Covert CCTV recording in the workplace – is it ever lawful?

Cameras in the workplace – what employers need to know

Anyone with access to any social media account over the past few days will have no doubt seen Matt Hancock having the modern-day equivalent of rotten fruit being thrown at him in the stocks. All highly amusing for the casual observer, but hugely embarrassing and no doubt distressing for the subjects involved, Matt Hancock (then Health Secretary) and his aide, Gina Coladangelo, not to mention their respective families. They were filmed in a passionate embrace in Matt Hancock’s private office when they thought nobody was watching. Unfortunately for them, CCTV cameras were installed and a Whitehall insider who had access to the CCTV footage passed it on to The Sun newspaper which had no hesitation in publishing it for the world to see. Mr Hancock’s resignation swiftly followed. 

While the accounts keep differing as to whether Mr Hancock knew there was CCTV in the office in the first place and/or if it was hidden and/or if the camera was moved from its original position, if the CCTV was covert, it brings in wider questions on the processes within Whitehall. Were covert CCTV recordings made? Moreover, can an employer ever take and rely on covert CCTV recordings? 

The short answer is nearly always “no”. However, below we outline when CCTV (covert or otherwise) may be used and best practices for employers to follow. 

CCTV recording - UK General Data Protection Regulation (GDPR) Principles

The UK GDPR requires data controllers (including employers) to have a lawful ground to process personal data. There are seven data protection principles to consider.

The relevant personal data principles for using CCTV are that the data must be:

• Processed lawfully, fairly and transparently in relation to the data subject
• Collected only for specified, explicit and legitimate purposes and it must not be further processed in a manner that is incompatible with those purposes
• Adequate, relevant and limited to what is necessary for those purposes (in other words, it must be proportionate)
• Processed, through use of technical or organisational measures, in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

ICO Codes and Guidance 

The Information Commissioner’s Office (ICO) has issued an Employment Practices Code (“Employment Code”) and Supplementary Guidance on employee monitoring. It also has a Data Protection Code on the Use of Surveillance Cameras (“Surveillance Code”). While created prior to the GDPR and Data Protection Act 2018, these Codes and guidance remain relevant. They are not legally binding, but the ICO may consider them when deciding if unlawful monitoring has occurred and on any enforcement needed. 

The Employment Code states:   

• Employees' private lives usually extend into the workplace and so they have an expectation of privacy, even where their employer has informed them that monitoring may take place
• If an employer is to carry out monitoring, it must undertake an impact assessment
• Any monitoring must be proportionate
• An employer should inform employees if monitoring is to take place
• Only a limited number of staff should have access to information obtained through monitoring and they should have received appropriate training
• Data obtained through monitoring should be kept secure

The Employment Code requires employers to tell employees:

• The circumstances where monitoring may take place
• The nature of the monitoring
• How they will use the information obtained through monitoring
• Any safeguards in place for workers who are subject to the monitoring

The Surveillance Code supplements the above with 12 guiding principles:

• Surveillance camera systems must always be used for a specified purpose to further a legitimate aim and they must be necessary for meeting an identified pressing need
• The effect on individuals and their privacy must be considered before using a surveillance camera system, with regular reviews to ensure the use remains justified
• Transparency should be used where possible, and there should be a published contact point for access to information and for making complaints
• Organisations must allocate responsibility and accountability for all surveillance camera system activities
• Organisations must have clear rules, policies and procedures in place before using surveillance camera systems and these must be communicated to relevant individuals
• Organisations should restrict the volume of images and information to those strictly required for the surveillance camera system’s stated purpose. Such images and information should be deleted once their purpose has been discharged
• Organisations should restrict access to retained images and information, and have clearly defined rules on who can gain access and for what purpose(s) - images and information should only be disclosed when necessary for such a purpose or for law enforcement purposes
• Surveillance camera system operators should consider and maintain any approved operational, technical and competency standards relevant to a system and its purpose
• Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use
• Organisations need to implement review and audit mechanisms to ensure they comply with legal requirements, policies and standards, and publish regular reports
• Use of a surveillance camera for a legitimate aim, where there is a pressing need, should be done in the most effective way to support public safety and law enforcement
• If comparing CCTV footage to a reference database for matching purposes, the database  should be accurate and kept up to date

Data Protection Impact Assessments

Organisations should complete a Data Protection Impact Assessment (DPIA) prior to any CCTV monitoring, to balance the needs of the business against the adverse impact of monitoring on workers. The DPIA should include:

• A description of the intended processing, including types of data and its purpose
• An assessment of the necessity and proportionality of the processing
• An assessment of the risk to the rights and freedoms of data subjects
• Any measures to address the identified risks and  demonstrate compliance with the GDPR

The ICO and Surveillance Camera Commissioner have a template DPIA , which is a useful starting point. 

Covert CCTV 

Based on the above, it is clear covert CCTV is unlikely to meet the lawful requirements for using CCTV in most scenarios. ICO guidance suggests that covert monitoring of employees is rarely justified and should only be conducted in exceptional circumstances. This highlights the very high hurdle for covert monitoring.

The Employment Code has guidance which includes

• Covert recording may be permitted where an employer has genuine suspicions that criminal activity or equivalent malpractice is taking place
• Covert CCTV may be permitted if it is necessary for collecting evidence, for example where being open about recording would be likely to prevent the detection of a crime (or equivalent malpractice) or catching offenders
• There must be no less intrusive or covert ways of obtaining the data
• Any covert monitoring should be strictly targeted at obtaining evidence within a set timeframe and should not continue once an investigation is complete
• There must be clear rules limiting the disclosure of and access to information obtained
• Covert monitoring should not be used in areas workers would genuinely and reasonably expect to be private (for example, toilets or private offices). If there is to be an exception in cases where serious crime is suspected there should be an intention to involve the police
• Other information collected while monitoring should be disregarded and, where feasible, deleted unless it reveals information that no reasonable employer could be expected to ignore

What rights and remedies do employee have? 

Matt Hancock no doubt has other pressing priorities right now, but what can an employee do if they feel pressured to resign (or are dismissed) because of misconduct that only comes to light as a result of covert recording? The employee may well succeed in a constructive unfair dismissal claim (or unfair dismissal claim, if dismissed by their employer). Much will depend on the nature of the misconduct and whether the covert recording was justifiable. Using covert CCTV to capture an embrace in a private office between colleagues would surely not reach the threshold of justifiable covert recording under the Employment Code.

An employee can also take action through the courts under the Data Protection Act 2018 for unlawful processing of their personal data. They can obtain compensation for financial loss (if not already covered by an employment tribunal claim), as well as for the distress caused by the processing (which would include the initial recording and any further dissemination of the material). They can obtain compensation for distress even if they have not suffered any financial loss, as confirmed by the Court of Appeal in Lloyd v Google LLC (although that case was appealed and heard in the Supreme Court on 28 and 29 April 2021 and judgment is awaited). The disgruntled employee could also complain to the ICO which may, in turn, impose a fine or other penalty on the employer. 

An employee can also exercise their well-known and frequently used right of access and make a data subject access request to obtain information about the personal data an organisation is processing about them and copies of that information (which could include CCTV footage). 

CCTV best practices 

To mitigate the risks arising from the above, employers should take the following steps:

• Clearly mark use of CCTV, though both a privacy notice and prominent signs within the workplace
• Only use CCTV where it is strictly necessary and does not override individuals’ right to privacy
• Conduct a DPIA and review it periodically
• Ensure no CCTV monitoring is covert unless strictly justified
• Once the justification for covert CCTV has ended, stop using it
• Refer to the Employment Code, Supplementary Guidance and Surveillance Code before undertaking any types of monitoring 

Please contact a member of our data protection team if you have any questions around the use of CCTV and monitoring data.