Article GDPR and CCTV in taxiscommittee.worcester.gov.uk/documents/s42568/GDPR and CCTV... · 2018....


  • GDPR and CCTV in taxis Article

    GDPR has many implications for local authorities and taxi drivers but should not prevent CCTV within taxis continuing to be used to safeguard the public, as Ben Williams explains

    Last year I wrote about the introduction of taxi CCTV policies and the state of the law.1 Since that time I am aware of a number of local authorities which have begun adopting such policies as a means of achieving a safer environment for drivers and passengers alike.

    1 (2017) 18 Jol, p32-34.

    Now as I write this, nearly a week has passed since the "go live" date for GDPR. Despite being seen as the biggest threat to mankind since the Hadron Collider, no black hole has as yet enveloped the country. Doubtless, though, you have been inundated with requests to "opt in" to future correspondence from a plethora of retailers, memberships and organisations.

    For those who have been living under a rock, General Data Protection Regulation (GDPR) is the apparent answer to outdated 1990s legislation which was cracking under 21st century strains as the processing of personal data ramps up with technology.

    The Data Protection Act 2018, which implements and extends GDPR, does not necessarily represent a clean slate, for the broad architecture of data protection remains the same. Data controllers must comply with prescribed principles in respect of all processing of personal data, and individuals have rights of subject access, compensation, erasure and rectification.

    Pursuant to the Act, there must be a specific purpose for collecting and retaining data. The Act goes on to dictate that the data collected must be adequate, relevant and limited to what is necessary. There is therefore a limit on how long information must be stored and the form data must be kept in which permits identification for no longer than is necessary.

    GDPR applies to data controllers and data processors alike. The data controller is responsible for all of the principles and must be able to demonstrate compliance with the same. They are responsible for any breaches or non-compliance by data processors who process data on their behalf. It is worth noting that the new rules have a significant sting in the tail in terms of the financial penalties that may be dished out, albeit the greater penalties are plainly geared towards the larger organisations, in particular the social media giants.

    GDPR will require data controllers to maintain records of their data processing activities. Having a complete record of what data you hold, where it came from and how it is processed will enable you to maintain the required records and assist you in complying with the GDPR principles. Thus it can be seen that there are onerous requirements which must be adhered to.

    Taxi regulation and GDPR

    So how does this impact on taxi regulation?

    GDPR dictates that you must have a specific purpose for collecting and processing data; that this must be a specified, explicit and legitimate purpose only; and that you must not process data in an incompatible way.

    Plainly the purpose of ensuring public safety is a specific and legitimate reason for collecting CCTV. Furthermore, CCTV assists with the deterrence of crime and anti-social behaviours; it therefore assists the police and assists insurers in the event of accidents.

    It is essential that the reason for such CCTV is clear; signage within a taxi may refer the passenger to the local authority's website where a clear explanation of its policy is provided to the public.

    The new rules will have a significant impact on the retention of CCTV by local authorities and / or drivers and operators. This is something that may have been lost on various businesses as a recent survey by the Irish Government revealed that around two thirds of respondents did not know GDPR impacted on the use of CCTV.

    CCTV captures imagery of "data subjects" or "passengers" as they no doubt prefer to be called in this context. Identifiable imagery is considered as personal data under GDPR. Given that the processing of that data must be lawful, fair and transparent, this requires some consideration by those who make use of it. Because data subjects are entitled to understand when their personal data is being processed, it is essential that signage is used as a means of explaining to taxi users that this is so. The requirement for signage will no doubt be covered in the local authority's policy, and will likely form part of any conditions attached to the licence. Signage signifies the passenger's informed consent to the processing of CCTV data for Article 4 (11) GDPR, which states:


    Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

    The ICO has issued draft consent guidance (March 2017), which, to summarise, says:

    • Don't use pre-ticked boxes/opt-outs/consent by default.

    • Be "specific & granular" but also "clear & concise".

    • For explicit consent, it's not much different.

    • If you can't offer genuine choice, don't rely on consent.

    • Consent may be difficult for employers and public authorities.

    On any level, therefore, you should review how you seek, record and manage consent and whether you need to make any changes. This would include a need to refresh existing consents now if they don't meet the GDPR standard. The precise wording of CCTV signage is clearly important and local authorities would be well advised to seek to achieve a consistent approach to the same.

    Who is the data controller?

    In terms of data controllers, this is something that may prove confusing. Article 4 defines data controllers and data processors as follows:

    (7) 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

    (8) 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

    Depending on the way a CCTV policy is formulated, while it is the driver who may control the footage to some extent, in that he or she will be transporting the facilities for creating and retaining the footage, it is the regulating authority that has determined the purposes of that data and the way in which it is processed. The driver will physically hold the data, but they will likely be compelled by the regulating authority to produce such footage upon request or submit to the regulator for such footage to be viewed / retained. It is seen as essential that the authority retains significant control so that there is less risk that the footage is tampered with in any way. This requires some careful thought in terms of the wording of a policy, for GDPR imposes significant obligations on the data controller.

    What about keeping the CCTV footage?

    Thought will need to be given to the terms of any data retention. To that end, the local authority will need to create a retention policy. It is unlikely that data controllers would be able to justify keeping CCTV footage for any longer than six months, for by such time any complaints or crimes should have been investigated. In reality, it is likely that footage would be kept for a lesser period. If the police or local authority wished to investigate, then they would take control of the data for this legitimate purpose within that timeframe. They would then become the data controllers and would have to submit to the same rules.

    Requests for information from individuals

    As with any other aspect of personal data, data subjects have a right to access, which could result in a local authority having to disclose footage to them; and now within one month rather than 40 days as was the position under the 1998 Act. It is worth noting that a request does not have to use the words "subject access" nor does it have to refer to the Data Protection Act in order for it to constitute a valid subject access request (SAR). The request simply has to be clear that the person is asking for their personal data. If a request is made, the data controller would need to ensure that the requester is present in the footage and that in supplying the footage they do not disclose any personal data of another data subject. It is therefore vital that the controller verifies the identity of the person to ensure that there is no inadvertent data breach. The controller could justifiably request information from the individual to prove that they are who they say they are, but one must be reasonable in what is asked for.

    An SAR could even involve blurring out parts of the footage, such as people or license plates. The new rules do not allow the controller to charge an administrative fee (£10) as was previously the case. This could prove onerous to the local authority as there are only specific exemptions to the requirement to provide data.

    If a request is "manifestly unfounded or excessive" data controllers can charge a fee or refuse to respond but will need to be able to provide evidence of how it was decided that the request is manifestly unfounded or excessive. Further, data controllers can withhold personal data if disclosing it would "adversely affect the rights and freedoms of others".

    What if something goes wrong?

    In the event that there is a breach of security leading to the destruction, loss, alteration or unauthorised disclosure of personal data, the data controller must notify the Information Commissioner's Office (ICO) and any involved individual of a breach where it is likely to result in a risk to the rights and


    freedoms of individuals. Plainly this would not therefore require every passenger captured on CCTV within a taxi to be notified in every instance of loss or damage. Each instance must be approached on its own facts, but it is essential that there is provision for self-reporting. If there is a risk of significant detrimental effect on the individual data subject, then the self-reporting must be made within 72 hours. This requires careful thought in terms of how and when drivers are required to notify the regulating authority in the event of any issue with regards to footage retained within the car.

    Encryption

    Another important matter to consider in the context of CCTV and taxis is the use of encryption or other security measures. It is likely that a local authority will adopt a minimum specification of CCTV systems and if so, such systems ought to be properly secure. Of course, this may come at a cost to drivers, and this is where resistance is typically found.

    Any act of storage or access is considered to be "processing" and therefore it is imperative that the confidentiality and integrity of footage is maintained. If footage is stored in an electronic format, then encryption is essential, and in the case of footage stored in a physical format, this should be locked safely away and tracked properly.

    Conclusion

    While GDPR does not actively discourage the use of CCTV, it is arguably seeking to strike a balance between its intended purpose and the privacy of individuals captured therein. CCTV within taxis remains an important tool in ensuring that members of the public are transported safely. GDPR would not seek to interfere unreasonably with this legitimate purpose but would wish to ensure that the imagery captured is thereafter dealt with in a legitimate, appropriate and transparent way.

    It is better late than never to consider the terms and practicalities of any existing CCTV policy so that it is GDPR compliant. If a local authority is contemplating invoking a new CCTV policy, then it is essential that it fits comfortably into the parameters of GDPR.

    Ben Williams
    Barrister, Kings Chambers