Dashcams and GDPR: Assessing the privacy implications

August 2020

7 point privacy guide for dashcams

The use of dashcams by taxi firms, business vehicle fleets and others is on the increase. Their use is encouraged by insurers and they are seen as an effective way of combating accident insurance fraud.

As dashcams are highly likely to capture images of people, companies installing them need to take stock and consider data protection law. This is personal data and you should consider the potential privacy impacts on those caught on camera, much in the same way as you would do when using CCTV.

Here’s my 7 point privacy guide for anyone using or preparing to install dashcams.

  1. Confirm what you’re using cameras for. You need to start with a clearly defined purpose (or purposes) for the images you wish to capture. For example, ‘to enable us to investigate alleged accidents for insurance purposes’.
  2. Create a policy. Your ‘Dashcam Privacy Policy’ should make it clear what specific purposes these images are used for and identify the lawful basis for any processing of personal data images. You should make sure the processing is necessary and limited to those purposes. A policy should also explain what measures and controls are in place to protect individuals whose images are captured.
  3. Brief your drivers. Put simply, drivers who operate the dashcams and anyone else who may use the images should fully understand how the cameras should be used and how the data collected should be handled.
  4. Notify the public. You should consider putting clear signs on vehicles which have cameras, in a similar way to how you would tell people CCTV is in operation, and declare the capture of dashcam images within your company’s privacy notice.
  5. Make sure images are transferred and stored securely. Many modern dashcams used by vehicle fleets provide the capability to schedule image downloads daily to a central image library for storage. These transfers must be secure, as must the location where the images are stored. Access should be restricted, given only to those who are authorised to use the images for the purposes you have specified.
  6. Decide how long to keep the recordings. One of the core data protection principles is not to keep personal data for longer than you need it. You may only need to keep most images for a very limited period, in case an accident is reported to you. Some claims may come in weeks after the event, so your own experience needs to dictate what is a reasonable period to hold on to recordings. If no accident is reported within the agreed period you should destroy the images. When an accident is reported you may need to retain a specific section of dashcam footage related to the accident or alleged accident whilst the claim is investigated, or if legal hold is required. You should then delete it after a suitable period when it’s no longer necessary.
  7. You might need to carry out a Data Protection Impact Assessment. If you think the processing of personal data by your dashcams might potentially result in a high risk to individuals, you should conduct a DPIA.

If your vehicle fleet includes heavy goods vehicles (HGVs) of over 12 tonnes gross vehicle weight, which operate within the Greater London area, you should look ahead to complying with the forthcoming Direct Vision Standard.

This new safety standard was created to improve the safety of all road users, including pedestrians, cyclists and motorcyclists. Depending on your specific vehicles, you might be required to fit blind spot cameras which, like dashcams, are likely to capture images of people. The new standard is expected to come into force around 1 March 2021, at the earliest.

Meeting the data protection requirements for business use of dashcams doesn’t need to be onerous, but shouldn’t be overlooked.

RoPA – Five tips for keeping your Records of Processing Activity up to date

One of the more onerous obligations under GDPR was the requirement for many organisations to maintain a Record of Processing Activities (RoPA). I stress the word ‘maintain’, as this isn’t a one-off exercise.

Even smaller organisations still have certain record keeping responsibilities, which should not be overlooked.

The specific requirements for record keeping are detailed and it’s an area many businesses have found challenging, especially keeping records up to date.

Here’s my quick 5-step guide to keeping your RoPA fresh and complete.

1.  Why? – The need for ongoing updates

Keeping your records updated is really important. It’s a good idea to enlist the support of your Board as you’ll need help from all business function heads to tell you about their changes to processing, notify you of new data service providers and to keep the RoPA refreshed over time.

Failure to do so can lead to a loss of understanding about the true breadth of your processing, resulting in uncertainty when you most need to refer to your records. After all, if you don’t know about certain processing or hold any record of it, how can you possibly help the business to protect that data?

For example, your RoPA should be the first place to look if you suffer a data breach, helping you to identify:

  • the categories of individual
  • sensitivity of the data
  • what it’s used for
  • who the data owners are
  • who it was shared with
  • what safeguards should have been in place to protect it… and so on.

It can also be helpful to reference your RoPA when handling individual rights requests.

If requested, you might need to make your records available to the ICO, so you’d want to know they are in good shape. Getting behind and letting them get out of date makes the job of getting them back into order all the more difficult.

2. Who? – Is your list of data owners / stakeholders up to date?

Make sure you have a complete list of who is accountable for each of the personal data assets in your organisation. For example, employee & recruitment data, customer data, supplier data, financial data, etc. They need to understand their role in record keeping.

No DPO or data protection team can do this on their own; they need the support of others.

3. What? – Make sure you’re capturing all the right information

Check you’re capturing all the RoPA requirements, which are slightly different if you act as a controller or processor (or both). If you need to check, take a look at the ICO’s guidance on documentation.

4. How? – Regular engagement with your stakeholders

Building a good two-way dialogue with your data owners & other stakeholders is essential not only for record keeping but many other data protection tasks. They will be close to the coalface in terms of what data they have, what it’s used for and what measures they use to protect it.

5. When? – New processing

Have you updated records for all the new processing and changes to processing you’re aware of? You should be updating them whenever you identify new processing or changes to processing, including when you carry out a DPIA or LIA. Good stakeholder relations can really help you with this.

I hope this helps you with ways to keep your own records up to speed. I do find sharing the message about how helpful the RoPA can be if you suffer a data breach can motivate others to support you in this important task. Good luck!


You’ve been SAR-bombed!

July 2020

You are at the end of a long day; just about to turn in for the night. You just do one last check of your inbox for any signs of a reported security incident. Suddenly you are aghast: the new email count in your inbox registers over 9,000 new emails! You quickly scan to fathom what on earth has happened…

All the emails come from the same sender and the subject lines all declare they are SAR (Subject Access Request) requests. Looking closer you note the emails include personal information, describe that “so-and-so” wants to exercise a privacy right and reference different privacy laws.

These are laws you know require you to reasonably address privacy requests, with penalties should you fail to address the request in good faith and in a timely manner.

While I hope you never experience 9,000 requests in one hit, people seem to be increasingly relying on third parties and apps to facilitate their privacy rights. Indeed, some third-party portals are actively encouraging people to use their services.

Once your organisation is identified, you are likely to receive requests from the third party’s entire user base; all delivered to the email address published via your privacy statements.

Let’s explore this trend in more detail and give you a glimpse of how to tackle the SAR-bomb experience.

The Dawn of Privacy Preference Apps

Chances are you’ve already received or honoured an individual’s privacy request received via a third party in some fashion or another. Country and channel specific regulatory “do not contact” lists have for some years allowed people to ‘opt-out’ of direct marketing “en masse.” Some third parties offer people template letters to express privacy choices with a pre-defined list of organisations that should receive them.

Mobile apps are also available to help individuals exercise their requests. One such app seeks to help individuals to identify organisations they have previously transacted with for the purposes of exercising their privacy rights and another is designed to help individuals address legal disputes.

Of course, California’s Consumer Privacy Act (CCPA) now requires organisations to process privacy requests delivered by third parties (defined as “authorised agents”). As California is the world’s sixth largest economy, CCPA’s “authorized agent” mandates are likely to be replicated and to influence individuals’ expectations beyond California.

Mindset

When addressing privacy requests delivered to you via third parties, be sure your response plan considers first the people submitting these requests. They’ve already invested some time and energy and may have even paid for the help these parties and solutions offer.

People may have turned to such third parties to assert control over their data in as broad a manner as possible. Some may be frustrated, confused or upset, and others may not be aware or care that your organisation has specific obligations under the law.

Your procedures to authenticate identity, validate the processing of personal data, address requests within your organisation and ensure the security of the data in your care, are likely of little concern to individuals.

Even though the law may require you to separately affirm certain requests received online, some individuals simply won’t appreciate your attempts to confirm the authenticity of their requests.

Furthermore, your requests of people to follow your processes may be met with frustration, indifference and scepticism; especially when you need them to take additional action to facilitate their original request.

Your experience addressing sensitive SAR requests, such as those associated with disgruntled employees or customers punishing you for bad service, can be especially useful.

Getting to Work

With the individual’s mindset front and centre, let’s shift attention to some of the considerations specific to being SAR-bombed. Time is of the essence and you need a systematic approach to establish whether you will deny, partially or fully comply with the request.

  • Get your arms around the situation – At a minimum, you need to identify each individual, extract the personal data (as needed to authenticate their identity and confirm the data exists within your organisation) and define the rights they wish to exercise. Conduct a quick test to see how much time is needed based on the total volume.

In our example, let’s say it takes you just 90 seconds to open one of the emails, log the relevant details to your SARs system and archive the email. At 9,000 requests, you may need 225 hours to convert these SAR emails into requests that make sense within your organisation.

  • Create a structured dataset – The volume of SARs simply requires a repeatable process designed to convert the unstructured privacy email into a structured request that makes sense within your organisation. It may help to create a solution that can parse emails for relevant details and return data back to you in a structured format.

If your email platform supports it, consider exporting all the SAR emails into a Comma Separated Values or “CSV” file. Once in a CSV file, you can use your favourite spreadsheet program to make short work of your analysis and response.

  • Include key details within your structured dataset – Consider assigning a unique identifier specific to the request and sender to help you demonstrate the original request across the actions needed to address it. Pull forward the personal data related to the request in a way which reflects your existing SARs authentication and matching procedures.

You may also extract demographic information across specific columns; especially useful if the requests reference rights across different jurisdictions or laws. Denote the privacy right (or rights) for each request. Be sure to use terms your organisation understands to save time.

Consider assigning a reference to the jurisdiction (or law) applicable to the request; or the individual involved. For example, it may be useful to validate GDPR requests originating from Europeans differently from CCPA requests from Californians.

  • Questions relevant to developing your strategy

a. Do you have multiple requests for the same individual? Check if you have duplications i.e. the same individual requesting the same right.
b. Do you have requests that aren’t legally required? Check if those exercising a right are indeed subject to the right or law referenced. For example, is the individual a European (if referencing GDPR) or a Californian (if referencing CCPA)? Dependent on the volume and results of this analysis, you may need to address requests subject to the law first.
c. Can you act on the request as presented? Do you have evidence the third party has authority to act on the individual’s behalf? Are you able to verify their identity? If you need more information your response plan also needs to factor in developing and sending communications, and addressing the responses.

  • Creating records to demonstrate your reasonable efforts – Regardless of your specific response plan, be sure to keep records detailing what you did and the decisions you made. This may include:

1) details of your actions to assess the request
2) communications with the individual
3) actions taken internally to address the request
4) summary of results (for example whether you denied, partially or fully complied)
5) the timeframe taken to resolve
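
As an added illustration (not part of the original article, and not any company's own tooling), here is one way to turn a CSV export of SAR emails into de-duplicated, uniquely identified requests with a jurisdiction check. The column names, region codes, in-scope lookup and sample rows are all constructed assumptions.

```python
import csv
import hashlib
import io
from collections import Counter

# Constructed sample export. Column names are assumptions, not a real platform's schema.
SAMPLE_CSV = """received,sender,requester_email,right,law,region
2020-07-01T22:01:00,agent@portal.example,Ana.Ruiz@example.com,access,GDPR,ES
2020-07-01T22:01:05,agent@portal.example,ana.ruiz@example.com ,access,gdpr,ES
2020-07-01T22:02:00,agent@portal.example,bo.lee@example.com,delete,CCPA,US-CA
2020-07-01T22:03:00,agent@portal.example,cy.orr@example.com,access,GDPR,US-TX
2020-07-01T22:03:09,agent@portal.example,bo.lee@example.com,Delete,CCPA,US-CA
"""

# Assumed lookup: regions that reasonably describe someone covered by each law.
IN_SCOPE = {"GDPR": {"ES", "FR", "DE", "IE"}, "CCPA": {"US-CA"}}


def request_key(row):
    """Same individual + same right + same law = the same request."""
    return (row["requester_email"].strip().lower(),
            row["right"].strip().lower(),
            row["law"].strip().upper())


def triage(csv_text):
    """Collapse duplicate emails into unique requests with a stable identifier."""
    unique = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = request_key(row)
        if key not in unique:
            digest = hashlib.sha256("|".join(key).encode()).hexdigest()[:10]
            region = row["region"].strip().upper()
            unique[key] = {"request_id": "SAR-" + digest, "email": key[0],
                           "right": key[1], "law": key[2], "region": region,
                           "in_scope": region in IN_SCOPE.get(key[2], set()),
                           "first_received": row["received"], "copies": 0}
        unique[key]["copies"] += 1
    return list(unique.values())


def summary(records):
    """Counts needed to plan the response: volume, duplicates, split by law."""
    emails = sum(r["copies"] for r in records)
    return {"emails": emails, "unique": len(records),
            "duplicates": emails - len(records),
            "by_law": dict(Counter(r["law"] for r in records)),
            "in_scope": sum(r["in_scope"] for r in records)}
```

Because the identifier is derived from the normalised requester, right and law, re-running the triage on a later export gives the same `request_id` for the same request, which helps when you need to show the original request across every action taken on it.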

Adopting the approach above, my company, Harte Hanks, has addressed 9,254 email requests within just a few days. We identified that 96% of the requests delivered were simply duplicates.

The “sender” seems to have experienced a technical problem, delivering the same request on average at least 44 times and one over 1,600 times. Of the 326 “unique” requests delivered, 67 requests described rights under CCPA whereas the other 259 described rights under GDPR.

When considering the personal data delivered along with the request, we found all CCPA requests included personal details reasonably descriptive of a Californian whereas only 16 of the remaining “GDPR” requests reasonably “described” a European.

Here’s to hoping you don’t ever experience such a deluge of requests at one time.

Further information

In the UK, the Information Commissioner’s Office addresses requests made via third party portals in its detailed Right of Access Guidance.

The ICO says to determine whether you need to comply with such a request you should consider whether you are able to verify the identity of the individual and are satisfied the third party portal is acting with the authority of and on behalf of the individual in question.

The regulator stresses you are not obliged to take proactive steps to discover that a SAR has been made. So, if you can’t view the SAR without paying a fee or signing up to a service, you have not ‘received’ a SAR and are not obliged to respond.

Furthermore, it’s the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf. In responding to a SAR you are not obliged to pay a fee or sign up to a third party service. If you are in this position the regulator’s advice is to provide the information to the individual directly. The draft code states:

“If you have concerns that the individual has not authorised the information to be uploaded to the portal or may not understand what information would be disclosed to the portal, you should contact the individual to make them aware of your concerns.”