Surveillance webinar Wednesday 3 May 12pm
Surveillance Webinar Thank you very much to everyone for joining our surveillance webinar today. Surveillance is a big feature of the regulatory work we do under the Data Protection Act. The Information Commissioner’s role is to regulate the processing of personal data that is obtained by cameras. The Information Commissioner has powers to handle complaints and take enforcement action. We also work closely with the office of the Surveillance Camera Commissioner whose role was created under the Protection of Freedoms Act 2012. The role of the Surveillance Camera Commissioner is to encourage compliance with the Surveillance Camera Code of Practice and review its operation and impact. We will talk about this in a bit more detail shortly.
The UK is recognised as a leading user of CCTV – but surveillance has grown much wider than just the use of a CCTV camera on top of a pole. The technologies in use now are much more sophisticated operations using digital and, increasingly, portable technology. The use of Automatic Number Plate Recognition (ANPR) is now commonplace and body worn cameras are being used routinely by organisations, such as the police. It is also common for many technologies to enable audio to be captured as well. No matter how familiar we are with CCTV, and how much we might expect to see cameras in operation, it is still an intrusion on people’s privacy and needs to be carefully thought through. The use of surveillance cameras has aroused public concern due to the wider use and capabilities of these technologies. They are no longer being used solely to keep people and their property safe, but are increasingly being used to collect evidence to inform other decisions. Whilst we recognise that surveillance technologies have many benefits to organisations, it is also important that organisations are aware of these public concerns and recognise that surveillance technologies can be privacy intrusive.
It is therefore essential that the benefits of using any form of surveillance are balanced against the privacy of individuals. We have concerns that privacy and information governance are often an afterthought, or in some cases, not considered at all. It is important that privacy and information governance are properly considered right at the very beginning. This will help to ensure that the schemes you implement are appropriate for the purpose and compliant with the law. We are here to hopefully explain what key information governance issues you should be considering and the tools and resources available to assist you in the process. The webinar will focus on organisations’ use of surveillance technologies, covering some of the key governance and compliance considerations to ensure you are following good practice. We have also included some case studies to help demonstrate both good and bad practice and will also look at the new data protection reforms coming into effect next May and what impact these could have on any surveillance you are using or considering implementing. Benefits Privacy
The eight data protection principles Surveillance technology will often capture personal data. Consequently you will be processing personal data and will need to comply with the Data Protection Act principles as highlighted here. If you are considering implementing any new surveillance technologies within your organisation you will need to ensure that they are appropriate for the purpose and justified. I am now going to hand over to Andy who is going to go through some of the key information governance issues you should be considering to ensure that any schemes you implement are justified and compliant with the law.
Privacy impact assessments - a risk based, proportionate approach When? Why? What? AT THE VERY BEGINNING IDENTIFY RISKS & MITIGATE NOT JUST A CHECKLIST To help you get it right we recommend that you do a Privacy Impact Assessment. This isn’t a legal requirement at present, but is highly recommended. Certainly if we are asked to investigate a case involving surveillance technology, we will ask you to justify your solution and a PIA would be the easiest way of doing this. We’ve put some key points about PIAs on the slide. Firstly, a PIA isn’t just a checklist to tick off and forget about, it’s a really useful document which can help you to ensure your systems are DP compliant. Secondly, it’s important to start your PIA early in any development work. You won’t have all the answers early on, but it will allow you to identify whether you have privacy questions to consider. Thirdly, it’s there to help you to identify any privacy risks and mitigate for them. The PIA helps you think about how well your solution complies with the DPA but also encourages you to consider whether you need to use surveillance technology or if there is a better way of meeting your requirements. Some questions to consider: What’s the problem you’re trying to resolve and why is using surveillance technology necessary to achieve this? What’s the minimum intrusion necessary? What further safeguards are needed? And how will you review the system to see if your objectives have been met?
ICO code of practice Designed to help those who use surveillance cameras to collect personal data to stay within the law. https://ico.org.uk/media/for-organisations/documents/1542/cctv-code-of-practice.pdf This is a good time to introduce the ICO’s ‘CCTV’ code of practice – updated in 2015 - to take account of a number of things: Firstly, surveillance capabilities had increased enormously since the previous code of practice published in 2008. It introduces some considerations about Privacy by Design and the use of PIAs – not just what you are doing, but how. For example, where do you site the cameras and does the device have the ability to turn off / mute independently? The code also gives advice about complying with the data protection principles, including considerations when using a data processor. It also includes information about the role of the Surveillance Camera Commissioner. So what are the issues that we recommend you focus on?
Continuous recording Firstly - Continuous recording This is one area that needs to be carefully considered and justified. You need to think about whether it’s appropriate to keep the cameras operating at all times, or are there any circumstances in which the recording should be stopped? An example could be if you have cameras operating in a public area but there are times when the area is closed to the public and staff may still be present. It all comes back to the reasons for installing the cameras.
Use of audio Use of audio is another area you need to think carefully about. This is likely to be more invasive, so again, you need to think about which circumstances make it appropriate to start audio recording and ensure your solution allows you to switch this on/off independently.
Have you told individuals what you’re doing? https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control A very important question here - is your processing fair? This is very much about transparency and we have another code of practice to help here. In the context of traditional CCTV, this would usually mean making sure you have signs up alerting people to the fact that cameras are in operation and who is responsible for them. It should be explicit and prominent, and explain who owns and manages the cameras. You also need to let people know where they can find more information – typically a website address. It’s more difficult to provide fair processing for mobile technologies such as BWV, but there are things you can do. Operators should have some indicator, for example on a uniform to say that a camera is in use. You also need to consider how to provide more information. Policy advice is available on our website etc, but think about some publicity when you introduce a scheme, or reminders when you send out council tax letters etc. You can also include reference to the use of technology in press stories, for example, “we investigated the complaint using evidence collected by the BWV camera worn by the operator….” and include a link to the website. To satisfy the DPA’s first principle, processing also has to be reasonable – just providing fair processing isn’t enough – as mentioned earlier, a PIA will help you consider this. The code of practice makes clear, you must be able to justify any processing that you are planning and satisfy yourselves that it is proportionate and necessary. In addition, public authorities must consider their obligations under the Human Rights Act, so solutions need to be a proportionate response to a pressing social need. Organisations don’t always get this right and we have taken enforcement action in a number of cases against what we considered disproportionate solutions.
Personal data must be kept securely. There are two main aspects to this for surveillance technologies. Firstly, there’s routine surveillance activity which is used predominantly as a deterrent but sometimes used for detection purposes. This is often only reviewed when looking for evidence and much of the footage will never be accessed before being deleted in line with business retention periods. You must have secure storage solutions and appropriate access controls to ensure only specified individuals can access the data when it’s necessary. Where the footage is accessed to identify or investigate incidents, you will need to have different arrangements to retain this information for as long as necessary. Then you have data which is captured during an incident. This is more likely to be where the recording has been activated for a specific purpose in response to an incident. This sort of data will most likely need to be reviewed to determine whether it is of further use. You will need to think about how you do this and then all of the other DP considerations including retention periods, access controls, and disclosures. Principle seven – security Appropriate technical & organisational measures
Other considerations What else do I need to consider? governance disclosures The next thing to mention is governance. I mentioned the ICO’s ‘CCTV code of practice’ earlier. There’s a whole section on governance. There are lots of questions to answer. As we’ve said, it’s very important to ensure that you clearly understand what the system is to be used for, and when you will collect information – is there a permanent feed or is it triggered by activity, or noise, or a panic button? Who has access to the information; have you got adequate procedures in place to manage the data; how to check these are followed and kept up to date. Another thing to consider is whether you use a data processor to handle the data, and if so, are their responsibilities clearly set out in a contract? Governance is especially important when implementing a shared or partnership scheme. It is sensible to develop a data sharing agreement to clearly identify the responsibilities of all parties in relation to the data collected. The last thing to mention in this section is disclosures. These are covered in the governance section of the code of practice, but are worthy of a separate mention because of some particular considerations. First of all, you will need to consider requests from individuals for their own personal data. I mentioned fair processing earlier – you must provide people with the details of how they can get access to footage if they want to request it.
You will probably also need to think about how you can redact or blur the images of other people where appropriate and make sure your system allows you to do this. However, this needs consideration, because in some cases it may be reasonable to provide third party information. Some other things to consider are: - How do you locate the personal data of the requestor? What processes do you have in place to confirm their identity? How do you stop data being deleted in line with your normal retention period if a subject access request is made? Finally, you will also need to consider how you deal with requests for footage from third parties such as the police and when is it appropriate to provide this, and public authorities might also receive FOI requests, so will need to know how to deal with these.
Case Studies We’re now going to look at some examples of both good and poor practice to bring life to the compliance points that we have made. The ICO recognises the potential benefits of surveillance camera systems but the personal data obtained by these systems must be handled in a way that is compliant with the law. These examples are based on cases where the ICO has engaged with data controllers using surveillance camera systems.
In this first case study, drivers working for a haulage company reported concerns to us that inward facing cameras were continuously recording audio and video of them as they worked. The company hadn’t consulted with drivers or demonstrated the justification for installing the cameras. No PIA had been carried out. These were aggravating factors in the decision making when we took enforcement action against the haulage company.
The use of surveillance technologies must be proportionate. This reflects the 2013 Tribunal ruling in the case of Southampton City Council v the Information Commissioner regarding the policy to require all taxis to be fitted with a CCTV system that included continuous audio recording. The ICO had issued an enforcement notice in 2012 that was challenged by Southampton City Council. The subsequent judgment noted that in this semi private space it would be likely that individuals could be having conversations about sensitive topics, for example related to health which is defined as sensitive personal data in the Data Protection Act. The judgment did not see why anyone should be forced to modify their behaviour because of continuous audio recording and ruled in favour of the Information Commissioner. It is understood that a pressing social need can justify some surveillance in taxis, but this should be proportionate to that need, for example using a system where recording can be activated by a panic button or similar when needed.
Good Practice We’ll now move on to examples illustrating good practice.
The first example is about the use of body worn video in classrooms. In one example we are aware of, consultation with affected parties was carried out, namely pupils, teachers and parents. Consideration was also given to the reasons for cameras being used. These should reflect a specific need. For example, are they being used to target problems with aggressive behaviour, or to monitor performance? These are two entirely different purposes and individuals being recorded should be consulted and subsequent use should be clearly explained. Alternatives to cameras should also be considered in order to tackle problems. Additionally, thought should be given to whether they are being used as a deterrent, or as an evidence gathering tool. Effectiveness should be monitored throughout the lifecycle of the cameras to ensure that recording remains justifiable.
This example illustrates the importance of planning. A shopping centre was planning to deploy facial recognition technology for crime prevention and detection purposes. They would maintain a database of known or suspected offenders and use these to build facial profiles within the facial recognition system. After some engagement with the ICO, and reflecting on this in more detail, more detailed consideration was needed in order to understand the retention of images and to determine whether this would be lawful. Data minimisation should be an active part of the planning process and this will become increasingly relevant. Additionally, the shopping centre is working on effective ways to communicate the process to shoppers and staff. The shopping centre has committed to undertaking a PIA and has recognised that a DPIA would most likely be required under GDPR (more on this later). They understand that the use of facial recognition could be viewed as disproportionate in some circumstances and that this could cause reputational damage.
Remember that recording in homes or other sensitive places such as toilets, changing rooms, hospitals, religious institutions is likely to be particularly intrusive. This means that the justification for recording should be significant when balancing whether recording can be justified. Remember the slide with the scales at the start of the webinar. In a recent case, the organisation’s staff were instructed to record in every case when they visited the homes of clients. After more detailed consideration, the data controller was able to see that visits to certain clients were higher risk than others so the policy was modified. This is another example that illustrates that blanket or continuous recording is seldom justifiable.
Compliant use of surveillance What’s the purpose and would you be capturing images you actually need? Can (only) the appropriate people have access to it? Is there an alternative to surveillance? How do you provide fair processing to clearly explain that recording is taking place? How long are you holding the footage for? So just before we move onto the DP reforms – we’re just going to do a brief re-cap of the key points. PURPOSE & JUSTIFICATION You need to be clear about the purpose for recording. Crime prevention or deterrent is a different purpose to gathering evidence so you You need to ensure that the proposed surveillance technology is a justified, proportionate and necessary solution to the purpose and be able to evidence it is the most appropriate solution. RETENTION Information should only be held for as long as is necessary. Will the footage be covered under the usual business retention periods or will you need a separate retention schedule to cover the surveillance footage you are collecting? ACCESS CONTROL & SECURITY Ensure that you have secure storage solutions and appropriate access controls so that only specified individuals can access the data where appropriate and necessary. Also ensure that there are procedures in place for individuals to access their data under subject access should they request it. FAIR PROCESSING Transparency is key to public trust. Making sure that you have provided clear signage to tell people that footage is being recorded and that individuals know where they can obtain further information should they wish. As we have mentioned earlier, the key starting point in considering and addressing any governance and compliance issues is undertaking a PIA. Is the footage and system secure?
An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. PIAs are an integral part of taking a privacy by design approach. As Andy mentioned, the PIA process should not be seen as a tickbox exercise. A properly thought out PIA will encourage you to consider whether you need the proposed surveillance technology and will ensure that it is justified and complies with the law. We have a privacy impact assessment code of practice that explains the PIA process and the kind of questions you can be answering to produce a detailed and considered assessment. https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
I mentioned at the beginning that we have concerns that privacy and information governance are often an afterthought, or in some cases not considered at all when organisations are implementing surveillance technologies. The last thing an organisation wants is for their surveillance project to be placed on hold because they have failed to undertake a PIA and adequately consider the necessity and privacy implications. We are aware of this happening. This is an approach that we have been working to change - It shouldn’t be have we done a PIA, but instead a proactive approach of let’s do one right at the very beginning and get this right!
This is a good time to talk about the work and the role of the Surveillance Camera Commissioner. As we’ve said, the ICO and the Surveillance Camera Commissioner’s office work in co-operation with each other. The Surveillance Camera Commissioner promotes efficient and effective use of surveillance camera systems, including technical standards. The Information Commissioner’s role is to regulate the processing of personal data that is obtained by cameras. The Information Commissioner has powers to handle complaints and take enforcement action. The Surveillance Camera Commissioner has developed bespoke tools for surveillance operators ranging from self certification to full third party certification to help organisations demonstrate that their surveillance camera systems comply with the Surveillance camera code of practice. If you’re complying with that code, although not a guarantee, it will help you to comply with the requirements of data protection legislation when using surveillance cameras. The Surveillance Camera Commissioner’s self assessment tool is available online to help organisations that use surveillance cameras identify if they are complying with the code. Organisations can assess what they are doing well and develop an action plan to improve any areas that fall short of compliance. Once completed, organisations are encouraged to publish the action plan. Following on from the self assessment tool, the Surveillance Camera Commissioner has developed a 2 step certification process which is delivered by bodies and accredited by the United Kingdom Accreditation Service. The certification process is available to any organisation that operates surveillance cameras in a public space. This could be a small or large organisation that wants to show compliance with the code and demonstrate good practice. Step 1 – desktop certification Step one certification is valid for one year.
It involves completing and submitting the self assessment tool and other related documents such as privacy impact assessments and so on to a certification body. The completed form and documents will then be audited by the certification body who may contact you for more information before recommending your organisation to the commissioner for step one certification. Step 2 – full certification Step 2 certification is valid for five years, subject to an annual review of your system. The full certification process involves an auditor from an accredited organisation visiting your control room to audit your system, cameras and procedures. They work with a check list against the 12 guiding principles in the code. As long as you do not have any serious non compliance issues the auditor will produce a report for the Commissioner recommending full certification. In some cases you may be asked to make changes or put measures in place to address certain issues before you achieve certification. If you are recommended for certification, you will be issued with a certificate of compliance from the commissioner and will be entitled to use the commissioner’s certification mark throughout the five year period subject to your annual review. Certification should reassure the public that a surveillance camera scheme is there to support them and not to spy on them. You can find out more information about self assessment and certification on the Commissioner’s website. <SEE WEBSITE> Also of interest here is that the Surveillance Camera Commissioner launched a national surveillance camera strategy for England and Wales in March. It’s a comprehensive strategy that touches on many areas of surveillance camera use – police and local authority, installers and manufacturers, training providers and regulators – and how the use of surveillance cameras impacts members of the public.
The strategy will provide the Surveillance Camera Commissioner with a robust and transparent framework to fulfil his statutory functions as set out in the Protection of Freedoms Act, and will inform his annual report to the Home Secretary. https://www.gov.uk/government/organisations/surveillance-camera-commissioner
Data protection reforms Looking forward to data protection reforms that will take effect from May 2018 – the General Data Protection Regulation and new legislation for law enforcement. For the purposes of Law Enforcement, please be aware that there will be separate legislation established for cross border and domestic policing. Focussing now on the GDPR - As most of you will know, most of the data protection principles and fundamentals don’t change significantly so the things we’ve already talked about still apply, but the GDPR does introduce some important changes that we cover on the next few slides.
Implement data protection by design and default (Art 25). Pseudonymisation Transparency Data minimisation This is a new requirement to embed privacy by design into your organisation. Article 25 makes it an explicit requirement rather than good practice. Example measures include pseudonymisation and transparency – data minimisation is an explicit requirement (only data necessary for each specific purpose are processed). When considering data protection by design you should take into account available technology and the cost of it, as well as the nature of the data and scope of your processing - and the resulting privacy risk to individuals.
Use data protection impact assessments where appropriate (Art 35). Necessary where: the processing is likely to result in a high risk to the rights and freedoms of individuals, especially where the processing activity involves the use of new technologies; where processing involves a high level of profiling, or large scale use of surveillance; where processing involves large scale processing of special categories of PD, or data relating to crime. A key measure of a data protection by design approach is the data protection impact assessment. These will be mandatory in certain circumstances. Of particular relevance today is the use of new technologies, large scale use of surveillance and processing personal data relating to crime. A DPIA must cover: the purpose of the processing; risks to individuals’ rights and freedoms; mitigations to risks; assessment of necessity. In some cases you must seek prior approval from the ICO before processing starts so that we can assess whether measures identified are sufficient. Suggested actions: Review project/change management processes – ensure PIA/DPIA is built in. Reinforce through training – privacy by design principles.
Security requirements Pseudonymisation and encryption – specifically mentioned as security measures. You must be able to ensure the confidentiality, integrity, availability and resilience of your systems. The ability to restore the availability of and access to data in a timely manner. Have a process to test, assess and evaluate the effectiveness of the measures you have in place. GDPR has clear security obligations for both data controllers and data processors. Article 32 requires technical and organisational measures, and an appropriate level of security based on risk. It takes account of “state of the art” and cost of implementation. Measures include: Points on slide. When assessing what measures are appropriate you must take into account the risks presented by the processing - this risk assessment should be covered when doing the DPIA.
When using processors, their processing must be done on the basis of a contract. Data processors must provide sufficient guarantees to implement appropriate technical and organisational measures. Cannot use sub-processors without specific prior agreement of the controller. Again, it’s not really very different in approach from the DPA, but contains more specific requirements. One extra consideration is that data processors can be held liable for data breaches if they are acting outside or contrary to the lawful instructions of the controller – see Article 82. This will allow the ICO to take action against the data processor where appropriate. It’s well worth both data controllers and data processors checking details of existing contracts to ensure they are sufficiently detailed.
Another important security requirement is the duty to report data breaches. Article 33 states that breach reporting becomes a duty for everyone – the first notification of a breach should be generally made within 72 hours. If a data processor discovers a breach, they need to notify the data controller “without undue delay.” You also need to consider whether to inform individuals affected where the risk is high.
Designation of a DPO Article 37(1) of the GDPR requires the designation of a DPO in three specific cases: a) where the processing is carried out by a public authority or body; b) where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences. Article 37 also applies to processors. Data protection officers are mandatory for certain organisations, as explained on the slide. It is important to note that this applies to data processors as well as data controllers. Data controllers who contract out surveillance activity to a data processor should check that the data processor has a sufficiently experienced DPO.
ico.org.uk/dpreform
Any Questions? Helpline: 0303 123 1313 Keep in touch by subscribing to our e-newsletter at www.ico.org.uk or find us on… www.twitter.com/iconews