With the recent publicity surrounding Virgin Trains, empty seats and Jeremy Corbyn, it would seem that organisations remain unaware of the data protection implications when using CCTV images.
There was an interesting story that was reported in the press on 31 December 2015 about a restaurant that posted an image from its CCTV on Facebook of a group of 4 people who had allegedly left the restaurant without paying their bill. I am sure there will have been a significant number of people who read the reports and thought this was a highly effective way of addressing this particular issue.
Much of the discussion that followed centred on whether or not this was an appropriate course of action for the restaurant to take from a customer service perspective. The comments that were reported suggested the majority of people felt it was a social media blunder although there was also some support for the action taken by the restaurant.
However, leaving that particular argument to one side, what did not seem to be mentioned in any of the reports was the fact that posting CCTV images of people online is likely to be unlawful in the vast majority of situations, including both of those mentioned above. The consequences and potential penalties of unlawful processing could be far greater than the cost of a meal for 4 that was quoted in the press. In fact, there have already been investigations into exactly this type of information disclosure where an organisation streamed CCTV footage to the YouTube website and was required to enter into an Undertaking with the regulatory body, the Information Commissioner’s Office (ICO), to address breaches of the Data Protection Act 1998 (the Act).
CCTV images will usually be considered personal data, and in this particular case will definitely fall within data protection legislation as the people were clearly identifiable. Assuming the restaurant is using CCTV lawfully in the first instance (they have notified the ICO and have the relevant and appropriate data processing notices), it is still difficult to imagine any circumstances in which most businesses can lawfully publish CCTV images.
All personal data, including images, must be obtained for a legitimate business purpose, which must be a legitimate business activity of the organisation collecting the data. Once obtained, the data can only be used for that purpose and should also be processed in a way that ensures compliance with all 8 Principles of the Act.
Most businesses will report that CCTV is being used legitimately for crime prevention and detection, although the need for CCTV should be demonstrated through the necessary risk assessments and privacy impact assessments.
When it comes to investigating crime rather than preventing or detecting crime, there are very few organisations that will be able to report this as a legitimate business activity, with the obvious exception being law enforcement agencies. Therefore any processing for the purposes of investigating or solving “crime” by organisations that are not law enforcement agencies is likely to be unlawful. I have used “” for the word crime as I am not sure from a legal perspective whether there is technically any evidence to suggest a crime had actually been committed by one or more of the party of 4 in this case. Media coverage suggests the incident had not been reported to the police at the time the image was published.
Furthermore, the ICO makes it quite clear in their CCTV Code of Practice that the identification of individuals from CCTV should only be carried out by law enforcement agencies and goes on to state:
“…it can be appropriate to disclose surveillance information to a law enforcement agency when the purpose of the system is to prevent and detect crime, but it would not be appropriate to place them on the internet …”
Therefore, in answer to the question in the title, my view is that it is quite clear CCTV images should not be published anywhere, including on the internet, and it may even be unlawful.
From the information reported in the media, there is potentially a whole catalogue of breaches of the law. The case also calls into question whether the necessary risk and impact assessments had been carried out. The penalties could be significant if any follow-up action is taken by the ICO. Furthermore, action could be taken by any of the people identified in the CCTV who may have grounds to make a legitimate complaint due to the unlawful disclosure of their personal data and, in some circumstances, seek compensation for damages. It should be noted the restaurant subsequently removed the post.
If you have CCTV you need to ensure its use is justified and the data being collected is being processed in accordance with the relevant legislation. Comprehensive guidance is available from the ICO and, as always, please contact me to discuss training requirements or for help with impact or risk assessments.