Thursday 4 June 2020

The COVID-19 pandemic has raised questions about using surveillance systems for tracking and tracing the spread of the virus, as well as enforcing movement restrictions. How do you assess the impact and risk of surveillance camera systems?

Public authorities are considering their options to monitor social distancing measures to reduce the spread of the virus. This may include the use of fixed and mobile CCTV, body worn video (BWV) and automatic number plate recognition (ANPR). The circumstances are unprecedented, but the basic rules are unchanged.

Law and Codes

The Data Protection Act 2018 (and GDPR) and the Information Commissioner’s CCTV Code of Practice apply to all data controllers and cover ANPR, BWV and drones.

The public sector also has the Surveillance Camera Code of Practice introduced under the Protection of Freedoms Act 2012 covering public authorities (including police and councils).

The Code sets out 12 principles to apply before deploying surveillance technology. These include the principle that surveillance must always be for a specified purpose in pursuit of a legitimate aim, and necessary to meet an identified pressing need, with proper oversight and accountability.

Assessing risks

The deployment of new surveillance systems creates a number of risks. Improper use of surveillance systems can give rise to claims for breaches of privacy, data protection and human rights, as well as regulatory enforcement.

There are also risks inherent in the use of new technology; for example, false results being used to make decisions or impose sanctions. These risks should be considered and managed before any new technology is deployed.

The Surveillance Camera Commissioner (SCC) says capturing personal data via a surveillance system is ‘likely to result in high risk to rights and freedoms’ for the purposes of the GDPR. A Data Protection Impact Assessment (DPIA) will therefore be required before the technology is rolled out, to determine legality and to record how risks have been considered and addressed.

The SCC’s Code gives examples of needing a DPIA before:

  • Introducing a new surveillance camera system.
  • Introducing new or additional technology (for example facial recognition, ANPR, audio recording, BWV, drones, megapixel or multi-sensor very high-resolution cameras like infra-red).
  • Activating any type of data matching.

The SCC and the Information Commissioner have produced a template DPIA for public authorities to consider:

  • Are surveillance cameras the right solution to the problem?
  • What are the risks to data subjects?
  • Is the impact on individuals’ rights and freedoms proportionate to the problem?
  • Can the risks be reduced to an acceptable level?

Once the initial DPIA has been conducted, a review of the DPIA should be embedded into ongoing risk assessment procedures.

Using surveillance systems will be legitimate and justifiable for some authorities in some settings. The Information Commissioner has confirmed that data protection is not a barrier to using new technology, as long as the principles of data protection law (transparency, fairness and proportionality) are complied with. However, circumstances (including COVID-19) do not excuse unnecessary, ungoverned or excessive surveillance. Regulators have their eyes on authorities operating surveillance systems, so regular review will be crucial to manage risks as the situation evolves.

Bethany Paliga, Accredited Data Protection Practitioner and Solicitor, Forbes Solicitors (bethany.paliga@forbessolicitors.co.uk) and Dan Milnes, Partner in the Governance, Procurement & Information Team, Forbes Solicitors.

