It is fair to say that surveillance is big in the UK. We have one of the world’s highest concentration of CCTV cameras. There are over 5.2 million used by consumers, businesses and public authorities – compared to just over one million in France, a country 2.3 times bigger than the UK. There are also over 11,000 Automatic Number Plate Recognition (ANPR) cameras watching UK roads and car parks – by far the largest number compared to any EU country. This vast network has clearly helped prevent crime over the years and actually forms a key pillar in UK crime prevention strategy.
Surveillance continues to grow and evolve. Camera technology has improved to the extent that it is much more cost effective and as a result is commonly used by consumers more to protect their property and vehicles. Cameras have also been combined with new identification technologies such as facial recognition software which offer various applications. It is no surprise therefore that the data regulator – Information Commissioner’s Office (ICO) – has recently published new video surveillance guidance. The guidance clarifies how cameras and other surveillance equipment should be used by organisations and how the data they collect should be handled.
What does the guidance cover?
The ICO outlines its key data principles and provides some useful case studies applying these to surveillance, as well as covering the importance of data governance. We summarise the key areas below:
- Accountability – the responsibilities of those operating cameras and control over how the data is recorded and processed. It sets out how organisations must comply with data protection requirements including keeping written records outlining the purpose(s) for using cameras, the risks and how any risks can be mitigated.
- Lawfulness – this is about determining whether processing of the image data is lawful. Organisation’s must determine which lawful basis is being used and take appropriate steps to confirm lawfulness. For video surveillance ‘legitimate interests’ or ‘public task’ are noted as the most likely bases given the setting. The former is most relevant to private businesses and will require a balancing test to be undertaken, weighing up the benefits of processing the data against the risks.
- Fairness – what are the reasonable expectations of data subjects being recorded? Where would they expect cameras to be positioned? How would they expect the data to be processed?
- Transparency – this is mostly about raising awareness that cameras are being used and that the movements of data subjects are being recorded.
- Governance – this focuses on management of the data and adhering to the firm’s data protection policy. Who is authorised to handle the data and decides when it should be shared? What processes are in place for sharing – such as responding to Freedom of Information requests? What measures need to be taken when the information is shared (such as the need to use specialist software to redact imagery).
The ICO has also published specialised guidance covering the use of surveillance technologies other than CCTV. Most of this is relevant to the public authorities and enforcement firms that use this type technology. One of these is ANPR, which is a useful tool for combatting crime (especially vehicle crime). When a vehicle is reported stolen the police record this as a crime in the Police National Computer (PNC), which is connected to the ANPR network of cameras found across the UK’s roads. Each time a camera identifies a stolen vehicle, by recognising the vehicle’s registration mark (VRM), it generates a notification to police forces. The stolen vehicle data the police record is shared with Total Car Check and other vehicle check providers and this leads to our vehicle check products flagging up if a vehicle has been reported as stolen.
There are very strict rules for the use of PNC and ANPR, not just from a GDPR point of view but to ensure the integrity and credibility of the system and safety of the public. GDPR is relevant here not just because of the fuzzy images of people in vehicles that the cameras may take, but because the VRM is considered to be a personal identifier e.g. when made available to third parties, along with other types of data, it can lead to the identification of individuals. All organisations must, from a default position, treat the VRM as personal data.
Why is the guidance important?
The very fact the regulator has produced this guidance suggests that it has seen some issues in the market and it may signal closer monitoring of this area in future. For the automotive sector CCTV is used extensively in motor retail, auction and storage sites, so for firms operating in these sectors compliance with the rules is crucial. Balancing the interests of security against privacy should not present difficulties, but it does require governance and compliance to ensure the data principles are being met. The actions firms take should be proportionate to the risks. But as with many regulatory requirements – policies and processes must be written down so they can be communicated to staff and demonstrated!