State sector surveillance as well as local authorities’ use of CCTV cameras was a key focus for the DPC in 2020 as highlighted in the recently published DPC annual report. Nine local authorities were involved in these inquiries and two decisions were issued during 2020. These inquiries highlighted various weaknesses within CCTV systems, including the lack of appropriate lawful basis, transparency and the overall compliance with the Local Authority ’s obligations as data controllers.
The Data Protection Commission (DPC) has published its 2020 Annual Report, highlighting key observations, emerging guidance, and large-scale inquiries and decisions in 2020.
In 2020, the DPC ramped up enforcement decisions significantly, with 10 decisions up from one in 2019. Primary areas of focus for the DPC in 2020 included enforcement (under both GDPR & ePrivacy), breach notifications, data transfers and surveillance.
For surveillance, one of the focus areas for the DPC was to examine surveillance of citizens by the state sector for law enforcement purposes through the use of technologies such as CCTV, body-worn cameras, automatic number plate recognition (ANPR) enabled systems, drones and other technologies. The objective of these own volition inquiries is to probe whether the processing of personal data that occurs in those circumstances is compliant with data protection law.
What did the DPC audits highlight?
Purpose and legal basis need to be specific
Article 5 (1) (a/b) of the GDPR provides that “personal data shall be processed lawfully” and “collected for a specified, explicit and legitimate purpose and not further processed in a manner incompatible with those purposes”.
That means that Local Authorities must identify a specific purpose or purposes first. Having identified a purpose or purposes, the local authority installing the CCTV system must identify an appropriate legal basis for the processing of personal data that will take place.
The use of CCTV may have a legal basis where it is necessary to carry out a task in the public interest, or in the exercise of official authority. However, the local authority must also identify a specific primary legislation compatible with the purpose.
Significantly, as part of the audits of Local Authorities, the DPC specifically pointed out that the Litter Pollution Act 1997, the Waste Management Act 1996, and the Local Government Act 2001 do not provide a lawful basis for the use of CCTV for law enforcement purposes.
The DPC found that certain CCTV cameras operated by Local Authorities today for crime prevention were unlawful due to the absence of authorisation from the Garda Commissioner under Section 38 of An Garda Síochána Act 2005.
Necessity and Proportionality
Having established a purpose and appropriate legal basis, a data controller must also be able to justify the CCTV installation as both necessary to achieve their given purposes and proportionate in its impact upon those who will be recorded. Necessary processing using a CCTV system means more than the CCTV system just being helpful to achieve a purpose.
The data controller must be able to demonstrate why the use of a CCTV system is necessary for all and each of the purposes listed. In other words, it requires the Local Authorities to justify the use of CCTV by presenting appropriate evidence for each purpose the CCTV footage will be used for and by demonstrating that this cannot be achieved in a different way.
In this context, the DPC report highlighted the use of specific types of CCTV technology that may raise data protection concerns. The report specifically mentions, Pan-Tilt -Zoom (PTZ) cameras and ANPR, and noted that, “Pan-Tilt -Zoom (PTZ) may be used to zoom in from a considerable distance on individuals and their property and as such the processing capabilities of these devices may pose higher risks to individuals’ privacy. Furthermore, the deployment of automatic number-plate recognition cameras (ANPR) is becoming more common place in the State Sector but the absence of data protection policies governing the use of such technology is notable.”
Article 5 (1) (a) of the GDPR provides that personal data “shall be processed in a fair and transparent manner”. The DPC report identified weaknesses in a number of local authorities highlighting gaps in signage to make data subjects aware of CCTV, not satisfying the transparency requirements.
Operating Procedure and Policies
Article 24 of the GDPR provides that, where appropriate, implementing data protection policies is one of the measures that a data controller can take to ensure and demonstrate compliance. That means that the DPC is looking for the existence of robust data protection policies and standard operating procedures. However, it is also obvious from the audits that the DPC sought clear evidence of active oversight and meaningful governance of such policies and procedures.
It is clear that the DPC position presents significant challenges for Local Authorities with regards to existing CCTV systems and the implementation of new CCTV systems to support its public tasks. Specifically, the requirement to identify a particular primary legislation that facilitates the use of CCTV as a legal basis may be challenging. It should be noted that this guidance reflects the current state of play as per the published material to date and this will further evolve.
You can download the report for free here.
At BH Consulting we help Local Authorities to carry out Data Protection Impact Assessments, to assess the risks associated with a new or existing data processing activity, system or technology. Additionally, we provide recommendations on the appropriate controls to mitigate or minimise those risks.