Blog: Is there a role for Body Worn Cameras in security monitoring?
Robert Browne, partner at McKeever Rowan Solicitors in Dublin, reflects on whether the law allows anyone to secretly keep watch and record our movements.
Celebrity chef, Gordon Ramsay may have felt justified in spying on his fifteen year old daughter and her boyfriend in her bedroom. Ramsay used his son’s ‘Go-Pro’, “one of those secret little cameras”, as he put it, to keep an eye on the pair as they studied together for tests. But is anyone allowed to secretly keep watch and record our movements?
The answer to that is that it depends on where you are and what you are doing. In November 2015, Google Street View captured images of a woman in a compromising position (urinating in public!) on a side-street of a city in the Netherlands but unfortunately, failed to pixelate or blur the face, leaving her recognisable from certain angles. Recognisable images recorded by the Google car or indeed, any CCTV cameras, except those used in a private residence, are “personal data”. These recordings are subject to Data Protection laws, meaning that certain rules must be observed.
Surveillance in public areas is a necessity for a number of reasons, such as, to prevent or combat crime and to safeguard the public. The day after the ISIS terror attacks in Paris in November 2015, Army Ranger Wing troops patrolled the rooftops of Dublin’s Dundrum Town Centre. The troops were engaged in exercises in anticipation of the moderate threat of an ISIS attack on the busy south-side shopping centre. It is to be expected that the comings and goings of shoppers and others will be subjected to high level security monitoring.
It seems that surveillance and recordings are here to stay. In February 2014, a District Court Judge was critical of a business that had not provided Gardaí with CCTV footage in support of its claim that an expensive mobile phone had been stolen from one of its premises. The CCTV footage was said to be “integral” to the prosecution of the case.
Camera phones, body worn cameras (such as ‘the Go-Pro’) as well as drones (unmanned aerial vehicles) are now widely available. There is already a proliferation of fixed CCTV on our streets, in public buildings and in places of business. Many businesses may consider making use of new mobile devices for monitoring purposes. However, it is no easy task to achieve the proper balance between benefitting from technology’s marvellous advances, while taking care not to invade a person’s ‘private space’, even in public places. Businesses needs to accommodate and plan for the presence of these new monitoring devices.
There is a very thin line between freedom of expression and the right to carry on a business, and the competing rights of individuals to privacy and data protection.
Use of Mobile Camera Devices: Points to note:
Where a business wishes to employ mobile camera devices, perhaps alongside more traditional CCTV systems, there are a number of points to bear in mind:
- The business is considered to be a “data controller” and is subject to the Data Protection Acts 1988 and 2003, (to be replaced by an EU Regulation, directly applicable throughout Europe and an EU Directive on data protection in policing matters, soon to be formally adopted by the European Parliament and Council and then implemented over a two year period.)
- It is important to know that individuals are entitled to data protection and that they have a right to privacy, guaranteed by EU law. Thus, the use of image recording must be for justifiable reasons in that it must be necessary, proportionate and lawful.
- The use of body worn mobile camera devices in the work-place should be limited to use “in response to specific pre-defined criteria, where it could be justified for security and safety purposes”. Recently Ireland’s Data Protection Commissioner, issued guidelines on the use of body worn cameras. As a general rule, the security or protection of a company’s property or assets are acceptable reasons for monitoring.
- It is unacceptable, according to the Commissioner, to record sound or voices even where employees or members of the public are aware that audio recording is taking place. It represents too much of an intrusion into privacy to be justified. Accordingly, audio recording functions should be switched off or disabled. If image recording is taking place, the subject(s) of the recording should be made aware of it by means of conspicuous signs, or an announcement by the operator of the device that recording is taking place. Also, the operator wearing the device should be in plain sight.
- Training the operator is necessary to ensure that he/she is aware of the issues of proportionality, that the recording be limited to a specific incident and for a specific purpose, and transparency i.e., that subject(s) be made aware that the recording is being made. The recording should not be prolonged and should continue only for as long as the incident lasts. It is not permissible to constantly video staff as they go about their work: “Under no circumstances should the recordings be used to monitor staff in their general duties,” according to the Commissioner.
- A business becomes a data controller when it records and processes personal data in the form of images. It then has a duty to protect that data. With regard to processing and storage of CCTV footage, the data controller must ensure that access to it is limited to authorised persons only, and that it is kept securely. Consideration should be given to applying a pixelated or blurred filter and/or to encryption of data. Footage should be destroyed as soon as the purpose for which it was gathered has been accomplished. If a person who is an identifiable subject of a recording (a data subject) requests a copy of it, it must be made available, or ‘stills’ of any recording be produced if it cannot be copied. Others visible and recognisable on the recording must be blurred by the data controller, so as to make them anonymous, unless their consent has been given to its unedited release. The costs associated with this manipulation of footage to be borne by the data controller could be exorbitant.
- A business should put in place a clear policy on the length of time for storage of footage, depending on the purpose for which it was collected. For example, video or photographic evidence of events such as ‘slips and trips’ can be of huge assistance to a company in providing an accurate record of events to enable liability/contributory negligence to be properly investigated. Retention policies need to take account of the possibility that such footage may need to be examined some days or even weeks after an incident, which may have gone unreported at the time. Clearly, when an incident is known to haves taken place, the footage must be retained.
Risk and Privacy Impact Assessments
In this regard, it is vital that businesses carry out a thorough review of their Data Protection policy to include a Risk Assessment and a Privacy Impact Assessment on the specific need for, and the protocols around, the operation of body worn cameras or mobile cameras before they are put into use.
Where a business engages an independent security company (a data processor) to perform its security surveillance, it has a duty to ensure that its contract with the security company contains clear terms of reference to ensure that its methods of surveillance are appropriate and lawful.
The operation of drones over 1 kg, requires registration with the Irish Aviation Authority according to recent new laws. A drone cannot fly over an assembly of people or over urban areas. An operator of a drone over 4 kg must undergo safety training.
- Robert Browne is a Partner at McKeever Rowan Solicitors. You can view his profile here.