This week we look at a recent High Court case relating to the monitoring of employee emails and the use of CCTV. Our Elizabeth Murphy highlights the key points to note in the case of Fox v The Data Protection Commissioner, [2023] IEHC 529.
Mr. Fox was employed as an attendant at the National Gallery of Ireland (NGI) between 1990 and 2011. He signed the NGI’s IT Code of Conduct in June 2003. The IT Code of Conduct stated that the NGI could monitor emails if there was suspicion that the Code was being breached. The Code made it clear that the NGI’s computer resources were not to be used to send or receive confidential or sensitive information.
In January 2010 the NGI discovered that wine had gone missing from a storeroom where it had been placed. This incident raised serious security concerns given the value of the artwork housed in the Gallery. Covert cameras were installed in the storeroom to investigate the theft and prevent a similar offence occurring.
At the same time, the NGI were using software to monitor potential security risks to their IT systems. Keywords were entered into this software and any emails containing such words were flagged with the NGI IT department. Words relating to the NGI’s security systems were included in this word-bank.
Mr. Fox had apparently used his NGI email address to communicate with a third party who was a former employee of the Gallery’s security firm. Five of these emails and their attachments were flagged with the Gallery’s IT Department as they contained the name of the Gallery’s security firm. The flagging of these emails resulted in an internal HR investigation into Mr. Fox which seems ultimately to have led to the termination of his employment.
Mr. Fox requested a copy of all personal data relating to him from the 20 years he had worked with the NGI. The NGI provided a certain amount of this data to Mr. Fox within the required statutory timeframe and then asked him to clarify what data was outstanding. Mr. Fox never clarified what data he was still seeking.
In December 2010, Mr. Fox submitted a complaint to the Data Protection Commissioner regarding the NGI’s use of security cameras, email monitoring software and their handling of his data subject access requests.
Mr. Fox contended that the monitoring of his emails was a breach of his data privacy rights. He alleged that the only way the emails in question could have been discovered was by ‘trawling’ through his emails. The Data Protection Commissioner was satisfied that this was not the case and that the software in place identified the flagged communications. The Commissioner noted that the software employed was the least invasive method available to the NGI and that their legitimate interest in preventing confidential information passing through their systems took precedence over Mr. Fox’s data rights. The monitoring of emails was consented to by Mr. Fox when he signed the IT Code of Conduct. The methods of monitoring used by the Gallery were minimally invasive and proportionate to the legitimate aim they had of protecting the security of the State’s national art collection.
The Data Protection Commissioner accepted that the installation of cameras and the processing of Mr. Fox’s data in that context was in the legitimate interests of the Gallery. The Commissioner also found that as Mr. Fox had not clarified the position regarding outstanding data the NGI could not have been found to have violated his data rights in not providing it. Mr. Fox had made such an expansive request that clarification on his behalf was necessary.
The Data Protection Commissioner ultimately found that the NGI had not breached Mr. Fox’s data privacy rights under the Data Protection Acts 1988-2003. Mr. Fox appealed this decision to the Circuit Court which upheld the Data Protection Commissioner’s findings. Mr. Fox then appealed again, this time to the High Court. The High Court dismissed Mr. Fox’s appeal and upheld the Circuit Court’s decision.
The key findings in the case were as follows:
Mr. Fox had consented to his emails being monitored when he signed the National Gallery of Ireland’s IT Code of Conduct. The processing of his data was deemed to be a legitimate interest of the Gallery for IT security purposes.
The processing of Mr. Fox’s data via security cameras was also deemed to be in the legitimate interests of the Gallery in the context of the security of the State’s national art collection.
Mr. Fox had made a very wide-ranging data request which the NGI fulfilled to the greatest extent possible within the statutory timeframe. Mr. Fox did not direct them as to what data was outstanding, which meant that NGI did not breach the Data Protection Act 1998 in failing to provide copies of any further data.
Employers should, however, note that before processing employee data, it is important to have an appropriate policy in place and to have communicated it to employees. Employers must also carefully consider what lawful basis they have for collecting and processing different categories of employee data.
Employers who require advice in relation to employment law or data privacy issues issues can contact our Adrian Twomey.