The rise in the use of body worn CCTV in the security industry has been quite visible over the past number of years. These tiny devices have brought reassurance, deterrence and evidence to an area that once lacked all three. Most security operatives who I speak with talk about body worn CCTV as being one of the best tools they have available and tell stories of incidents where they have been an asset. However, there are also huge privacy risks that go along with these devices both to the user and to the public. In this article, I’d like to talk a little about the legal and privacy requirements that go along with CCTV and outline some correspondence I had recently with the Data Protection Commissioners Office on the subject.
Body worn CCTV are data collection and storage devices and as such fall under the requirements of the Data Protection Acts. Under these acts the collection, storage, processing and retention of personal data (video, images and audio) is strictly controlled. Body worn CCTV carries additional risk when compared to traditional fixed CCTV which invariably covers a specific area usually on private property. There are 2 large differences between the two forms:
1. Body worn CCTV will usually be recording in public space.
2. Body worn CCTV can also record audio data.
In recognition of this the data protection commissioner has produced a specific guidance document for the users of body worn CCTV. It is available on the Commissioners website and should be read in conjunction with the guidance on CCTV use.
From the perspective of privacy risk there are considerable requirements outlined by DPC that from my experience many operators of body worn CCTV have not adhered to and could land them in significant trouble should a member of the public make a complaint. This is particularly prevalent where an individual takes the decision to bring their own CCTV camera to work (not advised)
Some of the requirements include:
1. A specific policy for body worn CCTV outlining all the processes for managing data
2. A privacy impact assessment
3. A CCTV risk assessment
4. Processes for the notification of recording to the data subjects. (Signage is a minimum, but also a requirement to notify people verbally of the recording.)
5. The strict (and I mean strict) insistence that audio recordings cannot be made except in extreme circumstances.
It is this subject that I wish to concentrate on here because its one that I feel is very much not known about or adhered to and has the potential to get a lot of security operatives and organisations in trouble over the coming years as privacy concerns increase.
The commissioner’s guidance tells us that audio is an intrusion to people’s privacy and is not justified in most circumstances even where the person has been advised of its use. I know a lot of organisations aren’t aware of this and audio recording is commonplace. I had this conversation with a potential client recently and they had concerns for employees being verbally threatened at work. I raised the following query with the data protection commissioner’s office and received a very detailed clarification on the subject by reply.
Can I request some clarification on your guidance to users on body worn CCTV? This is particularly in relation to the recording of audio (voices) using body worn CCTV.
I have read the below on your website and guidance document:
“The recording of sound or voices (audio recording) by equipment used for security purposes are a considerable added intrusion into the privacy and data protection rights of individuals. For the sake of clarity, the Office of the Data Protection Commissioner does not accept that the use of such audio recording equipment is in any way justifiable or warranted for any purpose, even where members of the public or staff are aware that them voices are being recorded.
In terms of system specifications, body worn cameras should at the very least have separate video and audio recording capabilities so that if situation arises which requires the video recording of an incident, the audio recording is not automatically instigated in tandem”
A client of mine is examining the option of deploying body worn CCTV to its employees as a safety measure following a number of incidents of physical violence and threats of physical violence towards employees from members of
the public. The CCTV is to be deployed primarily as a deterrence measure to both but also for evidence purposes in any potential criminal investigation afterwards.
In instances such as this where the recording of voice is to act as deterrent to threats of violence or as evidence of the criminal act afterwards would its use be deemed reasonable?
To set the context:
1. The recording would take place in a public place.
2. Members of the public will be advised by signage and an announcement of its presence
3. The recordings are not used to monitor employee behaviour.
4. The recordings meet all other aspects of data protection legislation in relation to collection, storage access and retention etc.
5. The employees work alone and in an enforcement capacity contracted to a range of clients but employed by a single private security company.
6. A specific privacy impact assessment and CCTV risk assessment will be in place prior to deployment.
7. All employees are to receive specific training on the use of the units to include legal guidance.
8. The CCTV and audio would only be activated during specific incidents where the trained employee deems it necessary for safety or evidence of criminal activity.
Could you please advise as to the Commissions view on such a situation so that I can make reasonable recommendations to my client?
Many thanks in advance.
A few points to reinforce
In reference to best practice a few points that I remarked on above:
1. All operators of body worn CCTV need specific training in their use and legal restrictions
2. Body worn CCTV can only be used in response to a specific incident and cannot be set to record constantly.
Back to the response from DPC
I refer to your query re the use of Body Worn Cameras (BWCs). Based on the information that you have provided I can make the following observations.
With regard to audio recording, in general, we would advise that the recording of individuals’ voices represents a considerable intrusion into their privacy and data protection rights, and is unlikely to be justifiable or warranted in most situations. It is an extensive, added intrusion when
combined with video recording, and poses considerable risks for third parties in the vicinity whose conversations may be inadvertently picked up and recorded. The level of intrusion is further increased when recording using a mobile, body-worn device.
As with video recording, audio recording must be justified in accordance with the principles of proportionality and necessity as outlined in our published guidance document. The two streams (audio and video) must be considered independently and each must be clearly justified to be
permissible. Further, as audio and video are two separate data streams, each should be able to be controlled and turned on and off independently.
If you wish to consider the use of body worn cameras for both video and audio recording it will be necessary to conduct a detailed risk assessment audit and report on the associated data protection and privacy implications and whether or not the usage can be considered justified and in compliance
with the Data Protection Acts. Please note that in the opinion of this Office the threshold for the justification of audio recording will be very high. The processing of audio data can only be justified as a required tool for the security of property and/or individuals, where there is evidence, based on objective and documented circumstances, of the concrete existence
of a considerable risk, and that the processing of audio data is strictly necessary for the mitigation of that risk.
We have recently published guidance on carrying out Data Protection Impact Assessments, which is the type of assessment that needs to be undertaken.
One of the key elements of a successful DPIA is the engagement of stakeholders. In this case, as the proposed operators of the BWCs will be contracted to a variety of clients for the enforcement of regulatory standards r legislative provisions I would advise that the clients in question should be involved from the beginning in the decision-making process around the use of video and audio
recording. This is also particularly important, as it will involve
recording in public places.
I hope that this is of assistance in highlighting the considerations your client will have to make in assessing the justifiability of the use of BWC technology. If you have any further queries in this matter please feel free
to get in touch.
What does this mean?
Firstly, to say thank you to the DPC for taking the time to answer me back.
Secondly as you will see the guidance is quite strict in that video and audio streams must operate separately (can your equipment do this?). I know for a fact that this isn’t happening with certain operators in the industry. This isn’t a question of fairness and I know some security operatives will be pulling their hair out in frustration reading this as they deal with daily verbal threats.
Thirdly the requirements to justify by means of the DPIA and the risk assessment a justifiable reason for recording even images of the public. This is vital as is the need to involve clients in the process.
Lastly the email ends with this statement:
This correspondence does not purport to be a formal sanction or endorsement of the activities of a data controller, data processor or data subject and the Commissioner reserves her statutory right to investigate, or cause to be investigated, any of the provisions of the Data Protection Acts 1988 –
2003 that have been, are being or are likely to be contravened in relation to an individual. This correspondence does not purport to represent legal advice and recipients should seek independent legal advice before acting or refraining to act upon any guidance set out herein.
I advise every one of you to heed this. Do you own research, get your own legal advice and carry out your own DPIA and assessments. I strongly advise all operators of BWC’s to read the guidance and adhere to it. Data protection is here to stay and you need to be in compliance with it, Take the time to invest in your policies and procedures now before you should defend them in court.