Dashcams and GDPR: Assessing the privacy implications
7 point privacy guide for dashcams
The use of dashcams by taxi firms, business vehicle fleets and others is on the increase. Their use is encouraged by insurers and they are seen as an effective way of combating accident insurance fraud.
As dashcams are highly likely to capture images of people, companies installing them need to take stock and consider data protection law. This is personal data and you should consider the potential privacy impacts on those caught on camera, much in the same way as you would do when using CCTV.
Here’s my 7 point privacy guide for anyone using or preparing to install dashcams.
- Confirm what you’re using cameras for. You need to start with a clearly defined purpose (or purposes) for the images you wish to capture. For example, ‘to enable us to investigate alleged accidents for insurance purposes’.
- Create a policy. Your ‘Dashcam Privacy Policy’ should make it clear what specific purposes these images are used for and identify the lawful basis for any processing of personal data images. You should make sure the processing is necessary and limited to those purposes. A policy should also explain what measures and controls are in place to protect individuals whose images are captured.
- Brief your drivers. Put simply, drivers who operate the dashcams and anyone else who may use the images should fully understand how the cameras should be used and how the data collected should be handled.
- Notify the public. You should consider putting clear signs on vehicles which have cameras, in a similar way to how you would tell people CCTV is in operation, and declare the capture of dashcam images within your company’s privacy notice.
- Make sure images are transferred and stored securely. Many modern dashcams used by vehicle fleets provide the capability to schedule image downloads daily to a central image library for storage. These transfers must be secure, as must the location where the images are stored. Access should be restricted, given only to those who are authorised to use the images for the purposes you have specified.
- Decide how long to keep the recordings. One of the core data protection principles is not to keep personal data for longer than you need it. You may only need to keep most images for a very limited period, in case an accident is reported to you. Some claims may come in weeks after the event – so your own experience needs to dictate what is a reasonable period to hold on to recordings. If no accident is reported within the agreed period you should destroy the images. When an accident is reported you may need to retain a specific section of dashcam footage related to the accident or alleged accident whilst the claim is investigated, or if legal hold is required. You should then delete it after a suitable period when it’s no longer necessary.
- You might need to carry out a Data Protection Impact Assessment. If you think the processing of personal data by your dashcams might potentially result in a high risk to individuals, you should conduct a DPIA.
If your vehicle fleet includes heavy goods vehicles (HGVs) of over 12 tonnes gross vehicle weight, which operate within the Greater London area, you should look ahead to complying with the forthcoming Direct Vision Standard.
This new safety standard was created to improve the safety of all road users, including pedestrians, cyclists and motorcyclists. Depending on your specific vehicles, you might be required to fit blind spot cameras which, like dashcams, are likely to capture images of people. The new standard is expected to come into force around 1 March 2021, at the earliest.
Meeting the data protection requirements for business use of dashcams doesn’t need to be onerous, but shouldn’t be overlooked.