Disclosure of CCTV Footage: A Data Protection Commissioner Case Study

Alison Kelleher, Partner at Comyn Kelleher Tobin (CKT) outlines a case study from the Data Protection Commissioner following the disclosure of CCTV footage. 

The Data Protection Commissioner, Helen Dixon released her final annual report in December 2018. The report covers the period of 1 January 2018 to 24 May 2018 at which point the office of the Data Protection Commissioner ceased and the new Data Protection Commission (DPC) was created under the Data Protection Act 2018, which also gave effect to the General Data Protection Regulation (GDPR) in Ireland. 

The DPC report contains a number of interesting case studies, one of which detailed a complaint received from the solicitor of a resident of a direct provision accommodation centre, C who alleged that there was a disclosure of CCTV footage containing a recording of C disclosed in contravention of Data Protection Legislation.

The concern arose when a radio host claimed that he had in his possession a copy of CCTV footage which allegedly showed an altercation between C and another resident of the direct provision centre inside the centre. C made a complaint to the Reception and Integration Agency (RIA), the State Agency responsible for the accommodation centre in question. Within that complaint, C included an access request seeking a description of all recipients to whom the C’s personal data had been disclosed, pursuant to the Data Protection Acts 1988 & 2003. It was submitted to the DPC that the RIA never responded to that access request.


The RIA & Aramark’s Actions

The centre was managed on a day-to-day basis by Aramark Ireland, who in this case were the data processor on behalf of the RIA. Aramark acknowledged that footage of the incident had been downloaded by authorised personnel within Aramark and had been transmitted to the RIA by Google link due to the size of the file.

Aramark conducted an inquiry in relation to the complaint and found that no activity indicating disclosure of the footage to any third party had been identified. It was submitted that all authorised personnel had denied disclosing the footage and that the footage had been deleted following transmission to the RIA. The RIA had also not retained a copy but did confirm that the footage did relate to C.  Ultimately, however, neither Aramark nor the RIA were able to definitively confirm that the footage in question had not been disclosed to the radio station. Upon furnishing the DPC with documentation, including Aramark’s data protection and CCTV policies, the DPC found that there were no policies or practice documents in place for the management of CCTV operation in accommodation centres.


The DPC’s decision

The DPC ultimately decided that the RIA had acted in direct contravention to the Data Protection Acts 1988 & 2003 by not responding to the complainant’s request for a description of all recipients to whom the personal data was disclosed within the prescribed timeframe of 40 days.

The DPC also found that the RIA had failed in their obligations as a data controller, due to absence of a written contract in place which set out the respective obligations applicable in relation to the processing of personal data by Aramark on the RIA’s behalf. While the DPC was unable to establish how the footage came into the radio station’s possession, they nonetheless found that the complainant’s rights were infringed and that both the RIA and Aramark failed in their duty to the complainant in failing to ensure that appropriate security measures were taken against the unauthorised disclosure of his data.

They also found that the RIA had acted in contravention of their obligation to take reasonable measures to ensure that its employees and other persons at the place of work were aware of and comply with security measures. This finding stemmed from the lack of agreed procedures and in-depth policies in place between the RIA and Aramark relating to the transfer of personal data over a network.



DPC’s annual report highlights the unintended and unforeseen consequences which can result from an absence of clear, documented policies and procedures governing the transmission of personal data over a network. It also highlighted the requirement for a written agreement in place which clearly set out the parameters of data controllers and those engaged to process personal data on behalf of data controllers.

The DPC concluded that such failures “are not just administrative or regulatory breaches but can result in grave incursions into an individual’s Charter protected right to protection of their personal data which otherwise should have been avoidable”.