:: DPA confusion, VOSA and MPs

It seems all is not entirely lost regarding our rights to CCTV footage. Apparently, the jury's out at the European level and the UK courts may well be forced to retreat from their narrow interpretation of various sections of the DPA settled upon in FSA v. Durant. I am particularly heartened to read the following section of an article from http://www.securitypark.co.uk which can be accessed by clicking on the title of this post:

Data Protection Act Compliance for CCTV

Many Data Controllers and CCTV system operators will be aware of the court case “Durant v’s The Financial Services Authority” as this has generated a fair amount of publicity within the security sector following the extension of the Data Protection Act to include the images gathered by CCTV cameras.

This case is now receiving coverage again following a formal letter from the European Commission to the UK Government warning that it considers that certain aspects of the Data Protection Act 1998 do not comply with the EU Data Protection Directive in the wake of landmark decision in the Durant v’s FSA case.

The case was not directly concerned with CCTV but Lord Auld’s findings have impacted all areas of the Act including CCTV. The primary issues are what does and what does not constitute personal data and can the data affect a person’s privacy. Lord Auld’s findings included: "It seems to me that there are two notions that may give assistance. The first is whether the information is biographical in a significant sense. That it is going beyond the recording of the putative Data Subject’s involvement in a matter or an event that has no personal connotations. A life event in respect of which his privacy could not be said to be compromised.

"The second is one of focus. The information should have the putative Data Subject as its focus rather than some other person with whom he may have been informed, or some transaction or event in which he may have figured or held an interest. For example, as in this case an investigation into some other person’s conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity."

Interpretation of this in relation to CCTV is that simply put:
1. If a data subject is picked up on a camera and their images are obtained as part of general surveillance and the images are not used in any way which affects them personally, then that subject’s privacy or expected right to privacy are not being infringed upon and some of that individual’s rights under the Act do not apply.
2. If the same images taken are in some way used in a manner or to assist in a matter, which does involve the subject in question then, most, if not all, of the previous conditions covered by the Act do apply in relation to that subject.

The likely outcome of this is that it may remove an obligation on the Data Controllers’ part to respond to a subject access request where the subject’s images were collected as part of general surveillance and the subject was not the target of the surveillance.

The more closely defined findings of Lord Auld may also affect the way in which the Police make a request for copies of CCTV footage under the Act. The case has no impact, however, on the requirement to have adequately and correctly documented procedures, audit trails and image authentication processes or any other of the requirements outside of Subject Access Requests as listed in the CCTV Code of Practice.

Datpro specialise in providing compliance solutions for CCTV systems and advises many of the UK’s leading surveyors, facilities and building management companies as well as Local Authorities and Police Forces on the Data Protection Act and how it affects them when CCTV systems are operated by them or on behalf of their clients. The Directors of Datpro have met with the Assistant Commissioner to discuss the issues raised by the findings of Lord Auld and it has been made very clear that in the majority of cases CCTV systems of the general type very definitely must comply with the Act, with the exception of certain subject access requests and in some instances disclosure to law enforcement agencies. This should go some way to correcting the view held by some Data Controllers that the findings of Lord Auld meant there was no need for compliance.

In a new development, the European Commission has sent a formal letter to the UK warning that it considers that certain aspects of the Data Protection Act 1998 do not comply with the EU Data Protection Directive in the wake of landmark decision in the Durant v’s FSA case.

Following the Durant case the findings of which concentrated in the main on the definition of personal data, and whilst the details of the letter have yet to be made public, it is understood that the European Commission considers that the approach taken in the EU Data Protection Directive requires that the UK follow a much broader definition of personal data.

The UK is obliged, under European law to implement EU Data Protection Directives into UK domestic law and the European Commission could, if the UK refuses to accept this, initiate procedures in the European Court of Justice, (ECJ) to force the UK to comply.

The CCTV Code of Practice contains, dependent on interpretation, some 90 points of law and good practice, all of which must be adhered to in order to ensure compliance with the Act. These cover areas such as image authentication, audit trail, staff training as well as the correctly worded and sited statutory signs that most users are familiar with.

In many instances CCTV system Data Controllers either seek advice from the CCTV Installation Company or interpret the legislation in house and implement their own solution. Unfortunately, very few installation companies understand all of the requirements of the act and in most cases rely on a “one size fits all” off the shelf solution that does not cover all criteria. Furthermore, the Act itself places the installer under no obligation to ensure that the equipment they install or the way it is operated by their clients meets all of the legal requirements of the Act.

In house interpretation is likely to be conducted by the system operators legal department and whilst this may cover the paperwork aspects it is unlikely to take into account the technological abilities and / or the positioning of the CCTV system itself.

Seems pretty clear to me from this that CCTV footage DOES fall within the scope of the act regardless of whether or not I am the subject of it in the strictest sense of the word. If we can believe what we are told here then so does the Information Commissioner. I shall have to pursue this matter further and the best means of doing that is through an appeal to the ICO. Futhermore, IC Officers are currently offering exactly the opposite advice on their helpline!

Among other glimmers of hope is an email I have sent to my local MP, Jeremy Corbyn, raising the entire issue of TfL/Aggrievers's treatment of its customers - his constituents - and something very similar I addressed to the Transport Select Committee. Both have confirmed receiving my communications and will reply in due course.

However, the best news I have to date is unequivocal interest from the Vehicle and Operator Services Agency who purport to be 'very interested' in my evidence concerning the practise of 'travelling forward' on the 73 route and other services. I am told that I should be contacted in a day or two and that an investigator will most likely accompany me on a sample journey to establish the truth of the matter him/herself. I shall look forward to that particular trip immensely.

If you are interested in reading more about the side-effects of Durant v. FSA I wholeheartedly commend to you the following article by Lilian Edwards: http://www.law.ed.ac.uk/ahrb/script-ed/issue2/durant.asp which deals in details with that case implications for all of us who live in the most watched society in the world.