
Today’s announcement from the Information Commissioner’s Office (ICO) that police in Hertfordshire had failed to adequately assess the privacy impact of new CCTV cameras is a timely reminder to all organisations that just because technology is available it does not mean that its use will always be lawful.

What does the Data Protection Act say?

Excessive collection of personal information is commonplace (how many e-commerce websites ask for personal information that isn’t necessary to complete a transaction?). Often organisations will collect as much information as possible – just in case it might be useful. But that doesn’t mean that it is always legal.

Principle 1 of the Data Protection Act requires that personal data shall be processed fairly and lawfully and in accordance with one of the listed conditions set out in the Act.

Principle 3 of the Data Protection Act requires data controllers to ensure that personal data that they hold are adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

This means that organisations should always ensure in advance that the collection of personal data is proportionate to the purpose in question, and that the data collected is no greater than that which is necessary to achieve that purpose. If the purpose can be achieved in another way that is less privacy intrusive, then the organisation should follow that course of action instead.

Commonly, the way to ensure compliance with this principle is to carry out what is known as a privacy impact assessment. By carrying out an impact assessment, the organisation can assess the impact on privacy of the proposed action or policy, and ensure that what it is doing is proportionate. Having a privacy impact assessment on file is also helpful if you are asked to justify your course of action to the ICO.

Failure to conduct privacy impact assessment

In this case, Hertfordshire Police introduced automatic number plate recognition (ANPR) cameras around the small town of Royston in Hertfordshire (population 15,000). According to reports, a ring of ANPR cameras (known locally as the “Ring of Steel”) was installed on all roads into the village, tracking the number plate of every person who entered or left the town.

It’s not clear whether Royston has a chronic crime problem. According to the UKCrimeStats website, it is a low-risk area (albeit with a spike in anti-social behaviour in October 2011).

After investigation, the ICO found that Hertfordshire Police had failed to consider the privacy impact of such surveillance, and was unable to show that use of the new cameras was justified and proportionate to the problem it was trying to address.

The ICO has now issued an enforcement notice requiring Hertfordshire Police to cease using the cameras unless and to the extent that Hertfordshire Police can justify their use to the ICO following a proper privacy impact assessment.

To be clear, the ICO isn’t saying that ANPR can never be used in this manner, but that in order to do so, the police force needs to demonstrate why it is necessary, having regard to the impact on privacy.

The case serves as an important reminder that just because new technology allows an organisation to track, monitor or collect data on its staff, customers or the general public, it doesn’t mean that such use of that technology is automatically legal. Further, if an organisation is unable to show that it has properly assessed the privacy impact, then enforcement action is likely until such time as the organisation can show that the action is proportionate.

You can read the ICO’s guidance on the use of CCTV on the ICO’s website.
