The rights of a resident in one of the State’s direct provision centres were breached by the Reception and Integration Agency and the contractor running the centre after CCTV footage featuring the resident was allegedly disclosed to a radio station.
The case study is featured in the annual report of the Data Protection Commissioner published on Friday. The report covers the period from January 1st to May 24th, after which a new EU data protection enforcement regime took effect.
A complaint was made to the commissioner from solicitors for a resident of a direct provision centre in relation to an alleged disclosure of CCTV footage capturing the complainant’s images.
The accommodation centre in question is owned by the State, with responsibility for it resting with the Reception and Integration Agency (RIA) which sits within the Department of Justice and Equality.
The centre is managed on a day-to-day basis by Aramark Ireland.
The alleged disclosure of the complainant’s personal data came to her attention during her participation in a radio programme, the commissioner’s report said.
“The subject matter of that radio show concerned a matter that had arisen between residents of the accommodation centre and its staff. During the course of the radio programme, the radio host claimed that he had a copy of CCTV footage, which was apparently taken from a room in the accommodation centre, which allegedly showed an altercation between the complainant and another resident of the direct provision centre.”
The complainant subsequently made complaints to RIA, to Aramark and to the radio station. They also sought details of all recipients to whom their personal data had been disclosed, but the unidentified reception agency did not respond.
Aramark told the commissioner’s investigation team that authorised personnel had downloaded the CCTV footage and transmitted it to the reception agency. It maintained that the Google Drive link with the footage had not been sent from any Aramark account to a party other than the RIA.
The commission said the agency had acknowledged during the investigation that “there were no policies or practice documents in place for the management of CCTV operating in accommodation centres”.
“Ultimately neither Aramark nor the RIA were able to definitively confirm that CCTV footage in question had not been disclosed to the radio station,” the report said.
The commissioner found the RIA had contravened its obligation to respond to the complainant’s request for their data.
It also found that the agency had contravened data protection legislation by failing to have a written contract in place delineating the respective obligations of the RIA and Aramark in relation to the processing of personal data by Aramark on the agency’s behalf.
“Although the DPC was unable to establish how the CCTV footage in question came to be in possession of a radio station, the DPC found that ultimately the complainant’s rights were infringed,” the report said.
The commissioner said such failures by a controller to comply with its data protection obligations were “not just administrative or regulatory breaches” but could result in “grave incursions” into an individual’s fundamental right to the protection of their personal data.
The investigation does not make reference to whether the radio station was asked about its use of the footage. However, journalists have exemptions from the normal data protection rules when they process information for “journalistic purposes”.