Big Brother Is Watching Who? - Assessing the Impact and Risk of Surveillance Camera Systems

Article

29 May, 2020

Bethany Paliga

Senior Associate

The coronavirus pandemic has raised questions about use of surveillance systems for tracking and tracing the spread of the virus and enforcing movement restrictions. Public authorities are considering their options to monitor social distancing measures in an attempt to reduce to the spread of the virus. This may include the use of fixed and mobile CCTV, body worn video (BWV) and automatic number plate recognition (ANPR). The circumstances are unprecedented but the basic rules of the game are unchanged.

Law and Codes

The Data Protection Act (and so GDPR) and the Information Commissioner's CCTV Code of Practice apply to all data controllers and cover ANPR, BWV and drones. The public sector also has the Surveillance Camera Code of Practice introduced under the Protection of Freedoms Act 2012 covering public authorities (including police, local authorities and parish and district councils). The Code sets out 12 principles to apply before deploying surveillance technology. These include that it must always be for a specified purpose in pursuit of a legitimate aim and necessary to meet an identified pressing need with proper oversight and accountability.

Assessing Risks

The deployment of new surveillance systems creates a number of risks. Improper use of surveillance systems can cause claims for breaches of privacy, data protection and human rights as well as regulatory enforcement. There are also risks inherent in the use of new technology - for example false results being used to make decisions or impose sanctions. These risks should be considered and managed before any new technology is deployed.

The Surveillance Camera Commissioner (SCC) says capturing personal data via a surveillance system is 'likely to result in high risk to rights and freedoms' for the purposes of the GDPR and will required a Data Protection Impact Assessment (DPIA) before the technology is rolled out to determine legality and record how risks have been considered and addressed.

The SCC's Code gives examples of needing a DPIA before:

introducing a new surveillance camera system;
introducing new or additional technology (e.g. facial recognition, ANPR, audio recording, BWV, drones, megapixel or multi sensor very high-resolution cameras (e.g. infra-red); or
activating any type of data matching.

The Surveillance Camera Commissioner and the Information Commissioner have produced a template DPIA for public authorities to consider:

are surveillance cameras the right solution to the problem?
what are the risks to data subjects?
Is the impact on individuals' rights and freedoms proportionate to the problem?
Can the risks be reduced to an acceptable level?

Once the initial DPIA has been conducted, a review of the DPIA should be embedded into ongoing risk assessment procedures.

Conclusion

Using surveillance systems will be be legitimate and justifiable for some authorities in some settings. The Information Commissioner has confirmed that data protection is not a barrier to use of new technology as long as the principles of data protection law (transparency, fairness and proportionality) are complied with. However, circumstances (including coronavirus) do not excuse unnecessary, ungoverned or excessive surveillance. Regulators have their eyes on authorities operating surveillance systems so regular review will be crucial to manage risks as the situation evolves.

The Surveillance Camera Code of Practice can be found here

The template DPIA produced by the SCC and the ICO can be found here

For more information contact Bethany Paliga in our Insurance department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.

Learn more about our Insurance department here

RPs & Covid-19: What does this mean for the financial future…

Challenging Historical WRULD Occupational Disease Claims