defined – it is suggested rather that the proposed European Data Protection Board will set guidelines etc for determining what a “breach” is.What is not clear to me is whether a “breach” is to be construed as “a breach of the data controller’s legal obligations under this Regulation”, or, more generally, “a breach of data security”. Certainly under the current domestic scheme there is, I would argue, confusion about this. A “breach of data security” is not necessarily equivalent to a breach of the Data Protection Act 1998 (DPA). To give a ludicrous example: if a gunman holds a person hostage, and demands that they unencrypt swathes of personal data from a computer system and give it to them, then it is hard to see that the data controller has breached the DPA, which requires only that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (which clearly cannot be construed as an unlimited obligation) but there has most certainly been a breach of data security.

It is unclear whether Morrisons chose to inform the Information Commissioner (ICO) about their incident, but the wording they’ve used to describe it suggests they are seeing this not as a breach of their obligations under the DPA, but as a potentially criminal act of which they were the victim: on their Facebook page they describe it as an “illegal theft of data” and that they are liaising with “the police and highest level of cyber crime authorities” (a doughnut to anyone who can explain to me what the latter is, by the way). If an offence has been committed under section 55 of the DPA (or possibly under the Computer Misuse Act 1990) there is a possible argument that the data controller is not at fault (although sometimes the two can go together – as I discuss in a recent post). Morrisons make no mention of the ICO, although I have no doubt that they (ICO) will now be aware and making enquiries. And, if Morrisons’ initial assessment was that they hadn’t breached the DPA (i.e. that they had taken the appropriate technical and organisational measures to mean they were not in breach of the seventh DPA principle), they might quite understandably argue that there was no need to inform the ICO, who, after all, regulates only compliance with the DPA and not broader issues around security breaches. There was certainly no legal obligation under current law for Morrisons to self-notify. Plenty of data controllers do, often ones in the public sector (the NHS Information Governance toolkit even automatically delivers a message to the ICO if an NHS data controller records a qualifying incident) but even the ICO’s guidance is unclear as to the circumstances which would trigger the need to self-notify. Their guidance is called “Notification of data security breaches to the ICO” but in the overview at the very start of that guidance it says

Report serious breaches of the seventh principle
Ultimately I see it boiling down to two interpretations: report a data security breach so that the ICO can assess whether it is a serious breach of the seventh principle, or, assess the data security breach yourself, and if you assess it as a serious breach of the seventh principle, report that to the ICO. This is not obligatory under the current domestic data protection law, so to an extent it is an arid discussion, but if the obligation to notify does become obligatory under the GDPR it will become much more important.
There is one domestic law under which it is obligatory to report a “personal data breach”. The Privacy and Electronic Communications (EC Directive) Regulations 2003 amended by 2011 Regulations, require a provider of a public electronic communications service to notify the ICO of
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service
This notably does not specify that the breach has to constitute a breach of the service provider’s DPA obligations, and one wonders if this is the sort of thing that will be specified as a breach once the GDPR is implemented.
Morrisons’ notification to data subjects

The people whose data was apparently compromised in the Morrisons “breach” were its staff – it was payroll information which was allegedly stolen and misused. It appears that Morrisons emailed those staff with internal email addresses (how many checkout staff and shelf-stackers have one of those?) and then, as any modern, forward-thinking organisation might, it posted a message on its Facebook page.However, I really wonder about that as a strategy. The comments on that Facebook page seem to be threatening to turn the incident into a personnel, and public communications disaster, with many people saying they had heard nothing until they read the message. Moreover, one wonders to what extent some staff might have been misled, or have misled themselves, into assuming that the comments they were posting were on some closed forum or network. As was suggested to me on twitter yesterday, some of the comments look to be career-limiting ones, but by engaging on its social media platform, might Morrisons be seen to have encouraged that sort of robust response from employees?

Much of this still has to play out – notably whether there was any contravention of the DPA by Morrisons – but, in a week when their financial performance came under close scrutiny, their PR handling of this “data breach” will also be looked at very closely by other data controllers for lessons in case they are ever faced with a similar situation.

4 Comments

Filed under Breach Notification, Data Protection, employment, Information Commissioner, PECR, social media

Restrictions on use of information in litigation

Rule 31.22 of the Civil Procedure Rules provides in terms that a party to litigation can only use a document disclosed to him/her by another party (in the course of those proceedings) for the purposes of those proceedings:

A party to whom a document has been disclosed may use the document only for the purpose of the proceedings in which it is disclosed…

The exceptions to this rule are where the document has been read to or by the court or referred to, at a public hearing, or where the other party consents to its use, or by permission of the court.

A recent judgment of Mr Justice Tugendhat deals with this rule, but also has a rather odd appearance in the wings by the Information Commissioner’s Office (ICO). The case involves an application for a strike-out of a claim by a company (“IG Index”) engaged in spread betting on financial products, which had been the defendant in proceedings in the Employment Tribunal (ET). In the course of those ET proceedings the then claimant (“Cloete” – now defendant), a former network services engineer (who, it was said, had previously raised with his then employer concerns about data security at the company) had provided the defendant company (pursuant to a disclosure order of the ET judge) with a USB stick containing lists of clients of the company (including bank payment details), which it appeared to the company had been copied or retained by the claimant in breach of covenants protecting confidential information.

Separately to the ET proceedings the company claimed orders requiring the delivery up of the documents, and was successful in gaining interim relief for this, and for destruction by Cloete of any electronic copies, ordering him at the same time to pay IG Index’s costs. Cloete complied with these Orders, while at the same time withdrawing his ET claims.

At the full hearing, at which, as Tugendhat J observed, nothing of substance was still sought by IG Index (their substantive relief having been achieved by the delivery up and destruction of the information) what remained in dispute between the parties was, effectively, costs.

However, Cloete now sought strike out on the basis that the only reason IG Index had come to know of the contents of the USB stick was through the disclosure in the ET proceedings. Accordingly, he argued, the use of that information was in breach of CPR 31.22. Tugendhat J agreed, noting, importantly, that the rule applies

to protect not only the documents themselves, but also the contents of those documents, that is to say, the information derived from the disclosed documents

So IG Index’s knowledge that Cloete had, or had had, the documents, was information derived from the disclosed documents. Accordingly, the strike out claim succeeded:

The use of the information in the present proceedings cannot be said to be for the purposes of the Employment Tribunal Proceedings…Nor is the relevant information in this case the property of the Claimant…in my judgment the use of this information for the purpose of advancing a claim for damages is plainly and obviously a breach of the prohibition

There might, it was observed, be cases where to bar a claim in circumstances such as these would give rise to an injustice, but this was not one of those cases, and, in any event, sub-rule (b) (whereby a court can grant permission for use of the material) was available to avoid any such injustice.

The Information Commissioner

What I refer to as the “rather odd” appearance in these proceedings of the Information Commissioner’s Office (ICO) arises because Cloete claimed that he hadn’t retained the information at the centre of the case from the time when he had been employed by IG Index. Rather, while he was employed, he had passed it to the ICO, to express concerns about IG Index’s data security. He only got the documents back, according to his statement to the court, when they were

sent to him by the Information Commissioner six months after his employment had been terminated…following a subject access request he made to the Information Commissioner’s Office on 17 December 2012. On 16 January 2013 the Listed Items were attached to an e-mail he received in response to that request. However, he stated that he did not appreciate at the time he received the e-mail that the Listed Items were attached

One must be careful not to make unwarranted criticism of the ICO – I note that they were not involved in the proceedings at all, and had no opportunity to challenge or clarify Cloete’s statement. However, if that statement accurately reflected what happened it would be odd, to say the least, for the ICO to return this confidential information to someone who had no apparent lawful reason to have it, and also odd that it would have been sent in response to a subject access request under the Data Protection Act 1998, which entitles someone, in broad terms, to copies of their own personal data (not that of clients of their former employer). It would be interesting to know more about this.

Leave a comment

Filed under Data Protection, employment, Information Commissioner

Take the train(ing)

IG policies are essential, but not much use if you don’t comply with them

In NHS and Social Care settings a standard requirement is that all staff are trained in information governance (a large component of which is data protection): “Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained” (IG Toolkit v11) and “Ensure all staff are trained, updated and aware of their responsibilities” (Local Government Data Handling Guidelines). If an organisation suffers a serious breach of data security, and the Information Commissioner’s Office (ICO) investigates, one of the first things they will look at is whether staff were appropriately trained. If they weren’t, enforcement action, possibly in the form of a monetary penalty notice, is highly likely.

It is vital, therefore, that all organisations have a policy that all relevant staff are trained (and in some organisations – like the NHS and local authorities – that will normally mean all staff).

But, policies only work if they are implemented, enforced and monitored. The ICO has recently published an Undertaking (the “last chance saloon” before formal enforcement action) signed by the Northern Health and Social Care Trust. This arose following an incident which

involved confidential service user information being faxed from a ward in Antrim Hospital to a local business in error. The information was intended for the Trust’s Community Rehabilitation Team. The referral form contained sensitive clinical data

Although the Trust had a “fax policy” (good) it wasn’t complied with (bad) but also 

The Commissioner’s investigation into the Trust revealed that despite the Trust having introduced what should have been mandatory Information Governance training for all staff, the majority of staff involved in these incidents had not received this training. This highlighted a potentially serious failing in respect of staff awareness of Information Governance policies. In particular, the failure to monitor and enforce staff completion of training was a concern.

This failure constituted a breach of the seventh data protection principle (“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”). It is highly likely that, if training requirements had been complied with, no action would have been (or would have been able to be) taken, because there would have been no breach.

Put simply, if a data controller can show it has complied with the seventh data protection principle, and there is an accidental data security breach – however horrendous – then (providing there are no breaches of other principles) no sanctions will arise.

It’s in every data controller’s interests not only to require appropriate data protection training for staff, but also to ensure that it has been taken.

Leave a comment

Filed under Data Protection, employment, Information Commissioner, monetary penalty notice

Poor judgement?

Public authorities need to be cautious when disclosing performance figures of their staff under Freedom of Information (FOI) laws. They need to be even more cautious when disclosing performance figures of third parties.

Imagine if your employer, or, worse, a third party, disclosed under FOI that, of all your peers, you made the most decisions in the exercise of your employment which were subsequently found to be wrong, and which had to be overturned. If in fact those figures turned out to be incorrect, you would probably rightly feel aggrieved, and perhaps question whether the failure of data quality was in fact a breach of your rights under the Data Protection Act 1998 (DPA) and of your employment rights.

That is what appears to have happened to certain judges in Scotland, according to a letter in The Scotsman today, from the Chief Executive of the Scottish Court Service. The letter points out that a previous (29 July) article in The Scotsman – “Meet the judge with the highest number of quashed convictions” (now no longer available, for obvious reasons) – was, although published in good faith, based on inaccurate information disclosed to the paper under FOI. The letter contains an apology to

Lord Carloway and Lord Hardie, who featured prominently in 
this article, for misrepresenting their position in relation to 
appeal decisions

because the erroneous disclosed statistics suggested they had had more judgments overturned on appeal than was actually the case.

Of course, the principle of judicial independence means that judges are, strictly, not employed. But as Carswell LCJ said

All judges, at whatever level, share certain common characteristics. They all must enjoy independence of decision without direction from any source, which the respondents quite rightly defended as an essential part of their work. They all need some organisation of their sittings, whether it be prescribed by the president of the industrial tribunals or the Court Service, or more loosely arranged in collegiate fashion between the judges of a particular court. They are all expected to work during defined times and periods, whether they be rigidly laid down or managed by the judges themselves with a greater degree of flexibility. They are not free agents to work as and when they choose, as are self-employed persons. Their office accordingly partakes of some of the characteristics of employment . .. [Perceval-Price v Department of Economic Development [2000] IRLR 380]

and the Supreme Court took this further in O’Brien v Ministry of Justice [2010] UKSC 34 by saying “Indeed judicial office partakes of most of the characteristics of employment” (emphasis added).

Whatever their employment status, judges’ performance figures are clearly an important matter to them, and the Scottish Court Service has a duty to maintain accurate figures (particularly when disclosing them publicly). As Wodehouse said, “it has never been difficult to distinguish between a Scotsman with a grievance and a ray of sunshine”. I imagine that the office of Mr McQueen, the day after the first article, was not filled with sunshine.

Leave a comment

Filed under Data Protection, employment, FOISA, Freedom of Information, Uncategorized

An error of judgment

A very brief post, on something in a High Court judgment which may merely be a slip.

On 6 June 2013 a renewed application to appeal to the Employment Appeal Tribunal was heard in the High Court. The applicant, Flynn, is seeking compensation for detriment suffered by reason of the making of a public interest disclosure (the “whistle-blowing claim”) and for arrears for holiday pay. The respondent, Warrior Square Recoveries Limited (“Warrior”) made an initially unsuccessful attempt to have the claims struck out. On appeal the Employment Appeal Tribunal refused to strike out the holiday arrears claim, but struck out the whistle-blowing claim because it had not been brought within the requisite three-month time-limit. Flynn now sought to reinstate the whistle blowing claim.

Lord Justice Rimer was not impressed by the arguments to reinstate, but, rather reluctantly, found one sufficiently compelling to justify permission

The only argument that appeared to me arguably to have some legs to it was that on 21 May 2010 the applicant made a subject access disclosure application to Warrior under the Freedom of Information Act 2000, the purpose being the provision to him of information as to whether or not the defamation claim was being pursued. Warrior had 40 days to comply with the request, but it did not do so. It is said that the expiration of the 40 days marked another deliberate failure by Warrior to act, following which the tribunal proceedings were issued within three months.

With some hesitation, I regard this ground as sufficient to justify permission to appeal…

The perspicacious among you might have noticed something. Subject access, and the 40 day time for compliance, are terms not from the Freedom of Information Act 2000 (FOIA), but from section 7 of the Data Protection Act 1998 (DPA). FOIA only applies to public authorities, of which Warrior is not one. If a public authority receives a request seeking subject access under FOIA it should apply the exemption at section 40(1) and “the public authority will need to deal with it in accordance with the DPA” (Information Commissioner guidance). An employer, such as Warrior, which is not a public authority, has no such obligations under FOIA. It probably should have still, on receipt of a letter purporting to be a FOIA request, have read it and recognised it as being, rather, a subject access request under DPA (under which it does have obligations to respond). But I’m not sure I would criticise it too much for seeing the words “Freedom of Information Act”, and thinking it didn’t need a response. I’m also not sure that the failure to respond to a non-existent obligation under an Act to which the company was not subject should have counted for the purposes of deciding when the time for lodging a claim started.

As I say, this may be a transcription error, or the judge might have mistakenly cited FOIA when he meant DPA, but the fact that this point was determinative of whether to allow permission to appeal means the error (whether it was an actual one, or just in the handed down judgment) is very odd.

Leave a comment

Filed under Data Protection, employment, Freedom of Information, Uncategorized

Back to Blacklists

Could action taken by the ICO in 2009 still have a part to play if construction industry blacklisting has continued? (acknowledgement: Tim Turner made some of these points back in January this year)

In 2009 the Information Commissioner prosecuted Ian Kerr, the then chief officer of a body called the Consulting Association. The Consulting Association had been holding a blacklist of people within the construction industry seen as “troublemakers” (a blacklist inherited from the Economic League, as detailed in Tim Turner’s superb post on the subject) and making this information available to clients on payment of a fee. The fall-out from this continues to this day, with, on the one hand civil claims being pursued, for what I understand to be common law “unlawful means conspiracy” and defamation, and on the other hand, the reports that the Information Commissioner’s Office (ICO) has been asked by Business Secretary, Vince Cable, to investigate allegations that the practice has continued to this day, on major construction projects like the Olympic Park and Crossrail (by the way, the extraordinary testimony of Gail Cartmail of Unite, in that last link, is essential reading).

The ICO’s prosecution of Kerr was for the relatively minor (and relatively rarely enforced) offence under the Data Protection Act 1998 (DPA) of failing to register with the ICO for his processing of personal data. No other sanction was, apparently, open to the ICO at the time. This was because the current regime of civil Monetary Penalty Notices (MPNs) for serious contraventions of the DPA had not then commenced.

As Chris Pounder pointed out at the time, there is even a query, applying the strict definitions of “data” in section 1(1), whether a blacklist held solely on paper, and arranged in, say, date order (rather than by reference to individuals), is even caught by the DPA. If not, then enforcement by the ICO would not be possible. This is because “data” broadly applies only to electronically-processed information or information held as part of a filing system structured by reference to individuals or criteria relating to individuals. One hopes that any alleged blacklisters haven’t made a habit of reading Chris’s blog and subsequently exploited a loophole that remains open.

Putting to one side this “loophole” point, it is likely that any processing of personal data which unfairly and unlawfully deprived someone of employment would constitute a serious contravention of the DPA, probably causing substantial damage and distress, and thus potentially attracting an MPN. An MPN is a relatively powerful weapon in the ICO’s armoury, and in my opinion one that has been used well to drive up data protection standards and drive home the importance of data security. Whether a huge construction firm would notice a (maximum) £500,000 penalty is another matter.

And, of course, none of the money paid under an MPN goes to the victim of a serious DPA contravention (it goes to the government consolidated fund). However, it is open to a data subject in such circumstances to bring a claim in the county court under section 13 of the DPA. Compensation is available if specific damage can be shown, and, if damage can be shown, further compensation for distress can follow. It is not clear to me whether the current claims from the 2009 events contain DPA claims, but the fact that they are being reported primarily as claims for tortious conspiracy suggests that even if so, they are subsidiary to the latter.

However, there is one further sanction which Tim Turner alludes to, which might possibly be in play. When the ICO prosecuted Kerr it also took steps to close down the practice, by issuing DPA enforcement notices against fourteen construction companies who had been proved to have used the list or supplied information: Balfour Beatty Civil Engineering Limited; Balfour Beatty Construction Northern Limited; Balfour Beatty Construction Scottish & Southern Limited; Balfour Beatty Engineering Services (HY) Limited; Balfour Beatty Engineering Services Limited; Balfour Beatty Infrastructure Services limited; CB&I UK Limited; Emcor Engineering Services Limited; Emcor Rail Limited; Kier Limited; NG Bailey Limited; Shepherd Engineering Services Limited; SIAS Building Services Limited; Whessoe Oil & Gas Limited. An example of one of the enforcement notices is archived here. It required the company broadly to

Refrain from using, disclosing or otherwise processing any personal data obtained from Mr Kerr

but also to

Ensure that if any personal data relating to recruitment is obtained from a source other than the data subject, the data subject is, in so far as is practicable, provided with the information specified in paragraph 2(3) at Part II of Schedule 1 to the [DPA] in accordance with the First Data Protection Principle.

Ensure that if any personal data relating to recruitment is disclosed to a third party for use in connection with the recruitment of workers, the data subject is, in so far as is practicable, provided with the information specified in paragraph 2(3) at Part II of Schedule 1 to the [DPA] in accordance with the First Data Protection Principle.

The notices do not appear to have been effective only for a fixed period, so one is to assume that they remain effective*. If any of the firms upon which they were served have sinced breached the terms of the notice they could potentially have committed an offence under section 47(1) of the DPA. That offence is triable either-way, and anyone found guilty is liable on summary conviction, to a fine not exceeding £5000, or on conviction on indictment, to an unlimited fine. And, by section 61 of the DPA, where, as here, the notices were served on bodies corporate, the bodies’ directors and some other officers can also be guilty of the offence of failing to comply with an enforcement notice if the offence is proved to have been committed with their consent or connivance or to be attributable to their neglect.

One wonders if the ICO’s 2009 enforcement proceedings may still have some part to play.

UPDATE: 15 August 2013

*The ICO has confirmed to me that they have no record of any of the Enforcement Notices being cancelled or varied, nor of any applications to cancel or vary being received. The ICO considers that the Enforcement Notices are still effective.

5 Comments

Filed under damages, Data Protection, employment, enforcement, Information Commissioner, monetary penalty notice

Is the BBC spying on whistleblowers?

A couple of the normal BBC-baiting newspapers report that that organisation has been “accused of spying on whistleblowers”, after a Freedom of Information request revealed that the BBC’s Investigation Service monitored emails of 30 workers last year. The Telegraph says this

raised fears that BBC management is engaged in a crack down on people it suspects of whistle-blowing about their concerns over the running of the corporation

There seems to be absolutely no evidence for this. To me it looks more like an employer intercepting communications on business systems in order to prevent or investigate potential unlawful behaviour. The law provides for this, and the paper reports that the BBC even said

The BBC Investigations Service does not target whistleblowers. The four cases of leaked information involved other matters such as the release of commercially sensitive information or the release of internal information – none of the four cases of leaked information could be considered as whistleblowing in any sense. The BBC has a clear policy protecting the right to whistleblow

The circumstances under which email communication can be intercepted by an employer are clearly prescribed by law. The much-maligned and -misunderstood Regulation of Investigatory Powers Act 2000 (RIPA) corrected the previous domestic position that workplace surveillance could not amount to an infringement of an employee’s Article 8 rights (a position criticised by the European Court of Human Rights in Halford v UK). The provisions of section 1 of RIPA create a criminal offence of unlawful interception of a communication (transmitted either by public or private telecommunications system) where the interception occurs without lawful authority. However, secondary legislation, made under RIPA, prescribes what “lawful authority” can mean within an employment context. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the “LBP Regulations”) provide inter alia that interception of emails will be lawful if it is done for the purposes of preventing or detecting crime, or for the purpose of investigating or detecting the unauthorised use of that or any other telecommunication system. This can be done without consent or notification as long as the business informs users of its systems in advance (normally by way of a policy) that emails may be intercepted for relevant purposes (I wrote on this in detail in None of our business? Private emails, FOI and lawful interception (PDP FOI Journal, Nov/Dec 2011
Volume 8, Issue 2, subscription only)).

So, provided the BBC have a policy informing staff that their emails could be intercepted (and I would be amazed if they don’t) they will have done nothing wrong, and nothing that a responsible employer, and public service provider, should be blamed for doing. Do the Telegraph and the Mail think the BBC should not investigate alleged unlawful – perhaps criminal – behaviour on the part of its staff?

Leave a comment

Filed under BBC, employment, interception, RIPA, surveillance

Privacy in the workplace – Employment Appeal Tribunal ruling

The boundary between a person’s private life and their public activities is not easy to mark, and its position has shifted with development of human rights jurisprudence. Thus, a person attempting to commit suicide in public, captured on CCTV, was held to have had his rights under Article 8 of the European Convention on Human Rights breached when the footage was subsequently broadcast (Peck v UK [2003] ECHR 44).

Similarly, the question as to the extent to which an employer must respect an employee’s privacy rights in the workplace, or the working environment, is no longer simply answered by reference to the terms of the employment contract. In addition to the employee’s Article 8 rights, the employer must have regard to the Data Protection Act 1998 (DPA) for which there is guidance, in the form of the Employment Practices Code, published by the Information Commissioner’s Office under section 51(2) of the DPA (“the ICO Code”).

All of these issues are addressed in an interesting recent judgment handed down in the Employment Appeal Tribunal (EAT). The case – Swansea Council v Gayle – was an appeal from an earlier Employment Tribunal (ET) decision, which had found that Mr Gayle had been unfairly dismissed (although it also found that he had not been wrongfully dismissed, nor racially discriminated against). He had twice been observed at a leisure centre during working hours and was subsequently covertly filmed several times by an investigator while leaving, or being in the process of leaving, the same leisure centre at times when he was claiming to be working.

The ET determined that, even before the covert filming had begun, the employer had had sufficient evidence to support its suspicions that its employee had been untruthful about his activities during working hours:

There was no longer a legitimate reason (or for Article 8 purposes, a legitimate aim) to place him under covert surveillance.  Even if there was a legitimate aim the Council’s manner of doing so was disproportionate and unjustified

Accordingly

the process by which the Council dismissed Mr Gayle involved an unjustified interference with his Article 8 right to a private life…the circumstances of his dismissal fell within the ambit of Article 8; the state had a positive obligation to safeguard his Article 8 right (as, indeed, did the Council as a public body); in all the circumstances, the Council’s interference with that right was unnecessary and disproportionate; the fact that the Council had a permissible reason to dismiss Mr Gayle is not by itself sufficient since it could have fairly dismissed him without such interference

As the EAT said, this amounted to the rather odd proposition that

the dismissal was unfair because the investigation was too thorough

Therefore they accepted the three-part submission that there could be no breach of Article 8(1) (“Everyone has the right to respect for his private and family life, his home and his correspondence”) because

First, the photography was in a public place of somebody in a public place…Next…this was at a time when the Claimant was “on the clock”; it was in his employer’s time…An employee can have no reasonable expectation that he can keep those matters private and secret from his employer at such a time…Thirdly…the Claimant here was a fraudster; he was busily engaged on his own business whilst receiving his employer’s money for his employer’s business…a person in such circumstances can have no reasonable expectation that their conduct is entitled to privacy

Because no breach of Article 8(1) had occured, there was no need for the EAT to consider arguments for justification under Article 8(2). However, had they had to, they would have held that interference was justified in pursuance of two legitimate aims. Firstly the prevention of crime, and secondly

the protection of the rights and freedoms of others, the “others” here being the employers whose money was at stake and who had contractual rights in agreement with the Claimant that he would behave in a way in which as it happened he did not

The EAT was particularly critical of the ET’s reliance on an apparent breach by the Council of the ICO Employment Practices Code. The ET had found that the Council’s apparent ignorance of the Code, in conducting the covert filming as it did, constituted a breach of the DPA which rendered the dismissal unfair. The EAT attacked the logic of this approach

[the ET says] that that ignorance would be such that the result would be that its investigation could no longer be considered reasonable; it does not say why.  It is not obvious to see why ignorance of a code which the employer was not bound in law to have regard to in any event would render an investigation into the wrongdoing of the Claimant unreasonable when it would otherwise have been reasonable

The EAT notably did not say that the Council’s actions were or were not permissible under DPA, or the Code, but rather that the ET

in criticising the employer for covertly filming the Claimant was not dealing with any matter relevant to the fairness of the dismissal

This case does not break any new ground, but the EAT did observe that no authority had been drawn to their attention which suggested that covert filming in a public place of claimants in personal injury cases had been held to be in breach of Article 8 (provided there were no alleged breach of the Regulation of Investigatory Powers Act 2000). And this case suggests that an Article 8 complaint about covert recording in a public place within an employment context is similarly unlikely to have much chance of success, despite what might be (in the EAT’s description of the ET’s feelings) “the Tribunal’s distaste for the employer’s use of covert surveillance”.

1 Comment

Filed under Data Protection, employment, human rights, Privacy, surveillance