29 May, 2020
The coronavirus pandemic has raised questions about use of surveillance systems for tracking and tracing the spread of the virus and enforcing movement restrictions. Public authorities are considering their options to monitor social distancing measures in an attempt to reduce to the spread of the virus. This may include the use of fixed and mobile CCTV, body worn video (BWV) and automatic number plate recognition (ANPR). The circumstances are unprecedented but the basic rules of the game are unchanged.
The Data Protection Act (and so GDPR) and the Information Commissioner's CCTV Code of Practice apply to all data controllers and cover ANPR, BWV and drones. The public sector also has the Surveillance Camera Code of Practice introduced under the Protection of Freedoms Act 2012 covering public authorities (including police, local authorities and parish and district councils). The Code sets out 12 principles to apply before deploying surveillance technology. These include that it must always be for a specified purpose in pursuit of a legitimate aim and necessary to meet an identified pressing need with proper oversight and accountability.
The deployment of new surveillance systems creates a number of risks. Improper use of surveillance systems can cause claims for breaches of privacy, data protection and human rights as well as regulatory enforcement. There are also risks inherent in the use of new technology - for example false results being used to make decisions or impose sanctions. These risks should be considered and managed before any new technology is deployed.
The Surveillance Camera Commissioner (SCC) says capturing personal data via a surveillance system is 'likely to result in high risk to rights and freedoms' for the purposes of the GDPR and will required a Data Protection Impact Assessment (DPIA) before the technology is rolled out to determine legality and record how risks have been considered and addressed.
The SCC's Code gives examples of needing a DPIA before:
The Surveillance Camera Commissioner and the Information Commissioner have produced a template DPIA for public authorities to consider:
Once the initial DPIA has been conducted, a review of the DPIA should be embedded into ongoing risk assessment procedures.
Using surveillance systems will be be legitimate and justifiable for some authorities in some settings. The Information Commissioner has confirmed that data protection is not a barrier to use of new technology as long as the principles of data protection law (transparency, fairness and proportionality) are complied with. However, circumstances (including coronavirus) do not excuse unnecessary, ungoverned or excessive surveillance. Regulators have their eyes on authorities operating surveillance systems so regular review will be crucial to manage risks as the situation evolves.