New ICO video surveillance guidance

The ICO has now published its guidance relating to the use of video surveillance.

The scope of the guidance is broad and covers the use of things such as CCTV, Automatic Number Plate Recognition, Body Worn Video, Drones, Facial Recognition Technology, dashcams and smart doorbell cameras.    It does not apply, though, to use of video surveillance purely in the context of personal or household activities (as that is not regulated by the UK GDPR).

Although the points flagged by the ICO are an application of existing legislation, the guidance is very useful at identifying the key issues to consider and demonstrating the ICO’s view on how compliance can be achieved.

While the ICO flags a significant number of points in the guidance, a number of interesting ones include:

• The importance of ensuring data protection by design and default (so ensuring the system itself enables compliance with your data protection obligations). Specifically the ICO note the importance of not purchasing a system because it is new and hoping the technology will gain public approval.
• The need to consider whether a DPIA is necessary before undertaking the surveillance (for example where monitoring individuals in the workplace). This is always something you should consider when undertaking new processing activities, however surveillance is a higher risk activity which may more easily pass the threshold.
• Considering whether a use case uses special category data (such as facial recognition technology) and the need to consider your Article 9 obligations.
• The importance of ensuring that data collected by a system is of good quality and is adequate, relevant and limited to what is necessary. You therefore need to give careful consideration as to where, for example, a camera is placed (is it collecting more information that required for the purpose?).
• The need to consider alternatives to surveillance. Where an alternative method is less intrusive and achieves your aims the ICO make clear these alternative methods should be adopted instead. While this is merely a practical application of the ‘necessity’ principle it is important to keep in mind, given the intrusive nature of surveillance and potential for ICO enforcement.
• The importance of only recording audio in relation to your workforce in rare circumstances. Where you do undertake audio surveillance the ICO makes clear, in its guidance, what you should do to ensure the surveillance is compliant, including consulting with employees.
• Making sure you can access the information collected or stored by a system to ensure compliance with your data protection obligations (for example can you effectively delete the information?).

The guidance is a must if you are considering undertaking surveillance and should help you ensure compliance with your data protection obligations. There is, within the document, specific guidance on some common surveillance use cases such as facial recognition, body worn cameras and UAV cameras. These are worth a read, if applicable, to understand the issues you are likely to face.