The ICO has just told Hertfordshire Constabulary that its automatic number plate recognition system in Royston doesn't comply with the DPA - what are the consequences of getting CCTV wrong for you and your organisation?
The police force's multi-camera system effectively meant that every driver entering or leaving the small rural town of Royston was being monitored and details of their journey recorded by the police by recording number plate details.
Following complaints by privacy watchdogs, the ICO investigated the police force's CCTV system and found that:
- It had breached the first data protection principle (personal data must be collected fairly and lawfully) - its collection of personal data was unlawful (generally, an organisation needs to have the consent of the individual to collect and process their data or demonstrate that it is 'necessary').
- It had breached the third data protection principle (personal data must be adequate, relevant and not excessive) - the amount of data being collected was excessive.
- Crucially, the police force hadn't followed the guidance in the ICO's CCTV Code of Practice which recommends that organisations undertake a privacy impact assessment before implementing CCTV systems in order to comprehensively and objectively assess the impact of the system on individuals' right to privacy and whether this right is being unduly compromised (e.g. can an alternative and less intrusive system be used or can the system be utilised in a way which respects the right to privacy);
- It was likely to cause distress to the affected individuals (largely because more data than was necessary was being collected without justification).
The ICO had failed to take into account the ICO's very helpful guidance on CCTV systems (the cornerstone of which is the requirement for a privacy impact assessment process to be undertaken before a decision is made to implement the technology).
The ICO's enforcement notice requires the police force to refrain from using data collected by the system unless and until it can justify to the ICO's satisfaction that the system complies with the DPA (and its has 90 days to do so). As such, the system will effectively become useless during this period and the organisation will need to divert valuable resources away from their core activities to undertake the retrospective review process within the timeframe stipulated by the ICO (with no guarantee that it can alleviate the ICO's concerns, which may make the system totally useless or necessitate changes to the system which will no doubt involve additional costs/time before the system is compliant and can be used again).
In terms of wider issues from this case:
- It's acutely embarassing for the police and other crime detection/prevention agencies at a time when their right to use and process personal data is under scrutiny (on a global scale following revelations about Operation Prism) and raises issues around public trust and confidence in the force and its senior management.
- It's a reminder for police forces (and other organisations) that when using CCTV/surveillance systems, they must consider the individuals' right to privacy - the ICO has made a point of emphasising that police forces must justify the use of camera surveillance technology before it is installed which includes a comprehensive assessment of the impact of the privacy of individuals whose details are collected by such systems.
- At the heart of the proposed new data protection regulations is the principle of privacy by design - an overriding requirement on organisations to place compliance with privacy regulations and to consider the impact on individuals' right to privacy at the heart of all new systems/projects where personal data is collected.
- If you are considering implementing new technologies or expanding the role of existing technology (e.g. using a CCTV system not just for crime prevention but expanding its use to improve in-store customer service), its absolutely crucial that you undertake a comprehensive privacy impact assessment and ask (and answer) some key questions e.g. to what extent is the right to privacy compromised, can a different technology be used to meet the same objective, can the preferred technology solution be designed/implement in a way that the impact on the right to privacy is minimised, does the system comply with the DPA principles etc.
So, in the wost case scenario, you might have to c(ease)ctv if you don't deal with the DPA issues up front...