Employee theft, fraud and stealing time from your business

Employee stealing

5 Most Common Ways Employee Theft Occurs

Small-business owners aim to hire trustworthy workers, but companies must be aware that theft will occur. Understanding employee theft requires that you look at the type of items thieves go after and the methods used to take them. Theft can have a significant impact on a small business and can even result in your business failing. Knowing the five most common ways employee theft occurs can help you develop methods to combat the problem.

Cash Theft

Till theft and employees stealing from the cash register

Employees can transfer money from cash registers into pockets when they handle sales, or they can sneak cash out of open or unsecure safes or petty cash drawers or boxes. In addition, an employee might also quote to a customer a purchase amount higher than the actual price of an item and then keep the difference at the point of sale. Once the employee has the cash, he simply walks out of your business with it at the end of his shift. Refund fraud is on the increase and can be hard to trace. 

Stock Theft

Stock taking and employee theft

Loss of inventory or shrinkage from theft can happen in the stock distribution process. It frequently occurs on the sales floor with employees hiding stock in apron pockets or on shelves behind other items to pick up at the end of their shift. It also occurs before merchandise becomes available to the public. Employees will take items from warehouse shelves or newly arrived stock before it’s scanned into your inventory software. 


Some employees pocket small items such as pens, staples or scissors slowly and repeatedly over time or take them on the day they quit before they officially resign. Others steal more expensive items such as furniture or equipment after hours when they work unsupervised overtime or after they access your business without permission when it’s closed for the day.

Payroll & Staff Productivity

Employees sometimes falsify records or perform actions that result in receipt of payment for work they didn’t do. Some employees request reimbursement of travel or other expenses unrelated to work such as reimbursement of a business lunch that was actually a personal meal. Employee thieves will also fill out time sheets with hours they didn’t work or take extra breaks and fail to deduct the time. In addition, employees can steal by taking personal phone calls, chatting with co-workers or surfing the Internet for hours instead of working.

Information Theft 

Many employees intentionally steal information from their employers to benefit themselves or competitors. Types of information include customer lists, office memoranda and proprietary product, service or other data. Theft might occur via email, or the employee might print out the information, or copy it to a flash drive or cellphone, and simply carry it from your business in hand or in a bag or briefcase.

Tillspy Prevention

That's where Tillspy can help- our systems use covert CCTV, covert audio and advanced analytics to detect employee fraud, theft and productivity inefficiencies. Employing our services usually results in increased sales, increased productivity and the elimination of problem staff.  

Tillspy stops till fraud, refund theft and all known forms of employee theft.


Data Protection and your CCTV system - Tillspy Complies

Data Protection and CCTV

The use of CCTV systems has greatly expanded in recent years. So has the sophistication of such systems. Systems now on the market have the capacity to recognise faces. They may also be capable of recording both images and sounds. 

The expanded use of CCTV systems has society-wide implications. Unless such systems are used with proper care and consideration, they can give rise to concern that the individual's "private space" is being unreasonably invaded.

Recognisable images captured by CCTV systems are personal data". They are therefore subject to the provisions of the Data Protection Acts. A data controller needs to be able to justify the obtaining and use of personal data by means of a CCTV system. A system used to control the perimeter of a building for security purposes will usually be easy to justify. The use of CCTV systems in other circumstances - for example, to constantly monitor employees, customers or students - can be more difficult to justify and could involve a breach of the Data Protection Acts


Proportionality - is a CCTV system justified?

Section 2(1)(c)(iii) of the Acts require that data are "adequate, relevant and not excessive" for the purpose for which they are collected. This means that an organisation must be able to demonstrate that the serious step involved in installing a system that collects personal data on a continuous basis is justified. Before proceeding with such a system, it should also be certain that it can meet its obligations to provide data subjects, on request, with copies of images captured by the system.

Proportionality - what will the system be used for?

If a data controller is satisfied that it can justify installing a CCTV system, it must consider what it will be used for and if these uses are reasonable in the circumstances.

Security of premises or other property is probably the most common use of a CCTV system. Such a system will typically be intended to capture images of intruders or of individuals damaging property or removing goods without authorisation. Such uses are more likely to meet the test of proportionality.

Other uses may fail the test of proportionality. For example, using a CCTV system to constantly monitor employees is highly intrusive and would need to be justified by reference to special circumstances. If the monitoring is for health and safety reasons, a data controller would need to demonstrate that the installation of CCTV was proportionate in addressing health and safety issues that had arisen prior to the installation of the system.


Proportionality - what images will be captured?

The location of cameras is a key consideration. Use of CCTV to monitor areas where individuals would have a reasonable expectation of privacy would be difficult to justify. Toilets and rest rooms are an obvious example. To justify use in such an area, a data controller would have to demonstrate that a pattern of security breaches had occurred in the area prior to the installation of the system such as would warrant constant electronic surveillance. Where such use can be justified, the CCTV cameras should never be capable of capturing images from cubicles or urinal areas.

Cameras placed so as to record external areas should be positioned in such a way as to prevent or minimise recording of passers-by or of another person's private property.

Proportionality - Recommendations

Under this principle, this Office would expect that a data controller would have carried out detailed assessments as to how the use of such equipment meets with these requirements and would have the following steps carried out and documented:

  • A Risk Assessment
  • A Privacy Impact Assessment
  • A  Specific Data Protection policy drawn up for use of the devices in a limited and defined set of circumstances only (this policy should include documented data retention and disposal policy for the footage)
  • Documentary evidence of previous incidents giving rise to security/health and safety concerns
  • Clear signage indicating image recording in operation.




Section 2D of the Acts requires that certain essential information is supplied to a data subject before any personal data are recorded.

As best practice, it is recommended that a written CCTV policy should be in place and should include the following information;

  • the identity of the data controller;
  • the purposes for which data are processed;
  • any third parties to whom the data may be supplied.
  • How to make an access request (see “Access Requests” section below)
  • Retention period for CCTV (see “Storage and Retention” section below)
  • Security arrangements for CCTV (see “Storage and Retention” section below)

Notification of CCTV usage can usually be achieved by placing easily- read and well-lit signs in prominent positions. A sign at all entrances will normally suffice. 


If the identity of the data controller and the usual purpose for processing - security - is obvious, all that need be placed on the sign is a statement that CCTV is in operation as well as a contact (such as a phone number) for persons wishing to discuss this processing. This contact can be for either the security company operating the cameras or the owner of the premises.

If the purpose or purposes is not obvious, there is a duty on the data controller to make this clear. A CCTV camera in a premises is often assumed to be used for security purposes. Use for monitoring staff performance or conduct is not an obvious purpose and staff must be informed before any data are recorded for this purpose. Similarly, if the purpose of CCTV is also for health and safety reasons, this should be clearly stated and made known.

Storage and retention.

Section 2(1)(c)(iv) of the Data Protection Acts states that data "shall not be kept for longer than is necessary for" the purposes for which they were obtained. A data controller needs to be able to justify this retention period. For a normal security system, it would be difficult to justify retention beyond a month, except where the images identify an issue - such as a break-in or theft - and is retained specifically in the context of an investigation of that issue.

The storage medium should be stored in a secure environment with a log of access kept. Access should be restricted to authorised personnel.


Supply of CCTV Images to An Garda Síochána

With regard to requests from An Garda Síochána to download footage, the ODPC recommends that requests for copies of CCTV footage should only be acceded to where a formal written (or fax) request is provided to the data controller stating that An Garda Síochána is investigating a criminal matter. For practical purposes, and to expedite a request speedily in urgent situations, a verbal request may be sufficient to allow for the release of the footage sought. However, any such verbal request must be followed up with a formal written request. It is recommended that a log of all An Garda Síochána requests is maintained by data controllers and processors.

As outlined in the audit report of An Garda Síochána conducted by the Office of the Data Protection Commissioner


“The Office considers that, given that CCTV is obtained using a specific permissive clause of the Acts, requests for downloads of CCTV footage made by An Garda Síochána to third parties should be followed up in writing at all times. Any such requests should be on An Garda Síochána headed paper, quote the details of the CCTV footage required and should also cite the legal basis for the request i.e. Section 8(b) of the Acts. ” (p.76)


There is a distinction between a request by An Garda Síochána to view CCTV footage and to download copies of CCTV footage. In general, An Garda Síochána making a request to simply view footage on the premises of a data controller or processor would not raise any specific concerns from a data protection perspective.


Access Requests

Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage. To exercise that right, a person must make an application in writing. The data controller may charge up to €6.35 for responding to such a request and must respond within 40 days.

When making an access request for CCTV footage, the requester should provide the data controller with a reasonable indication of the timeframe of the recording being sought - i.e. they should provide details of the approximate time and the specific date(s) on which their image was recorded. For example, it would not suffice for a requester to make a very general request saying that they want a copy of all CCTV footage held on them. Instead, it is necessary to specify that they are seeking a copy of all CCTV footage in relation to them which was recorded on a specific date between certain hours at a named location. Obviously, if the recording no longer exists on the date on which the data controller receives the access request, it will not be possible to get access to a copy. Requesters should be aware that CCTV footage is usually deleted within one month of being recorded.

For the data controller's part, the obligation in responding to the access request is to provide a copy of the requester's personal information. This normally involves providing a copy of the footage in video format. In circumstances where the footage is technically incapable of being copied to another device, or in other exceptional circumstances, it is acceptable to provide stills as an alternative to video footage. Where stills are supplied, it would be necessary to supply a still for every second of the recording in which the requester's image appears in order to comply with the obligation to supply a copy of all personal data held. 

Where images of parties other than the requesting data subject appear on the CCTV footage the onus lies on the data controller to pixelate or otherwise redact or darken out the images of those other parties before supplying a copy of the footage or stills from the footage to the requestor. Alternatively, the data controller may seek the consent of those other parties whose images appear in the footage to release an unedited copy containing their images to the requester

Where a data controller chooses to use technology to process personal data, such as a CCTV system to capture and record images of living individuals, they are obliged to shoulder the data protection obligations which the law places on them for such data processing. In the matter of access requests for CCTV footage, data controllers are obliged to comply fully with such requests. Claims by a data controller that they are unable to produce copies of footage or that stills cannot be produced from the footage are unacceptable excuses in the context of dealing with an access request. In short, where a data controller uses a CCTV system to process personal data, its takes on and is obliged to comply with all associated data protection obligations.


Covert surveillance.

The use of recording mechanisms to obtain data without an individual's knowledge is generally unlawful. Covert surveillance is normally only permitted on a case by case basis where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies that a written specific policy be put in place detailing the purpose, justification, procedure, measures and safeguards that will be implemented with the final objective being, an actual involvement of An Garda Síochána or other prosecution authorities for potential criminal investigation or civil legal proceedings being issued, arising as a consequence of an alleged committal of a criminal offence(s).

Covert surveillance must be focused and of short duration. Only specific (and relevant) individuals/locations should be recorded. If no evidence is obtained within a reasonable period, the surveillance should cease.

If the surveillance is intended to prevent crime, overt cameras may be considered to be a more appropriate measure, and less invasive of individual privacy.

Responsibilities of security companies.

Security companies that place and operate cameras on behalf of clients are considered to be "Data Processors". As data processors, they operate under the instruction of data controllers (their clients). Sections 2(2) and 2C of the Data Protection Acts place a number of obligations on data processors.

These include having appropriate security measures in place to prevent unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all unlawful forms of processing. This obligation can be met by having appropriate access controls to image storage or having robust encryption where remote access to live recording is permitted.

Staff of the security company must be made aware of their obligations relating to the security of data.

Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.

Furthermore, section 16 of the Data Protection Acts 1988 & 2003 requires that certain data processors must have an entry in the public register maintained by the Data Protection Commissioner. For further information, please refer to our Guidance notes on Registration. Those parties who are required to be registered and process data whilst not registered are committing a criminal offence and may face prosecution by this office. (This provision may only apply where the data controller can identify the persons whose images are captured.)



Domestic use of CCTV systems.

The processing of personal data kept by an individual and concerned solely with the management of his/her personal, family or household affairs or kept by an individual for recreational purposes is exempt from the provisions of the Acts. This exemption would generally apply to the use of CCTVs in a domestic environment. However, the exemption may not apply if the occupant works from home. [ Where the exemption does apply, a person who objects to the use of a CCTV system - for example, a neighbour who objects to images of her/his property being recorded - may be able to take a civil legal action based on the Constitutional and Common Law right to privacy.] It should be noted that recording of a public space, even partially, or when recording is directed outwards from the private setting, it may not be regarded as a ‘personal or household’ activity for the purposes of the Data Protection Acts, and this may have immediate and particular interest to drone operators and data controllers.

Reference: ECJ Ruling on household exemption  C-212/13 - Ryneš


Community CCTV Schemes

Section 38 of the Garda Síochána Act 2005, provides for the installation of CCTV systems for public security purposes under the authority of the Garda Commissioner.


Some Case Studies relevant to this topic:

The following Case Studies, which have appeared in Annual reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.

CASE STUDY 3/07- Inappropriate use of CCTV footage by Leisure Club
CASE STUDY 6/07- Data Controller breaches Data Protection Law in regard to covert use of CCTV footage
CASE STUDY 11/06- Failure to comply with an Access Request for CCTV footage
CASE STUDY 8/05- CCTV cameras on the Luas line

GDPR & your CCTV system

Make sure your business is compliant with the new legislation regards data protection & cctv systems.

At Usee we can provide a comprehensive service to ensure your business complies with the new GDPR rules. 

Our Services include the following and can be curated to suit your individual business needs.


Annual CCTV Audit & Risk Assessment

Annual audit is carried out on your CCTV systems to ensure compliance with the GDPR. All cameras are itemised, categorized , intended viewing areas and the purpose of the surveillance.

Password Policy

Six monthly change of all CCTV passwords/ online passwords. Best practice password use controlled by Usee.

Cyber Security & Firmware/Software updates

Full site asset list with all sites monitored and updated to latest firmware and security patches as required and recommended by the manufacturers of your systems. 

CCTV Footage Retrieval - Data Controller

Usee controls all video evidence requests and becomes the Data controller for your business. All footage requests are dealt with and approved by usee, including law enforcement requests. Full audit trail of evidence retrieval, Cloud storage & full locked down off site backup - All footage is stored in the jurisdiction.  


Full report to comply with your data policy at year end on all footage retained, shared and provided to the Gardai or other government agencies.

Our services are offered in conjunction with Redactus Privacy Limited 

Contact us for more information on 01-8400300 or by email to info@usee.ie

Do you want to demo CCTV?






A full demonstration of our Tillspy software in action - demonstration of keyword search, video review and key fraud indicators.


Find the camera in our covert video room - view a selection of HD covert camera's and applications- see real world video, search and playback. 


Find the audio recording mics in our covert audio room - listen to high definition audio with crystal clear playback- fast search and retrieval of audio of interest.


View and interact with a selection of high definition cameras recording in different light conditions / frames and resolutions. View from 720P high definition up to 4K resolutions and view on our interactive 4K displays. Get to move, point and view the very latest PTZ tech from Avigilon. 


See real live world demonstration of our video analytics suite - view people & car detection alerts with different actionable rules. Check out abnormal behaviour detection, loitering detection and the very latest appearance search. Its self learning and powered by the most powerful surveillance platform in the world in our opinion.  


Get a full demonstration of our thermal counting software - see our audit room, calibration and analysis servers. Learn how we can provide counting data and interpret that to see how a store is performing with different managers.


Get a demonstration of our surveillance healthcare software - know if cameras have been obscured, moved, disabled or tampered with.  Full poling of all your surveillance infrastructure. 24/7 reporting with automated intelligence. Hard drive testing with recording integrity analysis. 


See how effective automatic number plate recognition can be for your business. Search by plate number, quickly retrieve footage of all cars of interest when combined with our analytics offering. Get to use and play with the system in our starpoint control room.


Get and see a working demonstration of our wide area microwave network with remote camera control and interrogation.


See how to effectively store vital evidence long term with easy retrieval when required on our secure platform. 


Make sure business is compliant and get a working demo of how we provide data controlling services for our client. See how our video redaction service operates end to end. 


Conveniently located at Usee HQ just north of Dublin International Airport in Redleaf Business Park, Donabate. Visiting is strictly by invitation and appointment only.  

phone us on 01-8400300

Is camera selection important?

Important considerations when choosing the right camera for the right application


#1. More pixels equal better picture quality

More pixels = better picture quality, looks correct, it’s a common misconception among users and even some security professionals. They are inclined to think the image quality of a 5 megapixel camera must better than image quality of 3 megapixel camera. However more consideration needs to be given to the area to be covered, the lighting levels throughout a twenty four hour period and the quality of the brand used. 

#2. A 4 megapixel camera is the same as two 1080p megapixel cameras

Although a 4 megapixel camera covers an area twice as large as a 2 megapixel camera, using HD megapixel cameras can reduce the total number of cameras. Any camera regardless of resolution will cover the same area, the viewing angle is determined by site survey and lens selection, but not the camera type. Its important to design your system using the right resolution, lens type and lux factor. 

#3. High Megapixel cameras perform better in low light

Typically, a 5 megapixel camera’s low light performance is poorer than the low light performance of 3 megapixel camera. So for a poor lit environment, it’s recommended to use the 1.3 - 2-3 megapixel network camera with a low light performance of  (0.001Lux). If you are looking at low light environments - lux is the most important setting.

#4. All pixels are created equal, 2 megapixel in one brand is the same as 2 megapixel from another brand.

The resolutions of camera vary by manufacturer, and are also affected by: the type of image sensor thats employed, CMOS image sensor S/N ratio, image sensor size and type, sensor’s sensitivity, the lens, and the processing capability of image signal processor. A high quality camera from Avigilon will almost certainly have better image reproduction than a low quality cameras from another manufacturer- pixel for pixel.

Every situation is a bespoke design for the engineers at Usee. The right camera is always chosen to suit its application and use. Talk to us in confidence and get the right solution and evidence now.

Tillspy 01-8400300 Part of Usee




Is your business a victim of employee theft at your tills?


Tillfraud happens - Tillspy stops it.

If you think you have a problem with Staff theft - You do

Categories of till fraud  –

Sweet Hearting
An accomplice ‘sweetheart’ presents expensive items for purchase. The till operator rings up the items but at a lower price, or the till operator fails to register the items altogether. This type of loss shows up later as ‘stock shrinkage’. You may put it down to simple shoplifting.

No Sales / Void
‘No sales’ purchases accumulate a cash surplus in the till, which is then removed by the end of shift. ‘No sales’ should be exceptional items and should be checked, in particular towards the end of the shift. This however makes heavy demands on management times - which gives rogue staff the opportunity they are looking for. Voids are a variation of ‘no sale’, with a genuine purchase cancelled after the client had left the premises. The surplus is removed from the till at the end of the shift.

Returns and Refunds
Items of stock are removed from the shelves in a food store and presented to the check out for refund. Cash is paid to an accomplice (sweetheart) or to the till operator. Alternatively an accomplice finds a receipt from the store and returns to cash out. 

Substitute Scanning
Where checkouts are equipped with bar-code scanning devices, the operator passes two items over the scanning device at one time so that only one item is recorded, (normally the low value item) 


Our Tillspy service merges high definition CCTV with your till traffic - search all transactions of interest - see every void, refund in seconds - we provide the most powerful search software with ease of use. 

Our system is suitable for all retail stores, forecourt operators and sits quietly on your network with no connection at the operator Till meaning it cannot be interfered with. 

Contact us in confidence for a full demonstration of what Tillspy can do for your business. 

Phone 01-8400300 or use the contact template at www.tillspy.com/contact/