CCTV and Surveillance October 2016.

Presentation transcript:


As you will probably know, the Data Protection Act 1998 (DPA) is the legislation that applies to the processing of personal data, including personal data that is recorded by surveillance camera systems. The focus of this presentation is around decisions regarding the recording of people, how they are informed about it and how their data is looked after. It is the responsibility of the data controller to ensure personal data is processed in a way that is compliant with the DPA. The definition of personal data is broad: it is any data that can lead to the identification of an individual. This can be obvious, like a name, address or a face but it can also be a number plate or a piece of clothing. It is up to the data controller to work out what is personal data based on context and other information that is available.   The framework for the DPA is its eight legally binding principles. The definitions for each of these principles appear on this slide.

So, what is good practice?

Privacy Impact Assessments (PIA); Robust message; Transparency

The DPA requires that the Information Commissioner publishes codes of practice that can support data controllers in being compliant with the legislation and provide practical advice on good practice. The third revision of the ICO’s CCTV code, In the Picture, was published in late 2014. The code recognises that surveillance capabilities are constantly increasing and expanding and takes a more robust and specific view on certain points, for example, when recording audio and when handling requests from individuals for a copy of their data. It also includes specific guidance on BWV (Body Worn Video), ANPR (Automatic Number Plate Recognition) and drones. The CCTV code also urges data controllers to adopt a privacy by design approach, for example, the ability to turn off or mute audio. Before a camera is even purchased, data controllers should think about the reasons for using them. Proportionate processing should not have any greater effect on private interests than is necessary for achieving its purpose. Data controllers should have a clear understanding of what they are trying to achieve by using cameras and be able to justify the privacy intrusion. They should also consider how the effectiveness of CCTV use can be demonstrated, i.e. is the quality of the recording sufficient to address the purpose? Remember there are big differences between managing deterrents and managing tools for detection, and part of the process should be to consider what alternatives are available.

It’s interesting to consider the difference between deterring crime and investigating it. This informs approaches to take and whether surveillance is needed.   Let’s take the example of litter: People may be more likely to stop dropping litter if more litter bins were installed or there was a sign asking them not to drop litter with a reminder about the penalties, rather than cameras being installed. Signs and bins may stop litter being dropped in the first place whereas cameras are more likely to be effective in showing who dropped the litter after the event but the litter was still dropped. Remember also that part of the process should also be to consider whether the level of the problem can justify the privacy intrusion. The ICO isn’t saying whether or not surveillance technology should be used, but if it is, it needs to be done in a compliant and fair way, that is tackling a pressing social need.

An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. PIAs are an integral part of taking a privacy by design approach. You should do a Privacy Impact Assessment if you are starting a project that involves the processing of personal data in a new way that may have an impact on individuals or risk breaching the DPA. PIAs can: help you manage the compliance risks involved with using the surveillance system to address a particular purpose; enable you to anticipate where challenges lie and may avoid costly mistakes; and be used as a tool for transparency. PIAs are not yet mandatory but are increasingly being recognised as good practice and when new DP law is introduced by EU member states in 2018 they will have a mandatory role. Each project will be different but essentially data protection and privacy should be addressed throughout the project lifecycle rather than being bolted on as an after-thought or ignored altogether. The ICO has published a code on PIAs and the Surveillance Camera Commissioner has also done work in this area, specifically around surveillance technologies, as a PIA is likely to be appropriate if a new system of recording is introduced, i.e. BWV or facial recognition. Other examples that could trigger a PIA are if the location for the surveillance system changes or if different security measures are introduced.

Describes the project, what it aims to achieve, impact on privacy; Internal/external stakeholder engagement; Data flows, DC responsibility; DPA (and HRA) compliance check; Identify risks, solutions, accept or not

A PIA should be about identifying privacy solutions. It should be completed by those who can advise on practical implications as well as those with data protection expertise – senior management buy-in is key to the success of a PIA.

The redaction of third party data in subject access requests is a known risk area for compliance with the DPA. If you are recording footage of individuals, they are entitled to ask for copies of the footage that includes their personal data. Before it can be provided to them, it may be necessary to redact information that would lead to the identification of third parties, probably through pixelation, and probably by someone who can use specialist software to do this.

Data controller responsibility; Justification for recording; Privacy Impact Assessment

Remember these building blocks.

What can go wrong?

Case studies: Audio and CCTV in the workplace; Audio and CCTV in public; Body worn video footage; Security

Here are some case studies of where things have gone wrong.

Audio and CCTV in the workplace

Drivers working for a haulage company reported concerns to us that inward facing cameras were continuously recording audio and video of them as they worked. No consent had been obtained by the employer. No PIA had been carried out. The employer refused to stop recording. We took enforcement action.

Audio and CCTV in public

A chain of petrol stations installed cameras recording CCTV and audio continuously in a public area. We received complaints from customers. Cameras were considered necessary to tackle crime, but there was no evidence to support this. Other solutions hadn’t been considered, such as a panic button. We resolved this informally through engagement.

Body worn video (BWV) footage

A company’s enforcement officers were provided with BWV. A complaint was received by us that the company had refused to provide information requested under subject access. We were concerned that this was a blanket policy because of concerns about the requester posting footage on social media. A balance was required between the duty of care to staff and the rights of the data subject. Redaction can be used and our code provides guidance. The company has revised its policy and we have found them to be compliant in refusing to provide footage where evidence could be shown that it was not reasonable to provide it, i.e. when it could be demonstrated that the requester had a history of posting malicious footage of enforcement officers on social media.

Security

The Crown Prosecution Service was fined £200,000 after laptops containing videos of police interviews were stolen from a private film studio. The interviews were with 43 victims and witnesses. They involved 31 investigations, nearly all of which were ongoing and of a violent or sexual nature. This underlines the importance of understanding the entire flow of the data and ensuring that appropriate security checks are in place.

Useful references

In the picture: A data protection code of practice for surveillance cameras and personal information
Conducting privacy impact assessments: Code of practice

Keep in touch

Subscribe to our e-newsletter at www.ico.org.uk or find us on… /iconews @iconews