We cannot reproduce the entire case judgement here (although needless to say we have it!) because it runs to 81 paragraphs. However, in paragraph 28 Lord Auld tries to clarify what personal data actually refers to.
Lord Auld states:
"It seems to me there are two notions that may give assistance. The first is whether the information is biographical in a significant sense. That it is going beyond the recording of the putative Data Subject's involvement in a matter or an event that has no personal connotations. A life event in respect of which his privacy could not be said to be compromised.
"The second is one of focus. The information should have the putative Data Subject as its focus rather than some other person with whom he may have been informed, or some transaction or event in which he may have figured or have held an interest. For example, as in this case an investigation into some other person's conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity."
Processing CCTV images
It would be true to say that this judgement has turned the world of Data Protection upside down. Rumour has it that Data Protection officers are now throwing themselves off large buildings. They feel they've no further purpose to serve, as this definition is now so narrow that you'd be hard pressed to find out what is and isn't personal data.
Indeed, the Information Commissioner is now having to review his Codes of Practice because this new definition is as big a surprise to him and his colleagues as it is to the rest of us who felt that we were finally coming to terms with the Data Protection Act.
In view of this new definition, I want to lay some arguments before the readers of Security Management Today (SMT) with regard to how it might affect the processing of CCTV images. This isn't meant to be definitive advice, though. I'm merely posing questions that may raise opportunities for the security industry which practitioners would be unwise to miss.
By now, all you security managers operating a CCTV system should have your signage liberally spread around the company's building(s) notifying Data Subjects that they're about to enter a CCTV-controlled area ('Outside the law', SMT, May 2003, pp42-45). Some of you might even have been involved in the extremely expensive procedure of responding to a subject access request (in particular those that have been targeted by pressure groups).
During presentations, I've often heard quotes from the audience outlining costs of £300-£400, with one assessment standing at £2,000 (including the man hours involved in order to comply with an access request). Currently, all the Data Subject has to do is provide you with £10 towards the costs.
You're doing all of this because you've been told by the Information Commissioner – and those who've studied the Data Protection Act – that processing images by CCTV is processing personal data. Well, dare I suggest that in view of this judgement it isn't any more? It's certainly well worth thinking about.
What is personal data?
Sit down in your CCTV Control Room for a minute or two and just look at those images popping up on screen. Have you any intention of identifying the images that you see? Surely the only images you're going to identify are those involved in an incident? Then you'll zoom in, capture the facial image, identify the individual in question and then take further steps against them.
No problem there. Quite clearly, that's personal data. Even given this narrow definition from the Law Lords. However, until that action is taken I'm suggesting that you're probably not processing personal data.
Now, let's discuss what that means in practice. A pressure group has targeted your organisation. They take it in turns on alternate days to wander along your perimeter fencing and then make an access request in accordance with the Data Protection Act 1998. Their intention is to disrupt your system and tie up one of your valuable personnel to collect the images caught by the CCTV cameras.
As mentioned earlier, the cost could be horrendous. If they have £100 in their budget, that would potentially allow the protesters ten such access requests within their group. If (in an eight-hour day) each one of the protestors had spent six hours wandering around your site, you'd have a vast number of images to collect. While they were walking around they were making no attempt to break into the premises, and you were just observing them on CCTV (thus, you weren't making any effort to identify who they were).
If the above argument is correct, and there's no processing of personal data going on, you don't have to respond to the access request. As one assistant commissioner told me, such a course of action might be "going against the spirit of the Act", but it can save you an awful lot of time and inconvenience, and afford you an opportunity to 'retaliate' by making sure the protesters waste their own time rather than that of your officers and CCTV managers.
Relating to the police
There's a further advantage to Lord Auld's narrow definition of what constitutes personal data. I know a number of SMT's readers who have, in the past, been approached by the police for copies of CCTV footage. The advice to the police is that they must make a request under Section 29(3) of the Data Protection Act 1998. It's written-in to the ACPO policy. Most police officers don't make an arrest because they're too busy, they've forgotten or simply never knew in the first place.
It's very important that your Security Department maintains a good working relationship with the local police at all times. It goes against the grain for a security officer to tell the police that they can't have a copy of the CCTV footage unless they make a formal, written request. If our argument is correct, then that's no longer needed.
Picture the scene. The police come to you and say they'd like a copy of your CCTV footage from the camera positioned on your south perimeter fence for Wednesday 25 February last. You're not aware of any incident having taken place. You don't ask the police what happened. Thus there's no personal data being processed by you. You hand over the tape and the police go about their business.
The issue of complying with Data Protection then becomes the responsibility of the police and not your company. They may well come back at a later date and ask you if the images they've now focused on relate to any of your employees. Then it becomes personal data, and they need to make a request in writing in accordance with Section 29(3) before you can confirm or deny.
CCTV Code of Practice
Rumour suggests that the Information Commissioner is now having to review the Codes of Practice that have previously been published. That would apply to the CCTV Code of Practice released over two years ago. As a whole, the security industry missed a perfect chance to have a serious input to that last Code. We shouldn't miss out this time around.
In that Code of Practice, it was suggested that video tapes be kept for a minimum of 30 days. Why, exactly? Surely an incident falling into the category of the purposes for which you've notified the Information Commissioner you are monitoring would come to light within seven days?
If you can justify keeping tapes for seven days or even less it will reduce your storage issues and cut down on opportunities for pressure groups to make their access requests.
Numerous arguments have sprouted from the security industry as a whole to suggest that the Data Protection Act is little more than a Villain's Charter. Just now, practitioners right across the UK are being presented with a golden opportunity to make the Act one that's of real benefit to the sector at large.
Let's grab that chance with both hands.
What you need to do...
As a security and/or CCTV operations manager, what do you need to do?
- immediately take up the arguments stated in this article with your company lawyers to see if they can develop them any further, and perhaps offer some support to the CCTV User Group (www.cctvusergroup.com);
- leave your CCTV notification signs up because there’ll come a time when an incident will take place that is caught on your CCTV cameras and you’ll want to identify those concerned... you’ll then be processing personal data;
- consider whether or not it would be beneficial for your company to reduce the period during which you keep tapes... if you can justify it, then include the idea within your CCTV policy and state that, as from a given date, you’re only going to keep tapes for five days/seven days/ten days... and list your reasons for doing so;
- within your defined CCTV Policy, state that you’ll only respond to a subject access request where you’ve had cause to focus specifically on an individual within the images that you’ve just captured... and make it extremely clear that you base these decisions on the ruling in the Court of Appeal in the case of Durant versus the Financial Services Authority (December 2003, as cited in the main body of the article).
Bear in mind that not all subject access requests will come from pressure groups intent on business disruption. Employees and visitors to your site may have a very good reason as to why they want the images in the first place. Be prepared to be flexible.
Source
SMT
Postscript
Chris Brogan is director of Security International (www.securitysi.com)
No comments yet