Body worn cameras and privacy implications
Is your use of body worn cameras reasonable and proportionate?
Wearable technologies such as body worn cameras (‘bodycams’) and other recording devices are often used for public safety and security purposes. An obvious example is their use by the Police and other public services. They can also be used for recreational pursuits.
The use of these devices has increased significantly over recent years as the technology advances in leaps and bounds, and prices fall.
Bodycams can pose a real challenge from a data protection perspective due to their portability. When a bodycam is in use, it effectively becomes a mobile surveillance system which is highly likely to capture images or audio of individuals. This should be regarded as personal data. Businesses using these devices need to be mindful of relevant data protection requirements.
We need to bear in mind that when bodycams are combined with facial recognition technology to uniquely identify individuals (e.g. for safety and security purposes), the data protection concerns increase. If you are actively processing special category data, such as biometric data used within facial recognition systems, you need to identify a suitable condition under Article 9, UK GDPR.
Eight key privacy principles and obligations for bodycams
- Fair and lawful processing – you must be able to demonstrate your use of bodycams is both fair and legal. The necessity must be carefully considered. The potential for bodycams to be intrusive means meeting a relatively high threshold to demonstrate your use is genuinely necessary.
- Limited purposes & data minimisation – cameras should only record the minimum amount of personal information necessary for specified purposes.
- Transparency – did you clearly tell people before you began recording? Are they aware of their rights?
- Information security – any recordings must be stored securely. If video footage is stored on the device itself, or on a memory stick (even temporarily), there’s an additional risk of loss or theft of personal data.
- Restricted access – clearly defined rules should be in place covering who can access recordings and for what purposes.
- Sharing – the disclosure of images and information should only take place when it’s necessary for specified purposes, or for law enforcement. And checks should be in place before disclosing to law enforcement or other agencies.
- Storage limitation – data on individuals (including video & audio) must be retained only for the minimum amount of time required, and then deleted.
- Individual rights – you must be able to respond appropriately to any privacy rights requests from individuals (such as the right of access or right to erasure).
Carrying out an impact assessment
In most situations it would be wise to conduct a Data Protection Impact Assessment (DPIA) to formally assess and document your approach and how you will meet the data protection obligations.
The DPIA will need to consider each of the relevant principles and evaluate if measures and controls in place are adequate to protect individuals whose personal data may be captured.
The ICO published ‘Guidance on video surveillance’ earlier in 2022. This covers the processing of personal data by video surveillance systems by both public and private sector organisations. Their scope for surveillance systems includes CCTV, ANPR, bodycams, drones (UAVs), facial recognition technology (FRT), and also dashcams and smart doorbell cameras. They pick up on many of the points I’ve summarised above.
The Biometrics and Surveillance Camera Commissioner published a draft update to its ‘Surveillance camera code of practice’ in August 2021, which is still out for consultation.
The draft code includes twelve guiding principles for surveillance system operators. However, as you may anticipate, many of these overlap with the privacy principles I’ve picked out above. I’ve highlighted some other areas covered in this draft code:
- There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
- Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
- Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
- There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
- When the use of a surveillance camera system is in pursuit of a legitimate aim, and there’s a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
- Any information used to support a surveillance camera system which compares against a reference database for matching purposes (for example, ANPR or facial recognition) should be accurate and kept up to date.
I hope you found this article useful. If you’d like to know more please just drop us a line and arrange a chat.