The Information Commissioners Office announced last week they would be making enquiries into an incident involving Virgin Trains and the release of footage picturing Labour leader Jeremy Corbyn travelling on one of their services.
Organisations have several responsibilities when recording the public at large and from a privacy perspective, this includes compliance with the Data Protection Act 1998 (DPA). Failure to take such compliance issues seriously could result in legal, reputational and financial repercussions. It is therefore paramount for any organisation using, or thinking about using CCTV, to be clear on when it is appropriate to use CCTV and when captured footage can or should be released.
When can CCTV be used?
All of us will have had some exposure to CCTV. Whether it’s the slightly fuzzy image reflected at you as you enter a department store or, in the case of Jeremy Corbyn, a small camera on the ceiling of a train recording commuters, CCTV has undergone major developments from the lone camera on a pole in the middle of a town centre. These days, most organisations have some form of surveillance equipment in place to monitor and record individuals.
So when can an organisation make use of CCTV? Businesses have the right to make use of CCTV in order to protect their premises and property. Prior to doing so however, the ICO (the data protection ‘watchdog’ of the UK) recommends such parties firstly assess the need for CCTV against any potential alternatives and the impact it could have on individuals’ right to privacy by undertaking a Privacy Impact Assessment (PIA).
If a PIA result should not be favourable, it is recommended the organisation looks at alternatives or less intrusive methods of surveillance. If, following the PIA, the organisation decides to continue and use CCTV, organisations should note that they must be open and transparent about the use of CCTV and take reasonable steps to inform the public they may be recorded and the purpose for which the recording is made. Most organisations do this by using clear and unambiguous signage on and around their premises and some thought should be given as to where these signs are placed, to avoid any arguments that they were not seen by the public.
Can footage be released?
For the most part, recorded footage should be destroyed within a reasonable timescale if an organisation has no further requirement for such a recording and in general, recorded footage should not be disclosed to the public unless it can be justified under the DPA or other applicable law. It is important that users of CCTV have in place a robust data retention policy setting out how long recordings should be kept, security measures in place to avoid unintentional disclosure and once it is no longer necessary, how recordings may be disposed of securely.
However, there will be some instances where you can, and in some circumstances should, disclose the footage. The most common example of this may be where individuals have made a request to CCTV holders for any footage where they have been captured or where footage has been captured in relation to criminal activity where it may be appropriate to release it to the police for the purposes of assisting with an investigation. It may also be appropriate to disclose footage in the event of civil claims, such as personal injury actions.
But if you, like Jeremy Corbyn are travelling on a train, is it appropriate for this recording to be disclosed by the train operator? The ICO and DPA would generally say no.
If there is a breach, what can happen?
If you do release footage or imagery for reasons in breach of the DPA, the ICO has the power to take action including enforcement notices and in serious cases, impose fines of up to £500,000 (this limit may increase significantly should the UK adopt the new General Data Protection Regulations). By way of an example, in 2011 the ICO launched an investigation into an organisation which streamed CCTV content on YouTube, leading the website to eventually be taken down in order to comply with the DPA. Separately, in May 2015, a fine of £160,000 was imposed on a police force after a video recording was lost. In some very serious cases the ICO can submit a report for investigation with the Crown Prosecution Service/Crown Office and Procurator Fiscal Service which may lead to a criminal sanction against organisations, including imprisonment.
Whatever the outcome of the Corbyn CCTV investigation, the incident provides a strong reminder that the use of CCTV is to be considered thoroughly. Parties must ensure such use complies with the DPA and generally should not be disclosed into the public domain unless there is a clear justification for it.
If you have any further queries regarding CCTV or data protection generally, please contact a member of our Compliance Team.
Loretta Maxfield is a Solicitor in our specialist Intellectual Property, IT and Media team. We are always delighted to talk without obligation about whether we might meet your needs. Contact Loretta at firstname.lastname@example.org or call 01382 229111.