Information Commissioner’s Office: data protection
Judith Jones
Senior Policy Officer
Strategic Liaison – public security
16 November 2011

The role of the ICO
– Enforce and regulate:
  – Data Protection Act
  – Freedom of Information Act
  – Environmental Information Regulations
  – Privacy and Electronic Communications Regulations
– Provide information to individuals and organisations
– Adjudicate on complaints
– Promote good practice

About the ICO
– 206,585 – calls to our helplines
– 339,298 – organisations notifying
– 29,685 – data protection cases closed
– 4,369 – freedom of information cases closed
– Public awareness of data protection rights: 89%
– Public awareness of freedom of information rights: 84%

The data protection principles
1. Fair and lawful processing
2. Specified purposes
3. Personal data shall be adequate, relevant and not excessive
4. Accurate and up to date
5. Personal data shall not be retained longer than is necessary
6. Individuals have rights
7. Appropriate technical and organisational measures to secure the personal data
8. No transfer outside of the European Economic Area except where there is adequate protection at destination.

ANPR data – personal information?
– Identifiable information: vehicle keeper identified by the VRM and other “readily available” information
– Useful tool in detecting and preventing crime, public safety, managing car parks and traffic
– Limited consequences for most people
– But tracking vehicle movements of huge numbers of people who have done nothing wrong brings data protection responsibilities

ICO’s CCTV code of practice
– Data Protection Act applies to images of individuals or information derived from images related to them (eg VRMs)
– Covers UK, all sectors
– Helps CCTV operators comply with legal obligations
– Focus on data protection
– Education – intervene/enforce where risks high. Monetary penalties for serious breaches

ANPR data: data protection issues
– Lack of awareness that often ANPR is personal data
– Who is the data controller?
– Fairness – signage
– Purpose of collecting the data – car park management, prevention and detection of crime, public safety
– Accuracy of underlying databases – DVLA, hotlists
– Excessive retention of “reads”
– Retention of “hits” for DVLA audit purposes
– Sharing of information eg with police

Further CCTV regulation
ICO view:
– Want effective CCTV and ANPR regulation
– Want to see improved standards
– Don’t want to see a weakening of data protection standards or a perception that data protection no longer applies to CCTV

Protection of Freedoms Bill
– Surveillance Camera Code
– Surveillance Camera Commissioner
– What about data protection?
– Data Protection Act continues to apply to images of individuals – or information derived from images related to them (eg VRMs)
– Wider geographic scope – DPA covers UK
– DPA covers all sectors, public and private space except for domestic use

Surveillance camera code
– Minister has confirmed that ICO remains responsible for data protection
– Welcome provision in the Bill that Secretary of State has to consult ICO on code
– Agree clarity and co-ordination are essential
– Committed to working closely with Surveillance Camera Commissioner

Public attitudes to CCTV/ANPR
– Public trust and confidence – can’t be taken for granted
– More access requests
– Expect proper control and fair use
– Privacy concerns about new proactive technologies

Fairness is the key
– Be honest and open about how you use information
– Do people understand what you are doing and why?
– The more unexpected the processing, the more sensitive the data, the more you need to do
– No surprises

Disclosure of information
– Disclosure of images must be controlled
– Appropriate to disclose data to law enforcement agencies on case by case basis so as not to prejudice the prevention and detection of crime
– Release of CCTV images to the media for identification purposes should generally be through law enforcement agencies

Data quality
– Accurate records – fit for the purpose
– Cleaning up existing information resources such as hotlists
– Making corrections and informing others e.g. problems caused by cloned plates
– Compatibility of information systems, format of names, DOBs etc
– Common defined retention periods

Data sharing code of practice
– DPA is not a barrier where information sharing is justified, necessary and proportionate
– DPA provides a framework for sharing in a secure, lawful and reasonable way
– Limitations and safeguards are essential
– Vital to get this right with partnerships, multi-agencies, outsourcing
– Statutory code

ICO approach to enforcement
– New powers and monetary penalties but primary focus is education, awareness, good practice
– Strengthening public confidence by making it:
  – easier for the majority of organisations who seek to handle personal information well
  – tougher for the minority who do not
– Calling for tougher penalties for people who misuse data and stronger audit powers

Getting it wrong
– Monetary penalty notices
  – Applicable to serious infringements likely to cause damage or distress
  – Either deliberate or knew (or should have known) the risks
  – Failed to take reasonable steps to prevent the contravention
  – If standards are widely known and used and you are not using them this will stand out

Reducing the risk
– Knowing what information is held – sensitive images?
– Access – levels of control
– Data sharing – communication methods
– Policies and procedures?
– Staff awareness?

Good practice
– Reducing risk requires:
  – Leadership – accountability
  – Assessing what can go wrong (how, how often, how much)
  – Keep up to date and agile with new technology
  – See staff not just as a vulnerability but also as a first line of defence
Keep in touch Subscribe to our e-newsletter at or find us on…