Council held in data protection breach for surveillance of sick employee

A local authority has been found in breach of the Data Protection Act for carrying out covert surveillance of a sick employee on what the Information Commissioner’s Office (ICO) decided was inadequate justification.

Caerphilly County Borough Council in Wales has been warned to follow the ICO's Employment Practices Code in future, after the ICO determined that it did not have sufficient grounds to undertake the surveillance, especially where the absence had at that stage lasted just four weeks.

The surveillance was only authorised on anecdotal evidence, and no other measures were taken to discuss the employee’s absence before the decision to use the covert surveillance was taken. The report, which was produced by a third party company, was never used.

Anne Jones, Assistant Commissioner for Wales, said: “It shouldn’t need to be said that spying on employees is incredibly intrusive and must only be done as the last resort.

“Organisations need to be absolutely clear why they need to carry out covert surveillance and consider all other alternatives first. If it cannot be completely justified, it shouldn’t be done.”

The ICO accepts in exceptional circumstances that covert surveillance of employees can be justified. The employer however must be satisfied there are grounds for suspecting criminal activity or equivalent malpractice and that notifying the individuals would prejudice prevention or detection. Covert surveillance should be used as a last resort when alternatives which respect the employee’s privacy have been considered and determined as not appropriate.