GDPR and CCTV in taxis Article
GDPR has many implications for local authorities and taxi drivers but should not prevent CCTV within taxis continuing to be used to safeguard the public, as Ben Williams explains.

Last year I wrote about the introduction of taxi CCTV policies and the state of the law.[1] Since that time I am aware of a number of local authorities which have begun adopting such policies as a means of achieving a safer environment for drivers and passengers alike.

[1] (2017) 18 Jol, p32-34.

Now as I write this, nearly a week has passed since the "go live" date for GDPR. Despite being seen as the biggest threat to mankind since the Hadron Collider, no black hole has as yet enveloped the country. Doubtless, though, you have been inundated with requests to "opt in" to future correspondence from a plethora of retailers, memberships and organisations.

For those who have been living under a rock, General Data Protection Regulation (GDPR) is the apparent answer to outdated 1990s legislation which was cracking under 21st century strains as the processing of personal data ramps up with technology.

The Data Protection Act 2018, which implements and extends GDPR, does not necessarily represent a clean slate, for the broad architecture of data protection remains the same. Data controllers must comply with prescribed principles in respect of all processing of personal data, and individuals have rights of subject access, compensation, erasure and rectification.

Pursuant to the Act, there must be a specific purpose for collecting and retaining data. The Act goes on to dictate that the data collected must be adequate, relevant and limited to what is necessary. There is therefore a limit on how long information must be stored and the form data must be kept in which permits identification for no longer than is necessary.

GDPR applies to data controllers and data processors alike. The data controller is responsible for all of the principles and must be able to demonstrate compliance with the same. They are responsible for any breaches or non-compliance by data processors who process data on their behalf. It is worth noting that the new rules have a significant sting in the tail in terms of the financial penalties that may be dished out, albeit the greater penalties are plainly geared towards the larger organisations, in particular the social media giants.

GDPR will require data controllers to maintain records of their data processing activities. Having a complete record of what data you hold, where it came from and how it is processed will enable you to maintain the required records and assist you in complying with the GDPR principles. Thus it can be seen that there are onerous requirements which must be adhered to.

Taxi regulation and GDPR
So how does this impact on taxi regulation?

GDPR dictates that you must have a specific purpose for collecting and processing data; that this must be a specified, explicit and legitimate purpose only; and that you must not process data in an incompatible way.

Plainly the purpose of ensuring public safety is a specific and legitimate reason for collecting CCTV. Furthermore, CCTV assists with the deterrence of crime and anti-social behaviours; it therefore assists the police and assists insurers in the event of accidents.

It is essential that the reason for such CCTV is clear; signage within a taxi may refer the passenger to the local authority's website where a clear explanation of its policy is provided to the public.

The new rules will have a significant impact on the retention of CCTV by local authorities and / or drivers and operators. This is something that may have been lost on various businesses as a recent survey by the Irish Government revealed that around two thirds of respondents did not know GDPR impacted on the use of CCTV.

CCTV captures imagery of "data subjects" or "passengers" as they no doubt prefer to be called in this context. Identifiable imagery is considered as personal data under GDPR. Given that the processing of that data must be lawful, fair and transparent, this requires some consideration by those who make use of it. Because data subjects are entitled to understand when their personal data is being processed, it is essential that signage is used as a means of explaining to taxi users that this is so. The requirement for signage will no doubt be covered in the local authority's policy, and will likely form part of any conditions attached to the licence. Signage signifies the passenger's informed consent to the processing of CCTV data for Article 4 (11) GDPR, which states:
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

The ICO has issued draft consent guidance (March 2017), which, to summarise, says:
• Don't use pre-ticked boxes/opt-outs/consent by default.
• Be "specific & granular" but also "clear & concise".
• For explicit consent, it's not much different.
• If you can't offer genuine choice, don't rely on consent.
• Consent may be difficult for employers and public authorities.

On any level, therefore, you should review how you seek, record and manage consent and whether you need to make any changes. This would include a need to refresh existing consents now if they don't meet the GDPR standard. The precise wording of CCTV signage is clearly important and local authorities would be well advised to seek to achieve a consistent approach to the same.

Who is the data controller?
In terms of data controllers, this is something that may prove confusing. Article 4 defines data controllers and data processors as follows:

(7) 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Depending on the way a CCTV policy is formulated, while it is the driver who may control the footage to some extent, in that he or she will be transporting the facilities for creating and retaining the footage, it is the regulating authority that has determined the purposes of that data and the way in which it is processed. The driver will physically hold the data, but they will likely be compelled by the regulating authority to produce such footage upon request or submit to the regulator for such footage to be viewed / retained. It is seen as essential that the authority retains significant control so that there is less risk that the footage is tampered with in any way. This requires some careful thought in terms of the wording of a policy, for GDPR imposes significant obligations on the data controller.

What about keeping the CCTV footage?
Thought will need to be given to the terms of any data retention. To that end, the local authority will need to create a retention policy. It is unlikely that data controllers would be able to justify keeping CCTV footage for any longer than six months, for by such time any complaints or crimes should have been investigated. In reality, it is likely that footage would be kept for a lesser period. If the police or local authority wished to investigate, then they would take control of the data for this legitimate purpose within that timeframe. They would then become the data controllers and would have to submit to the same rules.

Requests for information from individuals
As with any other aspect of personal data, data subjects have a right to access, which could result in a local authority having to disclose footage to them; and now within one month rather than 40 days as was the position under the 1998 Act. It is worth noting that a request does not have to use the words "subject access" nor does it have to refer to the Data Protection Act in order for it to constitute a valid subject access request (SAR). The request simply has to be clear that the person is asking for their personal data. If a request is made, the data controller would need to ensure that the requester is present in the footage and that in supplying the footage they do not disclose any personal data of another data subject. It is therefore vital that the controller verifies the identity of the person to ensure that there is no inadvertent data breach. The controller could justifiably request information from the individual to prove that they are who they say they are, but one must be reasonable in what is asked for.

An SAR could even involve blurring out parts of the footage, such as people or license plates. The new rules do not allow the controller to charge an administrative fee (£10) as was previously the case. This could prove onerous to the local authority as there are only specific exemptions to the requirement to provide data.

If a request is "manifestly unfounded or excessive" data controllers can charge a fee or refuse to respond but will need to be able to provide evidence of how it was decided that the request is manifestly unfounded or excessive. Further, data controllers can withhold personal data if disclosing it would "adversely affect the rights and freedoms of others".

What if something goes wrong?
In the event that there is a breach of security leading to the destruction, loss, alteration or unauthorised disclosure of personal data, the data controller must notify the Information Commissioner's Office (ICO) and any involved individual of a breach where it is likely to result in a risk to the rights and freedoms of individuals. Plainly this would not therefore require every passenger captured on CCTV within a taxi to be notified in every instance of loss or damage. Each instance must be approached on its own facts, but it is essential that there is provision for self-reporting. If there is a risk of significant detrimental effect on the individual data subject, then the self-reporting must be made within 72 hours. This requires careful thought in terms of how and when drivers are required to notify the regulating authority in the event of any issue with regards to footage retained within the car.

Encryption
Another important matter to consider in the context of CCTV and taxis is the use of encryption or other security measures. It is likely that a local authority will adopt a minimum specification of CCTV systems and if so, such systems ought to be properly secure. Of course, this may come at a cost to drivers, and this is where resistance is typically found.

Any act of storage or access is considered to be "processing" and therefore it is imperative that the confidentiality and integrity of footage is maintained. If footage is stored in an electronic format, then encryption is essential, and in the case of footage stored in a physical format, this should be locked safely away and tracked properly.

Conclusion
While GDPR does not actively discourage the use of CCTV, it is arguably seeking to strike a balance between its intended purpose and the privacy of individuals captured therein. CCTV within taxis remains an important tool in ensuring that members of the public are transported safely. GDPR would not seek to interfere unreasonably with this legitimate purpose but would wish to ensure that the imagery captured is thereafter dealt with in a legitimate, appropriate and transparent way.

It is better late than never to consider the terms and practicalities of any existing CCTV policy so that it is GDPR compliant. If a local authority is contemplating invoking a new CCTV policy, then it is essential that it fits comfortably into the parameters of GDPR.

Ben Williams
Barrister, Kings Chambers